Google redirect virus


31 replies to this topic

#1 IG-64

Posted 22 June 2009 - 09:26 PM

Hello all, I seem to have contracted the Google Redirect virus over the weekend. At first, all links through a Google search were redirected to some fishy-looking non-Google search results. I found a suspicious-looking Viewpoint media player in my programs, which I read somewhere was linked to a version of this virus, which I uninstalled. It seemed to work; however, I still get redirected (though not all the time and not on every link). I ran AdAware, SpyBot, Windows Defender, AVG and Malwarebytes all day today and none of them found anything outside the usual tracking cookies. Below is my DDS report. My computer is not really slow at all unless I have a lot going on, but it seems a lot of processes are running (all I have running now as I type this is Firefox). Can any of them be ended?


DDS (Ver_09-05-14.01) - NTFSx86
Run by Matt Plantilla at 22:13:34.81 on Mon 06/22/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.48 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\twain_32\L12U16U2\SrvMod.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Matt Plantilla\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.toshiba.com/search
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [dla] c:\windows\system32\dla\DLACTRLW.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [prnet] "c:\windows\system32\prnet.tmp"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\srvmod.lnk - c:\windows\twain_32\l12u16u2\SrvMod.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233291697750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\viyiyini.dll,c:\windows\system32\fulemege.dll,c:\windows\system32\geniweji.dll,c:\windows\system32\sapawoma.dll,c:\windows\system32\rugifuye.dll,c:\windows\system32\tutatezu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\viyiyini.dll c:\windows\system32\fulemege.dll c:\windows\system32\geniweji.dll c:\windows\system32\sapawoma.dll c:\windows\system32\rugifuye.dll c:\windows\system32\tutatezu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mattpl~1\applic~1\mozilla\firefox\profiles\adpjesln.default\
FF - prefs.js: browser.search.selectedEngine - SceneSource PreDB Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-29 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-29 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-29 108552]

=============== Created Last 30 ================

2009-06-21 13:29 <DIR> --d----- c:\program files\Trend Micro
2009-06-13 22:29 <DIR> --d----- c:\program files\common files\xing shared
2009-06-09 22:43 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 22:43 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-09 22:43 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-09 22:43 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-06-02 07:15 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-05-31 20:22 <DIR> --dsh--- c:\documents and settings\matt plantilla\PrivacIE
2009-05-31 20:06 <DIR> --dsh--- c:\documents and settings\matt plantilla\IETldCache
2009-05-31 19:58 <DIR> --d----- c:\windows\ie8updates
2009-05-31 19:53 <DIR> -cd-h--- c:\windows\ie8
2009-05-31 19:45 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll

==================== Find3M ====================

2009-06-13 22:28 499,712 a------- c:\windows\system32\msvcp71.dll
2009-05-14 17:24 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-14 17:23 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-02 10:21 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-02 10:21 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 10:20 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 22:17:32.44 ===============

#2 Guest_superbird_*

Posted 27 June 2009 - 10:25 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 IG-64

Posted 27 June 2009 - 11:15 AM

Posted below is my new DDS log


DDS (Ver_09-06-26.01) - NTFSx86
Run by Matt Plantilla at 12:09:44.21 on Sat 06/27/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.toshiba.com/search
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [dla] c:\windows\system32\dla\DLACTRLW.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [prnet] "c:\windows\system32\prnet.tmp"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233291697750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\viyiyini.dll,c:\windows\system32\fulemege.dll,c:\windows\system32\geniweji.dll,c:\windows\system32\sapawoma.dll,c:\windows\system32\rugifuye.dll,c:\windows\system32\tutatezu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\viyiyini.dll c:\windows\system32\fulemege.dll c:\windows\system32\geniweji.dll c:\windows\system32\sapawoma.dll c:\windows\system32\rugifuye.dll c:\windows\system32\tutatezu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mattpl~1\applic~1\mozilla\firefox\profiles\adpjesln.default\
FF - prefs.js: browser.search.selectedEngine - SceneSource PreDB Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-06-21 13:29 <DIR> --d----- c:\program files\Trend Micro
2009-06-13 22:29 <DIR> --d----- c:\program files\common files\xing shared
2009-06-09 22:43 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 22:43 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-09 22:43 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-09 22:43 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-06-02 07:15 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-05-31 20:22 <DIR> --dsh--- c:\documents and settings\matt plantilla\PrivacIE
2009-05-31 20:06 <DIR> --dsh--- c:\documents and settings\matt plantilla\IETldCache
2009-05-31 19:58 <DIR> --d----- c:\windows\ie8updates
2009-05-31 19:53 <DIR> -cd-h--- c:\windows\ie8
2009-05-31 19:45 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll

==================== Find3M ====================

2009-06-13 22:28 499,712 a------- c:\windows\system32\msvcp71.dll
2009-05-14 17:24 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-14 17:23 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-02 10:21 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-02 10:21 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 10:20 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 12:12:53.00 ===============

#4 Maurice Naggar (Malware Response Team)

Posted 28 June 2009 - 08:17 AM

Hello Matt,

I'll be guiding you to look for and remove malware.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for this member only. If you are a casual observer, do NOT try this on your system!


If at any point you have a question or problem, STOP & make a post to the forum.
Also, do not run or start any other programs while these utilities and tools are in use!

Please do NOT run any other tools on your own or do any fixes other than what is listed here.

The logs show a Vundo infection. Let's have you start with the following

Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both of those boxes.

=

Next, uninstall BitTorrent DNA.
Your logs showed some peer-to-peer filesharing apps. I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.
"File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

Good & bad P2P Programs
http://www.malwareremoval.com/p2pindex.php

Restart the system after all "torrents" are de-installed.
=
Next
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

Next, Set Windows to show all files and all folders.
On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, then the View tab, and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, choose (select) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

Next, Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=
Download OTListIt by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :files
    c:\windows\system32\prnet.tmp
    c:\windows\system32\viyiyini.dll
    c:\windows\system32\fulemege.dll
    c:\windows\system32\geniweji.dll
    c:\windows\system32\sapawoma.dll
    c:\windows\system32\rugifuye.dll
    c:\windows\system32\tutatezu.dll
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
=
Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.
Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
=

Please download GooredFix and save it to your Desktop.
Double-click Goored.exe to run it.
Select 2. Fix Goored by typing 2 and pressing Enter.
Make sure all instances of Firefox are closed at this point.
Type y at the prompt and press Enter again.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Next, do a new DDS run.

Reply with copies of the MovedFiles log from OTL (above)
the latest MBAM scan log
the Goored.txt
the new DDS.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 IG-64

IG-64
  • Topic Starter

  • Members
  • 19 posts

Posted 28 June 2009 - 02:10 PM

Thanks for the help. Here are the requested logs.

OTL:

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
========== FILES ==========
File\Folder c:\windows\system32\prnet.tmp not found.
File\Folder c:\windows\system32\viyiyini.dll not found.
File\Folder c:\windows\system32\fulemege.dll not found.
File\Folder c:\windows\system32\geniweji.dll not found.
File\Folder c:\windows\system32\sapawoma.dll not found.
File\Folder c:\windows\system32\rugifuye.dll not found.
File\Folder c:\windows\system32\tutatezu.dll not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32835 bytes

User: Matt Plantilla
->Temp folder emptied: 261754944 bytes
->Temporary Internet Files folder emptied: 328231991 bytes
->Java cache emptied: 13653869 bytes
->FireFox cache emptied: 50562936 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49219 bytes

User: Susan Plantilla

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 4751695 bytes

RecycleBin emptied: 163520 bytes

Total Files Cleaned = 628.68 mb

Error: Unable to interpret <[start explorer]> in the current context!

OTL by OldTimer - Version 3.0.5.3 log created on 06282009_132325

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

MBAM:

Malwarebytes' Anti-Malware 1.38
Database version: 2347
Windows 5.1.2600 Service Pack 3

6/28/2009 2:59:52 PM
mbam-log-2009-06-28 (14-59-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 255220
Time elapsed: 1 hour(s), 1 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Goored:

GooredFix v1.92 by jpshortstuff
Log created at 15:01 on 28/06/2009 running Option #2 (Matt Plantilla)
Firefox version 3.0.11 (en-US)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"


DDS:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Matt Plantilla at 15:02:12.17 on Sun 06/28/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.216 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\twain_32\L12U16U2\SrvMod.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Matt Plantilla\Desktop\GooredFix.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Matt Plantilla\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.toshiba.com/search
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [dla] c:\windows\system32\dla\DLACTRLW.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\mattpl~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\srvmod.lnk - c:\windows\twain_32\l12u16u2\SrvMod.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233291697750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\viyiyini.dll,c:\windows\system32\fulemege.dll,c:\windows\system32\geniweji.dll,c:\windows\system32\sapawoma.dll,c:\windows\system32\rugifuye.dll,c:\windows\system32\tutatezu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\viyiyini.dll c:\windows\system32\fulemege.dll c:\windows\system32\geniweji.dll c:\windows\system32\sapawoma.dll c:\windows\system32\rugifuye.dll c:\windows\system32\tutatezu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mattpl~1\applic~1\mozilla\firefox\profiles\adpjesln.default\
FF - prefs.js: browser.search.selectedEngine - SceneSource PreDB Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-29 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-29 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-29 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-29 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-29 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-29 298776]

=============== Created Last 30 ================

2009-06-28 13:23 <DIR> --d----- C:\_OTL
2009-06-21 13:29 <DIR> --d----- c:\program files\Trend Micro
2009-06-13 22:29 <DIR> --d----- c:\program files\common files\xing shared
2009-06-09 22:43 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 22:43 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-09 22:43 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-09 22:43 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-06-02 07:15 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-05-31 20:22 <DIR> --dsh--- c:\documents and settings\matt plantilla\PrivacIE
2009-05-31 20:06 <DIR> --dsh--- c:\documents and settings\matt plantilla\IETldCache
2009-05-31 19:58 <DIR> --d----- c:\windows\ie8updates
2009-05-31 19:53 <DIR> -cd-h--- c:\windows\ie8
2009-05-31 19:45 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-13 22:28 499,712 a------- c:\windows\system32\msvcp71.dll
2009-05-14 17:24 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-14 17:23 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-02 10:21 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-02 10:21 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 10:20 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 15:04:59.01 ===============
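The two load points the DDS report above flags, AppInit_DLLs and LSA Notification Packages, are worth automated triage because both inject a DLL into every process (or into lsass.exe) without any Run-key entry. The script below is an added example, not code from DDS, OTL or this thread; the sample report lines are constructed in the DDS format, and the scecli allowlist and the eight-letter consonant/vowel name heuristic are assumptions modelled on the DLL names the helper targeted.

```python
"""Triage AppInit_DLLs and LSA Notification Packages entries from a DDS
"Pseudo HJT Report" (added example, not part of the DDS tool or this thread)."""
import re
from pathlib import PureWindowsPath

# Constructed sample in the DDS report format seen in the thread; the DLL
# names mirror the random-looking ones the helper targeted with OTL.
SAMPLE_DDS = r"""
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\viyiyini.dll,c:\windows\system32\fulemege.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\viyiyini.dll c:\windows\system32\fulemege.dll
"""

# Assumptions for the triage rules: scecli is the stock Notification Package
# on Windows XP, and AppInit_DLLs is empty on a clean install.
KNOWN_LSA_PACKAGES = {"scecli"}
# Heuristic (assumption): eight letters alternating consonant/vowel, the
# pattern of every DLL name in this thread (viyiyini, fulemege, ...).
RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")


def parse_loading_points(report):
    """Collect the DLL entries from the two load points DDS prints."""
    found = {"AppInit_DLLs": [], "LSA": []}
    for line in report.splitlines():
        if line.startswith("AppInit_DLLs:"):
            value = line.split(":", 1)[1]          # comma-separated paths
            found["AppInit_DLLs"] += [p.strip() for p in value.split(",") if p.strip()]
        elif line.startswith("LSA: Notification Packages"):
            value = line.split("=", 1)[1]          # space-separated names/paths
            found["LSA"] += value.split()
    return found


def module_stem(entry):
    """'c:\\windows\\system32\\viyiyini.dll' -> 'viyiyini'; 'scecli' -> 'scecli'."""
    return PureWindowsPath(entry).stem.lower()


def triage(found):
    """Return (load_point, entry, severity) for every entry worth a look."""
    findings = []
    for entry in found["AppInit_DLLs"]:
        # Anything listed here is loaded into every process that links user32.dll,
        # so every entry gets reviewed; random-looking names are rated high.
        sev = "high" if RANDOM_NAME.match(module_stem(entry)) else "review"
        findings.append(("AppInit_DLLs", entry, sev))
    for entry in found["LSA"]:
        if module_stem(entry) in KNOWN_LSA_PACKAGES:
            continue
        # Extra notification packages run inside lsass.exe on password changes.
        sev = "high" if RANDOM_NAME.match(module_stem(entry)) else "review"
        findings.append(("LSA", entry, sev))
    return findings


def scan(report):
    """Parse a DDS report and return the triage findings."""
    return triage(parse_loading_points(report))


if __name__ == "__main__":
    for load_point, entry, sev in scan(SAMPLE_DDS):
        print(f"[{sev}] {load_point}: {entry}")
```

Feeding the real DDS.txt from this thread to scan() would list all six system32 DLLs twice, once per load point, which is why the OTL fix had to remove the files themselves rather than a single registry value.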

#6 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 28 June 2009 - 05:09 PM

Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both of those boxes.

Also, temporarily disable your antivirus app. See How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

I'm going to suggest you run 2 tools. Have infinite patience while they run, especially the Sysclean.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not IG-64 and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.


If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3



* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:
then be sure to write it down fully, also copy it into your next reply here, and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

RE-Enable your AntiVirus and AntiSpyware applications but not Ad-Watch.

Reply with copy of C:\Combofix.txt
and Sysclean.log
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#7 IG-64

IG-64
  • Topic Starter

  • Members
  • 19 posts

Posted 28 June 2009 - 05:24 PM

Here are the logs:

Combofix:

ComboFix 09-06-26.02 - Matt Plantilla 06/28/2009 21:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.46 [GMT -4:00]
Running from: c:\documents and settings\Matt Plantilla\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Matt Plantilla\My Documents\My Pictures\temp\CGoW 2006-11 (Week 1) (Crystal Alice) [15 Pics]\_desktop.ini
c:\documents and settings\Matt Plantilla\My Documents\My Pictures\temp\CGoW 2006-11 (Week 2) (Amanda Corey) [15 Pics]\_desktop.ini
c:\documents and settings\Matt Plantilla\My Documents\My Pictures\temp\CGoW 2006-11 (Week 3) (Ashlee Jae) [15 Pics]\_desktop.ini
c:\documents and settings\Matt Plantilla\My Documents\My Pictures\temp\CGoW 2006-11 (Week 4) (Roxanne Dawn) [15 Pics]\_desktop.ini
c:\documents and settings\Matt Plantilla\My Documents\My Pictures\temp\CotW 2006-12 (Week 2) (Jenna Lea Deforke) [06 Pics]\_desktop.ini
c:\documents and settings\Matt Plantilla\My Documents\My Pictures\temp\CotW 2006-12 (Week 3) (Becky Wunder) [06 Pics]\_desktop.ini
c:\windows\kb913800.exe
c:\windows\system32\drivers\SKYNETsoybpjds.sys
c:\windows\system32\SKYNEThcxxumqr.dat
c:\windows\system32\SKYNETitexrirl.dll
c:\windows\system32\SKYNETmlhbotkl.dll
c:\windows\system32\SKYNETvdkvvkba.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETyejalxnm


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 )))))))))))))))))))))))))))))))
.

2009-06-29 00:36 . 2009-06-29 00:43 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-06-28 17:23 . 2009-06-28 17:23 -------- d-----w- C:\_OTL
2009-06-28 17:07 . 2009-06-28 17:07 -------- d-----w- c:\program files\ERUNT
2009-06-22 21:38 . 2009-06-22 21:38 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-22 21:38 . 2009-06-22 21:38 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-22 21:38 . 2009-06-22 21:38 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-22 21:38 . 2009-06-22 21:38 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-22 21:37 . 2009-06-22 21:37 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-22 21:37 . 2009-06-22 21:37 296800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-22 21:37 . 2009-06-22 21:37 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-22 21:31 . 2009-06-22 21:31 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-22 21:30 . 2009-06-22 21:30 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-22 21:30 . 2009-06-22 21:30 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-22 21:30 . 2009-06-22 21:30 72704 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-22 21:30 . 2009-06-22 21:30 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-22 21:29 . 2009-06-22 21:29 561016 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-22 21:29 . 2009-06-22 21:29 565096 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-22 21:29 . 2009-06-22 21:29 2349384 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-22 21:28 . 2009-06-22 21:28 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-22 21:27 . 2009-06-22 21:27 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-22 21:26 . 2009-06-22 21:26 1003344 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-22 10:59 . 2009-06-22 10:59 93 ----a-w- c:\windows\system32\SKYNET.dat
2009-06-21 17:29 . 2009-06-21 17:29 -------- d-----w- c:\program files\Trend Micro
2009-06-21 02:01 . 2009-06-21 02:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-20 20:16 . 2009-06-20 20:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-14 02:29 . 2009-06-14 02:29 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-10 07:05 . 2009-06-10 07:05 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-06-10 02:43 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 02:43 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 02:43 . 2009-04-30 21:22 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-06-10 02:43 . 2009-04-30 21:22 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-06-01 03:56 . 2009-06-01 03:56 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-01 00:22 . 2009-06-01 00:22 -------- d-sh--w- c:\documents and settings\Matt Plantilla\PrivacIE
2009-06-01 00:06 . 2009-06-01 00:06 -------- d-sh--w- c:\documents and settings\Matt Plantilla\IETldCache
2009-05-31 23:58 . 2009-06-10 07:39 -------- d-----w- c:\windows\ie8updates
2009-05-31 23:53 . 2009-05-31 23:57 -------- dc-h--w- c:\windows\ie8
2009-05-31 23:45 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 17:55 . 2009-02-05 14:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-28 17:55 . 2009-04-09 02:59 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-28 16:14 . 2009-01-30 01:17 -------- d-----w- c:\program files\DNA
2009-06-21 02:10 . 2009-03-11 01:01 -------- d-----w- c:\program files\JDownloader
2009-06-17 15:27 . 2009-02-05 14:46 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-02-05 14:46 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-15 11:28 . 2009-01-30 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-14 02:29 . 2006-02-16 09:56 -------- d-----w- c:\program files\Common Files\Real
2009-06-14 02:28 . 2003-08-13 01:17 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-06-10 07:32 . 2006-02-16 10:39 -------- d-----w- c:\program files\Microsoft Works
2009-06-01 01:55 . 2006-02-16 16:59 72392 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-01 00:25 . 2006-02-18 15:56 -------- d-----w- c:\program files\Google
2009-05-31 08:42 . 2009-01-30 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-20 03:36 . 2009-05-20 03:36 1915520 ----a-w- c:\documents and settings\Matt Plantilla\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-05-18 03:09 . 2009-05-18 03:09 -------- d-----w- c:\documents and settings\Matt Plantilla\Application Data\InterVideo
2009-05-14 21:24 . 2009-01-30 10:33 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-14 21:23 . 2009-05-14 21:23 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-14 21:23 . 2009-01-30 01:23 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-13 05:15 . 2006-02-15 14:04 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2006-02-15 14:02 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-02 14:21 . 2009-01-30 01:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-02 14:21 . 2009-01-30 01:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-02 14:21 . 2009-01-30 01:20 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 14:20 . 2009-01-30 01:20 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-02 07:01 . 2009-01-30 01:18 -------- d-----w- c:\documents and settings\Matt Plantilla\Application Data\BitTorrent
2009-04-17 12:26 . 2006-02-15 14:04 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-02-15 14:03 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-05 01:49 . 2009-04-05 01:49 29184 ----a-r- c:\documents and settings\Matt Plantilla\Application Data\Microsoft\Installer\{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}\Icon21AE04E8.exe
2009-03-31 23:29 . 2009-03-31 23:29 152576 ----a-w- c:\documents and settings\Matt Plantilla\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-30 01:24 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-01 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-22 518488]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2008-12-19 83336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-01 68592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-14 198160]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" - c:\windows\system32\TDispVol.exe [2005-03-11 73728]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\Matt Plantilla\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]
SrvMod.lnk - c:\windows\twain_32\L12U16U2\SrvMod.exe [2009-2-8 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 14:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\twain_32\\L12U16U2\\SrvMod.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/29/2009 9:23 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/29/2009 9:20 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/29/2009 9:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/29/2009 9:20 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 9:20 PM 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1003344]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 11:19 PM 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:29]

2009-06-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-06-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PadTouch - c:\program files\TOSHIBA\Touch and Launch\PadExe.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Matt Plantilla\Application Data\Mozilla\Firefox\Profiles\adpjesln.default\
FF - prefs.js: browser.search.selectedEngine - SceneSource PreDB Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-28 21:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\WININET.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\notepad.exe
.
**************************************************************************
.
Completion time: 2009-06-29 21:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-29 01:34

Pre-Run: 29,578,919,936 bytes free
Post-Run: 29,510,258,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

272 --- E O F --- 2009-06-26 11:02



Edited by IG-64, 28 June 2009 - 11:04 PM.


#8 Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 29 June 2009 - 03:02 AM

Your last reply had 2 copies of the Combofix log, and none of the Sysclean log.
Have you got and run Sysclean? Post a copy of the Sysclean log for my review.

The Combofix log does not show malware remaining. But I would suggest you not use peer-to-peer download programs like Bit Torrent. Downloading from such apps from unknown sources is a leading cause of infections.

Also, tell me if the Google redirect issue is still happening.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#9 IG-64

  • Topic Starter

  • Members
  • 19 posts

Posted 29 June 2009 - 06:21 AM

Sorry, here is the Sysclean log. I have not had any redirects since the Combofix and Sysclean completed.



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2009-06-28, 21:46:30, Auto-clean mode specified.
2009-06-28, 21:46:31, Initialized Rootkit Driver version 2.2.0.1004.
2009-06-28, 21:46:31, Running scanner "C:\Documents and Settings\Matt Plantilla\Desktop\DCE\TSC.BIN"...
2009-06-28, 21:47:18, Scanner "C:\Documents and Settings\Matt Plantilla\Desktop\DCE\TSC.BIN" has finished running.
2009-06-28, 21:47:18, TSC Log:

Damage Cleanup Engine (DCE) 6.1 (Build 1027) (RCM: 2.2.0-1004)

Windows XP (Build 2600: Service Pack 3)

Start time: Sun Jun 28 2009 21:46:37

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Matt Plantilla\Desktop\DCE\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Matt Plantilla\Desktop\DCE\tsc.ptn" (version 1046) [success]

Complete time: Sun Jun 28 2009 21:47:18

Execute pattern count (3060), Virus found count (0), Virus clean count (0), Clean failed count (0)





2009-06-28, 21:47:18, Running scanner "C:\Documents and Settings\Matt Plantilla\Desktop\DCE\VSCANTM.BIN"...
2009-06-28, 23:20:08, Scanner "C:\Documents and Settings\Matt Plantilla\Desktop\DCE\VSCANTM.BIN" has finished running.
2009-06-28, 23:20:08, VSCANTM Log:

2009-06-28, 23:20:08, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 6/28/2009 21:47:18
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 231 (433981/433981 Patterns) (2009/06/27) (623100)

Command Line: C:\Documents and Settings\Matt Plantilla\Desktop\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Documents and Settings\Matt Plantilla\Desktop\DCE\lpt$vpn.231

146489 files have been read.
146489 files have been checked.
146432 files have been scanned.
260384 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 6/28/2009 23:20:06 1 hour 32 minutes 46 seconds (5566.92 seconds) has elapsed.(38.002 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-06-28, 23:20:08, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 6/28/2009 21:47:18
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 231 (433981/433981 Patterns) (2009/06/27) (623100)

Command Line: C:\Documents and Settings\Matt Plantilla\Desktop\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Documents and Settings\Matt Plantilla\Desktop\DCE\lpt$vpn.231

146489 files have been read.
146489 files have been checked.
146432 files have been scanned.
260384 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 6/28/2009 23:20:06 1 hour 32 minutes 46 seconds (5566.92 seconds) has elapsed.(38.002 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-06-28, 23:20:08, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 6/28/2009 21:47:18
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 231 (433981/433981 Patterns) (2009/06/27) (623100)

Command Line: C:\Documents and Settings\Matt Plantilla\Desktop\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Documents and Settings\Matt Plantilla\Desktop\DCE\lpt$vpn.231

146489 files have been read.
146489 files have been checked.
146432 files have been scanned.
260384 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 6/28/2009 23:20:06 1 hour 32 minutes 46 seconds (5566.92 seconds) has elapsed.(38.002 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-06-28, 23:20:08, Running SSAPI scanner ""...
2009-06-28, 23:57:25, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.89
SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 06/28/2009 23:20:22


SSAPI requires the system to reboot.
Detected Items:
[CLEAN SUCCESS][Cookie_RealMedia] Internet Explorer Cache\247realmedia.com,Cookie:matt plantilla@247realmedia.com/,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@247realmedia[1].txt
[CLEAN SUCCESS][Cookie_2o7] Internet Explorer Cache\2o7.net,Cookie:matt plantilla@2o7.net/,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@2o7[2].txt
[CLEAN SUCCESS][Cookie_7Search] Internet Explorer Cache\7search.com,Cookie:matt plantilla@7search.com/,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@7search[2].txt
[CLEAN SUCCESS][Cookie_YieldManager] Internet Explorer Cache\ad.yieldmanager.com,Cookie:matt plantilla@ad.yieldmanager.com/,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@ad.yieldmanager[2].txt
[CLEAN SUCCESS][Cookie_Pointroll] Internet Explorer Cache\ads.pointroll.com,Cookie:matt plantilla@ads.pointroll.com/,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@ads.pointroll[1].txt
[CLEAN SUCCESS][Cookie_InsightExpressAI] Internet Explorer Cache\insightexpressai.com,Cookie:matt plantilla@insightexpressai.com/,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@insightexpressai[2].txt
[CLEAN SUCCESS][Cookie_Overture] Internet Explorer Cache\overture.com,Cookie:matt plantilla@overture.com/,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@overture[1].txt
[CLEAN SUCCESS][Cookie_Questionmarket] Internet Explorer Cache\questionmarket.com,Cookie:matt plantilla@questionmarket.com/,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@questionmarket[2].txt
[CLEAN SUCCESS][Cookie_RealMedia] Internet Explorer Cache\realmedia.com,Cookie:matt plantilla@realmedia.com/,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@realmedia[2].txt
[CLEAN SUCCESS][Cookie_Revsci] Internet Explorer Cache\revsci.net,Cookie:matt plantilla@revsci.net/,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@revsci[2].txt
[CLEAN SUCCESS][Cookie_LivePerson] Internet Explorer Cache\server.iad.liveperson.net,Cookie:matt plantilla@server.iad.liveperson.net/,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@server.iad.liveperson[2].txt
[CLEAN SUCCESS][Cookie_LivePerson] Internet Explorer Cache\server.iad.liveperson.net,Cookie:matt plantilla@server.iad.liveperson.net/hc/19452074,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@server.iad.liveperson[3].txt
[CLEAN SUCCESS][Cookie_ServingSys] Internet Explorer Cache\serving-sys.com,Cookie:matt plantilla@serving-sys.com/,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@serving-sys[2].txt
[CLEAN SUCCESS][Cookie_SpecificClick] Internet Explorer Cache\specificclick.net,Cookie:matt plantilla@specificclick.net/,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@specificclick[2].txt
[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\tribalfusion.com,Cookie:matt plantilla@tribalfusion.com/,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@tribalfusion[2].txt
[CLEAN SUCCESS][Cookie_BurstBeacon] Internet Explorer Cache\www.burstbeacon.com,Cookie:matt plantilla@www.burstbeacon.com/,C:\Documents and Settings\Matt Plantilla\Cookies\matt_plantilla@www.burstbeacon[1].txt
Detected: 16 items.
Cleaned Success: 16 items.
Clean Failed: 0 items.

Spyware Scan Ended: 06/28/2009 23:56:59
Scan Complete. Time=2209.099854.

#10 IG-64

IG-64
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:11:14 AM

Posted 29 June 2009 - 07:07 PM

Okay, so I seem to have been infected again! This time, much worse than the Google Redirect virus. Desktop has been taken over by something called Antivirus System Pro. It posted a wallpaper that says that I am infected by spyware, has posted an 'Infiltration Alert' popup in the lower right-hand corner and constantly pops up a Windows security alert from a shield-looking icon in the taskbar. Computer is practically unusable. I am running AVG and MBAM scans to attempt to find it. AVG popped multiple trojan attacks that it seemed to quarantine, yet the infection obviously got through. Please advise, thanks.

#11 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:14 AM

Posted 29 June 2009 - 09:25 PM

You would have been close to being done ..... before this last (new) infection. YIPES.
Not to put aspersions.... but did anyone download something they should not have?
Do you have a peer-to-peer filesharing program active on this system? A torrent or such??

If you get any rogue window or bogus alert window, press and hold ALT key on your keyboard and then press F4 function key. That closes the window. Repeat as needed.

Once the rogue windows are out of the way, do this to get MBAM updated and then a scan.

Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2353 or later. The latest program version is 1.38 (released June 17)

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on Combo-Fix.exe & follow the prompts.
Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:
Posted Image
then, be sure to write it down fully and also copy that into your next reply here, and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with the new MBAM scan log and
the C:\Combofix.txt log

Edited by Maurice Naggar, 29 June 2009 - 09:29 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#12 IG-64

IG-64
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:10:14 AM

Posted 29 June 2009 - 09:40 PM

Nah, nothing malicious. I haven't used Bit Torrent in a year or so and I didn't even know I had that DNA program you asked me to uninstall until you pointed it out. When I logged on today I started to check my e-mail and some news sites and my computer just got really slow all of a sudden. AVG popped up with some trojan warnings but a few things seemed to have got through and put themselves on the taskbar. I am running a MBAM scan now and will do the Combo-Fix afterwards. Thanks again for your help.

#13 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:14 AM

Posted 29 June 2009 - 10:42 PM

Allow each of MBAM and Combofix to run by themselves, as standalone programs.
Do NOT do any websurfing or such, and no email either.
Let each of these programs (and any other tool I ask you to run) run alone. No need to reply. Just please follow my advice.
Close your browsers and run the tools.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#14 IG-64

IG-64
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:10:14 AM

Posted 29 June 2009 - 11:04 PM

Here are the results:

MBAM

Malwarebytes' Anti-Malware 1.38
Database version: 2347
Windows 5.1.2600 Service Pack 3

6/29/2009 11:14:22 PM
mbam-log-2009-06-29 (23-14-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 231607
Time elapsed: 3 hour(s), 13 minute(s), 27 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lowriskfiletypes (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7998DC37-D3FE-487C-A60A-7701FCC70CC6}\InprocServer32\(default) (Hijack.Repdrvfs) -> Bad: (\\?\globalroot\systemroot\installer\32a5a3.msi) Good: (repdrvfs.dll) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\matt plantilla\local settings\temp\installb[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\matt plantilla\local settings\temporary internet files\Content.IE5\00WY31TR\oheefst[1].txt (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\matt plantilla\local settings\temporary internet files\Content.IE5\KNG0F382\atnaa[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\matt plantilla\local settings\temporary internet files\Content.IE5\KNG0F382\oheefst[2].txt (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\matt plantilla\local settings\temporary internet files\Content.IE5\LLMEK5DA\lakkl[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\matt plantilla\local settings\temporary internet files\Content.IE5\LLMEK5DA\ouuivaan[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\matt plantilla\local settings\temporary internet files\Content.IE5\TOPKEC3P\lakkl[2].htm (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\matt plantilla\local settings\temporary internet files\Content.IE5\TOPKEC3P\atnaa[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\matt plantilla\local settings\temporary internet files\Content.IE5\TOPKEC3P\qwtkll[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\SKYNETitexrirl.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{4b1aea69-b95e-4955-a6a6-502cd89cda69}\RP155\A0084826.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Combo-Fix

ComboFix 09-06-29.04 - Matt Plantilla 06/29/2009 23:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.203 [GMT -4:00]
Running from: c:\documents and settings\Matt Plantilla\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wbem\proquota.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-30 03:42 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-30 03:42 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-29 23:32 . 2009-06-29 23:32 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-29 23:27 . 2009-06-29 23:28 -------- d-sh--w- c:\windows\System Volume Information
2009-06-29 23:27 . 2009-06-29 23:27 40960 ----a-w- C:\poykfa.exe
2009-06-29 00:36 . 2009-06-29 00:43 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-06-28 17:23 . 2009-06-28 17:23 -------- d-----w- C:\_OTL
2009-06-28 17:07 . 2009-06-28 17:07 -------- d-----w- c:\program files\ERUNT
2009-06-22 21:38 . 2009-06-22 21:38 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-22 21:38 . 2009-06-22 21:38 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-22 21:38 . 2009-06-22 21:38 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-22 21:38 . 2009-06-22 21:38 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-22 21:37 . 2009-06-22 21:37 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-22 21:37 . 2009-06-22 21:37 296800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-22 21:37 . 2009-06-22 21:37 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-22 21:31 . 2009-06-22 21:31 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-22 21:30 . 2009-06-22 21:30 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-22 21:30 . 2009-06-22 21:30 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-22 21:30 . 2009-06-22 21:30 72704 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-22 21:30 . 2009-06-22 21:30 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-22 21:29 . 2009-06-22 21:29 561016 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-22 21:29 . 2009-06-22 21:29 565096 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-22 21:29 . 2009-06-22 21:29 2349384 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-22 21:28 . 2009-06-22 21:28 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-22 21:27 . 2009-06-22 21:27 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-22 21:26 . 2009-06-22 21:26 1003344 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-22 10:59 . 2009-06-22 10:59 93 ----a-w- c:\windows\system32\SKYNET.dat
2009-06-21 17:29 . 2009-06-21 17:29 -------- d-----w- c:\program files\Trend Micro
2009-06-21 02:01 . 2009-06-21 02:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-20 20:16 . 2009-06-20 20:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-14 02:29 . 2009-06-14 02:29 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-10 07:05 . 2009-06-10 07:05 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-06-10 02:43 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 02:43 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 02:43 . 2009-04-30 21:22 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-06-10 02:43 . 2009-04-30 21:22 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-06-01 03:56 . 2009-06-01 03:56 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-01 00:22 . 2009-06-01 00:22 -------- d-sh--w- c:\documents and settings\Matt Plantilla\PrivacIE
2009-06-01 00:06 . 2009-06-01 00:06 -------- d-sh--w- c:\documents and settings\Matt Plantilla\IETldCache
2009-05-31 23:58 . 2009-06-10 07:39 -------- d-----w- c:\windows\ie8updates
2009-05-31 23:53 . 2009-05-31 23:57 -------- dc-h--w- c:\windows\ie8
2009-05-31 23:45 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 03:20 . 2009-01-30 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-28 17:55 . 2009-02-05 14:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-28 17:55 . 2009-04-09 02:59 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-21 02:10 . 2009-03-11 01:01 -------- d-----w- c:\program files\JDownloader
2009-06-17 15:27 . 2009-02-05 14:46 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-02-05 14:46 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-15 11:28 . 2009-01-30 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-14 02:29 . 2006-02-16 09:56 -------- d-----w- c:\program files\Common Files\Real
2009-06-14 02:28 . 2003-08-13 01:17 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-06-10 07:32 . 2006-02-16 10:39 -------- d-----w- c:\program files\Microsoft Works
2009-06-01 01:55 . 2006-02-16 16:59 72392 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-01 00:25 . 2006-02-18 15:56 -------- d-----w- c:\program files\Google
2009-05-20 03:36 . 2009-05-20 03:36 1915520 ----a-w- c:\documents and settings\Matt Plantilla\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-05-18 03:09 . 2009-05-18 03:09 -------- d-----w- c:\documents and settings\Matt Plantilla\Application Data\InterVideo
2009-05-14 21:24 . 2009-01-30 10:33 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-14 21:23 . 2009-05-14 21:23 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-14 21:23 . 2009-01-30 01:23 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-13 05:15 . 2006-02-15 14:04 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2006-02-15 14:02 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-02 14:21 . 2009-01-30 01:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-02 14:21 . 2009-01-30 01:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-02 14:21 . 2009-01-30 01:20 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 14:20 . 2009-01-30 01:20 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-02 07:01 . 2009-01-30 01:18 -------- d-----w- c:\documents and settings\Matt Plantilla\Application Data\BitTorrent
2009-04-17 12:26 . 2006-02-15 14:04 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-02-15 14:03 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-05 01:49 . 2009-04-05 01:49 29184 ----a-r- c:\documents and settings\Matt Plantilla\Application Data\Microsoft\Installer\{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}\Icon21AE04E8.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-29_01.21.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-30 03:20 . 2009-06-30 03:20 16384 c:\windows\Temp\Perflib_Perfdata_158.dat
+ 2009-06-29 22:34 . 2009-06-29 22:34 270336 c:\windows\ERDNT\AutoBackup\6-29-2009\Users\00000002\UsrClass.dat
+ 2009-06-29 22:34 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\6-29-2009\ERDNT.EXE
+ 2009-06-29 22:34 . 2009-06-29 22:34 9633792 c:\windows\ERDNT\AutoBackup\6-29-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-30 01:24 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-01 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-22 518488]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2008-12-19 83336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-01 68592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-14 198160]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" - c:\windows\system32\TDispVol.exe [2005-03-11 73728]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\Matt Plantilla\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]
SrvMod.lnk - c:\windows\twain_32\L12U16U2\SrvMod.exe [2009-2-8 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 14:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\twain_32\\L12U16U2\\SrvMod.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/29/2009 9:23 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/29/2009 9:20 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/29/2009 9:20 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/29/2009 9:20 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 9:20 PM 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1003344]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 11:19 PM 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:29]

2009-06-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-06-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Matt Plantilla\Application Data\Mozilla\Firefox\Profiles\adpjesln.default\
FF - prefs.js: browser.search.selectedEngine - SceneSource PreDB Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 23:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP000000D0A5B9087580BBFC6F

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2009-06-30 23:47
ComboFix-quarantined-files.txt 2009-06-30 03:47
ComboFix2.txt 2009-06-29 01:34

Pre-Run: 29,188,517,888 bytes free
Post-Run: 29,350,113,280 bytes free

217 --- E O F --- 2009-06-26 11:02

#15 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:11:14 AM

Posted 30 June 2009 - 06:32 AM

One of the infections you had was the rogue SpywareProtect, which MBAM has removed. But it also found several other trojans.
This needs more follow-up; so do the following.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not IG-64 and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

First, Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both of those boxes.

Next, Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
=
Place your USB flash drives in-place so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.
The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:
http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx
Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
There is no GUI interface or log file produced.
=

Your temp files need to be deleted and a malware dropper by the name of POYKFA.EXE needs to be removed.
This next process should take care of them. A reboot of the system will be done as part of this !
  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :files
    C:\poykfa.exe
    C:\32788R22FWJFW.0.tmp
    c:\windows\TEMP\TMP000000D0A5B9087580BBFC6F
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Return to OTLisIt2. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

Next, Download and save to your Desktop: PrevX CSI: http://www.prevx.com/freescan.asp

Run Prevx CSI.
If it wants to reboot when finished, do so.

=

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference! Perhaps also save the file on your pc.

Close all browsers and all open windows & programs.

1. Please download SmitfraudFix (by S!Ri) and SAVE it to your Desktop.
It's very important that you be using the most recent version (v2.423 as of this post).

2. Reboot into Safe Mode (Restart your computer, then continually tap F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. More at http://service1.symantec.com/SUPPORT/tsgen...001052409420406.)

3. Once in Safe Mode:
Double click the SmitfraudFix.exe file. It will create a folder named SmitfraudFix on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Have plenty of patience as a Command prompt window opens. You'll eventually see a message and a "press any key to continue".
Press the space bar or any other key on the keyboard.

4. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

5. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

6. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

7. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

8. A text file will appear onscreen with results from the cleaning process. Please copy/paste the content of that report into your next reply.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:
  • process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  • Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, you were infected.
>
Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
Reply with copy of the OTL MovedFiles log
copy of C:\rapport.txt
copy of the DrWeb Cure-It log
and tell me, How is your system now ? Are the Google redirects past history ?

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply. Make sure you do not post duplicate copies of same log (as you have done before). Always PREVIEW.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Edited by Maurice Naggar, 30 June 2009 - 06:36 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
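As an added example that is not part of this thread, and not code from Flash Drive Disinfector, TweakUI or any other tool named above: the AutoRun step in the post defends against an Autorun.inf on a removable drive that tells Windows to launch a program when the drive is opened. The small Python check below parses the text of such a file and flags exactly the directives that do that (open, shellexecute, and shell\<verb>\command), so a helper or reader can tell an inert placeholder from one that executes code. The two .inf samples are constructed for the example, including the RECYCLER\payload.exe path.

```python
"""Flag Autorun.inf directives that cause program execution.

Added example for this thread, not code from the tools discussed.
Sample .inf contents below are constructed for illustration only.
"""

# Keys in the [autorun] section that make Windows run or proxy to a program.
EXEC_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return {lower-cased key: value} for the [autorun] section only.

    Real-world files pad the content with junk sections, comments and mixed
    case, so the parser is deliberately lenient: it ignores blank and ';'
    comment lines, lower-cases section names and keys, and skips anything
    outside [autorun] or not shaped like key=value.
    """
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def risky_directives(entries):
    """Return (key, value) pairs that would launch a program."""
    findings = []
    for key, value in entries.items():
        if key in EXEC_KEYS:
            findings.append((key, value))
        # shell\<verb>\command=... replaces Explorer's context-menu verbs
        # (open, explore, ...), so a double-click on the drive runs the payload.
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append((key, value))
    return findings


def assess(text):
    """Summarise an Autorun.inf: does it execute code, and via which keys?"""
    entries = parse_autorun(text)
    findings = risky_directives(entries)
    return {
        "executes_code": bool(findings),
        "findings": findings,
        "label": entries.get("label"),
    }


# Constructed sample in the style found on infected removable drives.
SAMPLE_MALICIOUS = r"""
; constructed sample
[AutoRun]
OPEN=RECYCLER\payload.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\payload.exe
shell\explore\command=RECYCLER\payload.exe
[junk]
open=ignored.exe
"""

# Constructed sample of a harmless file: only icon and label, nothing runs.
SAMPLE_BENIGN = r"""
[autorun]
icon=setup.exe,0
label=Backup Drive
"""

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, assess(sample))
```

Running the block prints one assessment per sample; the constructed malicious file is flagged on three keys (open plus the two shell\...\command overrides), while the benign one is not. The junk [junk] section is ignored, which matters because padding with fake sections is a common way of hiding the real directive from a casual look.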



