Hijackthis log


  • This topic is locked
9 replies to this topic

#1 lundie

lundie

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:55 PM

Posted 29 June 2009 - 12:29 AM

Hi there,

I routinely use Malwarebytes to scan the computer, and, this morning it found 58 infected files and folders - the 'vendor' being AdawareMyWeb/AdawareMy Web Search. I believe there is a virus called Adaware-WebSearch? Malwarebytes quarantined and deleted all the infections successfully - I think.

I've just run a HijackThis scan (I believe this is the correct 'procedure' to follow - detect and remove infections with usual software, then use HijackThis if you have more problems?). I haven't had more problems, and the virus seems to be gone, but I would really appreciate someone analysing my HijackThis log and advising me as to any further action I need to take?

Thanks very much. I'll copy and paste the log, as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:54 p.m., on 29/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\ICO.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Ashampoo\Ashampoo FireWall FREE\FireWall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IBMPRC] c:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall FREE\FireWall.exe" -TRAY
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121786370781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1246068112140
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - c:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe (file missing)
O23 - Service: Windows Media Connect (WMC) Helper (WmcCdsLs) - Unknown owner - C:\Program Files\Windows Media Connect\mswmcls.exe (file missing)

--
End of file - 6131 bytes



#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:55 PM

Posted 02 July 2009 - 01:10 PM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#3 lundie

lundie
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:55 PM

Posted 04 July 2009 - 06:44 PM

Hi there Net_Surfer,

Thanks for this, sorry for my delay in posting results of DDS scan - I logged in the day after I posted my request for help, and there had been literally hundreds (thousands) of postings in between! I don't know how you guys keep up! Anyway, I had assumed I'd been overlooked (perfectly understandable) but it seems not! Thanks again.

I think I have given a clear description of my 'problem' and steps taken so far in my first post? Hope so. DDS.txt (copied and pasted) is as follows; and, Attach.txt is attached.


DDS (Ver_09-06-26.01) - NTFSx86
Run by TANYAS STUFF at 11:17:00.46 on Sun 05/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.64.1033.18.1271.652 [GMT 12:00]

AV: avast! antivirus 4.8.1335 [VPS 090704-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\CNAB3RPK.EXE
C:\WINDOWS\Explorer.EXE
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP3\sandra.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP3\RpcAgentSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP3\WNt500x86\RpcSandraSrv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\TANYAS STUFF\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.nz/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - No File
BHO: NitroPDFBHO Class: {cf070cb8-f02f-4af4-a7b7-8d45cad4bb54} - c:\program files\nitro pdf\pdf download\NitroPDF.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Ashampoo FireWall] "c:\program files\ashampoo\ashampoo firewall\FireWall.exe" -TRAY
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [NWEReboot]
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Save Page As PDF ... - file://c:\program files\nitro pdf\pdf download\nitroweb.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {AD9E6088-E00B-42f9-9F0C-8480525D234E} - {FF5073C0-28A0-4223-9BDF-59FF020FE77C} - c:\program files\nitro pdf\pdf download\NitroPDF.dll
LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240621899468
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli pwdmon

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tanyas~1\applic~1\mozilla\firefox\profiles\0e47y3wt.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-4 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-4 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2006-2-22 138680]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-9-24 64256]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2005-5-29 16384]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBLF.SYS [2005-5-29 9216]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2009.sp3\RpcAgentSrv.exe [2009-7-4 98488]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2006-2-22 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2006-2-22 352920]
S4 Seagate Sync Service;Seagate Sync Service;c:\program files\seagate\sync\SeaSyncServices.exe [2007-1-18 24120]

=============== Created Last 30 ================

2009-07-04 16:20 <DIR> --d----- C:\LENOVO
2009-07-04 10:10 <DIR> --d----- c:\program files\SiSoftware
2009-07-04 09:42 <DIR> --d----- c:\program files\Unknown Device Identifier
2009-07-01 13:47 <DIR> --d----- c:\program files\Free Extended Task Manager
2009-07-01 13:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TaskManager
2009-06-30 16:59 <DIR> --d----- c:\program files\AvastSkins
2009-06-30 14:30 <DIR> --d----- c:\docume~1\tanyas~1\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-06-30 14:09 <DIR> --d-h--- c:\windows\PIF
2009-06-23 19:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCDr
2009-06-23 19:39 <DIR> --d----- c:\program files\PCDR5
2009-06-23 18:29 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-06-23 12:21 <DIR> --d----- c:\windows\system32\save$$updater
2009-06-20 13:26 <DIR> --d----- c:\program files\Seagate
2009-06-20 12:20 <DIR> --d----- C:\daff3c99965789a08e49e0
2009-06-17 17:22 135,168 a------- c:\windows\system32\igfxres.dll
2009-06-17 17:06 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-06-16 20:49 3,251 a------- c:\windows\system32\wbem\Outlook_01c9ee5f54f99e5e.mof
2009-06-14 18:04 <DIR> --d----- c:\program files\Debugging Tools for Windows (x86)
2009-06-14 17:11 <DIR> --d----- c:\program files\ProcessExplorer
2009-06-14 16:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-06-13 15:46 <DIR> --d----- c:\program files\iTunes
2009-06-11 11:36 3,251 a------- c:\windows\system32\wbem\Outlook_01c9ea2445b6b4b6.mof
2009-06-11 10:05 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 10:05 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 16:57 <DIR> --d-h--- c:\windows\ie8
2009-06-05 17:06 23,600 a------- c:\windows\system32\drivers\TVICHW32.SYS

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-02 22:12 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 17:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 17:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 17:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-08 03:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-08 03:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-01 09:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-05-01 09:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-05-01 09:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-05-01 09:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-05-01 09:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 23:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-18 00:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-18 00:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-17 12:04 389,120 a------- c:\windows\system32\CF2587.exe
2009-04-17 11:51 389,120 a------- c:\windows\system32\CF32742.exe
2009-04-16 02:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-16 02:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2007-01-16 15:05 299 a------- c:\docume~1\tanyas~1\applic~1\internaldb1942.dat
2007-01-16 13:31 25,755,448 a------- c:\program files\wmp11-windowsxp-x86-enu.exe
2008-01-01 17:36 80 ---shr-- c:\windows\system32\C357AF5612.dll
2009-04-01 12:37 16,384 a--sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-05-17 19:18 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051720080518\index.dat

============= FINISH: 11:17:34.32 ===============


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,703 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:55 AM

Posted 07 July 2009 - 03:27 PM

Hi lundie,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • You have the latest version of Java (Java 6 update 14) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components:
    Click "start" and then the "Control Panel" icon.
    Double-click the "Add or Remove Programs" icon.
    A list of programs installed will be "populated"; this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java™ 6 Update 2
    Java™ 6 Update 3


  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,703 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:55 AM

Posted 11 July 2009 - 09:20 AM

Are you still there? I'll wait one more day before closing the topic.

#6 lundie

lundie
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:55 PM

Posted 11 July 2009 - 11:02 PM

FarBar!

Yes, yes, still here. I have, finally, followed all your instructions and will post results below.

But first, apologies for my silence! I'll try to explain briefly...

I have one internet connection and two (unnetworked) computers, and, I managed to get them mixed up, because I swopped the internet connection between the computers between posting my initial request for assistance and then replying...(yes, I do have blonde hair!)...it only affects my first reply to Net_Surfer though!! That DDS scan result was of my clean computer!!!

I am now thoroughly sussed...and it won't happen again, PROMISE.

OK, you wanted:

(1) Copied/pasted result of quick scan with updated Malwarebytes:

Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

12/07/2009 3:00:59 p.m.
mbam-log-2009-07-12 (15-00-59).txt

Scan type: Quick Scan
Objects scanned: 94420
Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

(2) Copied and pasted C:\ComboFix.txt (I installed Microsoft Windows Recovery Console):

ComboFix 09-07-09.07 - Lundie 12/07/2009 15:24.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.64.1033.18.1014.579 [GMT 12:00]
Running from: c:\documents and settings\Lundie\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090711-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\10ba5b5.msp
c:\windows\Installer\10ba5c9.msp
c:\windows\Installer\10ba5dd.msp
c:\windows\Installer\1a8add.msp
c:\windows\Installer\1a8af1.msp
c:\windows\Installer\1a8b05.msp
c:\windows\Installer\1a8b0f.msp
c:\windows\Installer\3d4b1.msp
c:\windows\Installer\3d4c4.msp
c:\windows\Installer\3d4d8.msp
c:\windows\Installer\3d4ec.msp
c:\windows\Installer\3d507.msp
c:\windows\Installer\3d51b.msp
c:\windows\Installer\3d532.msp
c:\windows\Installer\3d546.msp
c:\windows\Installer\3d55a.msp
c:\windows\Installer\3d56f.msp
c:\windows\Installer\3d587.msp
c:\windows\Installer\85cc78.msp
c:\windows\Installer\85cdd8.msp
c:\windows\Installer\85cdf2.msp
c:\windows\Installer\8e77b6.msp
c:\windows\Installer\8e77b7.msp
c:\windows\Installer\8e77b8.msp
c:\windows\Installer\8e77b9.msp
c:\windows\Installer\8e77ba.msp
c:\windows\Installer\8e77bb.msp
c:\windows\Installer\8e77bc.msp
c:\windows\Installer\8e77bd.msp
c:\windows\Installer\8e77be.msp
c:\windows\Installer\912f99.msp
c:\windows\Installer\912f9a.msp
c:\windows\Installer\912f9b.msp
c:\windows\Installer\912f9c.msp
c:\windows\Installer\912f9d.msp
c:\windows\Installer\912f9e.msp
c:\windows\Installer\912f9f.msp
c:\windows\Installer\912fa0.msp
c:\windows\Installer\912fa1.msp
c:\windows\Installer\912fa2.msp
c:\windows\Installer\921b92.msp
c:\windows\Installer\921b9c.msp
c:\windows\Installer\921ba7.msp
c:\windows\Installer\9846a.msp
c:\windows\system32\pwdmon.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))
.

2009-07-09 03:20 . 2009-07-09 03:20 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-09 03:20 . 2009-07-09 03:20 -------- d-----w- c:\program files\Java
2009-07-05 05:08 . 2009-07-05 05:08 -------- d-----w- c:\program files\SIW
2009-06-29 04:31 . 2009-06-29 04:32 -------- d-----w- c:\windows\system32\NtmsData
2009-06-29 04:23 . 2009-06-29 04:23 -------- d-----w- c:\program files\Trend Micro
2009-06-29 00:22 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-29 00:22 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-29 00:22 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-29 00:22 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-29 00:22 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-29 00:22 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-29 00:22 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-29 00:22 . 2009-06-29 00:23 -------- d-----w- C:\d0a472909106dda0e8
2009-06-28 23:17 . 2008-10-16 02:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-06-28 23:05 . 2009-06-28 23:05 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-28 09:58 . 2009-06-28 23:02 -------- d-----w- c:\program files\QuickTime
2009-06-28 09:57 . 2009-06-28 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-28 09:56 . 2009-06-28 23:02 -------- d-----w- c:\program files\InterVideo Information Service
2009-06-28 09:31 . 2009-06-28 09:31 -------- d-----w- c:\windows\Logs
2009-06-28 09:07 . 2009-06-28 23:03 -------- d-----w- c:\windows\msdownld.tmp
2009-06-28 06:12 . 2009-06-29 00:23 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-28 06:12 . 2009-06-28 06:12 -------- d-----w- c:\program files\MSBuild
2009-06-28 06:12 . 2009-06-28 06:12 -------- d-----w- c:\program files\Reference Assemblies
2009-06-28 06:10 . 2009-06-28 06:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-06-28 05:59 . 2009-06-29 00:03 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-06-28 05:28 . 2009-06-28 05:28 -------- d-----w- c:\documents and settings\Lundie\Application Data\Leadertech
2009-06-28 04:31 . 2009-06-28 04:31 -------- d-----w- c:\documents and settings\Lundie\Local Settings\Application Data\Identities
2009-06-28 03:23 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-06-28 03:23 . 2009-06-28 05:31 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-28 03:22 . 2009-06-28 03:23 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-06-28 03:22 . 2009-06-28 03:22 -------- d-----w- c:\windows\system32\LogFiles
2009-06-28 03:20 . 2009-06-28 03:20 3584 ----a-r- c:\documents and settings\Lundie\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-06-28 03:20 . 2009-06-28 03:20 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-06-28 03:19 . 2009-06-28 03:19 -------- d-----w- c:\program files\MSECACHE
2009-06-28 02:46 . 2009-06-28 02:50 -------- d-----w- c:\windows\system32\KB905474
2009-06-28 02:46 . 2009-03-10 10:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-06-27 06:10 . 2007-01-12 21:45 172032 ----a-w- c:\windows\system32\igfxres.dll
2009-06-27 05:35 . 2009-06-27 05:35 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-27 05:19 . 2009-06-27 05:19 -------- d-----w- c:\windows\system32\scripting
2009-06-27 05:19 . 2009-06-27 05:19 -------- d-----w- c:\windows\system32\en
2009-06-27 05:19 . 2009-06-27 05:19 -------- d-----w- c:\windows\l2schemas
2009-06-27 05:19 . 2009-06-27 05:19 -------- d-----w- c:\windows\system32\bits
2009-06-27 05:17 . 2009-06-27 05:20 -------- d-----w- c:\windows\ServicePackFiles
2009-06-27 05:06 . 2004-08-03 10:29 25471 ------w- c:\windows\system32\drivers\watv10nt.sys
2009-06-27 05:06 . 2004-08-03 10:29 22271 ------w- c:\windows\system32\drivers\watv06nt.sys
2009-06-27 05:06 . 2004-08-03 10:29 11935 ------w- c:\windows\system32\drivers\wadv11nt.sys
2009-06-27 05:06 . 2004-08-03 10:29 11871 ------w- c:\windows\system32\drivers\wadv09nt.sys
2009-06-27 05:06 . 2004-08-03 10:29 11807 ------w- c:\windows\system32\drivers\wadv07nt.sys
2009-06-27 05:06 . 2004-08-03 10:29 11295 ------w- c:\windows\system32\drivers\wadv08nt.sys
2009-06-27 05:03 . 2004-08-03 10:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2009-06-27 04:32 . 2009-06-27 04:32 -------- d-sh--w- c:\documents and settings\Lundie\IECompatCache
2009-06-27 04:31 . 2009-06-27 04:31 -------- d-sh--w- c:\documents and settings\Lundie\PrivacIE
2009-06-27 04:22 . 2009-06-27 04:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-27 04:22 . 2009-06-27 04:22 -------- d-sh--w- c:\documents and settings\Lundie\IETldCache
2009-06-27 03:55 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-27 03:55 . 2009-06-27 03:55 -------- d-----w- c:\windows\ie8updates
2009-06-27 03:55 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-27 03:55 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-06-27 03:55 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-06-27 03:55 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-27 03:54 . 2009-06-27 03:55 -------- dc-h--w- c:\windows\ie8
2009-06-27 03:46 . 2009-06-27 03:46 -------- d-----w- c:\documents and settings\Lundie\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-06-27 03:42 . 2009-06-27 03:42 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-27 03:14 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Lundie\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-06-27 03:14 . 2009-06-27 03:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-27 03:02 . 2009-06-27 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PCDr
2009-06-27 03:02 . 2009-06-27 03:02 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-27 03:01 . 2009-06-27 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-06-27 03:01 . 2009-06-27 03:01 -------- d-----w- c:\program files\NOS
2009-06-27 03:01 . 2009-06-29 06:03 -------- d-----w- c:\program files\PCDR5
2009-06-27 00:50 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-06-27 00:48 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-27 00:48 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-06-27 00:46 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-06-27 00:46 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-06-27 00:30 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-06-27 00:24 . 2009-06-27 00:24 -------- d-----w- c:\documents and settings\Lundie\Local Settings\Application Data\Ashampoo
2009-06-26 07:05 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-06-26 07:05 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-06-26 07:03 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-06-26 07:02 . 2009-06-26 07:02 -------- d-----w- c:\program files\Ashampoo
2009-06-26 06:56 . 2009-06-26 06:56 0 ----a-w- c:\windows\nsreg.dat
2009-06-26 06:56 . 2009-06-26 06:56 -------- d-----w- c:\documents and settings\Lundie\Local Settings\Application Data\Mozilla
2009-06-26 06:54 . 2009-06-26 06:54 -------- d-----w- c:\program files\CCleaner
2009-06-26 06:32 . 2009-02-05 22:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-26 06:32 . 2009-02-05 22:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-26 06:32 . 2009-02-05 22:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-26 06:32 . 2009-02-05 22:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-26 06:32 . 2009-02-05 22:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-26 06:32 . 2009-02-05 22:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-26 06:32 . 2009-02-05 22:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-26 06:32 . 2009-02-05 22:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-26 06:32 . 2009-02-05 22:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-26 06:32 . 2009-06-26 06:32 -------- d-----w- c:\program files\Alwil Software
2009-06-26 06:31 . 2008-10-03 10:02 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-06-26 06:30 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-06-26 06:30 . 2008-09-04 17:15 1106944 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-06-26 06:21 . 2009-06-26 06:21 -------- d-----w- c:\documents and settings\Lundie\Application Data\Malwarebytes
2009-06-26 06:21 . 2009-06-16 23:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 06:21 . 2009-07-10 07:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-26 06:21 . 2009-06-26 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-26 06:21 . 2009-06-16 23:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-26 06:17 . 2009-06-26 06:17 -------- d-----w- c:\windows\system32\save$$updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 06:59 . 1980-01-01 07:00 187392 ----a-w- c:\windows\system32\drivers\b57xp32.sys
2009-06-29 06:06 . 2005-07-03 21:04 -------- d-----w- c:\program files\InterVideo
2009-06-29 04:24 . 2005-07-30 08:53 64312 ----a-w- c:\documents and settings\Lundie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 23:02 . 2005-07-03 20:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-28 09:55 . 2005-07-03 20:57 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-28 03:22 . 2005-07-03 21:03 -------- d-----w- c:\program files\Windows Media Connect
2009-06-28 03:22 . 2005-07-19 15:07 129 ----a-w- c:\documents and settings\Lundie\Local Settings\Application Data\fusioncache.dat
2009-06-27 05:23 . 2004-08-09 17:54 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-27 02:59 . 2007-02-12 23:36 -------- d-----w- c:\documents and settings\Lundie\Application Data\AdobeUM
2009-06-27 02:31 . 2005-07-20 04:19 -------- d-----w- c:\program files\Canon
2009-05-13 05:15 . 1980-01-01 07:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 1980-01-01 07:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 1980-01-01 07:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 1980-01-01 07:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Ashampoo FireWall"="c:\program files\Ashampoo\Ashampoo FireWall FREE\FireWall.exe" [2008-06-02 3251800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-12-16 90112]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2004-07-14 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [26/06/2009 6:32 p.m. 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/06/2009 6:32 p.m. 20560]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [16/12/2004 11:12 p.m. 63616]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [4/07/2005 9:15 a.m. 16384]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBLF.SYS [4/07/2005 9:15 a.m. 9216]
S3 cpuz132;cpuz132;\??\c:\docume~1\Lundie\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\Lundie\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [27/06/2009 3:01 p.m. 66048]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-09 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 05:04]

2009-07-12 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 05:04]

2009-06-29 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.co.nz/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Ashampoo\Ashampoo FireWall FREE\spi.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Lundie\Application Data\Mozilla\Firefox\Profiles\18xg5wc3.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 15:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\Lundie\LOCALS~1\Temp\ASFWHide"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(740)
c:\program files\Ashampoo\Ashampoo FireWall FREE\spi.dll

- - - - - - - > 'explorer.exe'(3152)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\pelscrll.dll
c:\windows\system32\PELCOMM.dll
c:\windows\system32\PELHOOKS.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\PELMICED.EXE
.
**************************************************************************
.
Completion time: 2009-07-12 15:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-12 03:32

Pre-Run: 62,698,213,376 bytes free
Post-Run: 63,025,864,704 bytes free

283 --- E O F --- 2009-06-29 06:42


Thanks very much for your patience...and thanks for the advice about all the Java stuff needing removal from the other computer...it's all gone.

Regards,

Tanya L

Hope I'm not too late!

Edited by lundie, 11 July 2009 - 11:04 PM.


#7 Farbar

    Just Curious

  • Security Developer
  • 21,703 posts
  • Gender:Male
  • Location:The Netherlands

Posted 12 July 2009 - 06:23 AM

Hi Tanya,

Well done. :thumbup2:
You seem too smart for your blond hair! :)

Please bear in mind that I'm going on vacation after a couple of days and try to be fast this time. Thank you.

MBAM shows a clean log and ComboFix removed some stuff. This looks good.
  • Let's take a look at your program files. Please go to start => Run => Copy and paste the bold line in the run-box and click OK:

    "C:\Qoobox\Add-Remove Programs.txt"

    A text file opens up, copy and paste the content to your reply.

  • Tell me how is your computer running.


#8 lundie
  • Topic Starter
  • Members
  • 5 posts

Posted 12 July 2009 - 06:32 PM

Hi again Farbar,

You are too kind...but blonde hair is a wonderful excuse for doing the inexplicably stupid things that you do every now and again...

(1) Here's the Add-Remove Programs.txt:

Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Ashampoo FireWall FREE 1.20
avast! Antivirus
Canon PhotoRecord
Canon PIXMA iP3000
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CCleaner (remove only)
CD-LabelPrint
Critical Update for Windows Media Player 11 (KB959772)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
IBM 32-bit Runtime Environment for Java 2, v1.4.2
IBM DLA
IBM RecordNow!
IBM Rescue and Recovery with Rapid Restore
IBM Themes
Intel® Graphics Media Accelerator Driver
InterVideo WinDVD
InterVideo WinDVD Creator
Java™ 6 Update 14
Lenovo System Toolbox
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mouse Suite
Mozilla Firefox (3.0.11)
OGA Notifier 1.7.0105.35.0
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB969897)

Sorry, I thought I'd checked for old Java applications on this computer too (after your first advice); seems I missed one!

(2) The computer is running really well. No complaints at all. To be honest, apart from Malwarebytes telling me there were infected folders and files, I'd noticed none of the symptoms usually associated with being 'infected' so to speak! Hang on, I tell a lie...there was a funny little icon in the task bar (next to where the date shows) but that disappeared when Malwarebytes deleted all the bad stuff and I haven't seen anything since.


I'm sorry to be so boring, you guys probably appreciate having something to really get your teeth into? But I s'pose simple requests can be gotten out of the way quicker? I think you need medals along with 'donations' by the way...what an awesome service!!

Hey...enjoy your vacation!

Thanks again,

Tanya L

Edited by lundie, 12 July 2009 - 06:39 PM.


#9 Farbar

    Just Curious

  • Security Developer
  • 21,703 posts
  • Gender:Male
  • Location:The Netherlands

Posted 12 July 2009 - 06:57 PM

Hi Tanya,

You don't need any excuse to make mistakes, we are all human.
You are welcome and thanks for your kind words.

Everything looks good. :thumbup2:

Go to Start => Run => copy and paste the next command in the field, then hit Enter:

ComboFix /u


This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

Happy Surfing! :)

#10 Farbar

    Just Curious

  • Security Developer
  • 21,703 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 August 2009 - 08:17 AM

This thread will now be closed since the issue seems to be resolved.

If you should have a new issue, please start a new topic.
