Log - TDss.aips, Crypt.Xpack, Spy.Router, and Alureon


  • This topic is locked
14 replies to this topic

#1 mikedj72 (Members, 12 posts)

Posted 09 July 2009 - 12:44 PM

Rigel tried to help me in this thread and sent me here. As you can see, many help programs suggested are blocked from running. I can't even start in safe mode and he suggested I come here. Hope I do this correctly, thanks for any input.

Largest issue to date is the fact I do a topic or company search on a search engine and see the proper results. When I click something like Dell.com, I go to another website. I must hit my back button once, then click the result a second time in the search engine and it will finally go to the correct website listed. No matter the subject or company, you ALWAYS go to the wrong website the first time around.

Next problems deal with the fact that most programs like Malwarebytes/SpybotS&D/etc are all blocked from running to fix the hijack. Can't start in Safe Mode to run SmitFraudfix as Rigel suggested. This bug also was so good that it blocked Trend Micro's online virus scan from running with some kind of java error.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Mike at 13:23:27.06 on Thu 07/09/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.1686 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\SAMSUNG\Samsung SCX-4725 Series\SPanel\RCP\Scan2pc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Vuze\Azureus.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Mike\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: []
mRun: [Whitney2_S2P] c:\program files\samsung\samsung scx-4725 series\spanel\rcp\Scan2pc.exe
mRun: [Bluetooth HCI Monitor] RunDll32 HCIMNTR.DLL,RunCheckHCIMode
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {165B3239-2565-49DB-8A82-F28631CE44ED} - hxxp://www.cme-equotes.com/webstart/webstart.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\mike\appdata\roaming\mozilla\firefox\profiles\6802tt0b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ms&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ms&p=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-6 64160]
R1 RRCtrl;RRCtrl;c:\windows\system32\drivers\RRCTRL.SYS [2009-4-11 16640]
R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};c:\program files\cyberlink\powerdvd dx\000.fcl [2008-8-15 39408]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-7 108289]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-4-28 161048]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-4-3 1153368]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2008-8-19 5120]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2009-2-24 81920]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
S4 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]
S4 SessionLauncher;SessionLauncher;c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\admini~1\appdata\local\temp\dx9\SessionLauncher.exe [?]

=============== Created Last 30 ================

2009-07-07 11:49 2,132 a------- c:\windows\system32\tmp.reg
2009-07-07 09:29 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-07 09:29 --d----- c:\programdata\Avira
2009-07-07 09:29 --d----- c:\program files\Avira
2009-07-07 09:29 --d----- c:\progra~2\Avira
2009-07-07 09:14 --d----- c:\program files\Safer Networking
2009-07-06 15:29 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 15:29 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-06 15:29 --d----- c:\programdata\Malwarebytes
2009-07-06 15:29 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 15:29 --d----- c:\progra~2\Malwarebytes
2009-07-06 15:25 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-06 15:24 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-06 15:23 -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-06 15:23 -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-06 15:23 --d----- c:\program files\Lavasoft
2009-07-06 15:17 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-07-06 15:16 --d----- c:\users\mike\.housecall6.6
2009-06-29 15:12 --d----- c:\windows\system32\vi-VN
2009-06-29 15:12 --d----- c:\windows\system32\eu-ES
2009-06-29 15:12 --d----- c:\windows\system32\ca-ES
2009-06-29 15:01 2,868,224 a------- c:\windows\system32\mf.dll
2009-06-22 13:34 819,200 a------- c:\windows\system32\xvidcore.dll
2009-06-22 13:34 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-06-22 13:34 77,824 a------- c:\windows\system32\xvid.ax
2009-06-22 13:34 --d----- c:\program files\Xvid
2009-06-17 14:34 70,984 a------- c:\users\mike\g2mdlhlpx.exe
2009-06-11 03:11 --dsh--- c:\windows\system32\%APPDATA%

==================== Find3M ====================

2009-07-07 16:22 2,140 a------- c:\windows\bthservsdp.dat
2009-07-07 13:48 848 a--sh--- c:\programdata\KGyGaAvL.sys
2009-07-07 13:48 848 a--sh--- c:\progra~2\KGyGaAvL.sys
2009-06-29 15:17 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-29 15:17 86,016 a------- c:\windows\inf\infstor.dat
2009-06-29 15:17 51,200 a------- c:\windows\inf\infpub.dat
2009-06-29 15:12 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-09 01:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 01:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-04-23 08:15 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:14 623,616 a------- c:\windows\system32\localspl.dll
2009-04-21 07:39 2,034,688 a------- c:\windows\system32\win32k.sys
2009-04-11 02:33 986,600 a------- c:\windows\system32\winload.exe
2009-04-11 02:33 926,184 a------- c:\windows\system32\winresume.exe
2009-04-11 02:33 614,376 a------- c:\windows\system32\ci.dll
2009-04-11 02:32 50,664 a------- c:\windows\system32\PSHED.DLL
2009-04-11 02:32 3,601,896 a------- c:\windows\system32\ntkrnlpa.exe
2009-04-11 02:32 3,549,672 a------- c:\windows\system32\ntoskrnl.exe
2009-04-11 02:32 438,744 a------- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-04-11 02:32 245,736 a------- c:\windows\system32\clfs.sys
2009-04-11 02:32 177,128 a------- c:\windows\system32\halmacpi.dll
2009-04-11 02:32 140,776 a------- c:\windows\system32\halacpi.dll
2009-04-11 02:32 17,896 a------- c:\windows\system32\kd1394.dll
2009-04-11 02:32 19,944 a------- c:\windows\system32\kdusb.dll
2009-04-11 02:32 17,384 a------- c:\windows\system32\kdcom.dll
2009-04-11 02:27 627,200 a------- c:\windows\system32\sethc.exe
2009-04-11 02:22 7,168 a------- c:\windows\system32\f3ahvoas.dll
2009-04-11 02:21 37,376 a------- c:\windows\system32\cdd.dll
2009-04-11 01:03 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-04-11 01:03 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-04-11 00:57 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-04-11 00:54 2,048 a------- c:\windows\system32\mferror.dll
2009-04-11 00:39 16,384 a------- c:\windows\system32\iscsilog.dll
2009-04-11 00:27 2,560 a------- c:\windows\system32\msimsg.dll
2009-04-11 00:23 289,792 a------- c:\windows\system32\atmfd.dll
2009-04-11 00:12 617,984 a------- c:\windows\system32\adtschema.dll
2009-04-10 21:59 107,612 a------- c:\windows\system32\StructuredQuerySchema.bin
2009-03-11 10:04 88 ---shr-- c:\programdata\66E1128861.sys
2009-03-11 10:04 88 ---shr-- c:\progra~2\66E1128861.sys
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:23:53.57 ===============


#2 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 17 July 2009 - 08:35 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
m0le is a proud member of UNITE

#3 mikedj72 (Topic Starter, Members, 12 posts)

Posted 19 July 2009 - 12:26 PM

Hello and thanks for all you and your team do here, it's a wonderful service and I'll be sure to make a donation for the work.

I still have the same issues as before: typing bleeping computer into Yahoo/Google type search engines gives me the proper results. But I click the results of the search engine and I'm redirected. Hit my back button once, hit results again, I finally get my 'proper' website. Programs like Spybot S&D, Malwarebytes, etc. are all blocked from running. The guy in your virus section I mentioned above told me to use a program from safe mode, my computer is blocked from safe mode. The only new issue is that now about every other reboot/restart, I see a blue screen crash dump that takes me to a black screen blinking cursor.

To run DDS as suggested, I turned off all programs as suggested. The only one that did not follow the exact directions as you've laid out in the link was Spybot Search & Destroy. I cannot start that, so I had to disable it from the system tray.

I've also read that P2P programs are what cause this and once I'm back online, I will delete all programs you suggest. Thanks again for all your help and the time each of you give.

Mike



DDS (Ver_09-06-26.01) - NTFSx86
Run by Mike at 13:10:30.64 on Sun 07/19/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2234 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\SAMSUNG\Samsung SCX-4725 Series\SPanel\RCP\Scan2pc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\LaCie\Shortcut Button\LaCieShortcutTrayApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LaCie\Genie Backup Manager Pro\GBMAgent.exe
C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\SearchFilterHost.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mike\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [GBMPro8AgentLaCie] c:\program files\lacie\genie backup manager pro\GBMAgent.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [<NO NAME>]
mRun: [Whitney2_S2P] c:\program files\samsung\samsung scx-4725 series\spanel\rcp\Scan2pc.exe
mRun: [Bluetooth HCI Monitor] RunDll32 HCIMNTR.DLL,RunCheckHCIMode
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [GBMPro8AgentLaCie] c:\program files\lacie\genie backup manager pro\GBMAgent.exe
mRun: [LaCie Shortcut Startup] c:\program files\lacie\shortcut button\LaCieShortcutTrayApp.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {165B3239-2565-49DB-8A82-F28631CE44ED} - hxxp://www.cme-equotes.com/webstart/webstart.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\mike\appdata\roaming\mozilla\firefox\profiles\6802tt0b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ms&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ms&p=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-6 64160]
R1 RRCtrl;RRCtrl;c:\windows\system32\drivers\RRCTRL.SYS [2009-4-11 16640]
R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};c:\program files\cyberlink\powerdvd dx\000.fcl [2008-8-15 39408]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-7 108289]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-4-28 161048]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-4-3 1153368]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2008-8-19 5120]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2009-2-24 81920]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-7-6 38160]
S4 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]
S4 SessionLauncher;SessionLauncher;c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\admini~1\appdata\local\temp\dx9\SessionLauncher.exe [?]

=============== Created Last 30 ================

2009-07-16 12:02 140,442,006 a------- c:\windows\MEMORY.DMP
2009-07-15 15:54 <DIR> --d----- c:\users\mike\appdata\roaming\Malwarebytes
2009-07-15 10:00 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-15 10:00 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-15 10:00 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-15 10:00 23,552 a------- c:\windows\system32\lpk.dll
2009-07-15 10:00 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-14 13:32 <DIR> --d----- c:\users\mike\appdata\roaming\Genie-Soft
2009-07-14 13:29 128,104 a------- c:\windows\system32\drivers\WimFltr.sys
2009-07-14 13:29 <DIR> --d----- c:\program files\LaCie
2009-07-07 11:49 2,132 a------- c:\windows\system32\tmp.reg
2009-07-07 09:29 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-07 09:29 <DIR> --d----- c:\programdata\Avira
2009-07-07 09:29 <DIR> --d----- c:\program files\Avira
2009-07-07 09:29 <DIR> --d----- c:\progra~2\Avira
2009-07-07 09:14 <DIR> --d----- c:\program files\Safer Networking
2009-07-06 15:29 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 15:29 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-06 15:29 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-06 15:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 15:29 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-06 15:25 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-06 15:24 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-06 15:23 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-06 15:23 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-06 15:23 <DIR> --d----- c:\program files\Lavasoft
2009-07-06 15:17 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-07-06 15:16 <DIR> --d----- c:\users\mike\.housecall6.6
2009-06-29 15:12 <DIR> --d----- c:\windows\system32\vi-VN
2009-06-29 15:12 <DIR> --d----- c:\windows\system32\eu-ES
2009-06-29 15:12 <DIR> --d----- c:\windows\system32\ca-ES
2009-06-29 15:01 2,868,224 a------- c:\windows\system32\mf.dll
2009-06-22 13:34 819,200 a------- c:\windows\system32\xvidcore.dll
2009-06-22 13:34 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-06-22 13:34 77,824 a------- c:\windows\system32\xvid.ax
2009-06-22 13:34 <DIR> --d----- c:\program files\Xvid

==================== Find3M ====================

2009-07-17 16:54 2,140 a------- c:\windows\bthservsdp.dat
2009-07-17 14:03 848 a--sh--- c:\programdata\KGyGaAvL.sys
2009-07-17 14:03 848 a--sh--- c:\progra~2\KGyGaAvL.sys
2009-06-29 15:17 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-29 15:17 86,016 a------- c:\windows\inf\infstor.dat
2009-06-29 15:17 51,200 a------- c:\windows\inf\infpub.dat
2009-06-29 15:12 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-17 14:34 70,984 a------- c:\users\mike\g2mdlhlpx.exe
2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-09 01:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 01:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-04-23 08:15 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:14 623,616 a------- c:\windows\system32\localspl.dll
2009-04-21 07:39 2,034,688 a------- c:\windows\system32\win32k.sys
2009-03-11 10:04 88 ---shr-- c:\programdata\66E1128861.sys
2009-03-11 10:04 88 ---shr-- c:\progra~2\66E1128861.sys
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:10:48.96 ===============

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 July 2009 - 03:38 PM

Hey mikedj72,

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Let me know if you have any problems downloading or running Combofix.
m0le is a proud member of UNITE

#5 mikedj72

mikedj72
  • Topic Starter

  • Members
  • 12 posts

Posted 20 July 2009 - 08:24 AM

Internet Explorer is no longer working, I had to use Firefox to get on the net.

For note, I disabled all programs as suggested. Even after disabling Avira, it ran during the reboot on ComboFix. Several files kept popping up in the Avira window, for which I chose "Deny Access." Those files were (TR/TDss.yuz, PKIT/TDss.an, and TR/Crypt.XPACK.gen)

Let me know if I need to redo a different way.

Mike






ComboFix 09-07-14.08 - Mike 07/20/2009 9:02.1.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2174 [GMT -4:00]
Running from: c:\users\Mike\Desktop\Combo-Fix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1222040490-3548352618-2589853025-1005
c:\$recycle.bin\S-1-5-21-1222040490-3548352618-2589853025-500
c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500
c:\users\Mike\AppData\Roaming\.#
c:\users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Uninstall.lnk
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\MSIVXwamqjswkmpfeynfssowbdojxmxecbetr.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\MSIVXcount
c:\windows\System32\MSIVXokxpenjxarusogpahrtnbedlgotaanwo.dll
c:\windows\System32\MSIVXrnxvnpkblrbdksfaddxyxlgvrpiewbmj.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 )))))))))))))))))))))))))))))))
.

2009-07-20 13:08 . 2009-07-20 13:08 -------- d-----w- c:\users\Mike\AppData\Local\temp
2009-07-15 20:41 . 2009-07-14 22:08 438651 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aescript.dll
2009-07-15 20:41 . 2009-07-14 22:08 430452 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aerdl.dll
2009-07-15 20:41 . 2009-05-15 20:20 127347 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aescn.dll
2009-07-15 20:41 . 2009-04-30 19:33 106868 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aevdf.dll
2009-07-15 20:41 . 2009-07-14 22:08 1855864 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll
2009-07-15 20:41 . 2009-07-14 22:08 229748 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aehelp.dll
2009-07-15 20:41 . 2009-07-14 22:08 180597 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aecore.dll
2009-07-15 20:41 . 2009-07-02 16:39 348532 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aegen.dll
2009-07-15 20:41 . 2009-06-17 19:32 196987 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aeoffice.dll
2009-07-15 20:41 . 2009-05-27 22:10 401783 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aepack.dll
2009-07-15 20:41 . 2008-10-15 15:49 393588 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aeemu.dll
2009-07-15 20:41 . 2008-10-15 15:49 53618 ----a-w- c:\programdata\Avira\AntiVir Desktop\FAILSAVE\aebb.dll
2009-07-15 19:55 . 2009-07-15 19:55 3775176 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-15 19:54 . 2009-07-15 19:54 -------- d-----w- c:\users\Mike\AppData\Roaming\Malwarebytes
2009-07-15 14:00 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-15 14:00 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2009-07-15 14:00 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-15 14:00 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-15 14:00 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-14 17:32 . 2009-07-14 17:32 -------- d-----w- c:\users\Mike\AppData\Local\LaCie
2009-07-14 17:32 . 2009-07-14 17:32 -------- d-----w- c:\users\Mike\AppData\Roaming\Genie-Soft
2009-07-14 17:29 . 2006-11-02 04:50 128104 ----a-w- c:\windows\system32\drivers\WimFltr.sys
2009-07-14 17:29 . 2009-07-14 17:32 -------- d-----w- c:\program files\LaCie
2009-07-07 13:29 . 2009-07-07 13:29 -------- d-----w- c:\programdata\Avira
2009-07-07 13:29 . 2009-07-07 13:29 -------- d-----w- c:\program files\Avira
2009-07-07 13:29 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-07 13:29 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-07 13:14 . 2009-07-07 13:14 -------- d-----w- c:\program files\Safer Networking
2009-07-06 19:29 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 19:29 . 2009-07-15 19:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 19:29 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-06 19:29 . 2009-07-06 19:29 -------- d-----w- c:\programdata\Malwarebytes
2009-07-06 19:25 . 2009-03-09 19:06 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-06 19:24 . 2009-03-09 19:06 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-06 19:23 . 2009-07-06 19:23 -------- dc-h--w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-06 19:23 . 2009-03-12 08:17 2902048 -c--a-w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-07-06 19:23 . 2009-07-06 19:23 -------- d-----w- c:\program files\Lavasoft
2009-07-06 19:17 . 2009-07-06 19:16 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-06 19:16 . 2009-07-07 13:03 -------- d-----w- c:\users\Mike\.housecall6.6
2009-07-06 18:51 . 2009-07-06 18:51 -------- d-----w- c:\users\Mike\AppData\Roaming\DivX
2009-06-29 19:12 . 2009-06-29 19:12 -------- d-----w- c:\windows\system32\ca-ES
2009-06-29 19:12 . 2009-06-29 19:12 -------- d-----w- c:\windows\system32\eu-ES
2009-06-29 19:12 . 2009-06-29 19:12 -------- d-----w- c:\windows\system32\vi-VN
2009-06-29 19:01 . 2009-04-11 06:28 291328 ----a-w- c:\windows\system32\WscEapPr.dll
2009-06-22 17:34 . 2009-06-22 17:34 -------- d-----w- c:\program files\Xvid
2009-06-22 17:34 . 2009-06-07 20:24 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2009-06-22 17:34 . 2009-06-07 20:16 819200 ----a-w- c:\windows\system32\xvidcore.dll
2009-06-22 13:11 . 2009-06-22 13:11 552 ----a-w- c:\users\Mike\AppData\Local\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-20 13:02 . 2008-08-20 13:00 7620 ----a-w- c:\users\Mike\AppData\Local\d3d9caps.dat
2009-07-20 13:01 . 2008-08-15 07:58 2140 ----a-w- c:\windows\bthservsdp.dat
2009-07-20 12:52 . 2009-04-03 13:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-20 12:52 . 2009-04-03 13:20 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-07-17 18:03 . 2008-08-26 18:31 848 --sha-w- c:\programdata\KGyGaAvL.sys
2009-07-17 18:03 . 2008-08-26 18:31 848 --sha-w- c:\programdata\KGyGaAvL.sys
2009-07-16 15:26 . 2008-08-21 20:34 -------- d-----w- c:\users\Mike\AppData\Roaming\Azureus
2009-07-15 19:34 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-15 19:34 . 2008-08-15 12:18 -------- d-----w- c:\programdata\Microsoft Help
2009-07-14 17:31 . 2008-08-15 12:27 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-07-06 19:47 . 2009-02-19 21:14 -------- d-----w- c:\program files\DivX
2009-07-06 19:45 . 2009-03-23 18:03 -------- d-----w- c:\programdata\WebEx
2009-07-06 19:45 . 2008-08-19 05:31 -------- d-----w- c:\program files\Yahoo!
2009-07-06 19:44 . 2009-04-15 20:24 -------- d-----w- c:\programdata\Yahoo!
2009-07-06 19:23 . 2008-08-21 17:37 -------- d-----w- c:\programdata\Lavasoft
2009-06-29 19:12 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-06-29 19:12 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-06-29 19:12 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-06-29 19:12 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-06-29 19:12 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-29 19:12 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-06-29 19:12 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-29 19:08 . 2006-11-02 12:37 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-06-17 18:34 . 2008-08-15 12:30 -------- d-----w- c:\program files\Citrix
2009-06-17 18:34 . 2009-06-17 18:34 70984 ----a-w- c:\users\Mike\g2mdlhlpx.exe
2009-06-12 12:09 . 2009-06-12 12:08 -------- d-----w- c:\users\Mike\AppData\Roaming\U3
2009-05-09 05:50 . 2009-06-10 08:07 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-10 08:07 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-05-07 17:58 . 2009-05-07 17:58 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-30 19:55 . 2008-08-19 04:07 119680 ----a-w- c:\users\Mike\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-23 12:15 . 2009-06-10 08:07 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:14 . 2009-06-10 08:07 623616 ----a-w- c:\windows\system32\localspl.dll
2009-07-07 13:02 . 2008-08-19 07:04 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-08-15 15:52 . 2008-08-15 15:52 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GBMPro8AgentLaCie"="c:\program files\LaCie\Genie Backup Manager Pro\GBMAgent.exe" [2008-09-18 189056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"Whitney2_S2P"="c:\program files\Samsung\Samsung SCX-4725 Series\SPanel\RCP\Scan2pc.exe" [2007-01-24 253952]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"GBMPro8AgentLaCie"="c:\program files\LaCie\Genie Backup Manager Pro\GBMAgent.exe" [2008-09-18 189056]
"LaCie Shortcut Startup"="c:\program files\LaCie\Shortcut Button\LaCieShortcutTrayApp.exe" [2008-09-19 274432]
"Bluetooth HCI Monitor"="HCIMNTR.DLL" - c:\windows\System32\HCIMNTR.DLL [2006-12-07 9728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-08-15 12:30 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Folder Castle Support]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SetPoint.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SetPoint.lnk
backup=c:\windows\pss\SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):35,67,4f,51,ee,f8,c9,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2C20D7C0-F4CB-4FD8-A57A-37A17D4BD655}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{89F924F0-7968-4A25-B8CF-7BFF8A76A44C}"= c:\program files\CyberLink\PowerDVD DX\PowerDVD.exe:CyberLink PowerDVD DX
"{D9FB4B05-2CD1-4A06-AEEF-A23FF04A33E3}"= c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:CyberLink PowerDVD DX Resident Program
"TCP Query User{E78432B3-C3C2-49A3-B65E-1E1039EB0DE5}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{7244BA10-0DDD-48F9-B7E8-15A58056B95B}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{37352BF5-A7E8-4547-95D3-BF6DF97CEA53}c:\\program files\\act\\act for windows\\actsage.exe"= UDP:c:\program files\act\act for windows\actsage.exe:ACT! by Sage
"UDP Query User{C8160C5B-91DF-4F4F-B24E-FD6AFF7409DB}c:\\program files\\act\\act for windows\\actsage.exe"= TCP:c:\program files\act\act for windows\actsage.exe:ACT! by Sage
"TCP Query User{C89A6AC0-B405-4D08-A165-482161FFEEF5}c:\\program files\\act\\act for windows\\actsage.exe"= UDP:c:\program files\act\act for windows\actsage.exe:ACT! by Sage
"UDP Query User{A9C23CC4-3EDE-4E42-99A7-EF084EC5AB56}c:\\program files\\act\\act for windows\\actsage.exe"= TCP:c:\program files\act\act for windows\actsage.exe:ACT! by Sage
"TCP Query User{9D791EB8-8BF1-4C24-8F59-89801D1160B2}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{CBC021ED-71E3-40B2-8C03-7B47214972E6}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{41EF17D9-27EE-4B85-8F78-0C892C0B6609}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{023830FC-5578-4993-8645-3B4B001C87B2}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{DC405FDB-0E9F-4EB4-AAEF-C62372C37C92}c:\\program files\\java\\jre6\\bin\\javaw.exe"= UDP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{85CD9AD8-9B66-41F1-8A0B-082ED5909E8D}c:\\program files\\java\\jre6\\bin\\javaw.exe"= TCP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"TCP Query User{2457950B-B55C-423A-8966-CCE5B6727345}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java™ Platform SE binary
"UDP Query User{18736F9F-6DDE-4A3D-95F2-7F200821283D}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java™ Platform SE binary
"{E6A4C25A-7DCE-4672-87C9-5CD83F7520AB}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D9BB7E4D-11CF-49E8-97B2-BC12B479568D}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{48352ECE-2098-4FFB-B51F-DB86814A6CBD}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{AE514D25-C2B0-48BC-A54B-976346F1DF65}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [7/6/2009 15:24 64160]
R1 RRCtrl;RRCtrl;c:\windows\System32\drivers\RRCTRL.SYS [4/11/2009 10:43 16640]
R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};c:\program files\CyberLink\PowerDVD DX\000.fcl [8/15/2008 08:20 39408]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/7/2009 09:29 108289]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [4/28/2008 16:56 161048]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 22:31 29263712]
R2 SSPORT;SSPORT;c:\windows\System32\drivers\SSPORT.SYS [8/19/2008 04:56 5120]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [2/24/2009 11:08 81920]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [5/14/2008 10:32 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [5/14/2008 10:32 166384]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 15:06 951632]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [7/6/2009 15:29 38160]
S4 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [5/14/2008 10:31 1120752]
S4 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: {165B3239-2565-49DB-8A82-F28631CE44ED} - hxxp://www.cme-equotes.com/webstart/webstart.cab
FF - ProfilePath - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6802tt0b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ms&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ms&p=
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-20 09:08
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD DX\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1222040490-3548352618-2589853025-1003\Software\Magnet\Handlers\LimeWire\Type]
@DACL=(02 0000)
"urn:sha1"=dword:00000000

[HKEY_USERS\S-1-5-21-1222040490-3548352618-2589853025-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CMP\DefaultIcon]
@DACL=(02 0000)
@="c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe, 0"

[HKEY_USERS\S-1-5-21-1222040490-3548352618-2589853025-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CMP\OpenWithList]
@DACL=(02 0000)
@="c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"

[HKEY_USERS\S-1-5-21-1222040490-3548352618-2589853025-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CON\DefaultIcon]
@DACL=(02 0000)
@="c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe, 0"

[HKEY_USERS\S-1-5-21-1222040490-3548352618-2589853025-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CON\OpenWithList]
@DACL=(02 0000)
@="c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"

[HKEY_USERS\S-1-5-21-1222040490-3548352618-2589853025-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.GRP\DefaultIcon]
@DACL=(02 0000)
@="c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe, 0"

[HKEY_USERS\S-1-5-21-1222040490-3548352618-2589853025-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.GRP\OpenWithList]
@DACL=(02 0000)
@="c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"

[HKEY_USERS\S-1-5-21-1222040490-3548352618-2589853025-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-21-1222040490-3548352618-2589853025-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURLNewWindow]
@DACL=(02 0000)
"ProcessName"="iexplore.exe"
"WindowClassName"="DDEMLMom"

[HKEY_USERS\S-1-5-21-1222040490-3548352618-2589853025-1003\Software\Symantec\ACT!]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-21-1222040490-3548352618-2589853025-1003_Classes\LimeWire\DefaultIcon]
@DACL=(02 0000)
@="c:\\Program Files\\LimeWire\\LimeWire.exe,1"

[HKEY_USERS\S-1-5-21-1222040490-3548352618-2589853025-1003_Classes\LimeWire\shell]
@DACL=(02 0000)
.
Completion time: 2009-07-20 9:09
ComboFix-quarantined-files.txt 2009-07-20 13:09

Pre-Run: 270,547,079,168 bytes free
Post-Run: 270,626,566,144 bytes free

284 --- E O F --- 2009-07-19 16:54
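As an added example (not part of this thread and not ComboFix's own code), a small Python triage script that splits a ComboFix log into its sections and pulls out the MSIVX-named driver, DLL and service entries that appear in the log above. The sample input is a constructed excerpt of that log; the "MSIVX prefix plus a long run of random lowercase letters" naming rule is an assumption drawn from this log alone, not a general signature.

```python
import re
from typing import Dict, List

# Constructed sample input: an excerpt of the ComboFix log posted above,
# trimmed to the sections this script reads.
SAMPLE_LOG = r"""
ComboFix 09-07-14.08 - Mike 07/20/2009 9:02.1.4 - NTFSx86
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\CouponPrinter.ocx
c:\windows\system32\drivers\MSIVXwamqjswkmpfeynfssowbdojxmxecbetr.sys
c:\windows\system32\MSIVXcount
c:\windows\System32\MSIVXokxpenjxarusogpahrtnbedlgotaanwo.dll
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 )))))))))))))))))))))))))))))))
.

2009-07-20 13:08 . 2009-07-20 13:08 -------- d-----w- c:\users\Mike\AppData\Local\temp
"""

# ComboFix marks each section with a title wrapped in runs of parentheses.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# Removed services are listed as "-------\Service_<name>".
SERVICE_RE = re.compile(r"^-+\\Service_(.+)$")
# Assumption drawn from this log only: the rootkit's components carry a fixed
# "MSIVX" prefix followed by a long run of random lowercase letters.
RANDOM_NAME_RE = re.compile(r"^MSIVX[a-z]{20,}\.(?:sys|dll)$")


def parse_sections(log: str) -> Dict[str, List[str]]:
    """Split a ComboFix log into {section title: non-empty body lines}."""
    sections: Dict[str, List[str]] = {}
    current = "Header"
    for raw in log.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
            continue
        if line and line != ".":  # ComboFix pads sections with "." lines
            sections.setdefault(current, []).append(line)
    return sections


def basename(path: str) -> str:
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def triage(log: str) -> Dict[str, List[str]]:
    """Group the MSIVX-named artefacts ComboFix removed by what they were."""
    sections = parse_sections(log)
    findings: Dict[str, List[str]] = {
        "kernel_driver": [], "user_mode_dll": [], "service": [], "other": []
    }
    for path in sections.get("Other Deletions", []):
        name = basename(path)
        if not name.upper().startswith("MSIVX"):
            continue
        lower = path.lower()
        if lower.endswith(".sys") and "\\drivers\\" in lower:
            findings["kernel_driver"].append(path)   # loaded in the kernel
        elif lower.endswith(".dll"):
            findings["user_mode_dll"].append(path)   # injected into processes
        else:
            findings["other"].append(path)           # e.g. the MSIVXcount file
    for entry in sections.get("Drivers/Services", []):
        match = SERVICE_RE.match(entry)
        if match and match.group(1).upper().startswith("MSIVX"):
            findings["service"].append(match.group(1))
    return findings


def random_named(findings: Dict[str, List[str]]) -> List[str]:
    """Return the removed files whose names fit the random-suffix pattern."""
    return [basename(p) for key in ("kernel_driver", "user_mode_dll")
            for p in findings[key] if RANDOM_NAME_RE.match(basename(p))]


def full_chain_removed(findings: Dict[str, List[str]]) -> bool:
    """True when driver, DLL and service were all removed: the whole component
    set seen in this log is gone, so a follow-up scan is the next step rather
    than another removal pass."""
    return all(findings[k] for k in ("kernel_driver", "user_mode_dll", "service"))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, items in result.items():
        for item in items:
            print(f"{kind:14} {item}")
    print("random-named:", random_named(result))
    print("full chain removed:", full_chain_removed(result))
```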

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 July 2009 - 03:19 PM

Hi mikedj72,

This fix would be a lot easier with an internet connection so we are going to attempt to reset the network as the removal of the malware has stopped your connection.

Go to the Start Menu, type cmd and right click or (Ctrl + Shift and hit Enter), and select "Run As Administrator"

Type the following commands, each followed by pressing enter.

ipconfig /flushdns
nbtstat -R
nbtstat -RR
netsh int reset all
netsh int ip reset
netsh winsock reset

Please let me know if that deals with it. :thumbup2:

#7 mikedj72

mikedj72
  • Topic Starter

  • Members
  • 12 posts

Posted 21 July 2009 - 09:03 AM

Yes, that was the fix thanks!

Ready for the next step Captain:-)

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 21 July 2009 - 10:40 AM

Okay, that's good news. :thumbup2:

Next we need to run a good online scanner to search for remnants and stray files.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
This should be clear...or nearly clear...

Thanks :)

#9 mikedj72

mikedj72
  • Topic Starter

  • Members
  • 12 posts

Posted 21 July 2009 - 02:36 PM

Looking better. Firefox seems to have no issues. I must go into the folder directory and launch Internet Explorer as an Admin for it to run. All desktop and quicklaunch buttons for IE will not run, you click and nothing happens. Not sure there??

C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\Program Files\Vuze\.install4j\i4j_extf_8_5p83tu.exe a variant of Win32/AdInstaller application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\Process.exe.vir Win32/PrcView application cleaned by deleting - quarantined
D:\2008 Junk\Nero-8.2.8.0_eng_update.exe Win32/Toolbar.AskSBar application deleted - quarantined
D:\2008 Junk\Latest Move\Burn Programs\Nero-8.1.1.0b_eng_trial.exe Win32/Toolbar.AskSBar application deleted - quarantined

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 21 July 2009 - 05:57 PM

There were a few items that ESET has removed. Some were already sitting in quarantine folders and they've gone too.

The IE issue is not connected to malware, though it may have damaged some system files.

We need to run a system file check.

Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'.

Please post back with the results.

#11 mikedj72

mikedj72
  • Topic Starter

  • Members
  • 12 posts

Posted 22 July 2009 - 09:13 AM

Found problems that it could not repair. I had to open notepad as admin to view it, millions of lines of code. Your attach feature would not let me attach it here.

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 22 July 2009 - 11:46 AM

This is what I thought.

I'm afraid you will need to post in another Bleeping forum for help with that, mikedj72. This is a malware removal forum only.

The good news though is that your log is clean of malware.

Good stuff! :thumbup2:

Let's firstly do some housekeeping

Delete ComboFix and Clean Up
Click Start > Run, type combofix /u, and click OK (note the space between combofix and /u).
Please advise if this step is missed for any reason as it performs some important actions.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Here's some advice on how you can keep your PC clean

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


Please post for operating system support here. I hope they can sort out your problem there. :)

Cheers,


m0le

#13 mikedj72

mikedj72
  • Topic Starter

  • Members
  • 12 posts

Posted 23 July 2009 - 08:26 AM

I will post in that section with reference to this thread. Thank you so much for the help! I'll be out of the office today and will do the cleanup tomorrow. At that time, I will also make a donation from your link below. I may have a couple of other systems at our office this infected; I will be sure to bring them here if standard removal fails.

THANKS for digging it up!

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 23 July 2009 - 10:16 AM

Thanks, glad I could help :thumbup2:

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 July 2009 - 12:40 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.