
Malware infection


  • This topic is locked
18 replies to this topic

#1 jigster

jigster

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:30 PM

Posted 14 July 2009 - 08:35 PM

Just spent some time reading the forums and wish I had found you earlier! My PC acquired a virus which caused various audio...commercials, music, etc...and abrupt redirects to google.com and some loss of control over Internet Explorer. It also seemed to turn off the firewall. I ran several scans including AVG, Adaware, SuperAntiSpyware and Malwarebytes which seemed to do the best (I had to rename the file before it would run). Malwarebytes removed everything except for uacinit.dll. I then did a search and found combofix online and ran that. It was able to remove uacinit.dll and my computer seems back to normal, but I'm spooked now. Any chance you could review my logs for problems? I read the Preparation Guide and ran the DDS Tool. The DDS log is below and the ATTACH log is attached. Many thanks if this is possible!


DDS (Ver_09-06-26.01) - NTFSx86
Run by Tom at 21:06:57.93 on Tue 07/14/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.115 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;<local>
uSearchURL,(Default) = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No File
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe
mPolicies-explorer: <NO NAME> =
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
Trusted Zone: fidelity.com
Trusted Zone: usaa.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} - hxxp://download.mcafee.com/molbin/Shared/MGBrwFld.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134700855750
DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} - hxxp://www.nanoscan.com/cabs/nanoinst.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxp://cs5b.instantservice.com/jars/customerxsigned33.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} - hxxp://ib.armstrong.com/ib/databases/actimage30717.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} - hxxp://66.119.139.74/cabs/zinst.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tom\applic~1\mozilla\firefox\profiles\pakdyf95.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-12 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-14 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-14 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-14 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-31 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-19 298776]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-5-17 17149]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2007-5-17 384608]
RUnknown ufqwanh;ufqwanh; [x]
S2 RIOUSB;RioPort.Com Rio500 USB Driver;c:\windows\system32\drivers\RioUsb.sys [2003-2-4 10020]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S3 NMUSB;NMUSB;c:\windows\system32\drivers\Nmusb.sys [2004-1-15 40625]
S3 RIOXDRV;SONICblue Rio generic driver XP+;c:\windows\system32\drivers\RIOXDRV.sys [2003-12-25 18304]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S4 FlipShare Service;FlipShare Service;c:\program files\flip video\flipshare\FlipShareService.exe [2009-2-17 451904]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-1-26 1174152]

=============== Created Last 30 ================

2009-07-14 17:56 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-14 16:02 <DIR> a-dshr-- C:\cmdcons
2009-07-14 15:57 219,648 a------- c:\windows\PEV.exe
2009-07-14 15:57 161,792 a------- c:\windows\SWREG.exe
2009-07-14 15:57 98,816 a------- c:\windows\sed.exe
2009-07-14 12:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-14 12:20 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-14 12:20 <DIR> --d----- c:\docume~1\tom\applic~1\SUPERAntiSpyware.com
2009-07-14 12:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-14 10:12 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-14 10:12 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-13 23:02 <DIR> --d----- c:\docume~1\tom\applic~1\Malwarebytes
2009-07-13 09:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-13 09:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-12 21:52 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-12 21:37 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-12 21:33 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-06-29 22:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar

==================== Find3M ====================

2009-07-07 13:53 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 22:45 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-04-30 17:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 17:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 17:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 17:22 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-04-30 07:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-25 01:30 102,400 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2008-12-08 19:11 109,472 a------- c:\docume~1\tom\applic~1\GDIPFONTCACHEV1.DAT
2008-07-19 15:31 531 a------- c:\documents and settings\tom\Reset.cmd
2004-06-14 16:00 13,824 a------- c:\documents and settings\tom\cnmss Canon MP780 Series Printer (Local).exe
2008-07-19 16:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071920080720\index.dat

============= FINISH: 21:09:41.70 ===============

Attached Files




 


#2 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:06:30 PM

Posted 25 July 2009 - 10:18 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 jigster

jigster
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:30 PM

Posted 27 July 2009 - 03:02 PM

Thanks for the reply! Here are the new logs...


DDS (Ver_09-06-26.01) - NTFSx86
Run by Tom at 15:52:30.34 on Mon 07/27/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.113 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;<local>;*.local
uSearchURL,(Default) = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No File
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [FileHippo.com] "c:\program files\filehippo.com\UpdateChecker.exe" /background
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe
mPolicies-explorer: <NO NAME> =
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: fidelity.com
Trusted Zone: usaa.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} - hxxp://download.mcafee.com/molbin/Shared/MGBrwFld.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134700855750
DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} - hxxp://www.nanoscan.com/cabs/nanoinst.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxp://cs5b.instantservice.com/jars/customerxsigned33.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} - hxxp://ib.armstrong.com/ib/databases/actimage30717.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} - hxxp://66.119.139.74/cabs/zinst.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-12 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-14 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-14 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-14 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-31 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-19 298776]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-5-17 17149]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2007-5-17 384608]
S2 RIOUSB;RioPort.Com Rio500 USB Driver;c:\windows\system32\drivers\riousb.sys --> c:\windows\system32\drivers\RioUsb.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S3 NMUSB;NMUSB;c:\windows\system32\drivers\Nmusb.sys [2004-1-15 40625]
S3 RIOXDRV;SONICblue Rio generic driver XP+;c:\windows\system32\drivers\RIOXDRV.sys [2003-12-25 18304]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S4 FlipShare Service;FlipShare Service;c:\program files\flip video\flipshare\FlipShareService.exe [2009-2-17 451904]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-1-26 1174152]

=============== Created Last 30 ================

2009-07-22 15:38 <DIR> --d----- c:\program files\SyncToy 2.0
2009-07-18 19:16 <DIR> --d----- c:\documents and settings\tom\Tracing
2009-07-18 19:14 <DIR> --d----- c:\program files\Microsoft
2009-07-18 19:14 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-07-18 18:29 <DIR> --d----- c:\program files\iTunes
2009-07-18 18:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-18 18:28 <DIR> --d----- c:\program files\Bonjour
2009-07-18 11:46 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-18 08:01 268,648 a------- c:\windows\system32\mucltui.dll
2009-07-18 08:01 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-07-17 20:10 336 a------- c:\program files\temp995.bat
2009-07-17 11:44 <DIR> --d----- c:\windows\system32\Adobe
2009-07-17 11:39 <DIR> --d----- c:\program files\common files\Windows Live
2009-07-17 10:29 <DIR> --d----- c:\program files\FileHippo.com
2009-07-17 10:05 <DIR> --d----- c:\program files\SpywareBlaster
2009-07-16 13:23 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-16 13:17 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-07-15 18:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 18:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-15 18:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 17:56 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-14 16:02 <DIR> a-dshr-- C:\cmdcons
2009-07-14 12:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-14 12:20 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-14 12:20 <DIR> --d----- c:\docume~1\tom\applic~1\SUPERAntiSpyware.com
2009-07-14 12:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-13 23:02 <DIR> --d----- c:\docume~1\tom\applic~1\Malwarebytes
2009-07-13 09:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-12 21:52 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-12 21:37 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-12 21:33 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-06-29 22:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar

==================== Find3M ====================

2009-07-23 14:34 110,056 a------- c:\docume~1\tom\applic~1\GDIPFONTCACHEV1.DAT
2009-07-07 13:53 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 22:45 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-04-30 17:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 17:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 17:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 17:22 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-04-30 07:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-07-19 15:31 531 a------- c:\documents and settings\tom\Reset.cmd
2004-06-14 16:00 13,824 a------- c:\documents and settings\tom\cnmss Canon MP780 Series Printer (Local).exe
2008-07-19 16:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071920080720\index.dat

============= FINISH: 15:53:34.65 ===============

Attached Files
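As an added example (not code from this thread, and not part of the DDS tool), the Python script below parses a few log lines constructed in the format of the DDS reports posted above, lists the entries whose target is "No File" (registered search hooks, BHOs, toolbars and explorer bars whose DLL is no longer on disk) in the DDS:: form that a helper pastes into CFScript.txt, and flags service entries with an unknown start type, no image file, or an image file DDS marks as unconfirmed. The section titles and entry lines are copied from the posted logs; the parsing rules, the reason strings and the SAMPLE_LOG are my own assumptions about the format.

```python
import re

# Constructed sample (not a real log) in the format of the DDS reports posted in this thread.
SAMPLE_LOG = r"""============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uURLSearchHooks: H - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-12 64160]
RUnknown ufqwanh;ufqwanh; [x]
S2 RIOUSB;RioPort.Com Rio500 USB Driver;c:\windows\system32\drivers\riousb.sys --> c:\windows\system32\drivers\RioUsb.sys [?]
"""

# Entry types in the "Pseudo HJT Report" that load a DLL into the browser; an
# entry of one of these types ending in "- No File" is an orphaned registration.
HJT_TYPES = ("uURLSearchHooks", "mURLSearchHooks", "BHO", "TB", "EB")

# Service/driver line: state letter (R = running, S = stopped), start type
# (digit or "Unknown"), service name, display name, image path.  Assumed format.
SERVICE_RE = re.compile(r"^([RS])(\d+|Unknown)\s+([^;]+);([^;]*);(.*)$")

# Section header: a run of '=' around the title, e.g. "=== Pseudo HJT Report ===".
HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")


def parse_sections(text):
    """Split a DDS log into {section title: [non-blank lines]} using its ===== headers."""
    sections, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def orphaned_hjt_entries(lines):
    """Return HJT-style entries that are registered but whose file is gone ('No File')."""
    return [
        line for line in lines
        if line.split(":", 1)[0] in HJT_TYPES and line.endswith("- No File")
    ]


def suspicious_services(lines):
    """Flag services with an unknown start type, no image file, or an unconfirmed image file.

    Returns a list of (service name, comma-separated reasons).  '[x]' and '[?]'
    are read here as DDS's markers for "no file" and "file not confirmed"; that
    reading is an assumption about the tool's output.
    """
    flagged = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        _state, start, name, _display, image = m.groups()
        image = image.strip()
        reasons = []
        if start == "Unknown":
            reasons.append("unknown start type")
        if image in ("", "[x]"):
            reasons.append("no image file on disk")
        if image.endswith("[?]"):
            reasons.append("image file not confirmed ([?])")
        if reasons:
            flagged.append((name, ", ".join(reasons)))
    return flagged


def cfscript_block(text):
    """Build the DDS:: block of orphaned entries, in the form pasted into CFScript.txt."""
    sections = parse_sections(text)
    orphans = orphaned_hjt_entries(sections.get("Pseudo HJT Report", []))
    return "DDS::\n" + "\n".join(orphans) + "\n"


if __name__ == "__main__":
    print(cfscript_block(SAMPLE_LOG))
    for name, why in suspicious_services(parse_sections(SAMPLE_LOG).get("SERVICES / DRIVERS", [])):
        print(f"service {name}: {why}")
```

Run against a saved DDS.txt by reading the file into `cfscript_block` and `suspicious_services`; the "No File" list is only a starting point for review, since an orphaned toolbar GUID is usually leftover from an uninstall rather than an infection, whereas a running service with a random name and no image file (like the `RUnknown` line in the first log) is what a helper looks at first.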



#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:30 PM

Posted 30 July 2009 - 01:41 PM

Hi jigster,



Welcome to BleepingComputer HijackThis Logs and Malware Removal, :thumbup2:
My name is sundavis, I will be helping you to deal with your Malware problems today.


Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar


Due to the warning from the developer of combofix, this tool should not be run by oneself, unsupervised. Sometimes it will result in an unbootable machine.
It seemed that combofix had removed the culprit from your computer, but we still have some work to do. Please do the following:




Step1

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
DDS::
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;<local>;*.local
uURLSearchHooks: H - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.

[Screenshot: dragging CFScript.txt onto ComboFix.exe]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step2


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step3

Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application's digital signature has been verified. Do you want to run the application?" appears, click on the "Run" button.
  • It will download and install the program and update the database.
  • When the database update has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation.



In your next reply, please post back:

1. ComboFix log
2. KAS Scan Report
3. Fresh DDS log

Tell me how your PC is acting now.
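
As an added example (not from the original post, and not part of the DDS or ComboFix tools), the following Python script reads DDS "Pseudo HJT Report" lines in the format quoted in the CFScript above, picks out the URLSearchHooks/BHO/TB/EB entries marked "No File" (registered browser add-ons whose DLL is gone, the kind of leftover a cleanup leaves behind), and renders them into a DDS:: block. The sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input in the DDS "Pseudo HJT Report" format used in this
# thread. Entries ending in "- No File" point at a registered browser add-on
# (search hook, BHO, toolbar, explorer bar) whose DLL no longer exists.
SAMPLE_DDS = """\
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\\program files\\avg\\avg8\\toolbar\\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
IE: Easy-WebPrint Print - c:\\program files\\canon\\easy-webprint\\Resource.dll/RC_Print.html
"""

# Entry kinds that the DDS:: block of a CFScript is used to remove in this thread.
REMOVABLE_KINDS = {"uURLSearchHooks", "mURLSearchHooks", "BHO", "TB", "EB"}

# Standard 8-4-4-4-12 GUID in braces, as DDS prints CLSIDs.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class DdsEntry:
    kind: str             # e.g. "BHO", "TB", "uURLSearchHooks"
    label: str            # everything between the kind and the target
    target: str           # file path, or the literal "No File"
    clsid: Optional[str]  # GUID if the label carries one
    raw: str              # original line, kept verbatim for the CFScript

    @property
    def orphaned(self) -> bool:
        """True when the registry entry has no backing file on disk."""
        return self.target.strip().lower() == "no file"


def parse_dds_entries(text: str) -> List[DdsEntry]:
    """Parse 'kind: label - target' lines; the target is after the LAST ' - '.

    Splitting from the right keeps names that themselves contain ' - ' intact.
    """
    entries: List[DdsEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ": " not in line:
            continue
        kind, rest = line.split(": ", 1)
        if " - " not in rest:
            continue  # no target on this line (e.g. a bare 'IE: {GUID}'), skip it
        label, target = rest.rsplit(" - ", 1)
        match = CLSID_RE.search(label)
        entries.append(DdsEntry(kind, label, target, match.group(0) if match else None, line))
    return entries


def find_orphans(text: str) -> List[DdsEntry]:
    """Orphaned add-on entries of the kinds a CFScript DDS:: block can remove."""
    return [e for e in parse_dds_entries(text) if e.orphaned and e.kind in REMOVABLE_KINDS]


def build_cfscript(entries: List[DdsEntry]) -> str:
    """Render a DDS:: block: the header followed by each orphaned line verbatim."""
    return "DDS::\n" + "".join(e.raw + "\n" for e in entries)


if __name__ == "__main__":
    # Shows which entries would be dropped and the resulting CFScript text.
    orphans = find_orphans(SAMPLE_DDS)
    for entry in orphans:
        print(f"orphaned {entry.kind:16s} clsid={entry.clsid}")
    print(build_cfscript(orphans))
```

Entries whose target is a real path (the Adobe and AVG lines) are left alone; only the four "No File" references end up in the generated block.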

#5 jigster

jigster
  • Topic Starter

  • Members
  • 9 posts

Posted 31 July 2009 - 09:38 AM

Thanks Sundavis. I removed the Viewpoint programs (thanks for letting me know about those by the way!), ran the ATF cleaner, and have included the scan reports below. My computer seems to be OK now. No more strange audio or google search re-directs. The only problem I have is in updating Malwarebytes and SuperAntiSpyware which is probably a different issue. Even with the Firewall and Antivirus off, neither program will update. Could the security settings of my router be the problem? Thanks for your help!

ComboFix 09-07-29.04 - Tom 07/30/2009 15:18.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.265 [GMT -4:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT
c:\recycler\NPROTECT\01022464.
c:\recycler\NPROTECT\01028383.
c:\recycler\NPROTECT\01028384.
c:\recycler\NPROTECT\01028385.
c:\recycler\NPROTECT\01028386.
c:\recycler\NPROTECT\01028425.
c:\recycler\NPROTECT\01030052.
c:\recycler\NPROTECT\01110826.
c:\recycler\NPROTECT\01155206.
c:\recycler\NPROTECT\01195689.

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 )))))))))))))))))))))))))))))))
.

2009-07-29 13:19 . 2009-07-30 19:40 117760 ----a-w- c:\documents and settings\Tom\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-29 13:14 . 2009-07-29 13:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-22 19:38 . 2009-07-22 19:38 -------- d-----w- c:\program files\SyncToy 2.0
2009-07-22 19:37 . 2009-07-22 19:37 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-07-18 23:16 . 2009-07-30 16:13 -------- d-----w- c:\documents and settings\Tom\Tracing
2009-07-18 23:14 . 2009-07-18 23:14 -------- d-----w- c:\program files\Microsoft
2009-07-18 23:14 . 2009-07-18 23:14 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-18 23:13 . 2009-07-18 23:14 -------- d-----w- c:\program files\Windows Live
2009-07-18 22:29 . 2009-07-18 22:30 -------- d-----w- c:\program files\iTunes
2009-07-18 22:29 . 2009-07-18 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-18 22:28 . 2009-07-18 22:28 -------- d-----w- c:\program files\Bonjour
2009-07-18 22:27 . 2009-07-18 22:30 -------- d-----w- c:\program files\Common Files\Apple
2009-07-18 15:46 . 2009-07-18 15:46 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-18 12:01 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-18 00:10 . 2009-07-18 00:10 336 ----a-w- c:\program files\temp995.bat
2009-07-17 15:44 . 2009-07-17 15:44 -------- d-----w- c:\windows\system32\Adobe
2009-07-17 15:39 . 2009-07-17 15:39 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-17 15:06 . 2009-07-17 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-17 14:29 . 2009-07-17 14:29 -------- d-----w- c:\program files\FileHippo.com
2009-07-17 14:05 . 2009-07-19 00:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-17 14:05 . 2009-07-19 00:36 -------- d-----w- c:\program files\SpywareBlaster
2009-07-16 17:23 . 2009-07-16 17:23 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-16 17:22 . 2009-07-16 17:22 152576 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-16 17:17 . 2009-07-16 17:17 3584 ----a-r- c:\documents and settings\Tom\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-07-16 17:17 . 2009-07-16 17:17 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-07-15 22:20 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 22:20 . 2009-07-15 22:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 22:20 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-14 16:25 . 2009-07-14 16:26 117760 ----a-w- c:\documents and settings\Administrator.DEN\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-14 16:25 . 2009-07-14 16:25 -------- d-----w- c:\documents and settings\Administrator.DEN\Application Data\SUPERAntiSpyware.com
2009-07-14 16:20 . 2009-07-14 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-14 16:20 . 2009-07-29 13:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-14 16:20 . 2009-07-29 13:18 -------- d-----w- c:\documents and settings\Tom\Application Data\SUPERAntiSpyware.com
2009-07-14 03:02 . 2009-07-14 03:02 -------- d-----w- c:\documents and settings\Tom\Application Data\Malwarebytes
2009-07-13 19:08 . 2009-07-13 19:08 -------- d-sh--w- c:\documents and settings\Administrator.DEN\PrivacIE
2009-07-13 19:08 . 2009-07-13 19:08 -------- d-sh--w- c:\documents and settings\Administrator.DEN\IETldCache
2009-07-13 18:22 . 2009-07-13 18:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-13 13:25 . 2009-07-13 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-13 01:52 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-13 01:37 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-13 01:33 . 2009-07-13 01:34 -------- d-----w- c:\program files\Google
2009-07-13 01:33 . 2009-07-13 01:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-13 01:33 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-12 03:34 . 2009-07-12 03:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-30 19:08 . 2004-04-27 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-22 16:00 . 2005-09-26 16:02 -------- d-----w- c:\program files\TweakNow RegCleaner
2009-07-22 16:00 . 2003-01-31 01:39 -------- d-----w- c:\program files\Common Files\Intuit
2009-07-22 15:59 . 2005-01-16 02:50 -------- d-----w- c:\program files\TaxCut04
2009-07-22 15:58 . 2004-02-13 17:05 -------- d-----w- c:\program files\TaxCut03
2009-07-18 23:16 . 2003-01-18 16:17 110056 ----a-w- c:\documents and settings\Tom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-18 22:30 . 2006-12-28 19:46 -------- d-----w- c:\program files\iPod
2009-07-18 00:10 . 2008-01-30 15:14 -------- d-----w- c:\program files\PDF995
2009-07-17 16:23 . 2008-08-09 18:01 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-17 15:08 . 2007-11-04 20:48 -------- d-----w- c:\program files\QuickTime
2009-07-17 15:06 . 2007-06-08 22:22 -------- d-----w- c:\program files\Apple Software Update
2009-07-17 14:41 . 2003-01-28 18:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-16 17:22 . 2008-11-28 21:13 -------- d-----w- c:\program files\Java
2009-07-16 17:17 . 2008-01-02 00:49 -------- d-----w- c:\program files\MSECache
2009-07-15 22:17 . 2003-01-12 04:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-14 13:54 . 2003-12-03 16:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-14 13:54 . 2003-12-03 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-13 19:03 . 2008-06-14 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-13 02:46 . 2009-03-26 19:07 -------- d-----w- c:\program files\Windows Live Safety Center
2009-07-13 01:33 . 2005-09-06 15:43 -------- d-----w- c:\program files\Lavasoft
2009-07-07 17:53 . 2008-06-14 17:51 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 17:09 . 2004-08-24 00:32 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-30 02:50 . 2009-06-30 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-30 02:45 . 2009-06-30 02:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-30 02:45 . 2008-06-14 17:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-30 02:45 . 2008-06-14 17:51 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:36 . 2002-08-29 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2002-08-29 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 20:07 . 2009-06-30 02:50 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-13 19:27 . 2009-06-13 19:27 -------- d-----w- c:\program files\3ivx
2009-06-13 19:27 . 2009-06-13 19:27 -------- d-----w- c:\program files\Flip Video
2009-06-13 19:27 . 2009-06-13 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2009-06-03 19:09 . 2003-12-03 17:43 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:32 . 2008-07-18 15:58 345600 ----a-w- c:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"FileHippo.com"="c:\program files\FileHippo.com\UpdateChecker.exe" [2009-07-01 155136]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-30 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-16 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2007-5-17 884838]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-30 02:45 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Modem-On-Hold.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Modem-On-Hold.lnk
backup=c:\windows\pss\Dell Modem-On-Hold.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TotalMedia Backup Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk
backup=c:\windows\pss\TotalMedia Backup Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Creative Service for CDROM Access"=2 (0x2)
"C-DillaCdaC11BA"=2 (0x2)
"LiveUpdate"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"aawservice"=2 (0x2)
"NVSvc"=2 (0x2)
"iPod Service"=3 (0x3)
"DSBrokerService"=3 (0x3)
"IDriverT"=3 (0x3)
"FlipShare Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Tom\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Documents and Settings\\Tom\\temp\\TeamViewer3\\TeamViewer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [7/12/2009 9:37 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/14/2008 1:51 PM 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [6/14/2008 1:51 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/28/2009 10:53 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/31/2009 8:38 AM 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/19/2009 6:19 PM 298776]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 7408]
S2 RIOUSB;RioPort.Com Rio500 USB Driver;c:\windows\system32\Drivers\RioUsb.sys --> c:\windows\system32\Drivers\RioUsb.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\DNINDIS5.sys [5/17/2007 4:22 PM 17149]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
S3 NMUSB;NMUSB;c:\windows\SYSTEM32\DRIVERS\Nmusb.sys [1/15/2004 12:38 PM 40625]
S3 RIOXDRV;SONICblue Rio generic driver XP+;c:\windows\SYSTEM32\DRIVERS\RIOXDRV.sys [12/25/2003 5:17 PM 18304]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\SYSTEM32\DRIVERS\WPN111.sys [5/17/2007 4:22 PM 384608]
S4 FlipShare Service;FlipShare Service;c:\program files\Flip Video\FlipShare\FlipShareService.exe [2/17/2009 3:59 PM 451904]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: fidelity.com
Trusted Zone: usaa.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} - hxxp://ib.armstrong.com/ib/databases/actimage30717.cab
DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} - hxxp://66.119.139.74/cabs/zinst.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-30 15:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2263892695-3353682049-2362166560-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{175AF4D7-9CF3-F457-BF0E37CACC73FC6B}\{467C247B-D237-138A-478D2C475DF76751}\{0F112251-81FD-FF65-E1D4489D8D443FBC}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2742423D-9B2C-E1F8-2204FBC3D18DB555}\{88A68896-609D-936A-26F31FA12C544D88}\{4CDB3AFE-271E-9455-9E26AF69AD97A138}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2584)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-30 15:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-30 19:49

Pre-Run: 29,264,654,336 bytes free
Post-Run: 29,244,428,288 bytes free

274 --- E O F --- 2009-07-29 00:21




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 31, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, July 30, 2009 22:40:15
Records in database: 2564753
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 155992
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 05:38:24

No malware has been detected. The scan area is clean.

The selected area was scanned.




DDS (Ver_09-06-26.01) - NTFSx86
Run by Tom at 9:50:28.87 on Fri 07/31/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.149 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FileHippo.com\UpdateChecker.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [FileHippo.com] "c:\program files\filehippo.com\UpdateChecker.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe
mPolicies-explorer: <NO NAME> =
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: fidelity.com
Trusted Zone: usaa.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} - hxxp://download.mcafee.com/molbin/Shared/MGBrwFld.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134700855750
DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} - hxxp://www.nanoscan.com/cabs/nanoinst.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxp://cs5b.instantservice.com/jars/customerxsigned33.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} - hxxp://ib.armstrong.com/ib/databases/actimage30717.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} - hxxp://66.119.139.74/cabs/zinst.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-12 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-14 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-14 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-14 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-28 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-31 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-19 298776]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-5-17 17149]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-28 7408]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2007-5-17 384608]
S2 RIOUSB;RioPort.Com Rio500 USB Driver;c:\windows\system32\drivers\riousb.sys --> c:\windows\system32\drivers\RioUsb.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S3 NMUSB;NMUSB;c:\windows\system32\drivers\Nmusb.sys [2004-1-15 40625]
S3 RIOXDRV;SONICblue Rio generic driver XP+;c:\windows\system32\drivers\RIOXDRV.sys [2003-12-25 18304]
S4 FlipShare Service;FlipShare Service;c:\program files\flip video\flipshare\FlipShareService.exe [2009-2-17 451904]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-1-26 1174152]

=============== Created Last 30 ================

2009-07-30 15:16 219,648 a------- c:\windows\PEV.exe
2009-07-30 15:16 161,792 a------- c:\windows\SWREG.exe
2009-07-30 15:16 98,816 a------- c:\windows\sed.exe
2009-07-29 09:14 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-22 15:38 <DIR> --d----- c:\program files\SyncToy 2.0
2009-07-18 19:16 <DIR> --d----- c:\documents and settings\tom\Tracing
2009-07-18 19:14 <DIR> --d----- c:\program files\Microsoft
2009-07-18 19:14 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-07-18 18:29 <DIR> --d----- c:\program files\iTunes
2009-07-18 18:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-18 18:28 <DIR> --d----- c:\program files\Bonjour
2009-07-18 11:46 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-18 08:01 268,648 a------- c:\windows\system32\mucltui.dll
2009-07-18 08:01 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-07-17 20:10 336 a------- c:\program files\temp995.bat
2009-07-17 11:44 <DIR> --d----- c:\windows\system32\Adobe
2009-07-17 11:39 <DIR> --d----- c:\program files\common files\Windows Live
2009-07-17 10:29 <DIR> --d----- c:\program files\FileHippo.com
2009-07-17 10:05 <DIR> --d----- c:\program files\SpywareBlaster
2009-07-16 13:23 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-16 13:17 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-07-15 18:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 18:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-15 18:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 17:56 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-14 16:02 <DIR> a-dshr-- C:\cmdcons
2009-07-14 12:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-14 12:20 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-14 12:20 <DIR> --d----- c:\docume~1\tom\applic~1\SUPERAntiSpyware.com
2009-07-13 23:02 <DIR> --d----- c:\docume~1\tom\applic~1\Malwarebytes
2009-07-13 09:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-12 21:52 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-12 21:37 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-12 21:33 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}

==================== Find3M ====================

2009-07-23 14:34 110,056 a------- c:\docume~1\tom\applic~1\GDIPFONTCACHEV1.DAT
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-07 13:53 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 07:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 22:45 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2008-07-19 15:31 531 a------- c:\documents and settings\tom\Reset.cmd
2004-06-14 16:00 13,824 a------- c:\documents and settings\tom\cnmss Canon MP780 Series Printer (Local).exe
2008-07-19 16:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071920080720\index.dat

============= FINISH: 9:51:27.68 ===============


#6 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 31 July 2009 - 10:16 AM

Hi jigster,


The only problem I have is in updating Malwarebytes and SuperAntiSpyware which is probably a different issue


We will deal with that later.

There is one important file missing; we need to restore this file and check whether the system still remains a clean one. If not, we need the XP installation disc, or to copy that file from another computer.

Do you have the XP installation disc handy, or a computer with the same OS (XP Home Edition) around? Specify that info in your next reply. Thanks.



Step 1

Go Start > Run and copy/paste the following bold command into the Run box and click OK:

cmd /c PEV -l "%systemdrive%\proquota.exe" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply. Thanks.

#7 jigster

  • Topic Starter
  • Members
  • 9 posts

Posted 31 July 2009 - 10:56 AM

Yes, I have "Reinstallation CD Microsoft Windows XP Home Edition Including Service Pack 1". And here is Log.txt...

----a-w- 45,056 2002-08-29 11:00:00 C:\I386\PROQUOTA.EXE
-c----w- 50,176 2004-08-04 05:56:56 C:\WINDOWS\$NtServicePackUninstall$\proquota.exe
----a-w- 50,176 2008-04-14 09:42:34 C:\WINDOWS\ServicePackFiles\i386\proquota.exe
----a-w- 50,176 2004-08-04 07:56:55 C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\proquota.exe
----a-w- 50,176 2008-04-14 00:12:32 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe

Entries: 5 (5)
Directories: 0 Files: 5
Bytes: 245,760 Blocks: 480

#8 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 31 July 2009 - 11:12 AM

Hi jigster,



Well done! Let's check the file and make sure it's a legit one.


Step 2

Please go to Virus Total.

Copy/paste the following file path into the text box next to the Browse button at the top of the page.

C:\WINDOWS\ServicePackFiles\i386\proquota.exe

If the file was analyzed before, click the Reanalyse file now button.

Then repeat the process with the following:

C:\WINDOWS\$NtServicePackUninstall$\proquota.exe


Click the Send File button, copy the "Scanner results", and paste the contents into your next reply. Thanks.

#9 jigster

  • Topic Starter
  • Members
  • 9 posts

Posted 31 July 2009 - 11:51 AM

Hi Sundavis, Partly successful. Virus Total would not let me paste the file names into the text box (or type the name in), but I was able to use the browse button to enter the first file. Unfortunately, I was not able to browse to the second file...it must be hidden. I'll keep trying to find it. In the meantime, here are the results of the first file...


File proquota.exe received on 2009.07.31 16:38:11 (UTC)

Result: 1/41 (2.44%)


Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.31 -
AhnLab-V3 5.0.0.2 2009.07.31 -
AntiVir 7.9.0.238 2009.07.31 -
Antiy-AVL 2.0.3.7 2009.07.31 -
Authentium 5.1.2.4 2009.07.31 -
Avast 4.8.1335.0 2009.07.30 -
AVG 8.5.0.406 2009.07.31 -
BitDefender 7.2 2009.07.31 -
CAT-QuickHeal 10.00 2009.07.30 -
ClamAV 0.94.1 2009.07.31 -
Comodo 1824 2009.07.31 -
DrWeb 5.0.0.12182 2009.07.31 -
eSafe 7.0.17.0 2009.07.30 -
eTrust-Vet 31.6.6649 2009.07.31 -
F-Prot 4.4.4.56 2009.07.30 -
F-Secure 8.0.14470.0 2009.07.31 -
Fortinet 3.120.0.0 2009.07.31 -
GData 19 2009.07.31 -
Ikarus T3.1.1.64.0 2009.07.31 -
Jiangmin 11.0.800 2009.07.31 -
K7AntiVirus 7.10.807 2009.07.31 -
Kaspersky 7.0.0.125 2009.07.31 -
McAfee 5693 2009.07.30 -
McAfee+Artemis 5693 2009.07.30 -
McAfee-GW-Edition 6.8.5 2009.07.31 Heuristic.LooksLike.Trojan.Luder.Patched.H
Microsoft 1.4903 2009.07.31 -
NOD32 4294 2009.07.31 -
Norman 6.01.09 2009.07.31 -
nProtect 2009.1.8.0 2009.07.31 -
Panda 10.0.0.14 2009.07.31 -
PCTools 4.4.2.0 2009.07.31 -
Prevx 3.0 2009.07.31 -
Rising 21.40.44.00 2009.07.31 -
Sophos 4.44.0 2009.07.31 -
Sunbelt 3.2.1858.2 2009.07.31 -
Symantec 1.4.4.12 2009.07.31 -
TheHacker 6.3.4.3.374 2009.07.30 -
TrendMicro 8.950.0.1094 2009.07.31 -
VBA32 3.12.10.9 2009.07.31 -
ViRobot 2009.7.31.1863 2009.07.31 -
VirusBuster 4.6.5.0 2009.07.31 -
Additional information
File size: 50176 bytes
MD5...: f6465a2eef75468988a4fcf124148fa8
SHA1..: 7e9e1e961253bd96edf7380db2f6a6523d49c375
SHA256: ab37f4bf8360e484a147fc06bf1f78c716842bf6d0edc09591eafb89b896c801
ssdeep: 768:bBCE36hfZJxrlgM/LZ3lsZSXiCoDotlc9iF5XQW2fA8aKXZhyMoIFVSR:bv36hfZJxrl3Z3mSmMtlc8bXOyMVVS

PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3b3c
timedatestamp.....: 0x4802519e (Sun Apr 13 18:31:58 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9b26 0x9c00 6.59 85cf541232399c762bf81ad39e7e4643
.data 0xb000 0x20d4 0xa00 4.05 bbe275705ec96e0e4c89af7138e536ef
.rsrc 0xe000 0x1998 0x1a00 3.92 1d855ebbc66ae12f747c84aaf7703cc6

( 5 imports )
> SHELL32.dll: -, Shell_NotifyIconW
> COMCTL32.dll: -
> ADVAPI32.dll: GetAce, RegNotifyChangeKeyValue, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, SetSecurityInfo, GetSecurityInfo
> KERNEL32.dll: FlushFileBuffers, GetEnvironmentStrings, GetSystemInfo, LocalFree, GetCurrentProcess, lstrcpyW, ExpandEnvironmentStringsW, LocalReAlloc, LocalAlloc, lstrlenW, FindNextFileW, CompareStringW, FindClose, lstrcmpiW, GetLastError, FindFirstFileW, SetLastError, LeaveCriticalSection, EnterCriticalSection, ExitThread, GetEnvironmentVariableW, SetEvent, FindCloseChangeNotification, Sleep, WaitForMultipleObjects, FindNextChangeNotification, CloseHandle, CreateEventW, FindFirstChangeNotificationW, ResumeThread, SetThreadPriority, CreateThread, WaitForSingleObject, InitializeCriticalSection, SetProcessShutdownParameters, OpenEventW, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoA, GetCommandLineA, GetVersionExA, ExitProcess, GetProcAddress, GetModuleHandleA, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, VirtualProtect, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, HeapDestroy, HeapCreate, VirtualFree, HeapFree, LoadLibraryA, GetACP, GetOEMCP, GetCPInfo, HeapAlloc, VirtualAlloc, HeapReAlloc, RtlUnwind, InterlockedExchange, VirtualQuery, SetFilePointer, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, SetStdHandle, GetLocaleInfoA
> USER32.dll: LoadStringW, SendMessageW, SetWindowPos, GetDesktopWindow, GetParent, GetSystemMetrics, GetWindowLongW, GetWindowRect, SetForegroundWindow, CheckDlgButton, GetClientRect, EndDialog, PostMessageW, GetDlgItem, IsDlgButtonChecked, SendDlgItemMessageW, SetDlgItemTextW, KillTimer, SetTimer, LoadImageW, DialogBoxParamW, MessageBoxW, DefWindowProcW, LoadIconW, PostQuitMessage, DispatchMessageW, TranslateMessage, GetMessageW, CreateWindowExW, RegisterClassW

( 0 exports )

PDFiD.: -
RDS...: NSRL Reference Data Set
-
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=f6465a2eef75468988a4fcf124148fa8


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

#10 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 31 July 2009 - 12:13 PM

Hi jigster,


  • Go to Start Menu > Search > click All Files and Folders,
  • scroll down to Advanced Options, which is the last option,
  • click that and then make sure there is a check next to Search System Folders, Search Hidden Files and Folders, and Search Subfolders,
  • search for "proquota.exe"; the following file paths should then be displayed:

C:\I386\PROQUOTA.EXE
C:\WINDOWS\$NtServicePackUninstall$\proquota.exe
C:\WINDOWS\ServicePackFiles\i386\proquota.exe
C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\proquota.exe
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe


Right-click the proquota.exe at the file path C:\WINDOWS\$NtServicePackUninstall$\proquota.exe.

Copy and paste the file to your desktop, then use the Browse button to navigate to this file and upload it for scanning.

By the way, can you scan the first file again with Jotti's Scan? The first result is not what I'm expecting. Thanks.

#11 jigster

  • Topic Starter
  • Members
  • 9 posts

Posted 31 July 2009 - 01:43 PM

I found C:\WINDOWS\$NtServicePackUninstall$\proquota.exe using the search technique you supplied, copied it to the desktop and scanned it with Virus Total. Here is that result followed by the Jotti's Scan of both files...


File proquota.exe received on 2009.07.31 18:35:55 (UTC)

Result: 1/41 (2.44%)


Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.31 -
AhnLab-V3 5.0.0.2 2009.07.31 -
AntiVir 7.9.0.238 2009.07.31 -
Antiy-AVL 2.0.3.7 2009.07.31 -
Authentium 5.1.2.4 2009.07.31 -
Avast 4.8.1335.0 2009.07.30 -
AVG 8.5.0.406 2009.07.31 -
BitDefender 7.2 2009.07.31 -
CAT-QuickHeal 10.00 2009.07.30 -
ClamAV 0.94.1 2009.07.31 -
Comodo 1826 2009.07.31 -
DrWeb 5.0.0.12182 2009.07.31 -
eSafe 7.0.17.0 2009.07.30 -
eTrust-Vet 31.6.6649 2009.07.31 -
F-Prot 4.4.4.56 2009.07.30 -
F-Secure 8.0.14470.0 2009.07.31 -
Fortinet 3.120.0.0 2009.07.31 -
GData 19 2009.07.31 -
Ikarus T3.1.1.64.0 2009.07.31 -
Jiangmin 11.0.800 2009.07.31 -
K7AntiVirus 7.10.807 2009.07.31 -
Kaspersky 7.0.0.125 2009.07.31 -
McAfee 5693 2009.07.30 -
McAfee+Artemis 5694 2009.07.31 -
McAfee-GW-Edition 6.8.5 2009.07.31 Heuristic.LooksLike.Trojan.Luder.Patched.H
Microsoft 1.4903 2009.07.31 -
NOD32 4294 2009.07.31 -
Norman 6.01.09 2009.07.31 -
nProtect 2009.1.8.0 2009.07.31 -
Panda 10.0.0.14 2009.07.31 -
PCTools 4.4.2.0 2009.07.31 -
Prevx 3.0 2009.07.31 -
Rising 21.40.44.00 2009.07.31 -
Sophos 4.44.0 2009.07.31 -
Sunbelt 3.2.1858.2 2009.07.31 -
Symantec 1.4.4.12 2009.07.31 -
TheHacker 6.3.4.3.374 2009.07.30 -
TrendMicro 8.950.0.1094 2009.07.31 -
VBA32 3.12.10.9 2009.07.31 -
ViRobot 2009.7.31.1863 2009.07.31 -
VirusBuster 4.6.5.0 2009.07.31 -
Additional information
File size: 50176 bytes
MD5...: 4d9d45a4370e0c2ad00c362b7118e2a4
SHA1..: 26a78e4a24f67cb307d5e87ca2124574f66d66a7
SHA256: 27afd43fefc7a53638596232c27027a9ebe80bdb6e813b36ca25cb4956f0d160
ssdeep: 1536:a3who4+5mBysA3myWMFiuXE7XkBsp6WGT:c3x5WQVWMFisQespET

PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3b14
timedatestamp.....: 0x41107b66 (Wed Aug 04 06:00:06 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9b06 0x9c00 6.58 e9a6cae570979c35162df4fddcc604df
.data 0xb000 0x20d4 0xa00 4.05 2897cac1ef499fc47f3627f5a3dacc4f
.rsrc 0xe000 0x19a8 0x1a00 3.93 e3231dd2b030236a2843d53dd970e6e2

( 5 imports )
> SHELL32.dll: -, Shell_NotifyIconW
> COMCTL32.dll: -
> ADVAPI32.dll: GetAce, RegNotifyChangeKeyValue, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, SetSecurityInfo, GetSecurityInfo
> KERNEL32.dll: FlushFileBuffers, GetEnvironmentStrings, GetSystemInfo, LocalFree, GetCurrentProcess, lstrcpyW, ExpandEnvironmentStringsW, LocalReAlloc, LocalAlloc, lstrlenW, FindNextFileW, CompareStringW, FindClose, lstrcmpiW, GetLastError, FindFirstFileW, SetLastError, LeaveCriticalSection, EnterCriticalSection, ExitThread, GetEnvironmentVariableW, SetEvent, FindCloseChangeNotification, Sleep, WaitForMultipleObjects, FindNextChangeNotification, CloseHandle, CreateEventW, FindFirstChangeNotificationW, ResumeThread, SetThreadPriority, CreateThread, WaitForSingleObject, InitializeCriticalSection, SetProcessShutdownParameters, OpenEventW, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoA, GetCommandLineA, GetVersionExA, ExitProcess, GetProcAddress, GetModuleHandleA, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, VirtualProtect, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, HeapDestroy, HeapCreate, VirtualFree, HeapFree, LoadLibraryA, GetACP, GetOEMCP, GetCPInfo, HeapAlloc, VirtualAlloc, HeapReAlloc, RtlUnwind, InterlockedExchange, VirtualQuery, SetFilePointer, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, SetStdHandle, GetLocaleInfoA
> USER32.dll: LoadStringW, SendMessageW, SetWindowPos, GetDesktopWindow, GetParent, GetSystemMetrics, GetWindowLongW, GetWindowRect, SetForegroundWindow, CheckDlgButton, GetClientRect, EndDialog, PostMessageW, GetDlgItem, IsDlgButtonChecked, SendDlgItemMessageW, SetDlgItemTextW, KillTimer, SetTimer, LoadImageW, DialogBoxParamW, MessageBoxW, DefWindowProcW, LoadIconW, PostQuitMessage, DispatchMessageW, TranslateMessage, GetMessageW, CreateWindowExW, RegisterClassW

( 0 exports )

PDFiD.: -
RDS...: NSRL Reference Data Set

( Microsoft )

> MSDN Disc 2428.5: proquota.exe
> MSDN Disc 2428.4: proquota.exe
> MSDN Disc 2428.8: proquota.exe
> Operating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: proquota.exe
> Virtual PC for Mac Windows XP Professional Edition: proquota.exe
> Virtual PC for Mac Windows XP Home Edition: proquota.exe

( Gateway )

> Gateway Operating System Windows XP Pro Edition SP2: proquota.exe


ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=4d9d45a4370e0c2ad00c362b7118e2a4



---------------------------------------------------------------------------
For C:\WINDOWS\ServicePackFiles\i386\proquota.exe


Jotti's malware scan
Filename: proquota.exe
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Fri 31 Jul 2009 20:36:40 (CET)



--------------------------------------------------------------------------------
Additional info
File size: 50176 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: f6465a2eef75468988a4fcf124148fa8
SHA1: 7e9e1e961253bd96edf7380db2f6a6523d49c375

Scanners (21 engines, updated 2009-07-30/31): all reported "Found nothing".


-----------------------------------------------------------------------------------------------

For C:\WINDOWS\$NtServicePackUninstall$\proquota.exe


Jotti's malware scan
Filename: proquota.exe
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Fri 31 Jul 2009 20:38:45 (CET)



--------------------------------------------------------------------------------
Additional info
File size: 50176 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 4d9d45a4370e0c2ad00c362b7118e2a4
SHA1: 26a78e4a24f67cb307d5e87ca2124574f66d66a7

Scanners (21 engines, updated 2009-07-30/31): all reported "Found nothing".
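
The two VirusTotal reports above (one heuristic hit out of 41 engines on each file, and an NSRL Reference Data Set match for the $NtServicePackUninstall$ copy) are the raw text a responder has to read before deciding whether a system file is a patched trojan or a false positive. The Python below is an added example, not part of the thread and not VirusTotal's own tooling: it parses the plain-text table layout pasted above and applies the same triage the thread does by hand (detection ratio, which engines fired, whether every hit is a heuristic/generic verdict, whether the hash is in a known-good set). The two embedded reports are constructed, abbreviated excerpts of the posts above (engine rows trimmed; hashes and the RDS block copied from the thread), and the list of heuristic markers is an assumption, not a VirusTotal convention.

```python
import re

# Constructed excerpt in the layout VirusTotal used when these reports were
# pasted: widget text, then the engine table, then "Additional information".
# Rows are trimmed to a handful; hashes and the RDS block are copied from the
# thread's second report (the $NtServicePackUninstall$ copy).
REPORT_NSRL_MATCH = """\
Your file is queued in position: 3.
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.31 -
AVG 8.5.0.406 2009.07.31 -
McAfee 5693 2009.07.30 -
McAfee-GW-Edition 6.8.5 2009.07.31 Heuristic.LooksLike.Trojan.Luder.Patched.H
Microsoft 1.4903 2009.07.31 -
Additional information
File size: 50176 bytes
MD5...: 4d9d45a4370e0c2ad00c362b7118e2a4
SHA1..: 26a78e4a24f67cb307d5e87ca2124574f66d66a7
RDS...: NSRL Reference Data Set

( Microsoft )

> MSDN Disc 2428.5: proquota.exe
"""

# Same layout for the thread's first report (ServicePackFiles copy): the
# same single heuristic hit, but no NSRL entry (a bare "-").
REPORT_NO_NSRL = """\
Antivirus Version Last Update Result
AVG 8.5.0.406 2009.07.31 -
McAfee-GW-Edition 6.8.5 2009.07.31 Heuristic.LooksLike.Trojan.Luder.Patched.H
Microsoft 1.4903 2009.07.31 -
Additional information
MD5...: f6465a2eef75468988a4fcf124148fa8
RDS...: NSRL Reference Data Set
-
"""

TABLE_HEADER = "Antivirus Version Last Update Result"
DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")
# Assumed markers of heuristic/generic verdicts; not an official list.
HEURISTIC_MARKERS = ("heuristic", "lookslike", "suspicious", "generic", "packed")


def parse_engine_rows(text):
    """Engine rows as dicts; result is None when the engine reported '-'.
    Engine names in this layout are single tokens, so split on whitespace and
    treat everything after the date column as the result string."""
    rows, in_table = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == TABLE_HEADER:
            in_table = True
            continue
        if line.startswith("Additional information"):
            break
        if not in_table or not line:
            continue
        parts = line.split()
        if len(parts) < 4 or not DATE_RE.match(parts[2]):
            continue  # widget text or a wrapped line, not an engine row
        result = " ".join(parts[3:])
        rows.append({"engine": parts[0], "version": parts[1], "updated": parts[2],
                     "result": None if result == "-" else result})
    return rows


def parse_hashes(text):
    """MD5/SHA1/SHA256 lines from the 'Additional information' block."""
    hashes = {}
    for raw in text.splitlines():
        m = re.match(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9A-Fa-f]+)$", raw.strip())
        if m:
            hashes[m.group(1)] = m.group(2).lower()
    return hashes


def in_nsrl(text):
    """True when the RDS block names a product set; a bare '-' means no match."""
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("RDS...:"):
            following = [x for x in lines[i + 1:] if x]
            return bool(following) and following[0].startswith("(")
    return False


def triage(text):
    rows = parse_engine_rows(text)
    hits = [r for r in rows if r["result"]]
    heuristic_only = bool(hits) and all(
        any(m in r["result"].lower() for m in HEURISTIC_MARKERS) for r in hits)
    nsrl = in_nsrl(text)
    if not hits:
        verdict = "clean"
    elif len(hits) == 1 and heuristic_only and nsrl:
        verdict = "likely-false-positive"  # one heuristic engine vs. a known-good hash
    elif heuristic_only and len(hits) <= 2:
        verdict = "second-opinion"  # low confidence: rescan elsewhere, compare hashes
    else:
        verdict = "treat-as-malicious"
    return {"ratio": f"{len(hits)}/{len(rows)}",
            "hits": {r["engine"]: r["result"] for r in hits},
            "heuristic_only": heuristic_only, "in_nsrl": nsrl,
            "hashes": parse_hashes(text), "verdict": verdict}


if __name__ == "__main__":
    for label, report in (("ServicePackFiles copy", REPORT_NO_NSRL),
                          ("uninstall copy", REPORT_NSRL_MATCH)):
        print(label, triage(report))
```

The verdict thresholds are deliberately conservative: a single heuristic "LooksLike ... Patched" hit on a hash that a reference data set already lists is the pattern of a false positive, but without that corroboration the script asks for a second scanner rather than declaring the file clean, which is exactly the Jotti's rescan the thread requests.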

#12 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 31 July 2009 - 06:34 PM

Hi jigster,



You're doing well. The McAfee-GW-Edition hit could be a false positive, and the file in your system should be a clean one. We are almost there. Please do the following:


Step 3
  • Close any open browsers
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
FCopy::
C:\WINDOWS\ServicePackFiles\i386\proquota.exe | C:\Windows\system32\proquota.exe


Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


After that, please check your MBAM or SuperAntiSpyware to see if the update problem still persists. If yes, please uninstall MBAM and reinstall it. Tell me how it goes. Thanks.
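
The PEV -l listing in Step 1 and the FCopy:: directive in Step 3 are, taken together, an integrity check followed by a restore: enumerate every copy of proquota.exe the system holds, pick a copy whose hash has been vetted, write it back into system32 (the ComboFix log that follows shows dllcache refreshed at the same time), and confirm the written files match the source. The Python script below is an added example, not PEV's or ComboFix's code, that performs those steps against a constructed directory tree built under tempfile so it runs on any OS. The directory layout mirrors the paths PEV listed in the thread; the file contents are constructed placeholders, not real binaries.

```python
import hashlib
import os
import shutil
import tempfile

# Locations where XP keeps copies of a system binary, as PEV listed them in
# the thread.  Stored as path components so the demo runs on any OS; on a
# real XP system they sit under C:\.
SYSTEM32 = ("WINDOWS", "system32")
DLLCACHE = ("WINDOWS", "system32", "dllcache")
SERVICEPACK = ("WINDOWS", "ServicePackFiles", "i386")
SP_UNINSTALL = ("WINDOWS", "$NtServicePackUninstall$")
INSTALL_SRC = ("I386",)


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_copies(root, name):
    """All files under root named `name`, matched case-insensitively
    (PEV listed PROQUOTA.EXE and proquota.exe side by side)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def audit_copies(root, name, reference):
    """Map each copy found to True when its hash equals the reference copy."""
    ref_hash = sha256_of(reference)
    return {path: sha256_of(path) == ref_hash for path in find_copies(root, name)}


def restore_from_reference(root, name, reference, target_dirs):
    """Copy the reference into each target directory (what FCopy:: did for
    system32; ComboFix's log shows dllcache refreshed too) and verify every
    written file by hash.  Returns {written_path: verified}."""
    ref_hash = sha256_of(reference)
    results = {}
    for parts in target_dirs:
        directory = os.path.join(root, *parts)
        os.makedirs(directory, exist_ok=True)
        dest = os.path.join(directory, name)
        shutil.copy2(reference, dest)
        results[dest] = sha256_of(dest) == ref_hash
    return results


def build_demo_tree():
    """Constructed fixture mirroring the thread: the SP1 install source, the
    SP2 uninstall backup and the SP3 ServicePackFiles copy exist; the live
    system32 copy and its dllcache twin are missing.  Contents are
    placeholders, not real executables."""
    root = tempfile.mkdtemp(prefix="proquota_demo_")
    fixtures = {
        INSTALL_SRC: b"constructed SP1 build of proquota.exe",
        SP_UNINSTALL: b"constructed SP2 build of proquota.exe",
        SERVICEPACK: b"constructed SP3 build of proquota.exe",
    }
    for parts, content in fixtures.items():
        directory = os.path.join(root, *parts)
        os.makedirs(directory)
        with open(os.path.join(directory, "proquota.exe"), "wb") as fh:
            fh.write(content)
    os.makedirs(os.path.join(root, *DLLCACHE))  # empty system32 and dllcache
    return root


def reference_path(root):
    """The copy the thread chose as trusted: the ServicePackFiles one."""
    return os.path.join(root, *SERVICEPACK, "proquota.exe")


def demo():
    """Audit, restore, audit again; returns the three result tables."""
    root = build_demo_tree()
    ref = reference_path(root)
    before = audit_copies(root, "proquota.exe", ref)
    restored = restore_from_reference(root, "proquota.exe", ref, [SYSTEM32, DLLCACHE])
    after = audit_copies(root, "proquota.exe", ref)
    shutil.rmtree(root)
    return before, restored, after


if __name__ == "__main__":
    for label, table in zip(("before restore", "written", "after restore"), demo()):
        print(f"--- {label} ---")
        for path, ok in table.items():
            print(f"{'MATCH' if ok else 'DIFFERS'}  {path}")
```

Two points the script makes that the thread only implies: copies from different service-pack levels legitimately differ (the SP2 uninstall backup and the SP3 copy are both clean yet hash differently, which is why a hash mismatch alone proves nothing), and the restore is only finished once the written file, and its dllcache twin, hash identically to the vetted source.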

#13 jigster

  • Topic Starter
  • Members
  • 9 posts

Posted 31 July 2009 - 08:24 PM

Thanks Sundavis...I'll post the latest CF log below. Unfortunately, MBAM and SuperAntiSpyware still don't update. I re-installed MBAM, but still get the same Error Code 732 (0,0)...even with the Firewall and Antivirus off. But, I was more worried about a lurking virus and I feel we're making good headway on that issue. I appreciate all your time!

ComboFix 09-07-31.02 - Tom 07/31/2009 20:46.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.311 [GMT -4:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\proquota.exe --> c:\windows\system32\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-08-01 00:46 . 2008-04-14 09:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-01 00:46 . 2008-04-14 09:42 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-29 13:19 . 2009-07-31 15:41 117760 ----a-w- c:\documents and settings\Tom\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-29 13:14 . 2009-07-29 13:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-22 19:38 . 2009-07-22 19:38 -------- d-----w- c:\program files\SyncToy 2.0
2009-07-22 19:37 . 2009-07-22 19:37 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-07-18 23:16 . 2009-07-31 19:28 -------- d-----w- c:\documents and settings\Tom\Tracing
2009-07-18 23:14 . 2009-07-18 23:14 -------- d-----w- c:\program files\Microsoft
2009-07-18 23:14 . 2009-07-18 23:14 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-18 23:13 . 2009-07-18 23:14 -------- d-----w- c:\program files\Windows Live
2009-07-18 22:29 . 2009-07-18 22:30 -------- d-----w- c:\program files\iTunes
2009-07-18 22:29 . 2009-07-18 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-18 22:28 . 2009-07-18 22:28 -------- d-----w- c:\program files\Bonjour
2009-07-18 22:27 . 2009-07-18 22:30 -------- d-----w- c:\program files\Common Files\Apple
2009-07-18 15:46 . 2009-07-18 15:46 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-18 12:01 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-18 00:10 . 2009-07-18 00:10 336 ----a-w- c:\program files\temp995.bat
2009-07-17 15:44 . 2009-07-17 15:44 -------- d-----w- c:\windows\system32\Adobe
2009-07-17 15:39 . 2009-07-17 15:39 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-17 15:06 . 2009-07-17 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-17 14:29 . 2009-07-17 14:29 -------- d-----w- c:\program files\FileHippo.com
2009-07-17 14:05 . 2009-07-19 00:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-17 14:05 . 2009-07-19 00:36 -------- d-----w- c:\program files\SpywareBlaster
2009-07-16 17:23 . 2009-07-16 17:23 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-16 17:22 . 2009-07-16 17:22 152576 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-16 17:17 . 2009-07-16 17:17 3584 ----a-r- c:\documents and settings\Tom\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-07-16 17:17 . 2009-07-16 17:17 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-07-15 22:20 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 22:20 . 2009-07-15 22:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 22:20 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-14 16:25 . 2009-07-14 16:26 117760 ----a-w- c:\documents and settings\Administrator.DEN\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-14 16:25 . 2009-07-14 16:25 -------- d-----w- c:\documents and settings\Administrator.DEN\Application Data\SUPERAntiSpyware.com
2009-07-14 16:20 . 2009-07-14 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-14 16:20 . 2009-07-29 13:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-14 16:20 . 2009-07-29 13:18 -------- d-----w- c:\documents and settings\Tom\Application Data\SUPERAntiSpyware.com
2009-07-14 03:02 . 2009-07-14 03:02 -------- d-----w- c:\documents and settings\Tom\Application Data\Malwarebytes
2009-07-13 19:08 . 2009-07-13 19:08 -------- d-sh--w- c:\documents and settings\Administrator.DEN\PrivacIE
2009-07-13 19:08 . 2009-07-13 19:08 -------- d-sh--w- c:\documents and settings\Administrator.DEN\IETldCache
2009-07-13 18:22 . 2009-07-13 18:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-13 13:25 . 2009-07-13 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-13 01:52 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-13 01:37 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-13 01:33 . 2009-07-13 01:34 -------- d-----w- c:\program files\Google
2009-07-13 01:33 . 2009-07-13 01:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-13 01:33 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-12 03:34 . 2009-07-12 03:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 15:39 . 2008-08-09 18:01 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-30 19:08 . 2004-04-27 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-22 16:00 . 2005-09-26 16:02 -------- d-----w- c:\program files\TweakNow RegCleaner
2009-07-22 16:00 . 2003-01-31 01:39 -------- d-----w- c:\program files\Common Files\Intuit
2009-07-22 15:59 . 2005-01-16 02:50 -------- d-----w- c:\program files\TaxCut04
2009-07-22 15:58 . 2004-02-13 17:05 -------- d-----w- c:\program files\TaxCut03
2009-07-18 23:16 . 2003-01-18 16:17 110056 ----a-w- c:\documents and settings\Tom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-18 22:30 . 2006-12-28 19:46 -------- d-----w- c:\program files\iPod
2009-07-18 00:10 . 2008-01-30 15:14 -------- d-----w- c:\program files\PDF995
2009-07-17 15:08 . 2007-11-04 20:48 -------- d-----w- c:\program files\QuickTime
2009-07-17 15:06 . 2007-06-08 22:22 -------- d-----w- c:\program files\Apple Software Update
2009-07-17 14:41 . 2003-01-28 18:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-16 17:22 . 2008-11-28 21:13 -------- d-----w- c:\program files\Java
2009-07-16 17:17 . 2008-01-02 00:49 -------- d-----w- c:\program files\MSECache
2009-07-15 22:17 . 2003-01-12 04:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-14 13:54 . 2003-12-03 16:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-14 13:54 . 2003-12-03 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-13 19:03 . 2008-06-14 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-13 02:46 . 2009-03-26 19:07 -------- d-----w- c:\program files\Windows Live Safety Center
2009-07-13 01:33 . 2005-09-06 15:43 -------- d-----w- c:\program files\Lavasoft
2009-07-07 17:53 . 2008-06-14 17:51 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 17:09 . 2004-08-24 00:32 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-30 02:50 . 2009-06-30 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-30 02:45 . 2009-06-30 02:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-30 02:45 . 2008-06-14 17:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-30 02:45 . 2008-06-14 17:51 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:36 . 2002-08-29 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2002-08-29 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 20:07 . 2009-06-30 02:50 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-13 19:27 . 2009-06-13 19:27 -------- d-----w- c:\program files\3ivx
2009-06-13 19:27 . 2009-06-13 19:27 -------- d-----w- c:\program files\Flip Video
2009-06-13 19:27 . 2009-06-13 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2009-06-03 19:09 . 2003-12-03 17:43 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:32 . 2008-07-18 15:58 345600 ----a-w- c:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-30_19.41.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-31 15:40 . 2009-07-31 15:40 16384 c:\windows\temp\Perflib_Perfdata_1a8.dat
+ 2009-07-31 14:43 . 2009-07-31 14:43 15705600 c:\windows\Installer\5f4733.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"FileHippo.com"="c:\program files\FileHippo.com\UpdateChecker.exe" [2009-07-01 155136]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-30 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-16 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2007-5-17 884838]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-30 02:45 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Modem-On-Hold.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Modem-On-Hold.lnk
backup=c:\windows\pss\Dell Modem-On-Hold.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TotalMedia Backup Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk
backup=c:\windows\pss\TotalMedia Backup Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Creative Service for CDROM Access"=2 (0x2)
"C-DillaCdaC11BA"=2 (0x2)
"LiveUpdate"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"aawservice"=2 (0x2)
"NVSvc"=2 (0x2)
"iPod Service"=3 (0x3)
"DSBrokerService"=3 (0x3)
"IDriverT"=3 (0x3)
"FlipShare Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Tom\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Documents and Settings\\Tom\\temp\\TeamViewer3\\TeamViewer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [7/12/2009 9:37 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/14/2008 1:51 PM 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [6/14/2008 1:51 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/28/2009 10:53 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/31/2009 8:38 AM 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/19/2009 6:19 PM 298776]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\DNINDIS5.sys [5/17/2007 4:22 PM 17149]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 7408]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\SYSTEM32\DRIVERS\WPN111.sys [5/17/2007 4:22 PM 384608]
S2 RIOUSB;RioPort.Com Rio500 USB Driver;c:\windows\system32\Drivers\RioUsb.sys --> c:\windows\system32\Drivers\RioUsb.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
S3 NMUSB;NMUSB;c:\windows\SYSTEM32\DRIVERS\Nmusb.sys [1/15/2004 12:38 PM 40625]
S3 RIOXDRV;SONICblue Rio generic driver XP+;c:\windows\SYSTEM32\DRIVERS\RIOXDRV.sys [12/25/2003 5:17 PM 18304]
S4 FlipShare Service;FlipShare Service;c:\program files\Flip Video\FlipShare\FlipShareService.exe [2/17/2009 3:59 PM 451904]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: fidelity.com
Trusted Zone: usaa.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} - hxxp://ib.armstrong.com/ib/databases/actimage30717.cab
DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} - hxxp://66.119.139.74/cabs/zinst.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 20:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2263892695-3353682049-2362166560-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{175AF4D7-9CF3-F457-BF0E37CACC73FC6B}\{467C247B-D237-138A-478D2C475DF76751}\{0F112251-81FD-FF65-E1D4489D8D443FBC}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2742423D-9B2C-E1F8-2204FBC3D18DB555}\{88A68896-609D-936A-26F31FA12C544D88}\{4CDB3AFE-271E-9455-9E26AF69AD97A138}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3568)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-01 21:05
ComboFix-quarantined-files.txt 2009-08-01 01:05
ComboFix2.txt 2009-07-30 19:50

Pre-Run: 29,022,629,888 bytes free
Post-Run: 29,058,383,872 bytes free

261 --- E O F --- 2009-07-31 14:43

#14 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:30 PM

Posted 31 July 2009 - 11:37 PM

Hi jigster,


The file is restored successfully. :thumbup2: Let's proceed to the next one.
Sometimes AVG will block antispyware programs from updating, so make sure MBAM and SuperAntiSpyware are in the Trusted area of your Firewall & AV software.
The error code shows your Internet connection is not fully functional or is being interrupted by something else. Let's do some maintenance and hope it works. Please unplug your internet access and do the following:


Click Start > Run, type/paste the following into the Run box and hit Enter:

ipconfig /flushdns

Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

Open IE, select Tools > Internet Options. Select the Connections tab.
  • If you are using a LAN, click the "LAN Settings" button. If you are using a Dial-up or Virtual Private Network connection, select the necessary connection and click the "Settings" button.
  • In the "Proxy Server" area, uncheck the check mark next to "Use a proxy server for ....".
  • Click OK.
After that, what I'd like you to do is a hard reset of your router, if you have one. Leave it on, and there should be a little pinhole in the back of the unit. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). Then change your admin login and password--make it a strong password. You may also want to ask your ISP for help in case there are custom settings that need to be maintained.

After that, plug your internet access back in and do the following:
  • Open menu Start -> (Settings) -> Control Panel.
  • Double-click on Network connections.
  • Right-click on Local area connection and select Repair.
Check if the update is working now. If still no joy, please do as described in this thread.

Tell me how it goes.

Edited by sundavis, 31 July 2009 - 11:40 PM.
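The proxy and DNS steps above are done by hand through the Control Panel and Internet Options dialogs. As an added example (not sundavis's or BleepingComputer's own tool), the script below reads the same settings from the registry keys that those dialogs write to, reports any override that would send traffic through a proxy or a hard-coded DNS server, and can clear them. It assumes it is run from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example: report (and optionally undo) the IE proxy and static DNS
# overrides that the manual steps in this post clear one dialog at a time.
# Assumes an elevated PowerShell session; the registry paths are the standard
# Windows locations behind "Internet Options" and the TCP/IP properties sheet.

$IeSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$IfaceRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-ProxyAndDnsOverrides {
    $findings = @()
    $ie = Get-ItemProperty -Path $IeSettings

    # ProxyEnable=1 is the "Use a proxy server for your LAN" check box.
    if ($ie.ProxyEnable -eq 1) {
        $findings += "IE proxy enabled: $($ie.ProxyServer)"
    }
    # A PAC script URL can redirect traffic even with the proxy box unchecked.
    if ($ie.AutoConfigURL) {
        $findings += "IE automatic configuration script set: $($ie.AutoConfigURL)"
    }

    # NameServer is a static DNS override ("Use the following DNS server addresses");
    # DhcpNameServer is what the router/ISP handed out via DHCP.
    foreach ($key in Get-ChildItem -Path $IfaceRoot) {
        $iface = Get-ItemProperty -Path $key.PSPath
        if ($iface.NameServer) {
            $findings += "Static DNS on $($key.PSChildName): $($iface.NameServer) " +
                         "(DHCP offered: $($iface.DhcpNameServer))"
        }
    }
    return $findings
}

function Clear-ProxyAndDnsOverrides {
    # Equivalent of unchecking "Use a proxy server" and removing any PAC script.
    Set-ItemProperty -Path $IeSettings -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $IeSettings -Name AutoConfigURL -ErrorAction SilentlyContinue

    # An empty NameServer value is "Obtain DNS server address automatically".
    foreach ($key in Get-ChildItem -Path $IfaceRoot) {
        Set-ItemProperty -Path $key.PSPath -Name NameServer -Value ''
    }

    # Same as the ipconfig /flushdns step above.
    ipconfig /flushdns | Out-Null
}

$found = Get-ProxyAndDnsOverrides
if ($found.Count -eq 0) {
    'No proxy or static DNS overrides found.'
} else {
    $found
    # Uncomment to apply the fix after reviewing the findings:
    # Clear-ProxyAndDnsOverrides
}
```

Review the reported values before clearing them: a static DNS entry you set yourself (for example your ISP's servers) is legitimate, while a proxy or DNS server you do not recognise is the kind of change that blocks updates and causes redirects.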


#15 jigster

jigster
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:30 PM

Posted 01 August 2009 - 09:13 AM

Hi Sundavis.
Success! I had just a few minutes to work this issue today, so as a first step I read the link you provided (at the end of your msg) which suggested Internet Options > Connections > LAN Settings > Auto Detect. Both MBAM and SuperAntiSpyware update fine now! I have not yet completed the other steps you suggested...do you think they are still necessary? I have DSL with a wireless router and will at the least improve my login and password. At the moment, everything is working great. Many thanks for your expertise and help!



