Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Win32.Trojan.TDSS, UACInit.dll


  • This topic is locked This topic is locked
14 replies to this topic

#1 Buterf1y78

Buterf1y78

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:22 AM

Posted 16 July 2009 - 04:01 PM

I was sent over here by boopme (topic referenced here http://www.bleepingcomputer.com/forums/topic241736.html) who has been trying to help me for a few days. The virus first hit last Friday 7/10/09. My brother assisted me by clearing out most of it and making my computer functional but now every time my computer boots up Ad-Aware finds malware immediately. So we are pretty sure that it is a root kit and backdoor trojan. I have tried several things with boopme's help and kept running either into a wall where I couldn't perform the task (rootrepeal would not run) or it just couldn't clear it out entirely. So he asked me to post these HJT logs here:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 16:58:14.93 on Thu 07/16/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.547 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Cobian Backup 9\Cobian.exe
C:\Program Files\Cobian Backup 9\cbInterface.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = cdn;*.local
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {E1BACF55-35E1-4E47-9247-2D48660E5545} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\PartyPoker.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: aol.com\free
Trusted Zone: dfcufinancial.com\secure
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094947169906
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185589495343
DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} - hxxp://www.snapfish.com/SnapfishUpload.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://meijer.lifepics.com/net/Uploader/ImageUploader3.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} - hxxp://chat.yahoo.com/cab/yvwrctl.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.disneyphotopass.com/software/ImageUploader4.cab
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
Filter: text/html - {ac39af46-49ac-4059-82bb-fc95df2a889d} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: jkhhe - c:\windows\system32\jkhhe.dll
AppInit_DLLs: avgrsstx.dll upvith.dll
SEH: {FB703367-5B9A-4F41-B5C6-85F618DD9A57} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3y9h9p7e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\3y9h9p7e.default\extensions\{e94b2711-9908-4cbd-8766-2d7c34924b99}\components\Engine.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-29 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-11 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-11 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2009-3-12 18864]
S2 fbrzk;fbrzk;\??\c:\windows\system32\drivers\durbpdjo.sys --> c:\windows\system32\drivers\durbpdjo.sys [?]
S2 mrtRate;mrtRate; [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-29 24652]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [2007-5-25 96256]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-16 16:40 <DIR> --d----- c:\program files\Cobian Backup 9
2009-07-16 16:14 34,304 a------- c:\windows\system32\drivers\root.sys
2009-07-16 01:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-16 01:43 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-16 01:43 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-07-16 01:42 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-15 23:29 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-07-15 23:20 <DIR> --d----- c:\windows\ERUNT
2009-07-15 23:19 1,688 a------- c:\windows\system32\AUTOEXEC.NT
2009-07-15 23:13 <DIR> --d----- C:\SDFix
2009-07-15 22:55 <DIR> --d----- c:\program files\Mal
2009-07-15 08:53 <DIR> --d----- c:\program files\SpyRobot
2009-07-13 20:56 <DIR> --d----- C:\!KillBox
2009-07-11 15:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-11 15:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-11 15:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 08:28 <DIR> --d----- c:\windows\system32\NtmsData

==================== Find3M ====================

2009-07-04 09:30 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-01 21:26 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-11 19:26 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 81,920 a------- c:\windows\system32\ieencode.dll
2005-10-15 11:29 353,696 a--sh--- c:\windows\system32\ehhkj.bak2

============= FINISH: 16:59:43.93 ===============

Attached Files


Edited by Buterf1y78, 16 July 2009 - 04:07 PM.


BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:22 AM

Posted 16 July 2009 - 07:42 PM

Hello Buterf1y78,
  • Welcome to Bleeping Computer.
  • Sorry for delayed response. Forums have been really busy.
  • My name is fireman4it and I will be helping you with your Malware problem.
  • As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.
Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions after it is approved.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:22 AM

Posted 17 July 2009 - 03:46 PM

Hello Buterf1y78,

Please follow all directions in order given.

1.
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

2.
Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

3.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Things to include in your next reply:
Combofix.txt
Gmer.log
DDS.txt
How is your computer running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#4 Buterf1y78

Buterf1y78
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:22 AM

Posted 17 July 2009 - 08:16 PM

Thanks for you help! Here is how things went for me.
While awaiting your directions, I noticed that I would get error messages saying that Internet Explorer was forced to close and asking if I wanted to send a report to Microsoft. This is odd because during all that time I had unplugged my internet connection and also, we use firefox not Internet Explorer as our browser. So now on to what happened with you directions.
I downloaded ComboFix but it wouldn't run when double clicked so I renamed it Winlogon (a trick I had learned from my previous post with boopme) and then it worked. Only a few seconds into the can I got the following error message with a red circle with a white X in it at the left:

route.exe - Application Error
The instruction at "0x7c901e76" referenced memory at "0x00000000." The memory could not be "read." Click on OK to terminate the program.

I clicked OK and just a few seconds later a similar message came up:

ROUTE.exe - Application Error
The instruction at "0x7c901e76" referenced memory at "0x00000000." The memory could not be "read." Click on OK to terminate the program.

The only change was the uppercase ROUTE as opposed to route. I clicked OK and it continued the scan. After a few minutes a screen popped up that said it had detected malware and asked me to make a note of the following:

C:\WINDOWS\system32\drivers\hjgruibtmwvche.sys
C:\WINDOWS\system32\hjgruiaacwdtng.dll
C:\WINDOWS\system32\hjgruiyndwigxq.dat
C:\WINDOWS\system32\hjgruissijqfusc.dll
C:\WINDOWS\system32\hjguihxhdrmyv.dat
C:\WINDOWS\system32\drivers\UACpordedakiowachqng.sys
C:\WINDOWS\system32\UACrkdvdqypbmrnasquh.dll
C:\WINDOWS\system32\UACwjfrrfbljtokupptu.dll
C:\WINDOWS\system32\UACnxnhcupjebrbvtlnl.dat
C:\WINDOWS\system32\UACoejqkmvuwxxqufwnd.dll
C:\WINDOWS\system32\UACfegfiuoilebtdikrl.dll
C:\WINDOWS\system32\UACupladjlojdjiwjbpa.db
C:\WINDOWS\system32\UACiqxayrbxmwwkbkajm.dll

The computer restarted and the ComboFix started up and went through Stages 1-6,6A,7-19,19B,20-32,32A,33-50 and then said it was deleting files. It was an extremely long list and I could keep track of them all and then when I came back to check on the scan the computer was a black screen with only the mouse arrow (I could still move it) on it. I waiting about 10 min and then figured it was frozen so I restarted the computer. The restart triggered CHKDSK so I let that run and after finishing all its scans it rebooted the computer again (on its own) and reran CHKDSK this time it did a second reboot and started up fine. I looked for ComboFix.txt but couldn't find it. It never gave me a log so I wasn't sure what to do and went on to the next step and downloaded/ran GMER. Here is the GMER log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-17 21:04:11
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF781F87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF781FBFE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs F0801400

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo@imagepath \systemroot\system32\drivers\hjgruibtmwvche.sys
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo\main
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo\main@aid 10002
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo\main\delete
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo\main\injector
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo\main\tasks
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo\modules
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruibtmwvche.sys
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo\modules@hjgruicmd.dll \systemroot\system32\hjgruiaacwdtng.dll
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo\modules@hjgruilog.dat \systemroot\system32\hjgruiyndwigxq.dat
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo\modules@hjgruiwsp.dll \systemroot\system32\hjgruissjqfusc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\hjgruilnnatbbo\modules@hjgrui.dat \systemroot\system32\hjgruihxhdrmyv.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACpordedakiowachqng.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACpordedakiowachqng.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACrkdvdqypbmrnasquh.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACwjfrrfbljtokupptu.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACnxnhcupjebrbvtlnl.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACoejqkmvuwxxqufwnd.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACfegfiuoilebtdikrl.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACupladjlojdjiwjbpa.db
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACiqxayrbxmwwkbkajm.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\avgrsstx.dll

---- EOF - GMER 1.0.15 ----


Let me know what you would like me to do next or if you have any other questions about how these steps went. Thanks again for all the help!

EDIT: Sorry just noticed that you asked for DDS.txt is this the one from the previous post if not where do I get that? Thanks again.

EDIT #2: Sorry for this but came to check on computer this evening and there is a Resident Shield alert that says Multiple threat detection. It listed two threats here is the info for both (same for both threats):
File: C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1558\A0125688.sys
Infection: Virus identified Packed.Monder
Result: Infected
My choices are to "Remove selected infections", "Remove all unhealed infections", or "Close" . There is also a bot that is unchecked that says "Remove threat as Power User". Under that there is the following info:
Process name: C:\WINDOWS\system32\svchost.exe
Process ID: 1156
Detected on open.
I left this be until I hear from you not sure which button to click. Thanks again.

Edit#3: Woke up this morning and AVG ran a scheduled scan overnight (I forgort to turn these off). It found and healed 9 infections. Just figured I would give you that info also.

Edited by Buterf1y78, 18 July 2009 - 09:22 AM.


#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:22 AM

Posted 19 July 2009 - 06:08 PM

Hello Buterf1y78,

1.
  • Click on yourStart Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
  • When shown the disclaimer, Select "2"
This will remove files/folders assoicated with combofix and uninstall it.

2.
Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

3.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop post the contents of the DDS.txt log. Save the other report incase I need to look at it later.

Things to include in your next reply:
Combofix.txt
DDS Txt
No need for Attach.txt
How is your computer running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#6 Buterf1y78

Buterf1y78
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:22 AM

Posted 19 July 2009 - 07:46 PM

OK everything ran great this time! Computer seems to be running fine but I have disabled my AVG and my Ad-Aware so it won't catch anything at the moment. Should I turn those protections back on? And if I do and they find something then what? Do I let them clean the computer or hold off until you say so? Thanks for all the help. Here is my logs:

ComboFix 09-07-19.03 - Owner 07/19/2009 20:34.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.625 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\recycler\S-1-5-21-675391433-2836155277-696999150-1003
C:\WinLogon
c:\winlogon\CF19317.exe
C:\xcrashdump.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_MSNCACHE
-------\Legacy_PCMSTUB
-------\Legacy_SOPIDKC
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 )))))))))))))))))))))))))))))))
.

2009-07-16 20:40 . 2009-07-16 20:41 -------- d-----w- c:\program files\Cobian Backup 9
2009-07-16 20:14 . 2009-07-16 20:14 34304 ----a-w- c:\windows\system32\drivers\root.sys
2009-07-16 05:44 . 2009-07-16 14:09 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-16 05:44 . 2009-07-16 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-16 05:43 . 2009-07-16 05:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-16 05:43 . 2009-07-16 05:43 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-07-16 05:42 . 2009-07-16 05:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-16 03:29 . 2009-07-16 03:29 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-07-16 03:20 . 2009-07-16 03:20 -------- d-----w- c:\windows\ERUNT
2009-07-16 02:55 . 2009-07-16 05:05 -------- d-----w- c:\program files\Mal
2009-07-16 02:14 . 2009-07-16 02:15 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-16 01:31 . 2009-07-16 01:31 -------- d-----w- c:\program files\7-Zip
2009-07-15 12:53 . 2009-07-15 12:53 -------- d-----w- c:\program files\SpyRobot
2009-07-14 00:56 . 2009-07-18 04:02 -------- d-----w- C:\!KillBox
2009-07-13 17:33 . 2009-07-13 17:33 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-07-11 19:21 . 2009-07-11 19:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-11 19:20 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-11 19:20 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-11 19:20 . 2009-07-11 20:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 14:32 . 2009-07-11 14:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-11 12:28 . 2009-07-11 20:56 -------- d-----w- c:\windows\system32\NtmsData
2009-07-08 13:32 . 2009-07-04 13:30 2167576 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgresf.dll
2009-07-04 13:31 . 2009-06-21 12:46 3298072 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\setup.exe
2009-06-26 13:49 . 2009-07-04 13:30 2054424 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgcorex.dll
2009-06-21 12:47 . 2009-06-21 12:46 829208 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgcfgx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 22:08 . 2005-11-21 02:40 -------- d-----w- c:\program files\Viewpoint
2009-07-17 22:08 . 2005-11-21 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-17 06:10 . 2004-04-02 09:52 -------- d-----w- c:\program files\Quicken
2009-07-15 12:53 . 2005-09-02 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-15 12:52 . 2005-09-02 03:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-11 11:52 . 2004-04-03 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-11 11:52 . 2004-04-03 08:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-09 02:26 . 2009-06-18 01:17 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2009-07-07 01:17 . 2009-06-18 01:17 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-07-07 01:17 . 2009-06-18 01:17 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-07-04 13:30 . 2008-10-11 20:42 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-02 01:17 . 2009-06-18 01:17 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-07-02 01:17 . 2009-06-18 01:17 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-07-02 01:17 . 2009-06-18 01:17 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-06-30 01:30 . 2009-06-18 01:17 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-06-30 01:30 . 2009-06-18 01:17 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2009-06-30 01:30 . 2009-06-18 01:17 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2009-06-30 01:30 . 2009-06-02 01:26 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-06-30 01:28 . 2009-06-02 01:23 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-06-30 01:27 . 2009-06-02 01:23 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-06-30 01:27 . 2009-06-18 01:17 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\AAWDriverTool.exe
2009-06-30 01:27 . 2009-06-18 01:17 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-06-30 01:19 . 2009-06-18 01:17 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWWSC.exe
2009-06-30 01:18 . 2009-06-18 01:17 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-06-30 01:18 . 2009-06-18 01:17 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-06-30 00:08 . 2007-04-25 04:13 -------- d-----w- c:\program files\Quicken WillMaker Plus 2007
2009-06-29 01:15 . 2004-04-02 10:00 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-21 12:47 . 2008-10-11 20:42 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-21 12:45 . 2009-06-12 12:11 1454360 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgupd.dll
2009-06-16 14:36 . 2004-04-29 23:02 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-04-29 21:08 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-11 07:17 . 2008-10-11 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-06-03 19:09 . 2003-05-31 00:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 01:26 . 2009-06-02 01:26 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-06-02 01:26 . 2009-04-30 12:22 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-11 23:26 . 2009-02-01 14:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-07 15:32 . 2004-04-29 23:03 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 01:15 . 2009-04-30 01:17 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-30 01:15 . 2009-04-30 01:15 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-04-29 04:46 . 2004-01-22 07:16 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-13 12:54 . 2008-12-05 03:17 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 520024]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 23:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\11095314

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=3 (0x3)
"ERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/29/2009 9:17 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/11/2008 4:42 PM 335752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 10:28 AM 298776]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [3/12/2009 3:04 PM 18864]
S2 fbrzk;fbrzk;\??\c:\windows\system32\drivers\durbpdjo.sys --> c:\windows\system32\drivers\durbpdjo.sys [?]
S2 mrtRate;mrtRate; [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [5/25/2007 8:21 PM 96256]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-07-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:17]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{FB703367-5B9A-4F41-B5C6-85F618DD9A57} - (no file)
Notify-jkhhe - c:\windows\system32\jkhhe.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = cdn;*.local
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: dfcufinancial.com\secure
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3y9h9p7e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3y9h9p7e.default\extensions\{e94b2711-9908-4cbd-8766-2d7c34924b99}\components\Engine.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-19 20:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-20 20:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-20 00:48

Pre-Run: 85,802,733,568 bytes free
Post-Run: 85,692,567,552 bytes free

219 --- E O F --- 2009-07-15 14:24





DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 20:51:50.14 on Sun 07/19/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.548 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = cdn;*.local
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\PartyPoker.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: aol.com\free
Trusted Zone: dfcufinancial.com\secure
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094947169906
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185589495343
DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} - hxxp://www.snapfish.com/SnapfishUpload.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://meijer.lifepics.com/net/Uploader/ImageUploader3.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} - hxxp://chat.yahoo.com/cab/yvwrctl.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.disneyphotopass.com/software/ImageUploader4.cab
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3y9h9p7e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\3y9h9p7e.default\extensions\{e94b2711-9908-4cbd-8766-2d7c34924b99}\components\Engine.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-29 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-11 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-11 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 298776]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2009-3-12 18864]
S2 fbrzk;fbrzk;\??\c:\windows\system32\drivers\durbpdjo.sys --> c:\windows\system32\drivers\durbpdjo.sys [?]
S2 mrtRate;mrtRate; [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [2007-5-25 96256]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-19 20:47 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-19 20:28 219,648 a------- c:\windows\PEV.exe
2009-07-19 20:28 161,792 a------- c:\windows\SWREG.exe
2009-07-19 20:28 98,816 a------- c:\windows\sed.exe
2009-07-16 16:40 <DIR> --d----- c:\program files\Cobian Backup 9
2009-07-16 16:14 34,304 a------- c:\windows\system32\drivers\root.sys
2009-07-16 01:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-16 01:43 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-16 01:43 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-07-16 01:42 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-15 23:29 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-07-15 23:20 <DIR> --d----- c:\windows\ERUNT
2009-07-15 23:19 1,688 a------- c:\windows\system32\AUTOEXEC.NT
2009-07-15 22:55 <DIR> --d----- c:\program files\Mal
2009-07-15 08:53 <DIR> --d----- c:\program files\SpyRobot
2009-07-13 20:56 <DIR> --d----- C:\!KillBox
2009-07-11 15:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-11 15:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-11 15:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 08:28 <DIR> --d----- c:\windows\system32\NtmsData

==================== Find3M ====================

2009-07-04 09:30 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-01 21:26 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-11 19:26 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 81,920 a------- c:\windows\system32\ieencode.dll

============= FINISH: 20:52:08.10 ===============

#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:22 AM

Posted 20 July 2009 - 04:01 PM

Hello Buterf1y78,

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS:
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

Driver::
mrtRate
fbrzk

File::
c:\windows\system32\drivers\durbpdjo.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\drivers\durbpdjo.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

3.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)
Posted Image
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
Things to include in your next reply:
Combofix .txt
Jotti report
Eset report
A new DDS.txt
How is your computer running now
You can turn AVG back on when You have finished all the above steps.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#8 Buterf1y78

Buterf1y78
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:22 AM

Posted 20 July 2009 - 04:27 PM

Here is combofix log:

ComboFix 09-07-20.01 - Owner 07/20/2009 17:15.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.595 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\drivers\durbpdjo.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FBRZK
-------\Legacy_MRTRATE
-------\Service_fbrzk
-------\Service_mrtRate


((((((((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 )))))))))))))))))))))))))))))))
.

2009-07-16 20:40 . 2009-07-16 20:41 -------- d-----w- c:\program files\Cobian Backup 9
2009-07-16 20:14 . 2009-07-16 20:14 34304 ----a-w- c:\windows\system32\drivers\root.sys
2009-07-16 05:44 . 2009-07-16 14:09 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-16 05:44 . 2009-07-16 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-16 05:43 . 2009-07-16 05:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-16 05:43 . 2009-07-16 05:43 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-07-16 05:42 . 2009-07-16 05:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-16 03:29 . 2009-07-16 03:29 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-07-16 03:20 . 2009-07-16 03:20 -------- d-----w- c:\windows\ERUNT
2009-07-16 02:55 . 2009-07-16 05:05 -------- d-----w- c:\program files\Mal
2009-07-16 02:14 . 2009-07-16 02:15 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-16 01:31 . 2009-07-16 01:31 -------- d-----w- c:\program files\7-Zip
2009-07-15 12:53 . 2009-07-15 12:53 -------- d-----w- c:\program files\SpyRobot
2009-07-14 00:56 . 2009-07-18 04:02 -------- d-----w- C:\!KillBox
2009-07-13 17:33 . 2009-07-13 17:33 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-07-11 12:28 . 2009-07-11 20:56 -------- d-----w- c:\windows\system32\NtmsData
2009-07-08 13:32 . 2009-07-04 13:30 2167576 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgresf.dll
2009-07-04 13:31 . 2009-06-21 12:46 3298072 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\setup.exe
2009-06-26 13:49 . 2009-07-04 13:30 2054424 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgcorex.dll
2009-06-21 12:47 . 2009-06-21 12:46 829208 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgcfgx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 22:08 . 2005-11-21 02:40 -------- d-----w- c:\program files\Viewpoint
2009-07-17 22:08 . 2005-11-21 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-17 06:10 . 2004-04-02 09:52 -------- d-----w- c:\program files\Quicken
2009-07-15 12:53 . 2005-09-02 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-15 12:52 . 2005-09-02 03:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-13 17:36 . 2009-07-11 19:20 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-07-11 19:20 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-11 20:59 . 2009-07-11 19:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 19:21 . 2009-07-11 19:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-11 11:52 . 2004-04-03 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-11 11:52 . 2004-04-03 08:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-09 02:26 . 2009-06-18 01:17 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2009-07-07 01:17 . 2009-06-18 01:17 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-07-07 01:17 . 2009-06-18 01:17 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-07-04 13:30 . 2008-10-11 20:42 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-02 01:17 . 2009-06-18 01:17 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-07-02 01:17 . 2009-06-18 01:17 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-07-02 01:17 . 2009-06-18 01:17 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-06-30 01:30 . 2009-06-18 01:17 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-06-30 01:30 . 2009-06-18 01:17 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2009-06-30 01:30 . 2009-06-18 01:17 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2009-06-30 01:30 . 2009-06-02 01:26 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-06-30 01:28 . 2009-06-02 01:23 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-06-30 01:27 . 2009-06-02 01:23 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-06-30 01:27 . 2009-06-18 01:17 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\AAWDriverTool.exe
2009-06-30 01:27 . 2009-06-18 01:17 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-06-30 01:19 . 2009-06-18 01:17 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWWSC.exe
2009-06-30 01:18 . 2009-06-18 01:17 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-06-30 01:18 . 2009-06-18 01:17 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-06-30 00:08 . 2007-04-25 04:13 -------- d-----w- c:\program files\Quicken WillMaker Plus 2007
2009-06-29 01:15 . 2004-04-02 10:00 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-21 12:47 . 2008-10-11 20:42 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-21 12:45 . 2009-06-12 12:11 1454360 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgupd.dll
2009-06-16 14:36 . 2004-04-29 23:02 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-04-29 21:08 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-11 07:17 . 2008-10-11 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-06-03 19:09 . 2003-05-31 00:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 01:26 . 2009-06-02 01:26 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-06-02 01:26 . 2009-04-30 12:22 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-11 23:26 . 2009-02-01 14:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-07 15:32 . 2004-04-29 23:03 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 01:15 . 2009-04-30 01:17 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-30 01:15 . 2009-04-30 01:15 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-04-29 04:46 . 2004-01-22 07:16 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-13 12:54 . 2008-12-05 03:17 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 520024]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 23:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=3 (0x3)
"ERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/29/2009 9:17 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/11/2008 4:42 PM 335752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 10:28 AM 298776]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [3/12/2009 3:04 PM 18864]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [5/25/2007 8:21 PM 96256]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-07-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = cdn;*.local
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: dfcufinancial.com\secure
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3y9h9p7e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3y9h9p7e.default\extensions\{e94b2711-9908-4cbd-8766-2d7c34924b99}\components\Engine.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-20 17:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-20 17:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-20 21:28
ComboFix2.txt 2009-07-20 00:48

Pre-Run: 85,736,525,824 bytes free
Post-Run: 85,672,235,008 bytes free

209 --- E O F --- 2009-07-15 14:24


I showed all hidden files but was unable to locate the file you requested either in jotti or on my computer alone. I will proceed to the next step while awaiting further instructions regarding the jotti step. Thanks again for all your help! SARA

Here is the ESET log you asked for.

C:\!KillBox\UACfegfiuoilebtdikrl.dll( 1) a variant of Win32/Kryptik.PS trojan cleaned by deleting - quarantined
C:\!KillBox\UACiqxayrbxmwwkbkajm.dll( 1) Win32/Olmarik.HQ trojan cleaned by deleting - quarantined
C:\!KillBox\UACiqxayrbxmwwkbkajm.dll( 2) Win32/Olmarik.HQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Owner\My Documents\birthdaycat.exe Win32/Adware.WinAd application deleted - quarantined
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Program Files\Online Services\Install_AIM.exe Win32/Adware.WBug.A application deleted - quarantined
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1561\A0126293.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1561\A0126294.exe Win32/Adware.WBug.A application deleted - quarantined


Still couldn't find the file for jotti. Turned on AVG should I also turn on Ad-aware. Thanks again for all the help!
SARA

EDIT: Sorry here is the DDS log you wanted


DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 21:20:48.95 on Mon 07/20/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.499 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Owner\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = cdn;*.local
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\PartyPoker.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: aol.com\free
Trusted Zone: dfcufinancial.com\secure
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094947169906
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185589495343
DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} - hxxp://www.snapfish.com/SnapfishUpload.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://meijer.lifepics.com/net/Uploader/ImageUploader3.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} - hxxp://chat.yahoo.com/cab/yvwrctl.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.disneyphotopass.com/software/ImageUploader4.cab
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3y9h9p7e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\3y9h9p7e.default\extensions\{e94b2711-9908-4cbd-8766-2d7c34924b99}\components\Engine.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-29 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-11 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-11 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2009-3-12 18864]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [2007-5-25 96256]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-20 17:41 <DIR> --d----- c:\program files\ESET
2009-07-19 20:47 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-19 20:28 219,648 a------- c:\windows\PEV.exe
2009-07-19 20:28 161,792 a------- c:\windows\SWREG.exe
2009-07-19 20:28 98,816 a------- c:\windows\sed.exe
2009-07-16 16:40 <DIR> --d----- c:\program files\Cobian Backup 9
2009-07-16 16:14 34,304 a------- c:\windows\system32\drivers\root.sys
2009-07-16 01:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-16 01:43 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-16 01:43 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-07-16 01:42 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-15 23:29 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-07-15 23:20 <DIR> --d----- c:\windows\ERUNT
2009-07-15 23:19 1,688 a------- c:\windows\system32\AUTOEXEC.NT
2009-07-15 22:55 <DIR> --d----- c:\program files\Mal
2009-07-15 08:53 <DIR> --d----- c:\program files\SpyRobot
2009-07-13 20:56 <DIR> --d----- C:\!KillBox
2009-07-11 15:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-11 15:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-11 15:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 08:28 <DIR> --d----- c:\windows\system32\NtmsData

==================== Find3M ====================

2009-07-04 09:30 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-01 21:26 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-11 19:26 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 81,920 a------- c:\windows\system32\ieencode.dll

============= FINISH: 21:21:12.84 ===============

Edited by Buterf1y78, 20 July 2009 - 08:12 PM.


#9 Buterf1y78

Buterf1y78
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:22 AM

Posted 20 July 2009 - 08:50 PM

Please let me know how to proceed still cannot find file c:\windows\system32\drivers\durbpdjo.sys on my system or with jotti even with files unhidden. Is it possible that ComboFix deleted this file?

My computer is running fine and after turning back on AVG and Ad-Aware they haven't picked up anything as of yet.

Please let me know how I should proceed.

Thanks again for all the help!
SARA

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:22 AM

Posted 22 July 2009 - 05:53 PM

Hello Buterf1y78,

You are doing a great job so far be patient. The light at the end of the tunnel is getting brighter! :thumbup2:

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
"{ef99bd32-c1fb-11d2-892f-0090271d4f88}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{ef99bd32-c1fb-11d2-892f-0090271d4f88}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{ef99bd32-c1fb-11d2-892f-0090271d4f88}"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars]
"{32683183-48a0-441b-a342-7c2a440a9478}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
"{32683183-48a0-441b-a342-7c2a440a9478}"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars]
"{4528BBE0-4E08-11D5-AD55-00010333D0AD}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
"{4528BBE0-4E08-11D5-AD55-00010333D0AD}"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

3.
Finally post a new DDS log and any remaining problems.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 Buterf1y78

Buterf1y78
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:22 AM

Posted 22 July 2009 - 06:39 PM

Here is my ComboFix and DDS logs I haven't seen any new problems.

ComboFix 09-07-20.01 - Owner 07/22/2009 19:16.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.511 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.

2009-07-20 21:41 . 2009-07-20 21:41 -------- d-----w- c:\program files\ESET
2009-07-16 20:40 . 2009-07-16 20:41 -------- d-----w- c:\program files\Cobian Backup 9
2009-07-16 20:14 . 2009-07-16 20:14 34304 ----a-w- c:\windows\system32\drivers\root.sys
2009-07-16 05:44 . 2009-07-16 14:09 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-16 05:44 . 2009-07-16 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-16 05:43 . 2009-07-16 05:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-16 05:43 . 2009-07-16 05:43 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-07-16 05:42 . 2009-07-16 05:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-16 03:29 . 2009-07-16 03:29 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-07-16 03:20 . 2009-07-16 03:20 -------- d-----w- c:\windows\ERUNT
2009-07-16 02:55 . 2009-07-16 05:05 -------- d-----w- c:\program files\Mal
2009-07-16 02:14 . 2009-07-16 02:15 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-16 01:31 . 2009-07-16 01:31 -------- d-----w- c:\program files\7-Zip
2009-07-15 12:53 . 2009-07-15 12:53 -------- d-----w- c:\program files\SpyRobot
2009-07-14 00:56 . 2009-07-20 21:45 -------- d-----w- C:\!KillBox
2009-07-13 17:33 . 2009-07-13 17:33 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-07-11 12:28 . 2009-07-11 20:56 -------- d-----w- c:\windows\system32\NtmsData
2009-07-08 13:32 . 2009-07-04 13:30 2167576 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgresf.dll
2009-06-26 13:49 . 2009-07-04 13:30 2054424 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgcorex.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 22:08 . 2005-11-21 02:40 -------- d-----w- c:\program files\Viewpoint
2009-07-17 22:08 . 2005-11-21 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-17 06:10 . 2004-04-02 09:52 -------- d-----w- c:\program files\Quicken
2009-07-15 12:53 . 2005-09-02 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-15 12:52 . 2005-09-02 03:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-13 17:36 . 2009-07-11 19:20 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-07-11 19:20 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-11 20:59 . 2009-07-11 19:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 19:21 . 2009-07-11 19:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-11 11:52 . 2004-04-03 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-11 11:52 . 2004-04-03 08:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-09 02:26 . 2009-06-18 01:17 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2009-07-07 01:17 . 2009-06-18 01:17 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-07-07 01:17 . 2009-06-18 01:17 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-07-04 13:30 . 2008-10-11 20:42 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-02 01:17 . 2009-06-18 01:17 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-07-02 01:17 . 2009-06-18 01:17 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-07-02 01:17 . 2009-06-18 01:17 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-06-30 01:30 . 2009-06-18 01:17 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-06-30 01:30 . 2009-06-18 01:17 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2009-06-30 01:30 . 2009-06-18 01:17 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2009-06-30 01:30 . 2009-06-02 01:26 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-06-30 01:28 . 2009-06-02 01:23 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-06-30 01:27 . 2009-06-02 01:23 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-06-30 01:27 . 2009-06-18 01:17 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\AAWDriverTool.exe
2009-06-30 01:27 . 2009-06-18 01:17 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-06-30 01:19 . 2009-06-18 01:17 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWWSC.exe
2009-06-30 01:18 . 2009-06-18 01:17 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-06-30 01:18 . 2009-06-18 01:17 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-06-30 00:08 . 2007-04-25 04:13 -------- d-----w- c:\program files\Quicken WillMaker Plus 2007
2009-06-29 01:15 . 2004-04-02 10:00 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-21 12:47 . 2008-10-11 20:42 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:36 . 2004-04-29 23:02 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-04-29 21:08 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-11 07:17 . 2008-10-11 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-06-03 19:09 . 2003-05-31 00:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 01:26 . 2009-06-02 01:26 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-06-02 01:26 . 2009-04-30 12:22 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-11 23:26 . 2009-02-01 14:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-07 15:32 . 2004-04-29 23:03 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 01:15 . 2009-04-30 01:17 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-30 01:15 . 2009-04-30 01:15 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-04-29 04:46 . 2004-01-22 07:16 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-13 12:54 . 2008-12-05 03:17 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 520024]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 23:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=3 (0x3)
"ERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/29/2009 9:17 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/11/2008 4:42 PM 335752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 10:28 AM 298776]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [3/12/2009 3:04 PM 18864]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [5/25/2007 8:21 PM 96256]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = cdn;*.local
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: dfcufinancial.com\secure
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3y9h9p7e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3y9h9p7e.default\extensions\{e94b2711-9908-4cbd-8766-2d7c34924b99}\components\Engine.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-22 19:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-07-22 19:23
ComboFix-quarantined-files.txt 2009-07-22 23:23
ComboFix2.txt 2009-07-20 21:28
ComboFix3.txt 2009-07-20 00:48

Pre-Run: 85,544,591,360 bytes free
Post-Run: 85,490,495,488 bytes free

182 --- E O F --- 2009-07-15 14:24



DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 19:45:18.42 on Wed 07/22/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.608 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Owner\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = cdn;*.local
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\PartyPoker.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: aol.com\free
Trusted Zone: dfcufinancial.com\secure
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094947169906
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185589495343
DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} - hxxp://www.snapfish.com/SnapfishUpload.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://meijer.lifepics.com/net/Uploader/ImageUploader3.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} - hxxp://chat.yahoo.com/cab/yvwrctl.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.disneyphotopass.com/software/ImageUploader4.cab
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3y9h9p7e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\3y9h9p7e.default\extensions\{e94b2711-9908-4cbd-8766-2d7c34924b99}\components\Engine.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-29 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-11 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-11 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 298776]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2009-3-12 18864]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [2007-5-25 96256]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-22 19:44 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-22 19:44 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-20 17:41 <DIR> --d----- c:\program files\ESET
2009-07-19 20:47 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-19 20:28 219,648 a------- c:\windows\PEV.exe
2009-07-19 20:28 161,792 a------- c:\windows\SWREG.exe
2009-07-19 20:28 98,816 a------- c:\windows\sed.exe
2009-07-16 16:40 <DIR> --d----- c:\program files\Cobian Backup 9
2009-07-16 16:14 34,304 a------- c:\windows\system32\drivers\root.sys
2009-07-16 01:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-16 01:43 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-16 01:43 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-07-16 01:42 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-15 23:29 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-07-15 23:20 <DIR> --d----- c:\windows\ERUNT
2009-07-15 23:19 1,688 a------- c:\windows\system32\AUTOEXEC.NT
2009-07-15 22:55 <DIR> --d----- c:\program files\Mal
2009-07-15 08:53 <DIR> --d----- c:\program files\SpyRobot
2009-07-13 20:56 <DIR> --d----- C:\!KillBox
2009-07-11 15:20 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-11 15:20 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-11 15:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 08:28 <DIR> --d----- c:\windows\system32\NtmsData

==================== Find3M ====================

2009-07-04 09:30 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-01 21:26 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-11 19:26 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 81,920 a------- c:\windows\system32\ieencode.dll

============= FINISH: 19:45:56.59 ===============

Thanks so much for all the help! I really appreciate you taking your time to help me and all the patience you have had for me :thumbup2:

Edited by Buterf1y78, 22 July 2009 - 06:40 PM.


#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:22 AM

Posted 23 July 2009 - 06:05 PM

1.
Please go to Start>Run type in Notepad.
Copy what is in the code box below into the open Notepad window. On the top toolbar in notepad select file, then save as. In the box that opens type in remservice.bat for the file name. Right below that click the down arrow in the line for "save as" and select All files. Save this to your desktop and close notepad.

@echo off
sc stop "Viewpoint Manager Service"
sc delete "Viewpoint Manager Service"
del remservice.bat 
Exit
Locate the remservice icon on your desktop and double click it. A box will pop up briefly on your screen and disappear, this is normal.

NOTICE: This file was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


2.
Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
3.
Congradulations your log is clean!

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.
Please also have a look at the following links, giving some advice and suggestions for preventing future infections:Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
I recommend you regularly visit the Windows Update Site , you where lagging behind on a few of them!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache! Posted Image
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Another recommend, is to download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select atleast one of the three (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#13 Buterf1y78

Buterf1y78
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:22 AM

Posted 23 July 2009 - 08:56 PM

Thanks again for all the help I really appreciate it! I have already told everyone about the wonderful work you guys do! :thumbup2:

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:22 AM

Posted 24 July 2009 - 10:12 PM

No problem glad we could be of service and happy surfing. :thumbup2:

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#15 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:22 AM

Posted 25 July 2009 - 06:19 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users