Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Had Antivirus Pro 2010, now upon startup goes to strange websites


  • This topic is locked This topic is locked
15 replies to this topic

#1 taun36

taun36

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 23 September 2009 - 04:33 PM

Had Antivirus Pro 2010. Installed SDFix and OTM. The warnings stopped popping up, but when I start up the computer, Internet Explorer automatically opens and goes to strange websites. Also, cannot use search engines because a new screen for "bestcompanysearch" comes up. Tried to install MalwareBytes Anti-Maware, but it will not run.
DDS (Ver_09-07-30.01) - NTFSx86
Run by Dell at 14:56:56.59 on Wed 09/23/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.384 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Search & Destroy\TeaTimer.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
svchost
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dell\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dellnet.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\search & destroy\SDHelper.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\pdfforgeToolbarIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {9167DA98-6F9B-46F1-991D-826CAE46CAB6} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [MCAgentExe] c:\program files\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [D-Link AirPremier AG Utility] c:\program files\d-link\airpremier ag utility\AirPMCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [Name of App] c:\program files\samsung\fw liveupdate\FWManager.exe r
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SearchSettings] c:\program files\pdfforge toolbar\SearchSettings.exe
mRun: [Rgixoseq] rundll32.exe "c:\windows\axixicedojodohuj.dll",Startup
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: &AOL Radio Toolbar Search - c:\documents and settings\all users\application data\aol radio toolbar\ietoolbar\resources\en-us\local\search.html
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217884775953
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {1C1548FC-429F-4CAE-A234-03800DFEF10F} = 65.38.128.2,65.38.128.3
TCP: {5A38A204-4DF4-44A2-BC86-D403D8EBE638} = 65.38.128.2,65.38.128.3
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Notification Packages = scecli msbipz.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-9 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-9 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-9 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-15 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-15 297752]
R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2003-7-8 94208]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2007-4-27 316992]
R2 SSIPDDP;SSIPDDP Parallel port device driver;c:\windows\system32\drivers\SSIPDDP.SYS [2003-11-1 55296]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2006-5-11 472096]
R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2003-7-8 225375]
R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2003-7-8 23296]
S2 .Net CLR;Microsoft .Net Framework COM+ Support;c:\windows\system32\svchost.exe -k ".Net CLR" [2002-8-29 14336]

=============== Created Last 30 ================

2009-09-23 13:23 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-23 13:23 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-23 13:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-23 13:21 0 a------- C:\backup.reg
2009-09-23 13:21 61,440 a------- c:\windows\system32\drivers\vadsp.sys
2009-09-23 13:14 <DIR> --d----- c:\program files\Search & Destroy
2009-09-23 13:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-23 10:52 <DIR> --d----- C:\SDFix
2009-09-23 10:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-22 15:30 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-09-22 15:21 <DIR> --d----- c:\windows\ERUNT
2009-09-22 14:20 0 a------- c:\windows\Qteyowel.bin
2009-09-22 14:15 120 a------- c:\windows\Ytazipejoxir.dat
2009-09-21 13:50 2,184 a------- c:\windows\system32\wpa.dbl
2009-09-21 13:46 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-09-20 11:46 17,529 a------- c:\docume~1\dell\applic~1\huvug.pif
2009-09-20 11:46 16,800 a------- c:\docume~1\dell\applic~1\qeqe.com
2009-09-20 11:46 14,190 a------- c:\docume~1\dell\applic~1\isuqaka.dll
2009-09-10 14:03 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-08-28 14:04 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 14:04 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 03:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 03:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 07:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 13:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 13:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 07:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-07-03 11:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 11:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 11:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 11:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 11:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 11:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 11:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 11:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 11:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 11:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 11:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 11:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 05:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-08-11 13:38 1,570,816 a------- c:\docume~1\dell\applic~1\tsdnwin.dll
2008-08-19 09:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080420080811\index.dat
2008-08-19 09:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 14:58:16.78 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:57 AM

Posted 23 September 2009 - 06:15 PM

Hello taun36,
  • Welcome to Bleeping Computer.
  • Sorry for delayed response. Forums have been really busy.
  • My name is fireman4it and I will be helping you with your Malware problem.
  • As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.
Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions after it is approved.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 taun36

taun36
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 24 September 2009 - 02:24 PM

fireman4it--I think I have it figured out. I finally got the Malwarebytes Anti-Malware program to run and it removed quite a few things. The computer "seems" to be ok...for now. Thank you for any time you have spent looking into it.

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:57 AM

Posted 25 September 2009 - 10:47 PM

Hello taun36,

Are you experiencing any sign or symptoms of infection? IF so please follow the directions below so we can make sure you are clean.

1.
One or more of the identified infections is a Rootkit and/or Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

2.
Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop post the contents of the DDS.txt log. Save the other report incase I need to look at it later.

3.
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Things to include in your next reply:
How is your machine running? Do you still require our assistance?
DDS.txt
Attach.txt
Rootrepeal log

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:57 AM

Posted 26 September 2009 - 10:04 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :(

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#6 taun36

taun36
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 28 September 2009 - 01:45 PM

The computer is running better. I ran the tests that you requeste--the results are below:


DDS (Ver_09-09-24.01) - NTFSx86
Run by Dell at 12:06:18.84 on Mon 09/28/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.353 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
svchost
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Search & Destroy\TeaTimer.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dell\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dellnet.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\search~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\pdfforgeToolbarIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {9167DA98-6F9B-46F1-991D-826CAE46CAB6} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [MCAgentExe] c:\program files\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [D-Link AirPremier AG Utility] c:\program files\d-link\airpremier ag utility\AirPMCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [Name of App] c:\program files\samsung\fw liveupdate\FWManager.exe r
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SearchSettings] c:\program files\pdfforge toolbar\SearchSettings.exe
mRun: [Rgixoseq] rundll32.exe "c:\windows\axixicedojodohuj.dll",Startup
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: &AOL Radio Toolbar Search - c:\documents and settings\all users\application data\aol radio toolbar\ietoolbar\resources\en-us\local\search.html
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\search~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217884775953
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {1C1548FC-429F-4CAE-A234-03800DFEF10F} = 65.38.128.2,65.38.128.3
TCP: {5A38A204-4DF4-44A2-BC86-D403D8EBE638} = 65.38.128.2,65.38.128.3
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-9 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-9 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-9 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-15 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-15 297752]
R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2003-7-8 94208]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2007-4-27 316992]
R2 SSIPDDP;SSIPDDP Parallel port device driver;c:\windows\system32\drivers\SSIPDDP.SYS [2003-11-1 55296]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2006-5-11 472096]
R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2003-7-8 225375]
R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2003-7-8 23296]

=============== Created Last 30 ================

2009-09-25 11:37 21,504 a------- c:\windows\jestertb.dll
2009-09-23 16:34 <DIR> --d----- c:\docume~1\dell\applic~1\Malwarebytes
2009-09-23 13:23 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-23 13:23 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-23 13:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-23 13:21 0 a------- C:\backup.reg
2009-09-23 13:21 61,440 a------- c:\windows\system32\drivers\vadsp.sys
2009-09-23 13:14 <DIR> --d----- c:\program files\Search & Destroy
2009-09-23 13:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-23 10:52 <DIR> --d----- C:\SDFix
2009-09-23 10:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-22 15:30 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-09-22 15:21 <DIR> --d----- c:\windows\ERUNT
2009-09-22 14:20 0 a------- c:\windows\Qteyowel.bin
2009-09-22 14:15 120 a------- c:\windows\Ytazipejoxir.dat
2009-09-21 13:50 2,184 a------- c:\windows\system32\wpa.dbl
2009-09-21 13:46 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-09-20 11:51 0 a------- c:\windows\system32\uactmp.db
2009-09-20 11:46 17,529 a------- c:\docume~1\dell\applic~1\huvug.pif
2009-09-20 11:46 16,800 a------- c:\docume~1\dell\applic~1\qeqe.com
2009-09-20 11:46 14,190 a------- c:\docume~1\dell\applic~1\isuqaka.dll
2009-09-10 14:03 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-08-28 14:04 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 14:04 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 03:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 03:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 07:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 13:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 13:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 07:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-07-03 11:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 11:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 11:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 11:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 11:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 11:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 11:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 11:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 11:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 11:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 11:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 11:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 05:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-08-11 13:38 1,570,816 a------- c:\docume~1\dell\applic~1\tsdnwin.dll
2008-08-19 09:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080420080811\index.dat
2008-08-19 09:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 12:07:46.15 ===============


Thanks again for your help

Attached Files



#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:57 AM

Posted 29 September 2009 - 07:02 PM

Hello taun36,

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#8 taun36

taun36
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 30 September 2009 - 01:51 PM

Hi fireman4it,

Following are the results of ComboFix:

ComboFix 09-09-29.04 - Dell 09/30/2009 12:19.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.542 [GMT -6:00]
Running from: c:\documents and settings\Dell\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dell\Application Data\huvug.pif
c:\documents and settings\Dell\Application Data\isuqaka.dll
c:\documents and settings\Dell\Application Data\qeqe.com
c:\documents and settings\Dell\Application Data\xife.lib
c:\documents and settings\Dell\Cookies\titavu.com
c:\documents and settings\Dell\Local Settings\Application Data\defudisuqi.bat
c:\documents and settings\Dell\Local Settings\Application Data\ikes.dl
c:\documents and settings\Dell\Local Settings\Application Data\ozevezaveh._dl
c:\documents and settings\Dell\Local Settings\Application Data\yxyq.exe
c:\documents and settings\Dell\Local Settings\Temporary Internet Files\dilowo.reg
c:\documents and settings\Dell\Local Settings\Temporary Internet Files\kebuzisi.dl
c:\documents and settings\Dell\Local Settings\Temporary Internet Files\kega.lib
c:\documents and settings\Dell\Local Settings\Temporary Internet Files\qucafaho.inf
c:\program files\pdfforge Toolbar\SeARchsettings.dll
c:\recycler\S-1-5-21-861567501-1604221776-725345543-1003
c:\windows\axixicedojodohuj.dll
c:\windows\Installer\1d1f8a8.msp
c:\windows\Installer\7ff4d.msi
c:\windows\Installer\89cd5.msp
c:\windows\jestertb.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\Sonyhcp.dll
c:\windows\system32\Drivers\vadsp.sys
c:\windows\system32\NWCWorkstation.dll
c:\windows\system32\uactmp.db
c:\windows\system32\wbem\proquota.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_.NET_CLR
-------\Legacy_NWCWORKSTATION


((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-30 18:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-30 18:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-23 22:34 . 2009-09-23 22:34 -------- d-----w- c:\documents and settings\Dell\Application Data\Malwarebytes
2009-09-23 19:23 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-23 19:23 . 2009-09-23 22:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-23 19:23 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-23 19:21 . 2009-09-23 19:21 0 ----a-w- C:\backup.reg
2009-09-23 19:14 . 2009-09-24 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-23 19:14 . 2009-09-23 19:42 -------- d-----w- c:\program files\Search & Destroy
2009-09-23 16:52 . 2009-09-23 18:52 -------- d-----w- C:\SDFix
2009-09-23 16:24 . 2009-09-23 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-22 21:30 . 2009-09-22 21:30 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-09-22 21:21 . 2009-09-22 21:21 -------- d-----w- c:\windows\ERUNT
2009-09-22 20:20 . 2009-09-30 17:36 0 ----a-w- c:\windows\Qteyowel.bin
2009-09-22 20:15 . 2009-09-30 17:36 120 ----a-w- c:\windows\Ytazipejoxir.dat
2009-09-22 20:15 . 2009-09-30 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-21 20:06 . 2009-09-21 20:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-09-21 19:46 . 2009-09-29 20:18 -------- d-----w- C:\$AVG8.VAULT$
2009-09-21 18:38 . 2009-09-21 18:38 15265 ----a-w- c:\documents and settings\Dell\Local Settings\Application Data\izozi.dat
2009-09-21 16:46 . 2009-09-21 16:46 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-20 17:44 . 2009-09-20 17:44 -------- d-----w- c:\documents and settings\Dell\Local Settings\Application Data\{53F3CC18-71A5-4485-8E10-CB942605CCB7}
2009-09-10 20:03 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 18:24 . 2009-07-23 20:29 -------- d-----w- c:\program files\pdfforge Toolbar
2009-09-29 17:19 . 2008-10-01 14:26 -------- d-----w- c:\program files\Winamp Remote
2009-09-21 18:23 . 2008-08-09 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-28 20:04 . 2008-08-09 22:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 20:04 . 2008-08-09 22:27 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 20:04 . 2008-08-09 22:27 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 09:01 . 2002-08-29 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 05:43 . 2004-08-04 07:56 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-06-23 17:33 915456 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
"{B922D405-6D13-4A2B-AE89-08A030DA4402}"= "c:\program files\pdfforge Toolbar\pdfforgeToolbarIE.dll" [2009-06-25 688640]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{b922d405-6d13-4a2b-ae89-08a030da4402}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-03 68856]
"SpybotSD TeaTimer"="c:\program files\Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-01-13 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-01-13 114688]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-07-08 151597]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2002-12-13 225280]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2002-10-04 139264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]
"Name of App"="c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2008-07-07 675935]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-12 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"SearchSettings"="c:\program files\pdfforge Toolbar\SearchSettings.exe" [2009-06-13 998400]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 20:04 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [8/9/2008 4:27 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [8/9/2008 4:27 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/15/2008 2:23 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/15/2008 2:24 PM 297752]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [4/27/2007 1:00 AM 316992]
R2 SSIPDDP;SSIPDDP Parallel port device driver;c:\windows\SYSTEM32\DRIVERS\SSIPDDP.SYS [11/1/2003 3:47 PM 55296]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\SYSTEM32\DRIVERS\A3AB.sys [5/11/2006 1:11 PM 472096]
R3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [7/8/2003 9:01 AM 23296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
.Net CLR REG_MULTI_SZ .Net CLR

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-09-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-03 14:40]

2003-07-19 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Radio Toolbar Search - c:\documents and settings\All Users\Application Data\AOL Radio Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {1C1548FC-429F-4CAE-A234-03800DFEF10F} = 65.38.128.2,65.38.128.3
TCP: {5A38A204-4DF4-44A2-BC86-D403D8EBE638} = 65.38.128.2,65.38.128.3
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-*{57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - (no file)
URLSearchHooks-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-MCAgentExe - c:\program files\McAfee.com\Agent\mcagent.exe
HKLM-Run-MCUpdateExe - c:\progra~1\McAfee.com\Agent\McUpdate.exe
HKLM-Run-D-Link AirPremier AG Utility - c:\program files\D-Link\AirPremier AG Utility\AirPMCFG.exe
HKLM-Run-ANIWZCS2Service - c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
HKLM-Run-Rgixoseq - c:\windows\axixicedojodohuj.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 12:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??x???x???P???X???????????P???P???? ?w? ?w)??p????????(???{????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2788)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee.com\VSO\mcvsrte.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Winamp Remote\bin\Orb.exe
.
**************************************************************************
.
Completion time: 2009-09-30 12:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-30 18:32

Pre-Run: 374,813,196,288 bytes free
Post-Run: 374,901,252,096 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

246 --- E O F --- 2009-09-13 18:39




The computer restarted--I'm guessing that is not good.

Thanks again for your help.

Taun

#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:57 AM

Posted 01 October 2009 - 04:57 PM

Hello taun36,

The computer restarted--I'm guessing that is not good.

It is ok Combofix restarts computer to get rid on any files that it needs to.


1.
Revealin hidden files

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

2.
Use Windows Explorer to find and delete these files:

c:\windows\Qteyowel.bin
c:\windows\Ytazipejoxir.dat
c:\documents and settings\Dell\Local Settings\Application Data\izozi.dat
:

As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete



3.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

4.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)
Posted Image
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
5.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop post the contents of the DDS.txt log. Save the other report incase I need to look at it later.


Things to include in your next reply:
Eset log
DDS.txt
Attach.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#10 taun36

taun36
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 02 October 2009 - 03:42 PM

Hello,

The computer seems to running fine. Following are the results of the scans you requested:

DDS (Ver_09-09-29.01) - NTFSx86
Run by Dell at 14:27:02.93 on Fri 10/02/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.273 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Dell\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\search~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\pdfforgeToolbarIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {9167DA98-6F9B-46F1-991D-826CAE46CAB6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Name of App] c:\program files\samsung\fw liveupdate\FWManager.exe r
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SearchSettings] c:\program files\pdfforge toolbar\SearchSettings.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: &AOL Radio Toolbar Search - c:\documents and settings\all users\application data\aol radio toolbar\ietoolbar\resources\en-us\local\search.html
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\search~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217884775953
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {1C1548FC-429F-4CAE-A234-03800DFEF10F} = 65.38.128.2,65.38.128.3
TCP: {5A38A204-4DF4-44A2-BC86-D403D8EBE638} = 65.38.128.2,65.38.128.3
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-9 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-9 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-9 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-15 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-15 297752]
R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2003-7-8 94208]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2007-4-27 316992]
R2 SSIPDDP;SSIPDDP Parallel port device driver;c:\windows\system32\drivers\SSIPDDP.SYS [2003-11-1 55296]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2006-5-11 472096]
R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2003-7-8 225375]
R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2003-7-8 23296]

=============== Created Last 30 ================

2009-10-02 12:18 <DIR> --d----- c:\program files\ESET
2009-10-02 11:49 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-30 12:24 50,176 a------- c:\windows\system32\proquota.exe
2009-09-30 12:24 50,176 a------- c:\windows\system32\dllcache\proquota.exe
2009-09-30 12:18 <DIR> a-dshr-- C:\cmdcons
2009-09-30 12:14 229,888 a------- c:\windows\PEV.exe
2009-09-30 12:14 161,792 a------- c:\windows\SWREG.exe
2009-09-30 12:14 98,816 a------- c:\windows\sed.exe
2009-09-23 16:34 <DIR> --d----- c:\docume~1\dell\applic~1\Malwarebytes
2009-09-23 13:23 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-23 13:23 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-23 13:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-23 13:21 0 a------- C:\backup.reg
2009-09-23 13:14 <DIR> --d----- c:\program files\Search & Destroy
2009-09-23 13:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-23 10:52 <DIR> --d----- C:\SDFix
2009-09-23 10:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-22 15:30 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-09-22 15:21 <DIR> --d----- c:\windows\ERUNT
2009-09-21 13:50 2,184 a------- c:\windows\system32\wpa.dbl
2009-09-21 13:46 <DIR> --d----- C:\$AVG8.VAULT$
2009-09-10 14:03 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-10-02 11:49 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-28 14:04 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 14:04 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 03:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 03:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 07:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 13:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 13:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 07:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2008-08-11 13:38 1,570,816 a------- c:\docume~1\dell\applic~1\tsdnwin.dll
2008-08-19 09:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080420080811\index.dat
2008-08-19 09:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 14:28:08.53 ===============
Have a good weekend:)

Attached Files



#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:57 AM

Posted 03 October 2009 - 11:55 PM

Hello taun36,

Thanks for the logs. We have a little more work to do.

1.
pdfforge Toolbar v1.1 is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know. Read this article:

http://groups.google.com/group/mozilla.sup...cc6bd1e6009abe8

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: pdfforge Toolbar v1.1.

2.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\Program Files\pdfforge Toolbar

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=-
[-HKEY_CLASSES_ROOT\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InprocServer32]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"=-
[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{9167DA98-6F9B-46F1-991D-826CAE46CAB6}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9167DA98-6F9B-46F1-991D-826CAE46CAB6}"=-
[-HKEY_CLASSES_ROOT\CLSID\{9167DA98-6F9B-46F1-991D-826CAE46CAB6}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars]
"{32683183-48a0-441b-a342-7c2a440a9478}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
"{32683183-48a0-441b-a342-7c2a440a9478}"=-
[-HKEY_CLASSES_ROOT\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\InProcServer32]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

3.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop post the contents of the DDS.txt log. Save the other report incase I need to look at it later.


Things to include in your next reply:
Combofix.txt
DDS.txt
No need for Attach.txt
How is your machine running?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:57 AM

Posted 05 October 2009 - 07:06 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :(

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#13 taun36

taun36
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 08 October 2009 - 12:01 PM

Hello fireman4it,

Sorry for my delayed response--I've been sick. Attached are the results of the scans:


DDS (Ver_09-09-29.01) - NTFSx86
Run by Dell at 10:42:34.37 on Thu 10/08/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.530 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Dell\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\search~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Name of App] c:\program files\samsung\fw liveupdate\FWManager.exe r
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: &AOL Radio Toolbar Search - c:\documents and settings\all users\application data\aol radio toolbar\ietoolbar\resources\en-us\local\search.html
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\search~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217884775953
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {1C1548FC-429F-4CAE-A234-03800DFEF10F} = 65.38.128.2,65.38.128.3
TCP: {5A38A204-4DF4-44A2-BC86-D403D8EBE638} = 65.38.128.2,65.38.128.3
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-9 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-9 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-9 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-15 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-15 297752]
R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2003-7-8 94208]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2007-4-27 316992]
R2 SSIPDDP;SSIPDDP Parallel port device driver;c:\windows\system32\drivers\SSIPDDP.SYS [2003-11-1 55296]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2006-5-11 472096]
R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2003-7-8 23296]
S3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2003-7-8 225375]

=============== Created Last 30 ================

2009-10-02 12:18 <DIR> --d----- c:\program files\ESET
2009-10-02 11:49 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-30 12:24 50,176 a------- c:\windows\system32\proquota.exe
2009-09-30 12:24 50,176 a------- c:\windows\system32\dllcache\proquota.exe
2009-09-30 12:18 <DIR> a-dshr-- C:\cmdcons
2009-09-30 12:14 229,888 a------- c:\windows\PEV.exe
2009-09-30 12:14 161,792 a------- c:\windows\SWREG.exe
2009-09-30 12:14 98,816 a------- c:\windows\sed.exe
2009-09-23 16:34 <DIR> --d----- c:\docume~1\dell\applic~1\Malwarebytes
2009-09-23 13:23 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-23 13:23 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-23 13:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-23 13:21 0 a------- C:\backup.reg
2009-09-23 13:14 <DIR> --d----- c:\program files\Search & Destroy
2009-09-23 13:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-23 10:52 <DIR> --d----- C:\SDFix
2009-09-23 10:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-22 15:30 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-09-22 15:21 <DIR> --d----- c:\windows\ERUNT
2009-09-21 13:50 2,184 a------- c:\windows\system32\wpa.dbl
2009-09-21 13:46 <DIR> --d----- C:\$AVG8.VAULT$
2009-09-10 14:03 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-10-02 11:49 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-28 14:04 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 14:04 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 03:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 03:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 07:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 13:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 13:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2008-08-11 13:38 1,570,816 a------- c:\docume~1\dell\applic~1\tsdnwin.dll
2008-08-19 09:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080420080811\index.dat
2008-08-19 09:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 10:42:59.00 ===============

The computer seems to be running better than it has in a while--thanks!

Attached Files



#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:57 AM

Posted 09 October 2009 - 10:43 AM

Hello taun36,

1.
New Adobe Reader Installation:
  • Go here and click on AdbeRdr910_en_US.exe to download the latest version of Adobe Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.
2.
Congradulations your log is clean! :( :(

Uninstall ComboFix
  • Remove Combofix now that we're done with it.

  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
    Posted Image
  • You will then recieve a message letting you know that Combofix was uninstalled Successfully.
This will remove files/folders assoicated with combofix and uninstall it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.
Please also have a look at the following links, giving some advice and suggestions for preventing future infections:Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
I recommend you regularly visit the Windows Update Site , you where lagging behind on a few of them!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache! Posted Image
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Another recommend, is to download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select atleast one of the three (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#15 taun36

taun36
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 09 October 2009 - 03:54 PM

Thanks for all of your help!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users