

Personal Guard Infection


  • This topic is locked
13 replies to this topic

#1 barockteer

barockteer

  • Members
  • 16 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 31 October 2009 - 06:23 AM

Even after removal by Malwarebytes or SpybotSD, Personal Guard virus reappears. If the file folder in c:/Program Files is manually removed, it reappears a minute or two later. No other infections found at this time. Any help VERY GRATEFULLY APPRECIATED.

-barockteer


DDS (Ver_09-10-26.01) - NTFSx86
Run by Tony at 6:46:18.95 on Sat 10/31/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.309 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Evoluent\VMouse\EvoMouExec.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Tony\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.eham.net/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dellnet.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = hxxp://localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: GoodSearch Toolbar: {4e7bd74f-2b8d-469e-95ba-ed6db186be32} - c:\progra~1\goodse~1\GOODSE~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
TB: GoodSearch Toolbar: {4e7bd74f-2b8d-469e-95ba-ed6db186be32} - c:\progra~1\goodse~1\GOODSE~1.DLL
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.6.0_01\bin\jusched.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\evolue~1.lnk - c:\windows\installer\{b302e244-708b-4039-9227-29a4141477f4}\_9798650D203BC37858D4E1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\HOTSYNC.EXE
IE: &Highlight - c:\windows\web\highlight.htm
IE: &Links List - c:\windows\web\urllist.htm
IE: &Web Search - c:\windows\web\selsearch.htm
IE: E&xport to Microsoft Excel - c:\msoffice\office11\EXCEL.EXE/3000
IE: I&mages List - c:\windows\web\imglist.htm
IE: Open Frame in &New Window - c:\windows\web\frm2new.htm
IE: Zoom &In - c:\windows\web\zoomin.htm
IE: Zoom O&ut - c:\windows\web\zoomout.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\msoffice\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: ebay.com\www
Trusted Zone: microsoft.com\office
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! NFL GameChannel StatTracker - hxxp://aud13.sports.sc5.yahoo.com/java/y/nflgcst1016_x.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.lizardtech.com/plugins/en_US/DjVuControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {428A9DEF-F057-402B-9F2D-A5887F4544ED} - hxxp://download.microsoft.com/download/f/0/2/f02b515c-7076-4cee-bc08-fd6fea594578/VirtualEarth3D.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.7.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/13a9a9039b6e16a32317/netzip/RdxIE601.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} - hxxp://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\nasotive.dll c:\windows\system32\jesutoko.dll
SSODL: zurononis - {ba1c7aee-ebb9-4835-ad78-44f980ef0577} - c:\windows\system32\nasotive.dll
SSODL: SysNet - {C2503857-BB6D-4D2E-83BC-344F74D8AB5B} - c:\documents and settings\all users\microsoft adata\sysnet.dll
STS: kupuhivus: {ba1c7aee-ebb9-4835-ad78-44f980ef0577} - c:\windows\system32\nasotive.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tony\applic~1\mozilla\firefox\profiles\edace1ud.default\
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\tony\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-12 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-12 108552]
R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [2009-8-17 2996]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-12 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-16 297752]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPortIO.SYS [2007-10-8 3584]
R2 meprog;meprog;c:\windows\system32\drivers\meProg.sys [2006-10-24 5281]
R2 mplabice;mplabice;c:\windows\system32\drivers\mplabice.sys [2003-3-13 23840]
R3 evomouflt;Evoluent Mouse Filter Service;c:\windows\system32\drivers\evomouflt.sys [2008-3-19 15872]
S3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\drivers\inidvd.sys [2009-2-15 7936]

=============== Created Last 30 ================

2009-10-31 10:28:07 0 d-----w- c:\program files\Personal Guard 2009
2009-10-31 01:36:37 0 d-----w- c:\docume~1\tony\applic~1\Malwarebytes
2009-10-31 01:36:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-31 01:36:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-31 01:36:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-31 01:36:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 01:23:48 382976 ----a-w- c:\windows\system32\winsc.exe
2009-10-31 00:27:54 0 d-----w- c:\windows\ie8updates
2009-10-31 00:26:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-31 00:26:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-31 00:26:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-10-31 00:26:06 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-10-31 00:26:05 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-31 00:25:59 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-10-31 00:12:10 51197 ----a-w- c:\windows\spoov.exe
2009-10-31 00:12:10 47872 ----a-w- c:\windows\certsystem.exe
2009-10-31 00:12:10 38352 ----a-w- c:\windows\regred.exe
2009-10-31 00:12:10 33149 ----a-w- c:\windows\usexplorer.exe
2009-10-31 00:12:10 28320 ----a-w- c:\windows\securits.com
2009-10-31 00:12:10 18941 ----a-w- c:\windows\microsoftdef.dll
2009-10-31 00:12:08 0 d-----w- c:\documents and settings\all users\Microsoft AData
2009-10-31 00:11:45 0 d-sh--w- c:\documents and settings\tony\PrivacIE
2009-10-31 00:09:44 0 d-sh--w- c:\documents and settings\tony\IETldCache
2009-10-31 00:03:41 0 dc-h--w- c:\windows\ie8
2009-10-26 20:49:51 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-26 15:59:17 0 ---ha-w- c:\windows\system32\Copy of hapeweze.dll
2009-10-11 21:49:11 0 d-----w- c:\program files\Citrix
2009-10-11 21:48:40 70984 ----a-w- c:\documents and settings\tony\g2mdlhlpx.exe
2009-10-09 12:23:33 0 d-----w- C:\dx4w802
2009-10-02 20:18:29 0 d-----w- c:\program files\GnuWin32

==================== Find3M ====================

2009-09-25 05:37:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-29 13:44:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2009-08-29 08:08:21 1208832 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2009-08-29 08:08:20 5940224 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-08-29 08:08:20 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-08-29 08:08:18 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-08-29 08:08:17 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-08-29 08:08:13 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-08-28 10:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 09:01:48 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 00:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-05 00:44:46 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 15:13:08 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 14:20:09 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 14:20:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 14:20:08 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2003-03-11 06:58:32 207758 ----a-w- c:\program files\INSTALL.LOG
2009-07-25 09:22:02 0 --sha-w- c:\windows\system32\doyojefi.dll
2009-07-25 09:22:02 0 --sha-w- c:\windows\system32\nupehewo.dll

============= FINISH: 6:47:39.59 ===============
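As an added defender-side example (not from the original thread and not part of DDS, MBAM or ComboFix), the script below triages the load-point lines of the DDS "Pseudo HJT Report" above: it groups the AppInit_DLLs, SSODL, STS and Notify entries by DLL and lists why each one deserves review before anything is removed. The sample lines are copied from the report; the known-good allowlist and the heuristics are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: load-point lines in the format of the DDS "Pseudo HJT
# Report" above (two Notify entries plus the AppInit_DLLs, SSODL and STS lines).
SAMPLE_REPORT = r"""
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\nasotive.dll c:\windows\system32\jesutoko.dll
SSODL: zurononis - {ba1c7aee-ebb9-4835-ad78-44f980ef0577} - c:\windows\system32\nasotive.dll
SSODL: SysNet - {C2503857-BB6D-4D2E-83BC-344F74D8AB5B} - c:\documents and settings\all users\microsoft adata\sysnet.dll
STS: kupuhivus: {ba1c7aee-ebb9-4835-ad78-44f980ef0577} - c:\windows\system32\nasotive.dll
"""

# Analyst-maintained allowlist of DLL basenames (constructed for this example).
KNOWN_GOOD = {"avgrsstx.dll", "igfxsrvc.dll"}

# Directories meant for user data, not for code that every logon loads.
DATA_DIRS = ("\\documents and settings\\", "\\programdata\\", "\\users\\")

# One pattern per DDS load-point prefix; CLSIDs are matched but not kept.
PATTERNS = {
    "AppInit_DLLs": re.compile(r"^AppInit_DLLs:\s*(?P<path>.+)$", re.I),
    "SSODL": re.compile(r"^SSODL:\s*(?P<name>.+?)\s*-\s*\{[0-9a-f-]+\}\s*-\s*(?P<path>.+)$", re.I),
    "STS": re.compile(r"^STS:\s*(?P<name>.+?):\s*\{[0-9a-f-]+\}\s*-\s*(?P<path>.+)$", re.I),
    "Notify": re.compile(r"^Notify:\s*(?P<name>.+?)\s*-\s*(?P<path>.+)$", re.I),
}

VOWELS = set("aeiou")


def parse_load_points(report):
    """Return a list of (kind, name, path) tuples for every recognised line."""
    points = []
    for line in report.splitlines():
        line = line.strip()
        for kind, pattern in PATTERNS.items():
            match = pattern.match(line)
            if not match:
                continue
            if kind == "AppInit_DLLs":
                # The value is a whitespace-separated list of DLLs; Windows loads
                # each of them into every process that links user32.dll.
                for path in match.group("path").split():
                    points.append((kind, "AppInit_DLLs", path))
            else:
                points.append((kind, match.group("name"), match.group("path")))
            break
    return points


def looks_generated(stem):
    """Weak signal: 7+ letters that strictly alternate consonant and vowel,
    the pattern the random-looking names in the report above follow."""
    s = stem.lower()
    if len(s) < 7 or not s.isalpha():
        return False
    classes = [c in VOWELS for c in s]
    return all(a != b for a, b in zip(classes, classes[1:]))


def triage(report):
    """Group load points by DLL path (lower-cased) and attach review reasons.
    DLLs on the allowlist and DLLs with no reason at all are left out."""
    by_dll = defaultdict(lambda: {"kinds": [], "names": []})
    for kind, name, path in parse_load_points(report):
        by_dll[path.lower()]["kinds"].append(kind)
        by_dll[path.lower()]["names"].append(name)

    findings = {}
    for path, entry in by_dll.items():
        base = path.rsplit("\\", 1)[-1]
        if base in KNOWN_GOOD:
            continue
        reasons = []
        if "AppInit_DLLs" in entry["kinds"]:
            reasons.append("AppInit_DLLs injects this DLL into every GUI process")
        if any(d in path for d in DATA_DIRS):
            reasons.append("code loaded from a user-data directory")
        if len(entry["kinds"]) > 1:
            reasons.append("registered at %d load points: %s"
                           % (len(entry["kinds"]), ", ".join(entry["kinds"])))
        if looks_generated(base.split(".")[0]) or any(looks_generated(n) for n in entry["names"]):
            reasons.append("pseudo-random name")
        if reasons:
            findings[path] = {"kinds": entry["kinds"], "reasons": reasons}
    return findings


if __name__ == "__main__":
    for path, info in triage(SAMPLE_REPORT).items():
        print(path)
        for reason in info["reasons"]:
            print("  -", reason)
```

The same three DLLs the helper's later ComboFix run deals with come out on top because they are corroborated by more than one signal, which is the point: a single load point with an unfamiliar name is a lead, several pointing at the same file is a pattern.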


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:34 PM

Posted 31 October 2009 - 09:49 AM

Hi barockteer,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#3 barockteer

barockteer
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 31 October 2009 - 03:00 PM

Farbar-

Took a very long time to run, like 1.5 hrs. However, now it seems PersonalGuard is gone and not reappearing. Is there anything else I need to do? Waiting for you to give the 'ALL CLEAR' before I start some housecleaning...

-Barockteer

combofix.txt pasted below

ComboFix 09-10-30.01 - Tony 10/31/2009 12:49.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.357 [GMT -4:00]
Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Microsoft AData
c:\documents and settings\All Users\Microsoft AData\sysnet.dll
c:\documents and settings\All Users\Microsoft AData\t.sid
c:\documents and settings\Tony\Desktop\Personal Guard 2009.lnk
c:\documents and settings\Tony\Start Menu\Programs\Personal Guard 2009
c:\program files\INSTALL.LOG
c:\program files\Personal Guard 2009
c:\program files\Personal Guard 2009\config.scf
c:\program files\Personal Guard 2009\mmbase.sdb
c:\program files\Personal Guard 2009\personalguard.exe
c:\program files\Personal Guard 2009\q.sdb
c:\program files\Personal Guard 2009\uninstalls.exe
c:\program files\Personal Guard 2009\vvbase.sdb
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\microsoftdef.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\FTPx.dll
c:\windows\system32\MabryObj.dll
c:\windows\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))
.

2009-10-31 15:07 . 2009-10-31 15:07 382976 ----a-w- c:\windows\system32\winsc.exe
2009-10-31 05:04 . 2009-10-31 05:04 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-31 01:36 . 2009-10-31 01:36 -------- d-----w- c:\documents and settings\Tony\Application Data\Malwarebytes
2009-10-31 01:36 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-31 01:36 . 2009-10-31 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-31 01:36 . 2009-10-31 01:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 01:36 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-31 00:27 . 2009-10-31 00:27 -------- d-----w- c:\windows\ie8updates
2009-10-31 00:26 . 2009-08-29 08:08 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-31 00:26 . 2009-08-29 08:08 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-31 00:26 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-10-31 00:26 . 2009-08-29 08:08 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-10-31 00:26 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-31 00:25 . 2009-08-29 08:08 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-10-31 00:12 . 2009-10-31 15:07 38352 ----a-w- c:\windows\regred.exe
2009-10-31 00:12 . 2009-10-31 15:07 33149 ----a-w- c:\windows\usexplorer.exe
2009-10-31 00:12 . 2009-10-31 15:07 47872 ----a-w- c:\windows\certsystem.exe
2009-10-31 00:12 . 2009-10-31 15:07 28320 ----a-w- c:\windows\securits.com
2009-10-31 00:12 . 2009-10-31 15:07 51197 ----a-w- c:\windows\spoov.exe
2009-10-31 00:11 . 2009-10-31 00:11 -------- d-sh--w- c:\documents and settings\Tony\PrivacIE
2009-10-31 00:10 . 2009-10-31 00:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-31 00:09 . 2009-10-31 00:09 -------- d-sh--w- c:\documents and settings\Tony\IETldCache
2009-10-31 00:03 . 2009-10-31 00:06 -------- dc-h--w- c:\windows\ie8
2009-10-26 20:49 . 2009-10-26 23:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-26 15:59 . 2009-07-25 09:22 0 ---ha-w- c:\windows\system32\Copy of hapeweze.dll
2009-10-11 21:49 . 2009-10-11 21:49 -------- d-----w- c:\program files\Citrix
2009-10-11 21:48 . 2009-10-11 21:48 70984 ----a-w- c:\documents and settings\Tony\g2mdlhlpx.exe
2009-10-09 12:23 . 2009-10-09 12:23 -------- d-----w- C:\dx4w802
2009-10-02 20:18 . 2009-10-02 20:18 -------- d-----w- c:\program files\GnuWin32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 02:52 . 2008-02-04 16:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-30 22:46 . 2003-03-16 17:25 -------- d-----w- c:\program files\Street Atlas USA 7.0
2009-10-29 20:42 . 2003-05-21 02:36 -------- d-----w- c:\program files\TrustedQSL
2009-10-29 20:40 . 2007-10-09 00:47 -------- d-----w- c:\program files\N1MM logger
2009-10-26 22:19 . 2003-07-02 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-24 01:03 . 2009-09-13 13:24 -------- d-----w- c:\documents and settings\Tony\Application Data\Power Sound Editor Free
2009-10-22 21:44 . 2008-07-14 23:05 -------- d-----w- c:\documents and settings\Tony\Application Data\U3
2009-10-19 22:24 . 2003-03-11 06:54 -------- d-----w- c:\program files\QUICKENW
2009-10-07 23:11 . 2008-10-04 22:22 -------- d-----w- c:\program files\IG miniVNA
2009-10-02 20:50 . 2003-03-15 22:54 -------- d-----w- c:\program files\dx4w407
2009-09-27 22:09 . 2009-09-27 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2009-09-27 22:06 . 2009-09-27 22:06 -------- d-----w- c:\documents and settings\Tony\Application Data\Afreet
2009-09-27 22:06 . 2008-02-04 16:23 -------- d-----w- c:\program files\Afreet
2009-09-13 13:24 . 2009-09-13 13:23 -------- d-----w- c:\program files\Power Sound Editor Free
2009-09-13 12:21 . 2009-09-12 20:03 -------- d-----w- c:\documents and settings\Tony\Application Data\Move Networks
2009-09-11 14:18 . 2002-08-29 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 13:44 . 2008-08-13 02:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-29 13:44 . 2008-08-13 02:22 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-29 13:44 . 2008-08-13 02:22 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-29 08:08 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-21 18:30 . 2003-03-13 17:56 71968 ----a-w- c:\documents and settings\Tony\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 23:30 . 2009-08-17 23:30 2996 ----a-w- c:\windows\system32\drivers\hwinterface.sys
2009-08-05 09:01 . 2002-08-29 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 1980-01-01 06:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 1980-01-01 06:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-25 09:22 . 2009-07-25 09:22 0 --sha-w- c:\windows\SYSTEM32\doyojefi.dll
2009-07-25 09:22 . 2009-07-25 09:22 0 --sha-w- c:\windows\SYSTEM32\nupehewo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2005-10-14 69632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-05-11 684032]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-01 151552]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-3 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Evoluent Mouse Manager.lnk - c:\windows\Installer\{B302E244-708B-4039-9227-29A4141477F4}\_9798650D203BC37858D4E1.exe [2009-8-10 1150]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 13:44 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector Express\\PDX.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [8/12/2008 10:22 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [8/12/2008 10:22 PM 108552]
R1 hwinterface;hwinterface;c:\windows\SYSTEM32\DRIVERS\hwinterface.sys [8/17/2009 7:30 PM 2996]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/12/2008 10:21 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/16/2008 8:09 AM 297752]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\SYSTEM32\DRIVERS\DLPortIO.SYS [10/8/2007 9:20 PM 3584]
R2 meprog;meprog;c:\windows\SYSTEM32\DRIVERS\meProg.sys [10/24/2006 8:24 PM 5281]
R2 mplabice;mplabice;c:\windows\SYSTEM32\DRIVERS\mplabice.sys [3/13/2003 10:14 PM 23840]
R3 evomouflt;Evoluent Mouse Filter Service;c:\windows\SYSTEM32\DRIVERS\evomouflt.sys [3/19/2008 11:56 AM 15872]
R3 INIDVD;Initio USB DVD Filter Driver;c:\windows\SYSTEM32\DRIVERS\inidvd.sys [2/15/2009 9:32 AM 7936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-07-15 13:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.eham.net/
uInternet Settings,ProxyOverride = hxxp://localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Highlight - c:\windows\WEB\highlight.htm
IE: &Links List - c:\windows\WEB\urllist.htm
IE: E&xport to Microsoft Excel - c:\msoffice\OFFICE11\EXCEL.EXE/3000
IE: I&mages List - c:\windows\Web\imglist.htm
IE: Open Frame in &New Window - c:\windows\WEB\frm2new.htm
IE: Zoom &In - c:\windows\WEB\zoomin.htm
IE: Zoom O&ut - c:\windows\WEB\zoomout.htm
Trusted Zone: ebay.com\www
Trusted Zone: microsoft.com\office
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Tony\Application Data\Mozilla\Firefox\Profiles\edace1ud.default\
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Tony\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
HKLM-Run-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
SharedTaskScheduler-{ba1c7aee-ebb9-4835-ad78-44f980ef0577} - c:\windows\system32\nasotive.dll
SSODL-zurononis-{ba1c7aee-ebb9-4835-ad78-44f980ef0577} - c:\windows\system32\nasotive.dll
SSODL-SysNet-{C2503857-BB6D-4D2E-83BC-344F74D8AB5B} - c:\documents and settings\All Users\Microsoft AData\sysnet.dll
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
AddRemove-AOLAntivirus - c:\program files\mcafee.com\antivirus\uninst.exe
AddRemove-exPressit S.E. 2.1 - c:\program files\exPressit S.E. 2.1\UninstallerData\Uninstall exPressit S.E. 2.1.exe
AddRemove-goodsearch - c:\program files\goodsearch\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-31 13:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??h???x???@???X???????????@???P???? ?w? ?w)??p????????(???y????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
.
Completion time: 2009-10-31 13:42
ComboFix-quarantined-files.txt 2009-10-31 17:42

Pre-Run: 14,432,460,800 bytes free
Post-Run: 14,626,861,056 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - D6D805546E64EA2005015CE37AC22852

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:34 PM

Posted 31 October 2009 - 06:48 PM

Please do the first step too and post the log.

#5 barockteer

Posted 31 October 2009 - 07:43 PM

Thank you very much for your help!

I ran Malwarebytes before combofix. Then I ran Malwarebytes after I ran combofix and it found nothing. Specifically what should I do - run Malwarebytes again, then combofix again?

Here's the log from the last run of Malwarebytes:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/31/2009 7:15:23 PM
mbam-log-2009-10-31 (19-15-23).txt

Scan type: Quick Scan
Objects scanned: 112186
Time elapsed: 7 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 barockteer

Posted 31 October 2009 - 07:52 PM

Forgot - here's the log from Malwarebytes before running combofix:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/31/2009 11:04:29 AM
mbam-log-2009-10-31 (11-04-29).txt

Scan type: Quick Scan
Objects scanned: 134485
Time elapsed: 17 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Personal Guard 2009\personalguard.exe (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

#7 Farbar

Posted 01 November 2009 - 06:57 AM

Please give this a little time, read the whole post, and follow the instructions as they are to avoid reposting. Step 1 is not done yet. Malwarebytes has not been updated for ages. So please do step 1 again.

Edited by farbar, 01 November 2009 - 06:58 AM.
spelling


#8 barockteer

Posted 01 November 2009 - 07:31 AM

Sorry to be so bad at following directions...

Did the update, here's the log:

Malwarebytes' Anti-Malware 1.41
Database version: 3076
Windows 5.1.2600 Service Pack 3

11/1/2009 7:20:27 AM
mbam-log-2009-11-01 (07-20-27).txt

Scan type: Quick Scan
Objects scanned: 120777
Time elapsed: 8 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-3272229096-383963287-3003089236-1006\Dc1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\certSystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\regred.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\securits.com (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\spoov.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\usExplorer.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

#9 Farbar

Posted 01 November 2009 - 09:08 AM

It is better now.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

http://www.bleepingcomputer.com/forums/t/268233/personal-guard-infection/

Collect::
c:\windows\system32\winsc.exe
c:\windows\SYSTEM32\doyojefi.dll
c:\windows\SYSTEM32\nupehewo.dll
DDS::
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Trusted Zone: ebay.com\www

Save this as CFScript.txt


Posted Image


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Important Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


#10 barockteer

Posted 01 November 2009 - 10:36 AM

Done. Anything else that needs to be done? THANKS!!

Here is the log:

ComboFix 09-10-30.01 - Tony 11/01/2009 9:44.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.370 [GMT -5:00]
Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tony\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

file zipped: c:\windows\SYSTEM32\doyojefi.dll
file zipped: c:\windows\SYSTEM32\nupehewo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Copy of hapeweze.dll
c:\windows\SYSTEM32\doyojefi.dll
c:\windows\system32\FTPx.dll
c:\windows\system32\MabryObj.dll
c:\windows\SYSTEM32\nupehewo.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2009-10-31 05:04 . 2009-10-31 05:04 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-31 01:36 . 2009-10-31 01:36 -------- d-----w- c:\documents and settings\Tony\Application Data\Malwarebytes
2009-10-31 01:36 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-31 01:36 . 2009-10-31 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-31 01:36 . 2009-10-31 01:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 01:36 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-31 00:27 . 2009-10-31 00:27 -------- d-----w- c:\windows\ie8updates
2009-10-31 00:26 . 2009-08-29 08:08 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-31 00:26 . 2009-08-29 08:08 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-31 00:26 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-10-31 00:26 . 2009-08-29 08:08 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-10-31 00:26 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-31 00:25 . 2009-08-29 08:08 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-10-31 00:11 . 2009-10-31 00:11 -------- d-sh--w- c:\documents and settings\Tony\PrivacIE
2009-10-31 00:10 . 2009-10-31 00:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-31 00:09 . 2009-10-31 00:09 -------- d-sh--w- c:\documents and settings\Tony\IETldCache
2009-10-31 00:03 . 2009-10-31 00:06 -------- dc-h--w- c:\windows\ie8
2009-10-26 20:49 . 2009-10-26 23:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-11 21:49 . 2009-10-11 21:49 -------- d-----w- c:\program files\Citrix
2009-10-11 21:48 . 2009-10-11 21:48 70984 ----a-w- c:\documents and settings\Tony\g2mdlhlpx.exe
2009-10-09 12:23 . 2009-10-09 12:23 -------- d-----w- C:\dx4w802
2009-10-02 20:18 . 2009-10-02 20:18 -------- d-----w- c:\program files\GnuWin32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 02:52 . 2008-02-04 16:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-30 22:46 . 2003-03-16 17:25 -------- d-----w- c:\program files\Street Atlas USA 7.0
2009-10-29 20:42 . 2003-05-21 02:36 -------- d-----w- c:\program files\TrustedQSL
2009-10-29 20:40 . 2007-10-09 00:47 -------- d-----w- c:\program files\N1MM logger
2009-10-26 22:19 . 2003-07-02 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-24 01:03 . 2009-09-13 13:24 -------- d-----w- c:\documents and settings\Tony\Application Data\Power Sound Editor Free
2009-10-22 21:44 . 2008-07-14 23:05 -------- d-----w- c:\documents and settings\Tony\Application Data\U3
2009-10-19 22:24 . 2003-03-11 06:54 -------- d-----w- c:\program files\QUICKENW
2009-10-07 23:11 . 2008-10-04 22:22 -------- d-----w- c:\program files\IG miniVNA
2009-10-02 20:50 . 2003-03-15 22:54 -------- d-----w- c:\program files\dx4w407
2009-09-27 22:09 . 2009-09-27 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2009-09-27 22:06 . 2009-09-27 22:06 -------- d-----w- c:\documents and settings\Tony\Application Data\Afreet
2009-09-27 22:06 . 2008-02-04 16:23 -------- d-----w- c:\program files\Afreet
2009-09-13 13:24 . 2009-09-13 13:23 -------- d-----w- c:\program files\Power Sound Editor Free
2009-09-13 12:21 . 2009-09-12 20:03 -------- d-----w- c:\documents and settings\Tony\Application Data\Move Networks
2009-09-11 14:18 . 2002-08-29 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 13:44 . 2008-08-13 02:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-29 13:44 . 2008-08-13 02:22 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-29 13:44 . 2008-08-13 02:22 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-29 08:08 . 2004-02-06 22:05 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-08-29 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-21 18:30 . 2003-03-13 17:56 71968 ----a-w- c:\documents and settings\Tony\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 23:30 . 2009-08-17 23:30 2996 ----a-w- c:\windows\system32\drivers\hwinterface.sys
2009-08-05 09:01 . 2002-08-29 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 1980-01-01 06:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 1980-01-01 06:00 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-31_17.27.36 )))))))))))))))))))))))))))))))))))))))))
.
- 2002-09-03 08:13 . 2009-10-16 07:33 68418 c:\windows\SYSTEM32\PERFC009.DAT
+ 2002-09-03 08:13 . 2009-11-01 12:26 68418 c:\windows\SYSTEM32\PERFC009.DAT
- 2007-12-13 10:32 . 2007-12-13 10:32 40960 c:\windows\Installer\{647E6B9D-58A1-42B4-955C-BC6CD4F0E9FE}\NewShortcut4_64B93B3632B54973AFD05BA9081F8980.exe
+ 2007-12-13 10:32 . 2009-10-31 20:46 40960 c:\windows\Installer\{647E6B9D-58A1-42B4-955C-BC6CD4F0E9FE}\NewShortcut4_64B93B3632B54973AFD05BA9081F8980.exe
+ 2007-12-13 10:32 . 2009-10-31 20:46 40960 c:\windows\Installer\{647E6B9D-58A1-42B4-955C-BC6CD4F0E9FE}\New_Shortcut_S5784.exe
- 2007-12-13 10:32 . 2007-12-13 10:32 40960 c:\windows\Installer\{647E6B9D-58A1-42B4-955C-BC6CD4F0E9FE}\New_Shortcut_S5784.exe
- 2007-12-13 10:32 . 2007-12-13 10:32 40960 c:\windows\Installer\{647E6B9D-58A1-42B4-955C-BC6CD4F0E9FE}\New_Shortcut_S5781.exe
+ 2007-12-13 10:32 . 2009-10-31 20:46 40960 c:\windows\Installer\{647E6B9D-58A1-42B4-955C-BC6CD4F0E9FE}\New_Shortcut_S5781.exe
+ 2002-09-03 08:13 . 2009-11-01 12:26 436030 c:\windows\SYSTEM32\PERFH009.DAT
- 2002-09-03 08:13 . 2009-10-16 07:33 436030 c:\windows\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2005-10-14 69632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-05-11 684032]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-01 151552]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-3 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Evoluent Mouse Manager.lnk - c:\windows\Installer\{B302E244-708B-4039-9227-29A4141477F4}\_9798650D203BC37858D4E1.exe [2009-8-10 1150]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 13:44 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector Express\\PDX.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [8/12/2008 9:22 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [8/12/2008 9:22 PM 108552]
R1 hwinterface;hwinterface;c:\windows\SYSTEM32\DRIVERS\hwinterface.sys [8/17/2009 6:30 PM 2996]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/12/2008 9:21 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/16/2008 7:09 AM 297752]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\SYSTEM32\DRIVERS\DLPortIO.SYS [10/8/2007 8:20 PM 3584]
R2 meprog;meprog;c:\windows\SYSTEM32\DRIVERS\meProg.sys [10/24/2006 7:24 PM 5281]
R2 mplabice;mplabice;c:\windows\SYSTEM32\DRIVERS\mplabice.sys [3/13/2003 9:14 PM 23840]
R3 evomouflt;Evoluent Mouse Filter Service;c:\windows\SYSTEM32\DRIVERS\evomouflt.sys [3/19/2008 10:56 AM 15872]
R3 INIDVD;Initio USB DVD Filter Driver;c:\windows\SYSTEM32\DRIVERS\inidvd.sys [2/15/2009 8:32 AM 7936]

--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-07-15 13:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.eham.net/
uInternet Settings,ProxyOverride = hxxp://localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Highlight - c:\windows\WEB\highlight.htm
IE: &Links List - c:\windows\WEB\urllist.htm
IE: E&xport to Microsoft Excel - c:\msoffice\OFFICE11\EXCEL.EXE/3000
IE: I&mages List - c:\windows\Web\imglist.htm
IE: Open Frame in &New Window - c:\windows\WEB\frm2new.htm
IE: Zoom &In - c:\windows\WEB\zoomin.htm
IE: Zoom O&ut - c:\windows\WEB\zoomout.htm
Trusted Zone: microsoft.com\office
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Tony\Application Data\Mozilla\Firefox\Profiles\edace1ud.default\
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Tony\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 10:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??h???x???@???X???????????@???P???? ?w? ?w)??p????????(???y????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
.
Completion time: 2009-11-01 10:32
ComboFix-quarantined-files.txt 2009-11-01 15:31
ComboFix2.txt 2009-10-31 17:42

Pre-Run: 14,632,308,736 bytes free
Post-Run: 14,638,592,000 bytes free

- - End Of File - - 1063E28E25097A2593C0E2F5313623A3
Upload was successful

#11 Farbar

Posted 02 November 2009 - 03:59 AM

We are almost there. We have cleaned the active malware. Let's see if ESET finds anything (other than those removed infections in the Quarantine folder of ComboFix or in System Volume Information. These two folders will be emptied next round when we uninstall ComboFix and round off).
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
  • I'd like us to scan your machine with ESET OnlineScan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the Posted Image button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


#12 barockteer

Posted 02 November 2009 - 11:51 AM

Farbar-

Here are the results of the ESET scan. Also, can you suggest good firewall and antivirus software? Obviously it seems my free stuff isn't doing the job...

Thanks again.

C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2441\A0336341.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2441\A0336342.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined


and here is the log file:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2f3130135ef93946a4aaa20150583805
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-02 02:16:37
# local_time=2009-11-02 09:16:37 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1028 16777173 100 95 0 37647063 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 100 74 14844762 24511320 0 0
# scanned=145262
# found=4
# cleaned=4
# scan_time=8620
C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2441\A0336341.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2441\A0336342.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#13 Farbar

Posted 02 November 2009 - 01:47 PM

Everything looks good. :(

Go to Start => Run => copy and paste next command in the field then hit enter:

ComboFix /Uninstall

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.


To answer your question: if you want to use a paid antivirus, I recommend Kaspersky and ESET Nod32, and after them BitDefender does a pretty good job. If you purchase the Internet Security version of them, it also has a firewall.

If you don't have any question I wish you happy surfing. :(

#14 Farbar

Posted 12 November 2009 - 06:47 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
