
Need help removing Search Engine Hijacker


  • This topic is locked
16 replies to this topic

#1 jeffy13

jeffy13

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:12 PM

Posted 28 December 2009 - 05:10 PM

Hello. I am new to this so I hope I give you all the information you need to help solve this miserable problem. I am currently running Microsoft Vista and IE 8. Any search I do, when I click on one of the results I get redirected to some bogus search site. I have tried several spyware and malware removal tools but nothing helps. I have attached DDS log files and RootRepeal log file for your review. I appreciate any help in resolving this issue. Thanks.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 16:13:44.52 on Mon 12/28/2009
Internet Explorer: 8.0.6001.18865
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.901 [GMT -5:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxbacoms.exe
C:\Windows\system32\lxbfcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://msn.com/
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uWindow Title =
mWindow Title =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iRiver Updater] \Updater.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-28 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-28 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-12-28 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-28 138680]
R2 lxba_device;lxba_device;c:\windows\system32\lxbacoms.exe -service --> c:\windows\system32\lxbacoms.exe -service [?]
R2 lxbf_device;lxbf_device;c:\windows\system32\lxbfcoms.exe -service --> c:\windows\system32\lxbfcoms.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-28 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-28 352920]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-7-14 1443584]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-12-28 1153368]
S2 TermServiceQWAVE;Terminal Services TermServiceQWAVE;c:\windows\system32\7b296fb0-376b-497e-b012-9c450e1b7327-2p-0p.exe srv --> c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0p.exe srv [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-2-14 21504]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-12-28 16:41:50 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-28 16:41:50 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-28 13:40:16 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-12-28 13:40:16 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-28 13:17:51 0 d---a-w- c:\programdata\TEMP
2009-12-27 15:10:09 0 d-----w- c:\users\owner\appdata\roaming\Malwarebytes
2009-12-27 15:10:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-27 15:10:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-27 15:10:03 0 d-----w- c:\programdata\Malwarebytes
2009-12-27 15:10:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-27 14:58:55 0 ----a-w- c:\windows\system32\8104297.jun
2009-12-27 14:58:49 0 d-----w- c:\program files\Browser Hijack Recover
2009-12-22 02:25:31 349 --s-a-w- c:\windows\system32\3433494232.dat
2009-12-21 16:26:10 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-21 06:29:23 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-12-21 06:29:23 270848 ----a-w- c:\windows\system32\schannel.dll
2009-12-10 15:02:19 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2009-12-08 22:39:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-08 22:39:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-08 22:39:00 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-08 22:07:38 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-06 19:56:36 0 d-----w- c:\users\owner\appdata\roaming\StreamTorrent
2009-12-06 19:56:35 0 d-----w- c:\program files\StreamTorrent 1.0
2009-12-05 20:11:59 0 d-----w- c:\program files\VideoLAN
2009-12-01 15:29:16 0 d-----w- C:\My Music
2009-11-30 11:48:03 0 d-----w- c:\programdata\Real
2009-11-30 01:56:04 0 d--h--w- C:\VJVod_Cache
2009-11-29 19:41:49 0 d-----w- c:\windows\system32\Nagasoft

==================== Find3M ====================

2009-11-28 14:26:42 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-28 14:26:42 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-28 14:26:40 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-23 05:28:53 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-23 05:28:49 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-23 05:28:40 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-22 02:11:44 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17:42 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-08 21:08:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07:59 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01:50 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01:49 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01:49 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-02-14 20:31:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 16:15:43.77 ===============


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:12 PM

Posted 07 January 2010 - 08:13 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 jeffy13

jeffy13
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:12 PM

Posted 11 January 2010 - 01:53 PM

Here you go... thanks for the help.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 13:46:40.26 on Mon 01/11/2010
Internet Explorer: 8.0.6001.18865
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.995 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\lxbacoms.exe
C:\Windows\system32\lxbfcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Owner\Documents\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://msn.com/
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uWindow Title =
mWindow Title =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Google Updater] "c:\program files\google\google updater\GoogleUpdater.exe" -systray -startup
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\PR16.DLL,avgrsstx.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-1-2 161800]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-1-1 3968]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-2 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-2 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-2 360584]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-2 285392]
R2 lxba_device;lxba_device;c:\windows\system32\lxbacoms.exe -service --> c:\windows\system32\lxbacoms.exe -service [?]
R2 lxbf_device;lxbf_device;c:\windows\system32\lxbfcoms.exe -service --> c:\windows\system32\lxbfcoms.exe -service [?]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-7-14 1443584]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 133104]
S2 TermServiceQWAVE;Terminal Services TermServiceQWAVE;c:\windows\system32\7b296fb0-376b-497e-b012-9c450e1b7327-2p-0p.exe srv --> c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0p.exe srv [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-2-14 21504]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
S4 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-1-2 906520]

=============== Created Last 30 ================

2010-01-03 16:57:53 0 d-----w- c:\programdata\Google Updater
2010-01-03 16:42:12 0 d-----w- c:\windows\pss
2010-01-02 17:20:13 0 d--h--w- C:\$AVG
2010-01-02 17:20:10 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-02 17:20:10 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-01-02 17:20:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-02 17:20:04 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-02 17:20:00 0 d-----w- c:\windows\system32\drivers\Avg
2010-01-02 17:19:44 0 d-----w- c:\programdata\avg9
2010-01-02 17:17:00 0 ---ha-w- c:\windows\system32\wupd.dat
2010-01-02 17:16:59 36352 ---ha-w- c:\windows\system32\wexe.exe
2010-01-02 03:39:43 6429 ----a-w- c:\windows\system32\WORK.DAT
2010-01-01 23:07:22 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2009-12-31 23:58:20 0 d-----w- c:\program files\common files\Symantec Shared
2009-12-31 23:52:39 0 d-----w- c:\programdata\Symantec
2009-12-31 23:52:39 0 d-----w- c:\programdata\Norton
2009-12-31 23:52:38 0 d-----w- c:\programdata\NortonInstaller
2009-12-31 23:50:54 0 d-----w- c:\windows\system32\Adobe
2009-12-30 05:26:02 239046927 ----a-w- c:\windows\MEMORY.DMP
2009-12-30 05:23:46 54016 ----a-w- c:\windows\system32\drivers\ghyx.sys
2009-12-28 16:41:50 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-28 16:41:50 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-28 13:40:16 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-28 13:17:51 0 d---a-w- c:\programdata\TEMP
2009-12-27 15:10:09 0 d-----w- c:\users\owner\appdata\roaming\Malwarebytes
2009-12-27 15:10:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-27 15:10:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-27 15:10:03 0 d-----w- c:\programdata\Malwarebytes
2009-12-27 15:10:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-27 14:58:55 0 ----a-w- c:\windows\system32\8104297.jun
2009-12-27 14:58:49 0 d-----w- c:\program files\Browser Hijack Recover
2009-12-22 02:25:31 349 --s-a-w- c:\windows\system32\3433494232.dat
2009-12-21 16:26:10 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-21 06:29:23 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-12-21 06:29:23 270848 ----a-w- c:\windows\system32\schannel.dll

==================== Find3M ====================

2009-11-28 14:26:42 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-28 14:26:42 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-28 14:26:40 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-23 05:28:53 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-23 05:28:49 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-23 05:28:40 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-22 02:11:44 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-09 12:31:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30:03 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17:42 2048 ----a-w- c:\windows\system32\tzres.dll
2009-02-14 20:31:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 13:49:16.39 ===============
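The entries in a DDS "Pseudo HJT Report" that matter for a search-redirect case are easy to miss by eye: the user proxy pointing at a loopback listener, UAC switched off by policy, an AppInit_DLLs entry, orphaned BHO/toolbar GUIDs, and a service whose image is a GUID-named executable that DDS could not verify. The following triage script is an added example (not part of this thread or of the DDS tool); it runs a few rules over constructed sample lines modelled on the logs above and ranks what they hit.

```python
import re

# Constructed sample in the DDS "Pseudo HJT Report" / "SERVICES / DRIVERS"
# line format, modelled on the logs posted in this thread (not a full log).
SAMPLE_LOG = r"""
uStart Page = hxxp://msn.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: c:\windows\system32\PR16.DLL,avgrsstx.dll
S2 TermServiceQWAVE;Terminal Services TermServiceQWAVE;c:\windows\system32\7b296fb0-376b-497e-b012-9c450e1b7327-2p-0p.exe srv --> c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0p.exe srv [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-2-14 21504]
"""

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (.+)$")
SERVICE_RE = re.compile(r"^[RS][0-4] ([^;]+);[^;]*;(.+)$")
ORPHAN_RE = re.compile(r"^(BHO|TB): .* - No File$")


def check_line(line):
    """Classify one DDS line; returns (severity, reason) or None if nothing is notable."""
    m = PROXY_RE.match(line)
    if m:
        target = m.group(1)
        if re.search(r"127\.0\.0\.1|localhost", target):
            # A proxy on loopback means something on the host sits between the
            # browser and the network, which is how search results get rewritten.
            return "high", "browser traffic proxied through a local listener (%s)" % target
        return "info", "proxy configured (%s)" % target
    if line.startswith("mPolicies-system: EnableLUA = 0"):
        return "medium", "UAC disabled via policy (EnableLUA = 0)"
    if line.startswith("AppInit_DLLs:"):
        dlls = [d.strip() for d in line.split(":", 1)[1].split(",") if d.strip()]
        return "medium", "AppInit_DLLs loads into every user32 process: " + ", ".join(dlls)
    if ORPHAN_RE.match(line):
        return "low", "browser extension registered but its file is missing"
    m = SERVICE_RE.match(line)
    if m:
        name, image = m.groups()
        basename = image.split("\\")[-1].split(" ")[0]
        if GUID_RE.search(basename):
            return "high", "service %r runs a GUID-named image in system32 (%s)" % (name, basename)
        if image.rstrip().endswith("[?]"):
            return "low", "service %r image could not be verified by DDS" % name
    return None


def triage(text):
    """Run every rule over a log; returns a list of (severity, reason, line), worst first."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hit = check_line(line)
        if hit:
            findings.append((hit[0], hit[1], line))
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print("[%-6s] %s\n         %s" % (sev.upper(), reason, line[:90]))
```

The rules are deliberately narrow; a hit is a lead for the helper to verify against the full log, not a verdict on its own.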


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:04:12 AM

Posted 12 January 2010 - 02:29 PM

Hello and welcome from me as well! :(

Please provide a rootkit scan as well so that we get a better impression of what is going on on your PC:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 jeffy13

Posted 13 January 2010 - 03:15 PM

This is what I got. Was getting the blue screen of death after running gmer though.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-13 15:14:19
Windows 6.0.6002 Service Pack 2
Running: 4i9q1s49.exe; Driver: C:\Users\Owner\AppData\Local\Temp\kwlcapow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 84DE5618

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#6 myrti

Posted 13 January 2010 - 03:29 PM

Hi,

you have a rather nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to clean, please run Combofix and provide a log in your next reply:
Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#7 jeffy13

Posted 17 January 2010 - 02:12 PM

Thank you for the help. I ran combofix as you can see. Here is the log. How can I protect myself from future attacks like this? I am very careful when surfing the net and have a firewall and AVG antivirus running.


ComboFix 10-01-16.04 - Owner 01/17/2010 13:49:17.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.859 [GMT -5:00]
Running from: c:\users\Owner\Documents\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\users\Owner\AppData\Roaming\inst.exe
c:\windows\system32\3433494232.dat
c:\windows\system32\Drivers\ghyx.sys
c:\windows\system32\wexe.exe
c:\windows\system32\WORK.DAT
c:\windows\system32\wupd.dat

Infected copy of c:\windows\system32\DRIVERS\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-17 18:56 . 2010-01-17 18:58 -------- d-----w- c:\users\Owner\AppData\Local\temp
2010-01-17 18:56 . 2010-01-17 18:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-16 22:49 . 2010-01-16 22:49 -------- d-----w- c:\program files\Veetle
2010-01-13 20:25 . 2010-01-13 20:25 -------- d-----w- c:\users\Owner\AppData\Roaming\IObit
2010-01-13 20:25 . 2010-01-13 20:25 -------- d-----w- c:\program files\IObit
2010-01-13 01:05 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 01:05 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 16:52 . 2010-01-12 16:52 -------- d-----w- c:\program files\Trend Micro
2010-01-02 17:20 . 2010-01-02 18:27 -------- d-----w- C:\$AVG
2010-01-02 17:20 . 2010-01-02 17:20 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-02 17:20 . 2010-01-02 17:20 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-01-02 17:20 . 2010-01-02 17:20 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-02 17:20 . 2010-01-02 17:20 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-02 17:20 . 2010-01-02 17:20 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-02 17:20 . 2010-01-17 15:34 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-02 17:19 . 2010-01-13 19:24 -------- d-----w- c:\programdata\avg9
2010-01-01 23:07 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2009-12-31 23:58 . 2009-12-31 23:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-31 23:52 . 2010-01-01 00:09 -------- d-----w- c:\programdata\Norton
2009-12-31 23:52 . 2010-01-01 00:09 -------- d-----w- c:\programdata\Symantec
2009-12-31 23:52 . 2009-12-31 23:52 -------- d-----w- c:\programdata\NortonInstaller
2009-12-31 23:50 . 2009-12-31 23:53 -------- d-----w- c:\windows\system32\Adobe
2009-12-30 05:21 . 2009-12-30 05:26 -------- d-----w- c:\users\Owner\AppData\Local\vuwfew
2009-12-28 16:41 . 2010-01-01 22:59 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-28 13:40 . 2003-03-18 21:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-28 13:40 . 2009-12-28 13:40 -------- d-----w- c:\program files\Alwil Software
2009-12-28 13:27 . 2009-12-28 13:27 -------- d-----w- c:\users\Owner\AppData\Local\Threat Expert
2009-12-28 04:21 . 2009-12-28 04:57 -------- d-----w- c:\users\Owner\AppData\Local\wakxig
2009-12-27 15:10 . 2009-12-27 15:10 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2009-12-27 15:10 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-27 15:10 . 2010-01-12 07:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-27 15:10 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-27 15:10 . 2009-12-27 15:10 -------- d-----w- c:\programdata\Malwarebytes
2009-12-27 14:58 . 2009-12-27 15:03 -------- d-----w- c:\program files\Browser Hijack Recover
2009-12-26 21:13 . 2009-12-27 15:19 -------- d-----w- c:\users\Owner\AppData\Local\fqvdzo
2009-12-21 22:52 . 2009-12-21 22:52 -------- d-----w- c:\users\Owner\AppData\Local\HP
2009-12-21 16:26 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-21 06:29 . 2009-06-15 14:53 270848 ----a-w- c:\windows\system32\schannel.dll
2009-12-21 06:29 . 2009-06-15 14:52 499712 ----a-w- c:\windows\system32\kerberos.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 03:43 . 2009-12-05 20:12 -------- d-----w- c:\users\Owner\AppData\Roaming\vlc
2010-01-16 08:15 . 2009-02-16 06:41 -------- d-----w- c:\users\Owner\AppData\Roaming\uTorrent
2010-01-13 09:22 . 2009-11-23 16:45 -------- d-----w- c:\program files\Google
2010-01-13 01:10 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-12 07:40 . 2010-01-12 07:40 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-02 18:14 . 2010-01-02 18:15 3776280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-01-02 18:14 . 2010-01-02 18:15 3966744 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-01-02 17:19 . 2010-01-14 13:18 1260312 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-01-02 17:19 . 2010-01-02 18:15 4043032 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-01-02 17:19 . 2010-01-02 18:15 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2010-01-02 17:19 . 2010-01-02 18:15 2033432 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-01-02 17:19 . 2010-01-02 18:15 916248 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-01-02 17:19 . 2009-03-19 20:32 -------- d-----w- c:\program files\AVG
2009-12-26 21:14 . 2009-11-28 18:27 -------- d-----w- c:\program files\CDex
2009-12-22 02:09 . 2009-08-16 21:29 -------- d-----w- c:\users\Owner\AppData\Roaming\HpUpdate
2009-12-18 03:00 . 2009-12-18 03:00 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-10 15:02 . 2009-12-10 15:01 -------- d-----w- c:\program files\Java
2009-12-10 15:00 . 2009-12-10 15:00 -------- d-----w- c:\program files\Common Files\Java
2009-12-08 22:38 . 2009-11-24 15:32 -------- d-----w- c:\programdata\Microsoft Help
2009-12-06 19:56 . 2009-12-06 19:56 -------- d-----w- c:\users\Owner\AppData\Roaming\StreamTorrent
2009-12-06 19:56 . 2009-12-06 19:56 -------- d-----w- c:\program files\StreamTorrent 1.0
2009-12-05 20:11 . 2009-12-05 20:11 -------- d-----w- c:\program files\VideoLAN
2009-12-04 04:19 . 2009-11-23 16:49 143976 ----a-w- c:\users\Owner\AppData\Roaming\Move Networks\uninstall.exe
2009-12-04 04:19 . 2009-10-15 00:50 5642688 ----a-w- c:\users\Owner\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
2009-12-04 04:19 . 2009-02-16 06:50 -------- d-----w- c:\users\Owner\AppData\Roaming\Move Networks
2009-11-30 21:13 . 2009-11-30 21:13 -------- d-----w- c:\users\Owner\AppData\Roaming\DivX
2009-11-30 11:48 . 2009-02-16 06:57 -------- d-----w- c:\program files\Common Files\Real
2009-11-30 11:40 . 2009-11-30 11:40 402952 ----a-w- c:\users\Owner\AppData\Roaming\Real\RealPlayer\setup\AU_setup11.exe
2009-11-29 07:41 . 2009-02-14 18:26 74872 ----a-w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-29 04:54 . 2009-02-14 21:24 -------- d-----w- c:\program files\Microsoft Works
2009-11-28 07:01 . 2009-10-12 21:03 -------- d-----w- c:\programdata\DriverCure
2009-11-26 17:48 . 2009-11-26 17:48 -------- d-----w- c:\programdata\TVU Networks
2009-11-26 15:24 . 2009-02-16 06:40 -------- d-----w- c:\programdata\NOS
2009-11-26 00:02 . 2009-06-09 22:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-26 00:00 . 2009-11-26 00:00 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-25 14:04 . 2009-03-02 16:51 -------- d-----w- c:\program files\Yahoo!
2009-11-24 15:36 . 2009-11-24 15:36 -------- d-----w- c:\programdata\{B3C2C1CD-6B77-4A96-B670-F734AC2A1CBC}
2009-11-24 15:36 . 2009-11-24 15:35 -------- d-----w- c:\program files\Activation Assistant for the 2007 Microsoft Office suites
2009-11-24 15:33 . 2009-11-24 15:33 -------- d-----w- c:\program files\Microsoft.NET
2009-11-24 07:00 . 2009-10-12 21:03 -------- d-----w- c:\users\Owner\AppData\Roaming\DriverCure
2009-11-23 16:49 . 2009-08-13 19:21 4187512 ----a-w- c:\users\Owner\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll
2009-11-23 16:41 . 2009-07-31 18:09 -------- d-----w- c:\program files\Restaurant Rush
2009-11-23 16:37 . 2009-03-02 06:14 -------- d-----w- c:\program files\DivX
2009-11-23 05:29 . 2009-11-23 05:29 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-23 05:28 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-23 05:28 . 2009-11-23 05:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-23 05:28 . 2009-11-23 05:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-22 02:39 . 2009-11-22 02:36 -------- d-----w- c:\program files\Lexmark X5100 Series
2009-11-22 02:22 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-11-22 02:22 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-11-22 02:22 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-11-22 02:22 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-11-22 02:22 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-11-22 02:22 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-11-21 06:40 . 2009-12-08 22:08 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 22:08 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-08 22:08 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-08 22:08 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-09 12:31 . 2009-12-08 22:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-08 22:39 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-08 22:39 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-03 01:42 . 2009-10-09 22:55 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 14:00 2048 ----a-w- c:\windows\system32\tzres.dll
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-25 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-25 133656]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-02 178712]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-02 2033432]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-30 198160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
2004-07-01 21:20 212992 ----a-w- C:\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-11-30 11:48 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):9b,85,b8,80,1b,6b,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2832544419-416718390-671984932-1000]
"EnableNotificationsRef"=dword:00000001

R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [1/2/2010 12:20 PM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [1/2/2010 12:20 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\System32\drivers\avgtdix.sys [1/2/2010 12:20 PM 360584]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/2/2010 12:19 PM 285392]
R2 lxba_device;lxba_device;c:\windows\system32\lxbacoms.exe -service --> c:\windows\system32\lxbacoms.exe -service [?]
R2 lxbf_device;lxbf_device;c:\windows\system32\lxbfcoms.exe -service --> c:\windows\system32\lxbfcoms.exe -service [?]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\System32\drivers\HCW85BDA.sys [7/14/2009 8:44 PM 1443584]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/3/2010 11:59 AM 133104]
S2 TermServiceQWAVE;Terminal Services TermServiceQWAVE;c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0p.exe srv --> c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0p.exe srv [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2/14/2009 2:53 PM 21504]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [11/2/2006 5:25 AM 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [11/2/2006 5:25 AM 251904]
S4 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/2/2010 12:19 PM 906520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-05-15 22:08 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-17 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-01-13 18:48]

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 16:58]

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 16:58]

2010-01-17 c:\windows\Tasks\User_Feed_Synchronization-{F4D4EE6A-991F-4F55-8DCA-62B8E9B73146}.job
- c:\windows\system32\msfeedssync.exe [2009-12-08 04:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
mWindow Title =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-Google Updater - c:\program files\Google\Google Updater\GoogleUpdater.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 13:58
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\system32\lxbacoms.exe
c:\windows\system32\lxbfcoms.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-01-17 14:04:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-17 19:04

Pre-Run: 94,208,970,752 bytes free
Post-Run: 93,796,556,800 bytes free

- - End Of File - - BB22ADC297CC3CAFA814E354D4728481

#8 myrti

Posted 17 January 2010 - 02:34 PM

Hi,

There are a couple of entries left which I would like to remove first. I will later help you make your PC more secure. The most important part of that is to keep your PC up to date.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0p.exe

Driver::
TermServiceQWAVE


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

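As an added illustration of what a helper is reading for in the ComboFix log posted in #7 and in the leftover entries removed in #8, here is a small Python triage script. It is written for this page and is not part of the thread or of ComboFix itself; it parses a constructed sample of ComboFix-style lines taken from that log (service entries, the EnableLUA policy value and the ProxyServer setting) and flags the items a helper would review first. The Finding class, the severity scale and the checks are this example's own conventions.

```python
"""Triage helper for ComboFix-style log lines.

Added example for this thread; it is not part of the original posts and
not ComboFix's own code.  It re-reads the kinds of lines that appear in
the log above and flags the items a helper reviews first.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the thread's log,
# so the script runs offline.  Real logs are much longer.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/2/2010 12:19 PM 285392]
R2 lxba_device;lxba_device;c:\windows\system32\lxbacoms.exe -service --> c:\windows\system32\lxbacoms.exe -service [?]
S2 TermServiceQWAVE;Terminal Services TermServiceQWAVE;c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0p.exe srv --> c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0p.exe srv [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2/14/2009 2:53 PM 21504]
uStart Page = hxxp://msn.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

# ComboFix service lines: "<R|S><start type> name;display name;image path [date size]"
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
# 8-4-4-4-12 hex groups, i.e. a GUID used as a file name
GUID_NAME_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
# "ProxyServer = http=127.0.0.1:5555" or "ProxyServer = host:port"
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([^:\s]+):(\d+)", re.I)
LUA_RE = re.compile(r'^"EnableLUA"\s*=\s*(\d+)')
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (this example's own scale)
    item: str      # service name or setting name
    reason: str


def check_service(line):
    """Flag services whose image path ComboFix could not verify or that
    run a GUID-named executable (the pattern of the entry removed in #8)."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    name, path = m.group(3), m.group(5).rstrip()
    # ComboFix writes "[?]" instead of "[date size]" when it could not
    # stat the binary behind the service command line.
    unverified = path.endswith("[?]")
    guid_named = GUID_NAME_RE.search(path) is not None
    if guid_named:
        why = "GUID-style executable name in the image path"
        if unverified:
            why += "; no file date/size recorded"
        return Finding("high", name, why)
    if unverified:
        return Finding("low", name, "image path not verified (no file date/size)")
    return None


def check_policy(line):
    """EnableLUA=0 means UAC is turned off, so nothing prompts for elevation."""
    m = LUA_RE.match(line)
    if m and int(m.group(1)) == 0:
        return Finding("medium", "EnableLUA", "UAC disabled (EnableLUA=0)")
    return None


def check_proxy(line):
    """A proxy pointing at the local machine means browser traffic passes
    through some listener on this PC; identify that process before
    treating search results as trustworthy."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    host, port = m.group(1), m.group(2)
    if host in LOOPBACK:
        return Finding("medium", "ProxyServer",
                       f"browser proxy points at a local listener on port {port}")
    return Finding("low", "ProxyServer", f"proxy configured: {host}:{port}")


def triage(log_text):
    """Run every check over each line; findings come back in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_service, check_policy, check_proxy):
            f = check(line)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.item}: {f.reason}")
```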


#9 jeffy13

Posted 17 January 2010 - 06:11 PM

Thanks for the quick response. Here's the log.

ComboFix 10-01-16.04 - Owner 01/17/2010 17:53:22.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1187 [GMT -5:00]
Running from: c:\users\Owner\Documents\Downloads\ComboFix.exe
Command switches used :: c:\users\Owner\Documents\Downloads\cfscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0p.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TermServiceQWAVE


((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-17 22:57 . 2010-01-17 22:57 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-17 22:57 . 2010-01-17 22:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-17 19:04 . 2010-01-17 22:59 -------- d-----w- c:\users\Owner\AppData\Local\temp
2010-01-13 20:25 . 2010-01-13 20:25 -------- d-----w- c:\users\Owner\AppData\Roaming\IObit
2010-01-13 20:25 . 2010-01-13 20:25 -------- d-----w- c:\program files\IObit
2010-01-13 01:05 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 01:05 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 16:52 . 2010-01-12 16:52 -------- d-----w- c:\program files\Trend Micro
2010-01-02 17:20 . 2010-01-02 18:27 -------- d-----w- C:\$AVG
2010-01-02 17:20 . 2010-01-02 17:20 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-02 17:20 . 2010-01-02 17:20 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-01-02 17:20 . 2010-01-02 17:20 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-02 17:20 . 2010-01-02 17:20 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-02 17:20 . 2010-01-02 17:20 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-02 17:20 . 2010-01-17 22:35 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-02 17:19 . 2010-01-13 19:24 -------- d-----w- c:\programdata\avg9
2010-01-01 23:07 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2009-12-31 23:58 . 2009-12-31 23:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-31 23:52 . 2010-01-01 00:09 -------- d-----w- c:\programdata\Norton
2009-12-31 23:52 . 2010-01-01 00:09 -------- d-----w- c:\programdata\Symantec
2009-12-31 23:52 . 2009-12-31 23:52 -------- d-----w- c:\programdata\NortonInstaller
2009-12-31 23:50 . 2009-12-31 23:53 -------- d-----w- c:\windows\system32\Adobe
2009-12-30 05:21 . 2009-12-30 05:26 -------- d-----w- c:\users\Owner\AppData\Local\vuwfew
2009-12-28 16:41 . 2010-01-01 22:59 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-28 13:40 . 2003-03-18 21:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-28 13:40 . 2009-12-28 13:40 -------- d-----w- c:\program files\Alwil Software
2009-12-28 13:27 . 2009-12-28 13:27 -------- d-----w- c:\users\Owner\AppData\Local\Threat Expert
2009-12-28 04:21 . 2009-12-28 04:57 -------- d-----w- c:\users\Owner\AppData\Local\wakxig
2009-12-27 15:10 . 2009-12-27 15:10 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2009-12-27 15:10 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-27 15:10 . 2010-01-12 07:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-27 15:10 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-27 15:10 . 2009-12-27 15:10 -------- d-----w- c:\programdata\Malwarebytes
2009-12-27 14:58 . 2009-12-27 15:03 -------- d-----w- c:\program files\Browser Hijack Recover
2009-12-26 21:13 . 2009-12-27 15:19 -------- d-----w- c:\users\Owner\AppData\Local\fqvdzo
2009-12-21 22:52 . 2009-12-21 22:52 -------- d-----w- c:\users\Owner\AppData\Local\HP
2009-12-21 16:26 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-21 06:29 . 2009-06-15 14:53 270848 ----a-w- c:\windows\system32\schannel.dll
2009-12-21 06:29 . 2009-06-15 14:52 499712 ----a-w- c:\windows\system32\kerberos.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 22:52 . 2009-02-16 06:41 -------- d-----w- c:\users\Owner\AppData\Roaming\uTorrent
2010-01-17 22:43 . 2009-12-05 20:12 -------- d-----w- c:\users\Owner\AppData\Roaming\vlc
2010-01-13 09:22 . 2009-11-23 16:45 -------- d-----w- c:\program files\Google
2010-01-13 01:10 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-12 07:40 . 2010-01-12 07:40 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-02 18:14 . 2010-01-02 18:15 3776280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-01-02 18:14 . 2010-01-02 18:15 3966744 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-01-02 17:19 . 2010-01-14 13:18 1260312 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-01-02 17:19 . 2010-01-02 18:15 4043032 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-01-02 17:19 . 2010-01-02 18:15 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2010-01-02 17:19 . 2010-01-02 18:15 2033432 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-01-02 17:19 . 2010-01-02 18:15 916248 ----a-w- c:\programdata\avg9\update\backup\avgcfgx.dll
2010-01-02 17:19 . 2009-03-19 20:32 -------- d-----w- c:\program files\AVG
2009-12-26 21:14 . 2009-11-28 18:27 -------- d-----w- c:\program files\CDex
2009-12-22 02:09 . 2009-08-16 21:29 -------- d-----w- c:\users\Owner\AppData\Roaming\HpUpdate
2009-12-18 03:00 . 2009-12-18 03:00 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-10 15:02 . 2009-12-10 15:01 -------- d-----w- c:\program files\Java
2009-12-10 15:00 . 2009-12-10 15:00 -------- d-----w- c:\program files\Common Files\Java
2009-12-08 22:38 . 2009-11-24 15:32 -------- d-----w- c:\programdata\Microsoft Help
2009-12-06 19:56 . 2009-12-06 19:56 -------- d-----w- c:\users\Owner\AppData\Roaming\StreamTorrent
2009-12-06 19:56 . 2009-12-06 19:56 -------- d-----w- c:\program files\StreamTorrent 1.0
2009-12-05 20:11 . 2009-12-05 20:11 -------- d-----w- c:\program files\VideoLAN
2009-12-04 04:19 . 2009-11-23 16:49 143976 ----a-w- c:\users\Owner\AppData\Roaming\Move Networks\uninstall.exe
2009-12-04 04:19 . 2009-10-15 00:50 5642688 ----a-w- c:\users\Owner\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
2009-12-04 04:19 . 2009-02-16 06:50 -------- d-----w- c:\users\Owner\AppData\Roaming\Move Networks
2009-11-30 21:13 . 2009-11-30 21:13 -------- d-----w- c:\users\Owner\AppData\Roaming\DivX
2009-11-30 11:48 . 2009-02-16 06:57 -------- d-----w- c:\program files\Common Files\Real
2009-11-30 11:40 . 2009-11-30 11:40 402952 ----a-w- c:\users\Owner\AppData\Roaming\Real\RealPlayer\setup\AU_setup11.exe
2009-11-29 07:41 . 2009-02-14 18:26 74872 ----a-w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-29 04:54 . 2009-02-14 21:24 -------- d-----w- c:\program files\Microsoft Works
2009-11-28 07:01 . 2009-10-12 21:03 -------- d-----w- c:\programdata\DriverCure
2009-11-26 17:48 . 2009-11-26 17:48 -------- d-----w- c:\programdata\TVU Networks
2009-11-26 15:24 . 2009-02-16 06:40 -------- d-----w- c:\programdata\NOS
2009-11-26 00:02 . 2009-06-09 22:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-26 00:00 . 2009-11-26 00:00 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-25 14:04 . 2009-03-02 16:51 -------- d-----w- c:\program files\Yahoo!
2009-11-24 15:36 . 2009-11-24 15:36 -------- d-----w- c:\programdata\{B3C2C1CD-6B77-4A96-B670-F734AC2A1CBC}
2009-11-24 15:36 . 2009-11-24 15:35 -------- d-----w- c:\program files\Activation Assistant for the 2007 Microsoft Office suites
2009-11-24 15:33 . 2009-11-24 15:33 -------- d-----w- c:\program files\Microsoft.NET
2009-11-24 07:00 . 2009-10-12 21:03 -------- d-----w- c:\users\Owner\AppData\Roaming\DriverCure
2009-11-23 16:49 . 2009-08-13 19:21 4187512 ----a-w- c:\users\Owner\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll
2009-11-23 16:41 . 2009-07-31 18:09 -------- d-----w- c:\program files\Restaurant Rush
2009-11-23 16:37 . 2009-03-02 06:14 -------- d-----w- c:\program files\DivX
2009-11-23 05:29 . 2009-11-23 05:29 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-23 05:28 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-23 05:28 . 2009-11-23 05:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-23 05:28 . 2009-11-23 05:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-22 02:39 . 2009-11-22 02:36 -------- d-----w- c:\program files\Lexmark X5100 Series
2009-11-22 02:22 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-11-22 02:22 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-11-22 02:22 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-11-22 02:22 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-11-22 02:22 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-11-22 02:22 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-11-21 06:40 . 2009-12-08 22:08 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 22:08 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-08 22:08 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-08 22:08 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-09 12:31 . 2009-12-08 22:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-08 22:39 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-08 22:39 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-03 01:42 . 2009-10-09 22:55 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 14:00 2048 ----a-w- c:\windows\system32\tzres.dll
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-25 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-25 133656]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-02 178712]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-02 2033432]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-30 198160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
2004-07-01 21:20 212992 ----a-w- C:\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-11-30 11:48 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):9b,85,b8,80,1b,6b,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2832544419-416718390-671984932-1000]
"EnableNotificationsRef"=dword:00000001

R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [1/2/2010 12:20 PM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [1/2/2010 12:20 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\System32\drivers\avgtdix.sys [1/2/2010 12:20 PM 360584]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/2/2010 12:19 PM 285392]
R2 lxba_device;lxba_device;c:\windows\system32\lxbacoms.exe -service --> c:\windows\system32\lxbacoms.exe -service [?]
R2 lxbf_device;lxbf_device;c:\windows\system32\lxbfcoms.exe -service --> c:\windows\system32\lxbfcoms.exe -service [?]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\System32\drivers\HCW85BDA.sys [7/14/2009 8:44 PM 1443584]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/3/2010 11:59 AM 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2/14/2009 2:53 PM 21504]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [11/2/2006 5:25 AM 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [11/2/2006 5:25 AM 251904]
S4 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/2/2010 12:19 PM 906520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-05-15 22:08 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 16:58]

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 16:58]

2010-01-17 c:\windows\Tasks\User_Feed_Synchronization-{F4D4EE6A-991F-4F55-8DCA-62B8E9B73146}.job
- c:\windows\system32\msfeedssync.exe [2009-12-08 04:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
mWindow Title =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 17:59
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\system32\lxbacoms.exe
c:\windows\system32\lxbfcoms.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2010-01-17 18:05:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-17 23:05
ComboFix2.txt 2010-01-17 19:04

Pre-Run: 96,621,670,400 bytes free
Post-Run: 96,591,405,056 bytes free

- - End Of File - - A466B2F536098D83D0490A2D024D6BA1

#10 myrti


    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:04:12 AM

Posted 17 January 2010 - 07:05 PM

Hi,

This is looking better. How is your PC doing?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 jeffy13

  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:12 PM

Posted 17 January 2010 - 07:27 PM

Everything seems to be running OK. I am concerned about future security, so any suggestions would be greatly appreciated. Thanks so much for the help.

#12 myrti


    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:04:12 AM

Posted 17 January 2010 - 08:26 PM

Hi,

I will give you a list of tips at the end. I would like as little non-malware-related change to the system as possible as long as we aren't entirely sure it is clean.

Please check for malicious leftovers with ESET:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
regards myrti



#13 jeffy13

  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:12 PM

Posted 17 January 2010 - 11:32 PM

There seems to be more.

C:\Qoobox\Quarantine\C\Windows\System32\wexe.exe.vir a variant of Win32/Agent.QOH trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\drivers\iaStor.sys.vir Win32/Olmarik.RF virus deleted - quarantined
C:\Users\Owner\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\sdfg.jar-2785680e-6bccbc58.zip multiple threats deleted - quarantined
C:\Users\Owner\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\sdfg.jar-2a5fd9ac-4cfc893e.zip multiple threats deleted - quarantined

#14 myrti


    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:04:12 AM

Posted 18 January 2010 - 07:53 AM

Hi,

The items found are files that were previously disabled by other programs. They do not pose a threat. Hence I believe your logs are clean! How is your PC doing?

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Your Adobe Reader is also out of date. Please uninstall it and download the latest version from Adobe: Download
Please untick all proposed toolbars unless you really want them.

Let me know if you run into any problems.

regards myrti

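A check to run after the Java clean-up steps above, added here as an example and not part of the thread or any helper's instructions: it lists every Java Runtime entry registered under the Windows Uninstall keys, flags anything older than JRE 6 Update 18 (which the 6u18 uninstaller leaves behind for Updates below 10), and reports whether the Java Quick Starter service is present. It assumes JRE 6 Update N registers DisplayVersion 6.0.N0 and that the JQS service is named JavaQuickStarterService; both are how Sun's installers of that era behaved, but confirm against your own machine.

```powershell
# Added example, not from the thread. Enumerates installed Java Runtime
# Environments and flags the ones the post says must be removed by hand.
# Assumption: JRE 6 Update 18 reports DisplayVersion 6.0.180 (6u N -> 6.0.N0).
$TargetVersion = [version]'6.0.180'

function Get-InstalledJava {
    # Second key only exists on 64-bit Windows; 32-bit Vista has just the first.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    ) | Where-Object { Test-Path $_ }

    foreach ($key in $keys) {
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Match "Java(TM) 6 Update 18", "Java(TM) SE Runtime Environment 6 Update 1",
            # "J2SE Runtime Environment 5.0 Update 6"; skips the JDK and JavaFX.
            if ($p.DisplayName -match 'Java|J2SE' -and
                $p.DisplayName -match 'Runtime|Java\(TM\) \d') {
                $ver = $null
                try { $ver = [version]$p.DisplayVersion } catch { }
                # Unparseable or older than 6u18: remove it via Add/Remove Programs.
                $old = ($ver -eq $null) -or ($ver -lt $TargetVersion)
                New-Object PSObject -Property @{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    NeedsRemoval    = $old
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

function Get-JavaQuickStarter {
    # Assumption: the JQS.exe service mentioned in the post is registered
    # under this name. Returns nothing if it is not installed.
    Get-Service -Name 'JavaQuickStarterService' -ErrorAction SilentlyContinue
}

$java = @(Get-InstalledJava)
$java | Format-Table DisplayName, DisplayVersion, NeedsRemoval -AutoSize
$stale = @($java | Where-Object { $_.NeedsRemoval })
if ($stale.Count -gt 0) {
    Write-Warning ("{0} Java version(s) older than 6u18 still installed" -f $stale.Count)
} else {
    Write-Host 'No Java versions older than JRE 6 Update 18 remain.'
}
$jqs = Get-JavaQuickStarter
if ($jqs) { Write-Host ("Java Quick Starter service is present: {0}" -f $jqs.Status) }
```

Run it from an elevated PowerShell prompt after the reboot in the steps above; any row with NeedsRemoval set to True is a version the new installer did not clean up.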


#15 jeffy13

  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:12 PM

Posted 18 January 2010 - 10:28 AM

Made the suggested updates, and so far everything seems to be running very well. Your help has been tremendous. Thanks.



