
Bravesentry Trojan Found with Spybot - URGENT!!


  • This topic is locked
37 replies to this topic

#1 super goku

  • Members
  • 180 posts

Posted 06 January 2010 - 08:55 PM

Hello,

Please help, this is my work computer and all of a sudden it freezes on me. Hotmail does not work (I can login to my account but there is no functionality while it will work on another computer).

Please help me as I cannot lose my files.

HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:52 PM, on 06/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\program files\analog devices\soundmax\smax4 .exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\Intuit\QuickBooks Client Manager\QBCMAgent.exe
C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\panasonic\panasonic KX-P7100\DelPnPD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
c:\program files\analog devices\core\smax4pnp .exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\System32\svchost.exe
c:\docume~1\assaad~1.zei\locals~1\temp\wmpscfgs.exe
c:\program files\internet explorer\wmpscfgs.exe
c:\program files\ati technologies\ati.ace\cli .exe
c:\program files\ahead\incd\incd .exe
c:\program files\cyberlink dvd solution\powerdvd\pdvdserv .exe
c:\program files\ani\aniwzcs2 service\wzcsldr2 .exe
c:\program files\common files\real\update_ob\realsched .exe
c:\program files\adobe\acrobat 7.0\distillr\acrotray .exe
c:\program files\ati technologies\ati.ace\cli.exe
c:\windows\system32\xgmocif .exe
c:\program files\spybot - search & destroy\teatimer .exe
c:\program files\windows live\messenger\msnmsgr .exe
c:\progra~1\yahoo!\messen~1\yahoom~1 .exe
c:\program files\intuit\quickbooks client manager\qbcmagent .exe
C:\Program Files\Common Files\Intuit\DatabaseServer\QBDBMgr.exe
c:\program files\d-link\rangebooster g wua-2340\airpluscfg .exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
c:\docume~1\assaad~1.zei\locals~1\temp\wmpscfgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\bhqtnw.exe \s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\program files\analog devices\soundmax\smax4 .exe" /tray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QBCMAgent] C:\Program Files\Intuit\QuickBooks Client Manager\QBCMAgent.exe
O4 - HKLM\..\Run: [D-Link RangeBooster G WUA-2340] C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [DelPnPDirver] C:\Program Files\panasonic\panasonic KX-P7100\DelPnPD.exe
O4 - HKLM\..\Run: [xgmocif] C:\WINDOWS\system32\xgmocif.exe \u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_1_0 -reboot 1
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.sexblacksex.com/"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-776561741-261903793-682003330-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'QBDataServiceUser18')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\D-Link\RangeBooster G WUA-2340\JSWUtil\jswpsapi.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~3\QBDBMgrN.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

--
End of file - 13369 bytes


Thank you,
Goku
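Worked example added by the editor, not code from the original post or from HijackThis: a small Python triage of the log above that flags the things the fix script later in this thread goes after. It checks the F2 UserInit value for anything besides userinit.exe, O2/R3 entries that resolve to "(no file)", executables whose name carries a space before ".exe" (several programs appear both with and without the space, for example cli .exe beside cli.exe), and processes running from the user's Temp folder. The excerpt is constructed from lines of the posted log; the rule names and the companion-pair heuristic are assumptions of this example.

```python
"""Triage a HijackThis 2.x log for the indicators this thread turns on.

Added example for this page; it is not HijackThis code and not from the
original post. The excerpt below is copied from the log posted above; the
rule names and the companion-pair heuristic are this example's own choices.
"""
import re
from collections import defaultdict

# Constructed excerpt of the posted log (a handful of representative lines).
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
c:\\docume~1\\assaad~1.zei\\locals~1\\temp\\wmpscfgs.exe
c:\\program files\\ati technologies\\ati.ace\\cli .exe
c:\\program files\\ati technologies\\ati.ace\\cli.exe
c:\\windows\\system32\\xgmocif .exe

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\Documents and Settings\\Assaad.ZEIN-860EF8BDFC\\bhqtnw.exe \\s
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\\..\\Run: [SoundMAX] "C:\\program files\\analog devices\\soundmax\\smax4 .exe" /tray
O4 - HKLM\\..\\Run: [xgmocif] C:\\WINDOWS\\system32\\xgmocif.exe \\u
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe
"""

DEFAULT_USERINIT = "userinit.exe"
# A quoted path, or an unquoted one up to the first ".exe" (spaces allowed inside).
_PATH_RE = re.compile(r'"([^"]+\.exe)"|(\S.*?\.exe)', re.IGNORECASE)


def _exe_path(text):
    """Executable path at the start of `text`, with trailing switches dropped."""
    m = _PATH_RE.match(text.strip())
    return (m.group(1) or m.group(2)) if m else None


def _check_path(path):
    """Per-path rules: a space before '.exe' and execution from a temp folder."""
    out = []
    base = path.rsplit("\\", 1)[-1]
    if re.search(r"\s\.exe$", base, re.IGNORECASE):
        out.append(("space_before_extension", path))
    if re.search(r"\\temp\\", path, re.IGNORECASE):
        out.append(("runs_from_temp", path))
    return out


def _companion_pairs(paths):
    """'name .exe' next to 'name.exe' in the same directory (both appear in the log above)."""
    by_dir = defaultdict(set)
    for p in paths:
        d, _, base = p.lower().rpartition("\\")
        by_dir[d].add(base)
    pairs = []
    for d, bases in by_dir.items():
        for b in sorted(bases):
            if b.endswith(" .exe") and b[:-5] + ".exe" in bases:
                pairs.append(("companion_pair", d + "\\" + b))
    return pairs


def triage(log_text):
    """Return (rule, detail) findings for the log text."""
    findings, processes, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        if line.startswith("F2 - ") and "UserInit=" in line:
            # Anything besides userinit.exe in this value is launched at every logon.
            for entry in line.split("UserInit=", 1)[1].split(","):
                exe = _exe_path(entry) or entry.strip()
                if exe.lower().rsplit("\\", 1)[-1] != DEFAULT_USERINIT:
                    findings.append(("userinit_hijack", entry.strip()))
        elif line.startswith(("O2 - ", "R3 - ")) and line.endswith("(no file)"):
            findings.append(("orphan_entry", line))
        elif line.startswith("O4 - ") and "] " in line:
            exe = _exe_path(line.split("] ", 1)[1])
            if exe:
                findings.extend(_check_path(exe))
    for p in processes:
        findings.extend(_check_path(p))
    findings.extend(_companion_pairs(processes))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

Run it against a full log by reading the file and passing its text to `triage()`; the companion-pair rule only looks at the "Running processes" block, so pairs where one half sits in an O4 entry (as with xgmocif above) show up under the space-before-extension rule instead.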



#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 06 January 2010 - 09:40 PM

Hello super goku,
  • Welcome to Bleeping Computer.
  • Sorry for delayed response. Forums have been really busy.
  • My name is fireman4it and I will be helping you with your Malware problem.
  • As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.
Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions after it is approved.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 super goku
  • Topic Starter
  • Members
  • 180 posts

Posted 06 January 2010 - 10:08 PM

Thank you very much!

I am waiting for your instructions...

#4 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 07 January 2010 - 03:44 PM

Hello super goku,

1.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

2.
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

3.
We need to execute an OTM script
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :Processes
    explorer.exe

    :FILES
    c:\docume~1\assaad~1.zei\locals~1\temp\wmpscfgs.exe
    c:\program files\internet explorer\wmpscfgs.exe
    c:\windows\system32\xgmocif .exe
    C:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\bhqtnw.exe

    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "xgmocif"=-
    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\WINDOWS\system32\userinit.exe"
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [-HKEY_CLASSES_ROOT\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}]

    :Commands
    [Reboot]
  4. Push the large button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

4.
Please download Malwarebytes Anti-Malware (v1.43) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

5.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop and post the contents of the DDS.txt log. Save the other report in case I need to look at it later.


Things to include in your next reply:
OTM log
MBAM log
DDS.txt
Attach.txt
How is your machine running now?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif
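Added example, not OTM's own code and not part of the helper's post: a parser that turns the OTM script in step 3 above into an explicit list of operations, so a script like this can be reviewed before it is run. The operation names and the two review checks are assumptions of this example. The hive check is the one a practitioner would want here: the script restores Userinit under HKEY_CURRENT_USER, the OTM log in the next post confirms that write, and the Malwarebytes log in the same post still reports the HKEY_LOCAL_MACHINE Winlogon Userinit value as hijacked and repairs it, which is the hive Winlogon reads.

```python
"""Turn an OTM (OldTimer) fix script into an explicit list of operations.

Added example for this page; it is not OTM's code and not part of the
helper's post. OTM_SCRIPT is the script posted above; the operation names
and the review checks are this example's own assumptions.
"""
import re

OTM_SCRIPT = """\
:Processes
explorer.exe

:FILES
c:\\docume~1\\assaad~1.zei\\locals~1\\temp\\wmpscfgs.exe
c:\\program files\\internet explorer\\wmpscfgs.exe
c:\\windows\\system32\\xgmocif .exe
C:\\Documents and Settings\\Assaad.ZEIN-860EF8BDFC\\bhqtnw.exe

:Reg
[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"xgmocif"=-
[HKEY_CURRENT_USER\\software\\microsoft\\windows nt\\currentversion\\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[-HKEY_CLASSES_ROOT\\CLSID\\{5C255C8A-E604-49b4-9D64-90988571CECB}]

:Commands
[Reboot]
"""

# "name"=data  (data is "-" to delete the value, or a quoted string to set it)
_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_otm(text):
    """Return (operation, target, payload) tuples in script order."""
    ops, section, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):          # section header such as :Files or :Reg
            section, key = line[1:].lower(), None
        elif section == "processes":
            ops.append(("kill_process", line, None))
        elif section == "files":
            ops.append(("move_file", line, None))
        elif section == "reg":
            if line.startswith("[-") and line.endswith("]"):
                ops.append(("delete_key", line[2:-1], None))
                key = None
            elif line.startswith("[") and line.endswith("]"):
                key = line[1:-1]           # following values apply to this key
            else:
                m = _VALUE_RE.match(line)
                if m is None or key is None:
                    raise ValueError(f"unparsed :Reg line: {line!r}")
                name, data = m.group(1), m.group(2)
                if data == "-":
                    ops.append(("delete_value", key, name))
                else:
                    ops.append(("set_value", key, (name, data.strip('"'))))
        elif section == "commands":
            ops.append(("command", line.strip("[]"), None))
        else:
            raise ValueError(f"line outside a known section: {line!r}")
    return ops


def userinit_hives(ops):
    """Hives in which the script writes a Winlogon Userinit value."""
    hives = set()
    for op, key, payload in ops:
        if (op == "set_value" and payload[0].lower() == "userinit"
                and key.lower().endswith("\\winlogon")):
            hives.add(key.split("\\", 1)[0].upper())
    return hives


def review(ops):
    """Warnings a reviewer would raise before running the script."""
    warnings = []
    hives = userinit_hives(ops)
    if hives and "HKEY_LOCAL_MACHINE" not in hives:
        warnings.append("Userinit is restored only under %s; Winlogon reads the value "
                        "under HKEY_LOCAL_MACHINE" % ", ".join(sorted(hives)))
    for op, target, _ in ops:
        if op == "move_file" and re.search(r"\s\.exe$", target, re.IGNORECASE):
            warnings.append(f"{target!r}: also check the sibling without the space "
                            "(the HijackThis log shows both names)")
    return warnings


if __name__ == "__main__":
    operations = parse_otm(OTM_SCRIPT)
    for op in operations:
        print(op)
    for w in review(operations):
        print("WARNING:", w)
```

The parser is deliberately strict: a :Reg line it cannot classify raises instead of being skipped, since a silently ignored line in a removal script is exactly what a reviewer wants to catch.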


#5 super goku
  • Topic Starter
  • Members
  • 180 posts

Posted 07 January 2010 - 11:58 PM

OTM Log:
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
c:\docume~1\assaad~1.zei\locals~1\temp\wmpscfgs.exe moved successfully.
c:\program files\internet explorer\wmpscfgs.exe moved successfully.
c:\windows\system32\xgmocif .exe moved successfully.
File/Folder C:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\bhqtnw.exe not found.
========== REGISTRY ==========
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\\"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"|"" /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\xgmocif deleted successfully.
HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon\\"Userinit"|"C:\WINDOWS\system32\userinit.exe" /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_CLASSES_ROOT\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
========== COMMANDS ==========

OTM by OldTimer - Version 3.1.4.0 log created on 01072010_230331


MBAM log
Malwarebytes' Anti-Malware 1.44
Database version: 3513
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

07/01/2010 11:25:58 PM
mbam-log-2010-01-07 (23-25-58).txt

Scan type: Quick Scan
Objects scanned: 133532
Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Infected: 8
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
C:\Program Files\Yahoo!\Messenger\yahoom~1 .exe (Trojan.Agent) -> Unloaded process successfully.
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe (Trojan.Agent) -> Unloaded process successfully.
c:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\Local Settings\Temp\wmpscfgs.exe (Trojan.Agent) -> Unloaded process successfully.
c:\program files\internet explorer\wmpscfgs.exe (Trojan.Agent) -> Unloaded process successfully.
c:\program files\analog devices\SoundMAX\smax4 .exe (Trojan.Agent) -> Unloaded process successfully.
c:\program files\ati technologies\ATI.ACE\cli.exe (Trojan.Agent) -> Unloaded process successfully.
c:\Program Files\Yahoo!\Messenger\yahoom~1 .exe (Trojan.Agent) -> Unloaded process successfully.
c:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\Local Settings\Temp\wmpscfgs.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7d5dd829-6c90-42c5-b54c-2afa82f988ba} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3ed5288-f558-4f6e-8d5c-740cb6f89029} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updatemgr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\soundmax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aticcc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\NeroCheck.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nerofiltercheck (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\bhqtnw.exe \s) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Yahoo!\Messenger\yahoom~1 .exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\Local Settings\Temp\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\internet explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\analog devices\SoundMAX\smax4 .exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\ati technologies\ATI.ACE\cli.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NeroCheck.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\hdashcut.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xgmocif.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\hdashcut .exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\hdashcut.exe (Trojan.Agent) -> Quarantined and deleted successfully.


DDS.txt

DDS (Ver_09-12-01.01) - NTFSx86
Run by Assaad at 23:53:44.90 on 07/01/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2046.1340 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\panasonic\panasonic KX-P7100\DelPnPD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\windows live\messenger\msnmsgr .exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
c:\program files\analog devices\core\smax4pnp .exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\docume~1\assaad~1.zei\locals~1\temp\wmpscfgs.exe
c:\program files\internet explorer\wmpscfgs.exe
C:\WINDOWS\system32\wscntfy.exe
c:\program files\cyberlink dvd solution\powerdvd\pdvdserv .exe
c:\program files\ani\aniwzcs2 service\wzcsldr2 .exe
c:\program files\d-link\rangebooster g wua-2340\airpluscfg .exe
c:\program files\intuit\quickbooks client manager\qbcmagent .exe
C:\Program Files\Common Files\Intuit\DatabaseServer\QBDBMgr.exe
c:\progra~1\yahoo!\messen~1\yahoom~1 .exe
c:\program files\common files\real\update_ob\realsched .exe
c:\program files\ahead\incd\incd .exe
c:\program files\adobe\acrobat 7.0\distillr\acrotray .exe
c:\docume~1\assaad~1.zei\locals~1\temp\wmpscfgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\Desktop\Bleeping Computer Fix\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://ca.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.sexblacksex.com/"
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [QBCMAgent] c:\program files\intuit\quickbooks client manager\QBCMAgent.exe
mRun: [D-Link RangeBooster G WUA-2340] c:\program files\d-link\rangebooster g wua-2340\AirPlusCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [DelPnPDirver] c:\program files\panasonic\panasonic kx-p7100\DelPnPD.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli scecli scecli scecli
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2007-11-8 38448]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-20 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-20 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-31 360584]
R1 KPSYSDRV;KPSYSDRV;c:\windows\system32\drivers\Kpsysdrv.sys [2009-12-31 17016]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-31 285392]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~3\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~3\QBDBMgrN.exe -hvQuickBooksDB18 [?]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-8-4 5120]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2009-8-28 386784]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-8-28 57440]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1553896]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\rangebooster g wua-2340\jswutil\jswpsapi.exe [2009-8-28 356434]

=============== Created Last 30 ================

2010-01-08 04:31:50 40960 ----a-w- c:\documents and settings\assaad.zein-860ef8bdfc\hdashcut.exe
2010-01-08 04:31:50 40960 ----a-w- c:\documents and settings\assaad.zein-860ef8bdfc\hdashcut .exe
2010-01-08 04:13:51 0 d-----w- c:\docume~1\assaad~1.zei\applic~1\Malwarebytes
2010-01-08 04:13:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 04:13:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-08 04:13:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-08 04:13:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 04:03:31 0 d-----w- C:\_OTM
2009-12-31 21:33:32 0 d-----w- c:\docume~1\assaad~1.zei\applic~1\AVS4YOU
2009-12-31 21:33:32 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-12-31 21:30:36 0 d-----w- c:\program files\common files\AVSMedia
2009-12-31 21:30:27 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-12-31 21:30:27 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-12-31 21:30:27 0 d-----w- c:\program files\AVS4YOU
2009-12-31 20:50:00 45 -c--a-w- c:\windows\KXP7100W.BAK
2009-12-31 20:50:00 45 ----a-w- c:\windows\Kxp7100w.ini
2009-12-31 20:50:00 34893 ----a-w- c:\windows\system32\KPLANMON.DLL
2009-12-31 20:50:00 31428 ----a-w- c:\windows\system32\Kpprtmon.dll
2009-12-31 20:50:00 28672 ----a-w- c:\windows\system32\Usb2pvm.dll
2009-12-31 20:50:00 17016 ----a-w- c:\windows\system32\drivers\Kpsysdrv.sys
2009-12-31 20:50:00 122880 ----a-w- c:\windows\system32\Kpwslib.dll
2009-12-31 20:50:00 1106 ----a-w- c:\windows\system32\Kpwsgdi.ini
2009-12-31 20:50:00 10475 ----a-w- c:\windows\system32\Kpprtui.dll
2009-12-31 20:27:05 0 d--h--w- C:\$AVG
2009-12-31 20:26:46 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-31 20:26:45 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-12-31 20:26:36 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-12-31 20:20:45 0 d-----w- C:\AVG FREE 9.0
2009-12-31 18:06:08 32656 ----a-w- c:\windows\system32\msonpmon.dll
2009-12-31 17:58:28 0 d-----w- c:\program files\Microsoft Visual Studio 8
2009-12-12 19:53:24 0 ----a-w- c:\windows\system32\WSSPOOL.TMP

==================== Find3M ====================

2010-01-07 14:13:05 45056 ----a-w- c:\windows\system32\hdashcut.exe
2010-01-07 01:24:27 87608 -c--a-w- c:\docume~1\assaad~1.zei\applic~1\inst.exe
2010-01-07 01:24:26 47360 -c--a-w- c:\docume~1\assaad~1.zei\applic~1\pcouffin.sys
2009-12-31 20:26:51 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-31 20:26:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-17 23:08:49 47360 -c--a-w- c:\windows\system32\drivers\pcouffin.sys
2009-10-29 19:14:26 159902 -c--a-w- c:\windows\T4 - T5 Common File - 2008 Uninstaller.exe
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 -c--a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 -c--a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 -c--a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 -c--a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2007-12-30 17:39:38 2293848 -c--a-w- c:\program files\FLV PlayerFCSetup.exe
2007-12-30 17:39:18 3928264 -c--a-w- c:\program files\FLV PlayerRCATSetup.exe
2007-12-30 17:37:57 411248 -c--a-w- c:\program files\FLV PlayerRCSetup.exe
2007-07-12 02:56:15 0 -c--a-w- c:\program files\gditst
2004-03-11 17:27:22 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
2009-01-24 18:43:59 16384 -csha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-01-24 18:43:59 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-01-24 18:43:47 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012420090125\index.dat
2009-01-24 18:43:59 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 23:54:06.57 ===============


Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 01/07/2007 1:48:08 AM
System Uptime: 01/07/2010 11:33:43 PM (-4200 hours ago)

Motherboard: ASUSTek Computer INC. | | M2NPV-VM
Processor: AMD Athlon™ 64 Processor 3500+ | Socket AM2 | 2204/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 298 GiB total, 260.931 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 233 GiB total, 65.139 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1033: 10/10/2009 6:21:43 PM - System Checkpoint
RP1034: 11/10/2009 7:38:23 PM - System Checkpoint
RP1035: 12/10/2009 8:21:43 PM - System Checkpoint
RP1036: 13/10/2009 2:07:26 PM - Installed Java™ 6 Update 15
RP1037: 13/10/2009 9:21:42 AM - System Checkpoint
RP1038: 14/10/2009 11:18:12 AM - System Checkpoint
RP1039: 15/10/2009 2:50:00 AM - Software Distribution Service 3.0
RP1040: 16/10/2009 3:20:16 AM - System Checkpoint
RP1041: 17/10/2009 4:20:15 AM - System Checkpoint
RP1042: 17/10/2009 9:14:15 AM - Avg8 Update
RP1043: 18/10/2009 9:52:21 AM - System Checkpoint
RP1044: 19/10/2009 1:07:53 AM - Cleaned registry with Windows Live OneCare safety scanner
RP1045: 20/10/2009 1:20:16 AM - System Checkpoint
RP1046: 21/10/2009 2:19:33 AM - System Checkpoint
RP1047: 21/10/2009 9:14:17 AM - Avg8 Update
RP1048: 22/10/2009 9:31:30 AM - System Checkpoint
RP1049: 23/10/2009 10:19:34 AM - System Checkpoint
RP1050: 24/10/2009 10:29:12 AM - System Checkpoint
RP1051: 25/10/2009 1:05:16 PM - System Checkpoint
RP1052: 26/10/2009 5:32:21 PM - System Checkpoint
RP1053: 27/10/2009 5:37:04 PM - System Checkpoint
RP1054: 28/10/2009 7:00:54 PM - System Checkpoint
RP1055: 29/10/2009 8:07:35 PM - System Checkpoint
RP1056: 30/10/2009 8:51:20 PM - System Checkpoint
RP1057: 31/10/2009 10:06:36 PM - System Checkpoint
RP1058: 01/11/2009 10:49:33 PM - System Checkpoint
RP1059: 02/11/2009 11:41:45 PM - System Checkpoint
RP1060: 03/11/2009 9:56:31 AM - Avg8 Update
RP1061: 04/11/2009 4:00:15 AM - Software Distribution Service 3.0
RP1062: 05/11/2009 4:34:20 AM - System Checkpoint
RP1063: 06/11/2009 5:34:20 AM - System Checkpoint
RP1064: 06/11/2009 10:38:24 AM - Avg8 Update
RP1065: 07/11/2009 11:21:37 AM - System Checkpoint
RP1066: 08/11/2009 11:00:21 AM - System Checkpoint
RP1067: 09/11/2009 11:08:09 AM - System Checkpoint
RP1068: 10/11/2009 11:43:15 AM - System Checkpoint
RP1069: 11/11/2009 3:02:45 PM - System Checkpoint
RP1070: 12/11/2009 3:00:25 AM - Software Distribution Service 3.0
RP1071: 13/11/2009 3:23:35 AM - System Checkpoint
RP1072: 14/11/2009 3:42:31 AM - System Checkpoint
RP1073: 15/11/2009 4:15:48 AM - System Checkpoint
RP1074: 16/11/2009 5:15:49 AM - System Checkpoint
RP1075: 17/11/2009 5:41:31 AM - System Checkpoint
RP1076: 18/11/2009 6:14:41 AM - System Checkpoint
RP1077: 19/11/2009 7:14:25 AM - System Checkpoint
RP1078: 20/11/2009 8:14:23 AM - System Checkpoint
RP1079: 21/11/2009 9:14:23 AM - System Checkpoint
RP1080: 22/11/2009 10:13:21 AM - System Checkpoint
RP1081: 23/11/2009 12:11:42 PM - System Checkpoint
RP1082: 24/11/2009 12:13:21 PM - System Checkpoint
RP1083: 25/11/2009 3:00:15 AM - Software Distribution Service 3.0
RP1084: 26/11/2009 3:44:11 AM - System Checkpoint
RP1085: 26/11/2009 8:39:37 AM - Avg8 Update
RP1086: 27/11/2009 9:35:58 AM - System Checkpoint
RP1087: 28/11/2009 9:44:12 AM - System Checkpoint
RP1088: 29/11/2009 10:23:24 AM - System Checkpoint
RP1089: 30/11/2009 11:35:39 AM - System Checkpoint
RP1090: 01/11/2009 10:46:11 AM - System Checkpoint
RP1091: 02/12/2009 12:35:59 PM - System Checkpoint
RP1092: 03/12/2009 12:38:18 PM - System Checkpoint
RP1093: 04/12/2009 1:15:03 PM - System Checkpoint
RP1094: 05/12/2009 1:19:30 PM - System Checkpoint
RP1095: 06/12/2009 2:18:20 PM - System Checkpoint
RP1096: 07/12/2009 2:38:19 PM - System Checkpoint
RP1097: 08/12/2009 3:38:15 PM - System Checkpoint
RP1098: 09/12/2009 3:00:19 AM - Software Distribution Service 3.0
RP1099: 10/12/2009 3:23:40 AM - System Checkpoint
RP1100: 10/12/2009 8:54:08 AM - Avg8 Update
RP1101: 11/12/2009 12:38:39 PM - System Checkpoint
RP1102: 12/12/2009 8:54:12 AM - Avg8 Update
RP1103: 12/12/2009 8:54:31 AM - Avg8 Update
RP1104: 13/12/2009 9:23:41 AM - System Checkpoint
RP1105: 14/12/2009 12:55:15 PM - System Checkpoint
RP1106: 15/12/2009 1:09:18 PM - System Checkpoint
RP1107: 16/12/2009 1:11:24 PM - System Checkpoint
RP1108: 17/12/2009 2:04:55 PM - System Checkpoint
RP1109: 18/12/2009 3:04:55 PM - System Checkpoint
RP1110: 19/12/2009 3:00:22 AM - Software Distribution Service 3.0
RP1111: 20/12/2009 3:16:15 AM - System Checkpoint
RP1112: 21/12/2009 4:16:15 AM - System Checkpoint
RP1113: 22/12/2009 9:48:33 AM - Avg8 Update
RP1114: 23/12/2009 10:15:22 AM - System Checkpoint
RP1115: 24/12/2009 1:00:51 PM - System Checkpoint
RP1116: 25/12/2009 3:48:49 PM - System Checkpoint
RP1117: 26/12/2009 5:55:33 PM - System Checkpoint
RP1118: 27/12/2009 6:57:28 PM - System Checkpoint
RP1119: 28/12/2009 9:11:18 AM - Avg8 Update
RP1120: 29/12/2009 9:59:18 AM - System Checkpoint
RP1121: 30/12/2009 2:27:52 PM - System Checkpoint
RP1122: 31/12/2009 12:56:23 PM - Installed Microsoft Office Enterprise 2007
RP1123: 31/12/2009 1:06:07 PM - Printer Driver Send To Microsoft OneNote Driver Installed
RP1124: 31/12/2009 1:12:40 PM - Printer Driver Send To Microsoft OneNote Driver Installed
RP1125: 31/12/2009 1:43:27 PM - Unsigned printer driver Panasonic KX-P7100 installed.
RP1126: 31/12/2009 2:08:42 PM - Software Distribution Service 3.0
RP1127: 31/12/2009 3:09:11 PM - Printer Driver Panasonic KX-P7100 Installed
RP1128: 31/12/2009 3:26:27 PM - Installed AVG Free 9.0
RP1129: 31/12/2009 3:33:20 PM - Unsigned printer driver Panasonic KX-P7100 installed.
RP1130: 31/12/2009 3:50:31 PM - Printer Driver Panasonic KX-P7100 Installed
RP1131: 31/12/2009 4:05:01 PM - Unsigned printer driver Panasonic KX-P7100 installed.
RP1132: 31/12/2009 4:05:50 PM - Printer Driver Panasonic KX-P7100 Installed
RP1133: 31/12/2009 5:12:16 PM - Avg8 Update
RP1134: 01/01/2010 3:00:23 AM - Software Distribution Service 3.0
RP1135: 02/01/2010 7:05:41 AM - System Checkpoint
RP1136: 02/01/2010 6:34:41 PM - Installed Java™ 6 Update 17
RP1137: 03/01/2010 8:31:55 PM - System Checkpoint
RP1138: 04/01/2010 8:32:59 PM - System Checkpoint
RP1139: 05/01/2010 10:05:35 PM - System Checkpoint
RP1140: 06/01/2010 8:26:14 PM - Removed Ad-Aware
RP1141: 07/01/2010 9:42:31 PM - System Checkpoint

==== Installed Programs ======================

2003 Personal Taxprep T1/TP1
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.1.0 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.5
AMD Processor Driver
ANIO Service
ANIWZCS2 Service
ASUS ATI Driver
ASUS Enhanced Display Driver
AsusUpdate
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG Free 9.0
Compatibility Pack for the 2007 Office system
Corporate Taxprep 32
Corporate Taxprep Version 2.0 - 2004
Critical Update for Windows Media Player 11 (KB959772)
DesignPro 5.4 Limited Edition
DirectVobSub (remove only)
DVD Solution
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
InCD
Java™ 6 Update 15
Junk Mail filter update
Lease Agreements
LiveUpdate 1.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Multimedia Launcher
Nero OEM
Norton Ghost
NVIDIA Drivers
OGA Notifier 2.0.0048.0
Panasonic KX-P7100
Paragon Drive Backup 8.5 Professional
PDF Password Cracker Pro v3.0
PowerDVD
PowerProducer
ProFile
QBFC3.0b
QuickBooks Client Manager Version 1
QuickBooks Enterprise Solutions: Accountant Edition 8.0
QuickBooks Premier Accountant: Multicurrency Edition
QuickBooks Premier: Accountant Edition 2009
QuickBooks Pro 2008
QuickBooks Pro 2009
QuickBooks Pro Edition 2007
RangeBooster G WUA-2340
RealPlayer
Recovery for Word
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
Simply Accounting 2005 Pro
Simply Accounting v8.5
SoundMAX
SpeedFan (remove only)
Spybot - Search & Destroy
SpywareBlaster 4.2
SupportSoft Assisted Service
T4
T4-T4A-T5 Printer Common Files
T4 - 2005
T4 - 2006
T4 - T5 Common File
T4 - T5 Common File - 2006
T4 - T5 Common File - 2008
T5 - 2005
T5 - 2006
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb976884)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VeryPDF PDF2Word v3.0
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Service Pack 3
WinRAR archiver
WinRAS 2009.01vf
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

31/12/2009 4:42:21 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file ctfmon.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
31/12/2009 3:12:57 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service SymSnapService with arguments "" in order to run the server: {A62FB47E-2A72-44A7-B83D-16FB51636AAC}
31/12/2009 3:01:24 PM, error: Service Control Manager [7034] - The ATK Keyboard Service service terminated unexpectedly. It has done this 1 time(s).
31/12/2009 3:00:49 PM, error: Service Control Manager [7034] - The QuickBooks Database Manager Service service terminated unexpectedly. It has done this 1 time(s).
31/12/2009 3:00:40 PM, error: Service Control Manager [7034] - The QuickBooksDB18 service terminated unexpectedly. It has done this 1 time(s).
31/12/2009 12:21:23 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
31/12/2009 1:51:59 PM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
31/12/2009 1:51:55 PM, error: Service Control Manager [7034] - The Symantec SymSnap VSS Provider service terminated unexpectedly. It has done this 1 time(s).
31/12/2009 1:34:13 PM, error: Print [6161] - The document Test Page owned by Assaad failed to print on printer HP LaserJet 4Si. Data type: NT EMF 1.008. Size of the spool file in bytes: 106944. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\ZEIN-860EF8BDFC. Win32 error code returned by the print processor: 2 (0x2).
31/12/2009 1:33:34 PM, error: Print [6161] - The document Microsoft Word - Document1 owned by Assaad failed to print on printer HP LaserJet 4Si. Data type: NT EMF 1.008. Size of the spool file in bytes: 131072. Number of bytes printed: 0. Total number of pages in the document: 2. Number of pages printed: 0. Client machine: \\ZEIN-860EF8BDFC. Win32 error code returned by the print processor: 2 (0x2).
07/01/2010 8:27:48 AM, error: Dhcp [1002] - The IP address lease 192.168.0.104 for the Network Card with network address 0022B0ECEE2C has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
06/01/2010 2:07:47 PM, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
06/01/2010 2:07:46 PM, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
06/01/2010 2:07:46 PM, error: Service Control Manager [7034] - The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).
06/01/2010 2:07:46 PM, error: Service Control Manager [7031] - The Remote Registry service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
04/01/2010 8:10:47 PM, error: Service Control Manager [7034] - The HTTP SSL service terminated unexpectedly. It has done this 1 time(s).
04/01/2010 8:10:37 PM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
03/01/2010 7:00:36 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0022B0ECEE2C. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
03/01/2010 7:00:28 PM, error: Dhcp [1002] - The IP address lease 192.168.0.105 for the Network Card with network address 0022B0ECEE2C has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
03/01/2010 12:59:51 PM, error: Dhcp [1002] - The IP address lease 192.168.0.103 for the Network Card with network address 0022B0ECEE2C has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
02/01/2010 6:24:38 PM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s).
02/01/2010 6:18:41 PM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
02/01/2010 2:56:58 AM, error: Dhcp [1002] - The IP address lease 192.168.0.108 for the Network Card with network address 0022B0ECEE2C has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
01/01/2010 3:20:32 AM, error: Dhcp [1002] - The IP address lease 192.168.0.100 for the Network Card with network address 0022B0ECEE2C has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================


********************* Error Messages upon restarting Windows!!*************************

Please find 2 error messages that pop up on my screen when Windows restarts

Error 1:
HDAshCut.exe - Strong name validation failed.

"Strong name validation failed for assembly 'C:\Windows\system32\HDAShCut.exe'. The file may have been tampered with or it was partially signed but not fully signed with the correct private key."


Error 2: HDAshCut.exe - Common Language Runtime Debugging Services

Application has generated an exception that could not be handled.
Process id=0xfe0 (4064), Thread id=0xfe4 (4068).

Click ok to terminate the application
Click CANCEL to debug the application

Edited by super goku, 08 January 2010 - 12:17 AM.

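The burst of Service Control Manager 7031/7034 events at 2:07:46-2:07:47 PM on 06/01/2010 in the event log above (Remote Procedure Call, TCP/IP NetBIOS Helper, SSDP Discovery and Remote Registry all terminating within one second) is the kind of pattern worth pulling out of a log mechanically rather than by eye. The Python below is an added example, not part of the original post or of any tool mentioned in this thread; it parses lines in the shape printed above and groups terminations that fall within a short window of each other. The sample lines are copied from the log above; the window width and the minimum-services threshold are assumptions chosen for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: SCM lines copied in the shape of the event log
# excerpt above (dates are dd/mm/yyyy, as that log prints them).
SAMPLE_LOG = """\
06/01/2010 2:07:47 PM, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
06/01/2010 2:07:46 PM, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
06/01/2010 2:07:46 PM, error: Service Control Manager [7034] - The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).
06/01/2010 2:07:46 PM, error: Service Control Manager [7031] - The Remote Registry service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
04/01/2010 8:10:47 PM, error: Service Control Manager [7034] - The HTTP SSL service terminated unexpectedly. It has done this 1 time(s).
04/01/2010 8:10:37 PM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
02/01/2010 6:24:38 PM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s).
"""

# 7034 = service terminated unexpectedly, 7031 = same but SCM will take a
# corrective action. Only the timestamp, event id and service name are kept.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), error: "
    r"Service Control Manager \[(?P<eid>703[14])\] - The (?P<svc>.+?) service terminated unexpectedly"
)


def parse_scm_events(text):
    """Return a time-sorted list of (timestamp, event_id, service_name)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%m/%Y %I:%M:%S %p")
        events.append((ts, int(m.group("eid")), m.group("svc")))
    return sorted(events)


def find_bursts(events, window_seconds=2, min_services=2):
    """Group terminations that fall within `window_seconds` of the previous one.

    A cluster of distinct services dying together points at a shared host
    process (for instance one svchost instance) crashing or being killed,
    rather than at each service failing on its own. Window and threshold
    are assumptions for this example, not values taken from the thread.
    """
    bursts, current = [], []
    for ev in events:
        if current and (ev[0] - current[-1][0]) > timedelta(seconds=window_seconds):
            if len({e[2] for e in current}) >= min_services:
                bursts.append(current)
            current = []
        current.append(ev)
    if len({e[2] for e in current}) >= min_services:
        bursts.append(current)
    return bursts


def burst_summary(text, **kwargs):
    """Human-readable view: first timestamp of each burst plus its services."""
    return [
        (b[0][0].isoformat(sep=" "), sorted({e[2] for e in b}))
        for b in find_bursts(parse_scm_events(text), **kwargs)
    ]


if __name__ == "__main__":
    for when, services in burst_summary(SAMPLE_LOG):
        print(when, "->", ", ".join(services))
```

The script only surfaces the cluster; which host process each service actually lived in has to be confirmed on the machine itself (for example with `tasklist /svc` on XP), and a reboot triggered by the RPC service's corrective action, as in the 7031 line above, is what the user would have seen as the machine "freezing".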

#6 super goku
Posted 08 January 2010 - 08:12 AM

Hello,

Out of the blue, AVG Resident Shield alert gives me the following detection:

Accessed file is infected.
File name: C:\Program Files\Analog Devices\SoundMAX\smax4exe

Threat name: Trojan horse Generic16.WTC
Detected on open


**Since you had told me not to do anything, I simply closed the message box.

#7 fireman4it (Malware Response Team)

Posted 08 January 2010 - 05:37 PM

Hello super goku,

Seems we have a little more work to do.

1.
We need to execute an OTM script
  • Double click the icon on your desktop.
  • Paste the following code under the area. Do not include the word "Code".
    CODE
    :Processes
    explorer.exe

    :Files
    c:\docume~1\assaad~1.zei\locals~1\temp\wmpscfgs.exe
    c:\program files\internet explorer\wmpscfgs.exe
    c:\progra~1\yahoo!\messen~1\yahoom~1 .exe
    c:\documents and settings\assaad.zein-860ef8bdfc\hdashcut.exe
    c:\windows\system32\hdashcut.exe
    c:\docume~1\assaad~1.zei\applic~1\inst.exe

    :Reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{44226DFF-747E-4edc-B30C-78752E50CD0C}]
    [-HKEY_CLASSES_ROOT\CLSID\{44226DFF-747E-4edc-B30C-78752E50CD0C}]
    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\WINDOWS\system32\userinit.exe,"

    :Commands
    [Reboot]
    [Emptytemp]
  • Push the large button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

2.
Please update Malwarebytes Anti-Malware and run a Full Scan. Please post the resulting log in your next reply.

3.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

4.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop and post the contents of the DDS.txt log. Save the other report in case I need to look at it later.


Things to include in your next reply:
OTM log
MBAM log
Gmer.log
DDS.txt
No need for attach.txt this time

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


#8 super goku (Topic Starter)

Posted 09 January 2010 - 08:11 AM

Hello.

1-OTM Log
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
c:\docume~1\assaad~1.zei\locals~1\temp\wmpscfgs.exe moved successfully.
c:\program files\internet explorer\wmpscfgs.exe moved successfully.
File/Folder c:\progra~1\yahoo!\messen~1\yahoom~1 .exe not found.
c:\documents and settings\assaad.zein-860ef8bdfc\hdashcut.exe moved successfully.
c:\windows\system32\hdashcut.exe moved successfully.
c:\docume~1\assaad~1.zei\applic~1\inst.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\Shockwave Updater deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{44226DFF-747E-4edc-B30C-78752E50CD0C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44226DFF-747E-4edc-B30C-78752E50CD0C}\ not found.
Registry key HKEY_CLASSES_ROOT\CLSID\{44226DFF-747E-4edc-B30C-78752E50CD0C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44226DFF-747E-4edc-B30C-78752E50CD0C}\ not found.
HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon\\"Userinit"|"C:\WINDOWS\system32\userinit.exe," /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 3396233 bytes

User: All Users

User: Assaad

User: Assaad.ZEIN-860EF8BDFC
->Temp folder emptied: 1542719 bytes
->Temporary Internet Files folder emptied: 8503073 bytes
->Java cache emptied: 47512416 bytes

User: ASSAAD~1~ZEI

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 144862 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: QBDataServiceUser18
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2437583 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 147967 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 13488940 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 74.00 mb


OTM by OldTimer - Version 3.1.4.0 log created on 01082010_202030

Files moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_27c.dat moved successfully.

Registry entries deleted on Reboot...


2-MBAM log
Malwarebytes' Anti-Malware 1.44
Database version: 3515
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

08/01/2010 9:17:39 PM
mbam-log-2010-01-08 (21-17-23).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 241294
Time elapsed: 44 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 9
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 38

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\acrobat assistant 7.0 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\incd (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\soundmaxpnp (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aniwzcs2service (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\Update_OB\realsched.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tkbellexe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remotecontrol (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d-link rangebooster g wua-2340 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qbcmagent (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgtray.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\hdashcut .exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{AE1067AC-CCDF-454E-AB20-E136A02A69AD}\RP1133\A0196176.old (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{AE1067AC-CCDF-454E-AB20-E136A02A69AD}\RP1134\A0196432.rbf (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{AE1067AC-CCDF-454E-AB20-E136A02A69AD}\RP1141\A0199141.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{AE1067AC-CCDF-454E-AB20-E136A02A69AD}\RP1141\A0199142.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{AE1067AC-CCDF-454E-AB20-E136A02A69AD}\RP1141\A0199143.exe (Trojan.Agent) -> No action taken.
C:\_OTM\MovedFiles\01082010_202030\c_documents and settings\assaad.zein-860ef8bdfc\hdashcut.exe (Trojan.Agent) -> No action taken.
C:\_OTM\MovedFiles\01082010_202030\c_docume~1\assaad~1.zei\locals~1\temp\wmpscfgs.exe (Trojan.Agent) -> No action taken.
C:\_OTM\MovedFiles\01082010_202030\c_program files\internet explorer\wmpscfgs.exe (Trojan.Agent) -> No action taken.
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\adobeupdatemanager.exe.delme68 (Trojan.Agent) -> No action taken.
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe (Trojan.Agent) -> No action taken.
C:\Program Files\Ahead\InCD\incd.exe (Trojan.Agent) -> No action taken.
C:\Program Files\Analog Devices\Core\smax4pnp.exe (Trojan.Agent) -> No action taken.
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe (Trojan.Agent) -> No action taken.
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe (Trojan.Agent) -> No action taken.
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe (Trojan.Agent) -> No action taken.
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe (Trojan.Agent) -> No action taken.
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe (Trojan.Agent) -> No action taken.
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe (Trojan.Agent) -> No action taken.
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe (Trojan.Agent) -> No action taken.
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe (Trojan.Agent) -> No action taken.
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe (Trojan.Agent) -> No action taken.
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe (Trojan.Agent) -> No action taken.
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe (Trojan.Agent) -> No action taken.
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe (Trojan.Agent) -> No action taken.
C:\Program Files\Analog Devices\SoundMAX\smax4.exe (Trojan.Agent) -> No action taken.
C:\Program Files\ANI\ANIWZCS2 Service\wzcsldr2.exe (Trojan.Agent) -> No action taken.
C:\Program Files\ATI Technologies\ATI.ACE\hdashcut .exe (Trojan.Agent) -> No action taken.
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe.delme236 (Trojan.Agent) -> No action taken.
C:\Program Files\Common Files\Real\Update_OB\hdashcut .exe (Trojan.Agent) -> No action taken.
C:\Program Files\Common Files\Real\Update_OB\realsched.exe (Trojan.Agent) -> No action taken.
C:\Program Files\CyberLink DVD Solution\PowerDVD\pdvdserv.exe (Trojan.Agent) -> No action taken.
C:\Program Files\Windows Live\Messenger\msnmsgr .exe.delme56 (Trojan.Agent) -> No action taken.
C:\Program Files\Spybot - Search & Destroy\teatimer.exe.delme72 (Trojan.Agent) -> No action taken.
C:\Program Files\D-Link\RangeBooster G WUA-2340\airpluscfg.exe (Trojan.Agent) -> No action taken.
C:\Program Files\Intuit\QuickBooks Client Manager\qbcmagent.exe (Trojan.Agent) -> No action taken.
C:\Program Files\Yahoo!\Messenger\yahoom~1.exe.delme398 (Trojan.Agent) -> No action taken.

3-Gmer.log
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-08 23:36:56
Windows 5.1.2600 Service Pack 3
Running: 8uvkux6z.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwxiapod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

---- EOF - GMER 1.0.15 ----


4-DDS.txt

DDS (Ver_09-12-01.01) - NTFSx86
Run by Assaad at 8:01:56.43 on 09/01/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2046.1342 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\program files\quicktime\qttask .exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\dllhost.exe
c:\program files\analog devices\core\smax4pnp .exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\docume~1\assaad~1.zei\locals~1\temp\wmpscfgs.exe
c:\program files\cyberlink dvd solution\powerdvd\pdvdserv .exe
C:\WINDOWS\system32\wscntfy.exe
c:\program files\ahead\incd\incd .exe
c:\program files\d-link\rangebooster g wua-2340\airpluscfg .exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\Desktop\Bleeping Computer Fix\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://ca.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [QBCMAgent] c:\program files\intuit\quickbooks client manager\QBCMAgent.exe
mRun: [D-Link RangeBooster G WUA-2340] c:\program files\d-link\rangebooster g wua-2340\AirPlusCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [DelPnPDirver] c:\program files\panasonic\panasonic kx-p7100\DelPnPD.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli scecli scecli scecli
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2007-11-8 38448]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-20 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-20 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-31 360584]
R1 KPSYSDRV;KPSYSDRV;c:\windows\system32\drivers\Kpsysdrv.sys [2009-12-31 17016]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-31 285392]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~3\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~3\QBDBMgrN.exe -hvQuickBooksDB18 [?]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-8-4 5120]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2009-8-28 386784]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-8-28 57440]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1553896]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\rangebooster g wua-2340\jswutil\jswpsapi.exe [2009-8-28 356434]

=============== Created Last 30 ================

2010-01-09 13:01:24 1298542 ----a-w- c:\documents and settings\assaad.zein-860ef8bdfc\hdashcut.exe
2010-01-09 04:38:48 40960 ----a-w- c:\documents and settings\assaad.zein-860ef8bdfc\hdashcut .exe
2010-01-08 04:13:51 0 d-----w- c:\docume~1\assaad~1.zei\applic~1\Malwarebytes
2010-01-08 04:13:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 04:13:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-08 04:13:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-08 04:13:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 04:03:31 0 d-----w- C:\_OTM
2009-12-31 21:33:32 0 d-----w- c:\docume~1\assaad~1.zei\applic~1\AVS4YOU
2009-12-31 21:33:32 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-12-31 21:30:36 0 d-----w- c:\program files\common files\AVSMedia
2009-12-31 21:30:27 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-12-31 21:30:27 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-12-31 21:30:27 0 d-----w- c:\program files\AVS4YOU
2009-12-31 20:50:00 45 -c--a-w- c:\windows\KXP7100W.BAK
2009-12-31 20:50:00 45 ----a-w- c:\windows\Kxp7100w.ini
2009-12-31 20:50:00 34893 ----a-w- c:\windows\system32\KPLANMON.DLL
2009-12-31 20:50:00 31428 ----a-w- c:\windows\system32\Kpprtmon.dll
2009-12-31 20:50:00 28672 ----a-w- c:\windows\system32\Usb2pvm.dll
2009-12-31 20:50:00 17016 ----a-w- c:\windows\system32\drivers\Kpsysdrv.sys
2009-12-31 20:50:00 122880 ----a-w- c:\windows\system32\Kpwslib.dll
2009-12-31 20:50:00 1106 ----a-w- c:\windows\system32\Kpwsgdi.ini
2009-12-31 20:50:00 10475 ----a-w- c:\windows\system32\Kpprtui.dll
2009-12-31 20:27:05 0 d--h--w- C:\$AVG
2009-12-31 20:26:46 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-31 20:26:45 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-12-31 20:26:36 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-12-31 20:20:45 0 d-----w- C:\AVG FREE 9.0
2009-12-31 18:06:08 32656 ----a-w- c:\windows\system32\msonpmon.dll
2009-12-31 17:58:28 0 d-----w- c:\program files\Microsoft Visual Studio 8

==================== Find3M ====================

2010-01-07 01:24:26 47360 -c--a-w- c:\docume~1\assaad~1.zei\applic~1\pcouffin.sys
2009-12-31 20:26:51 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-31 20:26:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-17 23:08:49 47360 -c--a-w- c:\windows\system32\drivers\pcouffin.sys
2009-10-29 19:14:26 159902 -c--a-w- c:\windows\T4 - T5 Common File - 2008 Uninstaller.exe
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 -c--a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 -c--a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 -c--a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 -c--a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2007-12-30 17:39:38 2293848 -c--a-w- c:\program files\FLV PlayerFCSetup.exe
2007-12-30 17:39:18 3928264 -c--a-w- c:\program files\FLV PlayerRCATSetup.exe
2007-12-30 17:37:57 411248 -c--a-w- c:\program files\FLV PlayerRCSetup.exe
2007-07-12 02:56:15 0 -c--a-w- c:\program files\gditst
2004-03-11 17:27:22 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
2009-01-24 18:43:59 16384 -csha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-01-24 18:43:59 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-01-24 18:43:47 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012420090125\index.dat

============= FINISH: 8:02:38.50 ===============



Do I have something bad?

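The MBAM and DDS output above shows a recognisable naming pattern: executables whose name carries a space before the extension (smax4 .exe, hdashcut .exe, qttask .exe, pdvdserv .exe) sitting in the same directory as the real file of that name, files renamed with a .delmeNNN suffix, and an executable (wmpscfgs.exe) running out of a Temp directory. The Python below is an added example, not code from the original thread, from Malwarebytes or from DDS; it runs over a constructed list of paths copied from the logs above, tags each of those patterns, and pairs every space-before-extension look-alike with the original beside it. The tag names and the exe-in-temp heuristic are this example's own choices.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: paths copied from the MBAM "Files Infected" and DDS
# "Created Last 30" listings above, plus one ordinary system binary.
SAMPLE_PATHS = [
    r"C:\Program Files\Analog Devices\SoundMAX\smax4 .exe",
    r"C:\Program Files\Analog Devices\SoundMAX\smax4.exe",
    r"C:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\hdashcut .exe",
    r"C:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\hdashcut.exe",
    r"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe.delme236",
    r"C:\Program Files\Spybot - Search & Destroy\teatimer.exe.delme72",
    r"c:\docume~1\assaad~1.zei\locals~1\temp\wmpscfgs.exe",
    r"C:\Program Files\Internet Explorer\wmpscfgs.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",
]

# "name .exe": whitespace immediately before a short extension at end of name.
SPACE_BEFORE_EXT = re.compile(r"\s\.[A-Za-z0-9]{1,4}$")
# "name.exe.delme236": an original pushed aside under a numbered suffix.
DELME_SUFFIX = re.compile(r"\.delme\d+$", re.IGNORECASE)


def classify(path):
    """Return the anomaly tags that apply to one path (empty list = nothing odd)."""
    p = PureWindowsPath(path)
    name = p.name
    tags = []
    if SPACE_BEFORE_EXT.search(name):
        tags.append("space-before-extension")
    if DELME_SUFFIX.search(name):
        tags.append("delme-suffix")
    # Heuristic chosen for this example: a .exe launched from any Temp folder.
    in_temp = any(part.lower() == "temp" for part in p.parent.parts)
    if in_temp and name.lower().endswith(".exe"):
        tags.append("exe-in-temp")
    return tags


def companion_pairs(paths):
    """Pair each look-alike ('smax4 .exe') with the real file of the same name
    in the same directory ('smax4.exe'). Returns sorted (original, lookalike)."""
    by_key = defaultdict(set)
    for path in paths:
        p = PureWindowsPath(path)
        key = (str(p.parent).lower(), re.sub(r"\s+", "", p.name).lower())
        by_key[key].add(path)
    pairs = []
    for group in by_key.values():
        lookalikes = [x for x in group if SPACE_BEFORE_EXT.search(PureWindowsPath(x).name)]
        originals = [x for x in group if x not in lookalikes]
        for look in lookalikes:
            for orig in originals:
                pairs.append((orig, look))
    return sorted(pairs)


def report(paths):
    """Map each flagged path to its tags; clean paths are left out."""
    out = {}
    for path in paths:
        tags = classify(path)
        if tags:
            out[path] = tags
    return out


if __name__ == "__main__":
    for path, tags in report(SAMPLE_PATHS).items():
        print(f"{', '.join(tags):24} {path}")
    for orig, look in companion_pairs(SAMPLE_PATHS):
        print("pair:", orig, "<->", look)
```

The pairing is what makes the listing readable: a lone "hdashcut .exe" is suspicious, but "hdashcut .exe" (40960 bytes in the DDS listing) next to "hdashcut.exe" (1298542 bytes) tells you which of the two is the impostor and which is the file you want to keep. Any name this flags still has to be checked against the vendor's original before deletion; the script classifies names, not contents.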

#9 fireman4it (Malware Response Team)

Posted 09 January 2010 - 09:57 PM

Hello super goku,

QUOTE
Do I have something bad?

At this point I don't think so but we need to run a few other scanners to find out.

1.
I see in your Malwarebytes' Anti-Malware log "no action taken". This is caused by not clicking on "Remove Selected" and rebooting the machine if required to finish the job. Some files that are to be deleted need to be deleted before the machine restarts.

Please update Malwarebytes' Anti-Malware and run a Full scan. This time make sure you click "Remove Selected" and reboot if asked.

2.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

3.
We Need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  3. Open on your desktop.
  4. Click the tab.
  5. Click the button.
  6. Check all seven boxes:
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
4.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop and post the contents of the DDS.txt log. Save the other report in case I need to look at it later.

Things to include in your next reply:
How is your machine running now? Any signs or symptoms of infection?
MBAM log
ESET log
RootRepeal log
DDS.txt
No need for Attach.txt

Edited by fireman4it, 09 January 2010 - 09:57 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 super goku (Topic Starter)

Posted 09 January 2010 - 10:41 PM

Thank you for your reply...

just one question...in the Malwarebytes' Anti-Malware list...there is one program that I use for my work. If I remove it, will I lose the software?

This is the program that I am afraid of losing:

C:\Program Files\Intuit\QuickBooks Client Manager\qbcmagent.exe (Trojan.Agent) -> No action taken

Thank you
Goku

#11 fireman4it (Bleepin' Fireman, Malware Response Team, Greenup, Ill USA)

Posted 10 January 2010 - 04:31 PM

Hello super goku,

QUOTE
just one question...in the Malwarebytes' Anti-Malware list...there is one program that I use for my work. If I remove it, will I lose the software?

This is the program that I am afraid of losing:

C:\Program Files\Intuit\QuickBooks Client Manager\qbcmagent.exe (Trojan.Agent) -> No action taken

Sometimes even the best malware scanners will detect legitimate files. In this case it looks as if this is a false positive; therefore, uncheck this entry before proceeding with the cleanup.

We can further check to see if this file is bad by doing the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Program Files\Intuit\QuickBooks Client Manager\qbcmagent.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Please include this in your next reply along with the other logs.




#12 super goku (Topic Starter)

Posted 11 January 2010 - 07:58 AM

Ok,

1 major problem: RootRepeal would not finish scanning. I kept it running all night, from 10pm to 7:45am. The first time I tried scanning, it gave me a blue screen, so I tried scanning in Safe Mode but it did not finish (there was no progress information, it was just saying: "Scanning...")


MBAM log - The setting was not set to save the log file so I do not have one. I was not sure if you wanted me to run it again?

ESET log
C:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\Local Settings\Temp\wmpscfgs.exe Win32/TrojanDownloader.Unruy.AY trojan cleaned by deleting (after the next restart) - quarantined
C:\Program Files\Internet Explorer\wmpscfgs .exe Win32/TrojanDownloader.Unruy.AY trojan cleaned by deleting (after the next restart) - quarantined
C:\Program Files\Internet Explorer\wmpscfgs.exe Win32/TrojanDownloader.Unruy.AY trojan cleaned by deleting - quarantined


DDS.txt

DDS (Ver_09-12-01.01) - NTFSx86
Run by Assaad at 7:44:21.65 on 11/01/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2046.1280 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Intuit\QuickBooks Client Manager\QBCMAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\windows live\messenger\msnmsgr .exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Program Files\Common Files\Intuit\DatabaseServer\QBDBMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\Desktop\Bleeping Computer Fix\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://ca.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [QBCMAgent] c:\program files\intuit\quickbooks client manager\QBCMAgent.exe
mRun: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli scecli scecli scecli
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2007-11-8 38448]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-20 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-20 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-31 360584]
R1 KPSYSDRV;KPSYSDRV;c:\windows\system32\drivers\Kpsysdrv.sys [2009-12-31 17016]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-31 285392]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~3\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~3\QBDBMgrN.exe -hvQuickBooksDB18 [?]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-8-4 5120]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2009-8-28 386784]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-8-28 57440]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1553896]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\rangebooster g wua-2340\jswutil\jswpsapi.exe [2009-8-28 356434]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2010-01-11 00:52:04 0 d-----w- c:\program files\ESET
2010-01-09 15:20:31 0 ----a-w- c:\windows\system32\WSSPOOL.TMP
2010-01-08 04:13:51 0 d-----w- c:\docume~1\assaad~1.zei\applic~1\Malwarebytes
2010-01-08 04:13:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 04:13:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-08 04:13:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-08 04:13:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 04:03:31 0 d-----w- C:\_OTM
2009-12-31 21:33:32 0 d-----w- c:\docume~1\assaad~1.zei\applic~1\AVS4YOU
2009-12-31 21:33:32 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-12-31 21:30:36 0 d-----w- c:\program files\common files\AVSMedia
2009-12-31 21:30:27 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-12-31 21:30:27 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-12-31 21:30:27 0 d-----w- c:\program files\AVS4YOU
2009-12-31 20:50:00 45 -c--a-w- c:\windows\KXP7100W.BAK
2009-12-31 20:50:00 45 ----a-w- c:\windows\Kxp7100w.ini
2009-12-31 20:50:00 34893 ----a-w- c:\windows\system32\KPLANMON.DLL
2009-12-31 20:50:00 31428 ----a-w- c:\windows\system32\Kpprtmon.dll
2009-12-31 20:50:00 28672 ----a-w- c:\windows\system32\Usb2pvm.dll
2009-12-31 20:50:00 17016 ----a-w- c:\windows\system32\drivers\Kpsysdrv.sys
2009-12-31 20:50:00 122880 ----a-w- c:\windows\system32\Kpwslib.dll
2009-12-31 20:50:00 1106 ----a-w- c:\windows\system32\Kpwsgdi.ini
2009-12-31 20:50:00 10475 ----a-w- c:\windows\system32\Kpprtui.dll
2009-12-31 20:27:05 0 d--h--w- C:\$AVG
2009-12-31 20:26:46 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-31 20:26:45 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-12-31 20:26:36 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-12-31 20:20:45 0 d-----w- C:\AVG FREE 9.0
2009-12-31 18:06:08 32656 ----a-w- c:\windows\system32\msonpmon.dll
2009-12-31 17:58:28 0 d-----w- c:\program files\Microsoft Visual Studio 8

==================== Find3M ====================

2010-01-07 01:24:26 47360 -c--a-w- c:\docume~1\assaad~1.zei\applic~1\pcouffin.sys
2009-12-31 20:26:51 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-31 20:26:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-17 23:08:49 47360 -c--a-w- c:\windows\system32\drivers\pcouffin.sys
2009-10-29 19:14:26 159902 -c--a-w- c:\windows\T4 - T5 Common File - 2008 Uninstaller.exe
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 -c--a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 -c--a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 -c--a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 -c--a-w- c:\windows\system32\httpapi.dll
2007-12-30 17:39:38 2293848 -c--a-w- c:\program files\FLV PlayerFCSetup.exe
2007-12-30 17:39:18 3928264 -c--a-w- c:\program files\FLV PlayerRCATSetup.exe
2007-12-30 17:37:57 411248 -c--a-w- c:\program files\FLV PlayerRCSetup.exe
2007-07-12 02:56:15 0 -c--a-w- c:\program files\gditst
2004-03-11 17:27:22 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
2009-01-24 18:43:59 16384 -csha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-01-24 18:43:59 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-01-24 18:43:47 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012420090125\index.dat

============= FINISH: 7:44:52.98 ===============


Jotti - Found nothing, Avast was not available for scanning



#13 fireman4it (Bleepin' Fireman, Malware Response Team, Greenup, Ill USA)

Posted 11 January 2010 - 06:57 PM

Hello super goku,

1.
We need to execute an OTM script
  1. Double click the icon on your desktop.
  2. Paste the following code under the area. Do not include the word "Code".
    CODE
    :Files
    c:\program files\internet explorer\wmpscfgs.exe

    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe_Reader"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
    "ShellNext"=-

    :commands
    [EmptyTemp]
    [Reboot]
  3. Push the large button.
  4. OTM may ask to reboot the machine. Please do so if asked.
  5. Copy/Paste the contents under the line here in your next reply.
  6. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

2.
Download HostsXpert.zip
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

3.
New Adobe Reader Installation:
  • Go here and click on the Download button to download the latest version of Adobe Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.

4.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

5.
Please post a new DDS.txt


Things to include in your next reply:
OTM log
DDS.txt

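The OTM script in this post targets three things the DDS log exposed: a Run value named Adobe_Reader that launches wmpscfgs.exe from the Internet Explorer folder, the ShellNext value, and a Hosts override; the ESET log also shows a filename with a space squeezed in before ".exe". As an added example (not part of this thread and not code from the DDS or OTM tools), the Python script below scans a DDS "Pseudo HJT Report" for exactly those patterns; the rule names, the name-vs-path mismatch heuristic and the sample lines (copied from the DDS.txt posted above) are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the DDS.txt posted in this
# thread (Pseudo HJT Report section), so the script runs offline.
SAMPLE_DDS = r"""
uStart Page = hxxp://ca.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [QBCMAgent] c:\program files\intuit\quickbooks client manager\QBCMAgent.exe
mRun: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# uRun/mRun/dRun (and RunOnce) lines look like "[value name] command line"
RUN_LINE = re.compile(r"^[umd]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$")
# A filename such as "wmpscfgs .exe": whitespace squeezed in before the extension
SPACE_BEFORE_EXT = re.compile(r"\S+ +\.(?:exe|dll|scr|com)\b", re.IGNORECASE)


def _target_path(rest: str) -> str:
    """Pull the executable path out of the Run value data (quoted or bare)."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    # Bare path: it runs up to the first executable extension followed by space/end
    m = re.match(r"(.*?\.(?:exe|scr|com|dll))(?:\s|$)", rest, re.IGNORECASE)
    return m.group(1) if m else rest


def _name_tokens(name: str) -> List[str]:
    """Split a Run value name on punctuation and CamelCase ("SunJavaUpdateSched")."""
    parts = re.findall(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+", name)
    return [p.lower() for p in parts if len(p) >= 3]


def _name_matches_target(name: str, path: str) -> bool:
    """Heuristic (constructed for this example): a Run value called X normally
    launches something whose path mentions X. "Adobe_Reader" pointing into the
    Internet Explorer folder at wmpscfgs.exe fails this check."""
    tokens = _name_tokens(name)
    if not tokens:
        return True
    return any(t in path.lower() for t in tokens)


def triage(dds_text: str) -> List[Tuple[str, str]]:
    """Return (rule, offending line) pairs for the persistence patterns this
    thread dealt with. Hits are leads for a human to check, not verdicts."""
    findings: List[Tuple[str, str]] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # DDS only prints non-default hosts entries; any of them deserves a look
        if line.startswith("Hosts:"):
            findings.append(("hosts-override", line))
            continue
        # ShellNext is the value the OTM script above deleted
        if "ShellNext" in line:
            findings.append(("shellnext-set", line))
            continue
        m = RUN_LINE.match(line)
        if not m:
            continue
        name, target = m.group("name"), _target_path(m.group("rest"))
        if SPACE_BEFORE_EXT.search(target):
            findings.append(("space-before-extension", line))
        if target and not _name_matches_target(name, target):
            findings.append(("run-name-mismatch", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_DDS):
        print(f"{rule:24} {line}")
```

Run against the sample it reports the ShellNext line, the "msnmsgr .exe" entry, the Adobe_Reader/wmpscfgs.exe mismatch and the Hosts override, and nothing for the QuickBooks, AVG, Acrobat and ctfmon entries.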


#14 super goku (Topic Starter)

Posted 11 January 2010 - 10:44 PM

Hello,

OTM log
All processes killed
========== FILES ==========
File/Folder c:\program files\internet explorer\wmpscfgs.exe not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Adobe_Reader deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard\\ShellNext deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Assaad

User: Assaad.ZEIN-860EF8BDFC
->Temp folder emptied: 847585 bytes
->Temporary Internet Files folder emptied: 7950811 bytes
->Java cache emptied: 0 bytes

User: ASSAAD~1~ZEI

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: QBDataServiceUser18
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 197113 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 9.00 mb


OTM by OldTimer - Version 3.1.4.0 log created on 01112010_222627

Files moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_17a4.dat moved successfully.

Registry entries deleted on Reboot...



DDS.txt

DDS (Ver_09-12-01.01) - NTFSx86
Run by Assaad at 22:40:54.87 on 11/01/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2046.1356 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Intuit\QuickBooks Client Manager\QBCMAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\windows live\messenger\msnmsgr .exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Intuit\DatabaseServer\QBDBMgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\javaws.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Documents and Settings\Assaad.ZEIN-860EF8BDFC\Desktop\Bleeping Computer Fix\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://ca.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [QBCMAgent] c:\program files\intuit\quickbooks client manager\QBCMAgent.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli scecli scecli scecli

============= SERVICES / DRIVERS ===============

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2007-11-8 38448]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-20 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-20 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-31 360584]
R1 KPSYSDRV;KPSYSDRV;c:\windows\system32\drivers\Kpsysdrv.sys [2009-12-31 17016]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-31 285392]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~3\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~3\QBDBMgrN.exe -hvQuickBooksDB18 [?]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-8-4 5120]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2009-8-28 386784]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-8-28 57440]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1553896]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\rangebooster g wua-2340\jswutil\jswpsapi.exe [2009-8-28 356434]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2010-01-12 03:40:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-11 00:52:04 0 d-----w- c:\program files\ESET
2010-01-08 04:13:51 0 d-----w- c:\docume~1\assaad~1.zei\applic~1\Malwarebytes
2010-01-08 04:13:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 04:13:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-08 04:13:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-08 04:13:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 04:03:31 0 d-----w- C:\_OTM
2009-12-31 21:33:32 0 d-----w- c:\docume~1\assaad~1.zei\applic~1\AVS4YOU
2009-12-31 21:33:32 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-12-31 21:30:36 0 d-----w- c:\program files\common files\AVSMedia
2009-12-31 21:30:27 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-12-31 21:30:27 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-12-31 21:30:27 0 d-----w- c:\program files\AVS4YOU
2009-12-31 20:50:00 45 -c--a-w- c:\windows\KXP7100W.BAK
2009-12-31 20:50:00 45 ----a-w- c:\windows\Kxp7100w.ini
2009-12-31 20:50:00 34893 ----a-w- c:\windows\system32\KPLANMON.DLL
2009-12-31 20:50:00 31428 ----a-w- c:\windows\system32\Kpprtmon.dll
2009-12-31 20:50:00 28672 ----a-w- c:\windows\system32\Usb2pvm.dll
2009-12-31 20:50:00 17016 ----a-w- c:\windows\system32\drivers\Kpsysdrv.sys
2009-12-31 20:50:00 122880 ----a-w- c:\windows\system32\Kpwslib.dll
2009-12-31 20:50:00 1106 ----a-w- c:\windows\system32\Kpwsgdi.ini
2009-12-31 20:50:00 10475 ----a-w- c:\windows\system32\Kpprtui.dll
2009-12-31 20:27:05 0 d--h--w- C:\$AVG
2009-12-31 20:26:46 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-31 20:26:45 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-12-31 20:26:36 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-12-31 20:20:45 0 d-----w- C:\AVG FREE 9.0
2009-12-31 18:06:08 32656 ----a-w- c:\windows\system32\msonpmon.dll
2009-12-31 17:58:28 0 d-----w- c:\program files\Microsoft Visual Studio 8

==================== Find3M ====================

2010-01-12 03:40:20 411368 -c--a-w- c:\windows\system32\deploytk.dll
2010-01-07 01:24:26 47360 -c--a-w- c:\docume~1\assaad~1.zei\applic~1\pcouffin.sys
2009-12-31 20:26:51 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-31 20:26:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-17 23:08:49 47360 -c--a-w- c:\windows\system32\drivers\pcouffin.sys
2009-10-29 19:14:26 159902 -c--a-w- c:\windows\T4 - T5 Common File - 2008 Uninstaller.exe
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 -c--a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 -c--a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 -c--a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 -c--a-w- c:\windows\system32\httpapi.dll
2007-12-30 17:39:38 2293848 -c--a-w- c:\program files\FLV PlayerFCSetup.exe
2007-12-30 17:39:18 3928264 -c--a-w- c:\program files\FLV PlayerRCATSetup.exe
2007-12-30 17:37:57 411248 -c--a-w- c:\program files\FLV PlayerRCSetup.exe
2007-07-12 02:56:15 0 -c--a-w- c:\program files\gditst
2004-03-11 17:27:22 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
2009-01-24 18:43:59 16384 -csha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-01-24 18:43:59 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-01-24 18:43:47 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012420090125\index.dat

============= FINISH: 22:41:25.92 ===============
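
The "Pseudo HJT Report" section of the DDS log above is what a helper reads first, and a few patterns in it are the usual reasons an entry gets queried: a hook marked "No File", a Run value with no name and no command, a file name with a stray space before its extension, or a Windows system-binary name started from a temp folder. The Python script below is an added example, not part of the DDS tool or of any post in this thread; it parses those line formats and flags entries that trip one of those rules. The sample input is constructed: seven lines copied from the log above plus one hypothetical uRun entry for a svchost.exe in a temp folder, which does not appear in the real log.

```python
"""Triage a DDS 'Pseudo HJT Report' section: parse the autostart and
browser-hook lines and flag the entries a removal helper would ask about."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input. The first seven lines are copied from the DDS log
# above; the last line is hypothetical and is NOT in the real log. It exists so
# that the "system binary name outside the Windows directory" rule has a hit.
SAMPLE_REPORT = """\
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\\program files\\avg\\avg9\\toolbar\\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\\progra~1\\spybot~1\\SDHelper.dll
uRun: [CTFMON.EXE] c:\\windows\\system32\\ctfmon.exe
uRun: [MsnMsgr] "c:\\program files\\windows live\\messenger\\msnmsgr .exe" /background
mRun: [<NO NAME>]
mRun: [QBCMAgent] c:\\program files\\intuit\\quickbooks client manager\\QBCMAgent.exe
uRun: [svchost] c:\\docume~1\\user\\locals~1\\temp\\svchost.exe
"""

# uRun/mRun/dRun(Once): [value name] command line
RUN_RE = re.compile(r"^(?P<kind>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# BHO/TB/EB/uURLSearchHooks: display name: {CLSID} - path   (or "- No File")
HOOK_RE = re.compile(r"^(?P<kind>BHO|TB|EB|uURLSearchHooks): (?P<name>.*?) - (?P<path>.*)$")
# First file reference in a command line, quoted or not; deliberately accepts
# names such as "msnmsgr .exe" that carry whitespace before the extension.
FILE_RE = re.compile(r'^"?(?P<path>[a-z]:\\.*?\.(?:exe|dll|scr|cpl|sys))(?="|\s|$)', re.I)

# Process names that normally live only under the Windows directory.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}


@dataclass
class Finding:
    kind: str
    name: str
    path: str
    flags: List[str] = field(default_factory=list)


def extract_path(cmd: str) -> str:
    """Return the file path referenced by an autostart command line, or ''."""
    m = FILE_RE.match(cmd.strip())
    return m.group("path") if m else ""


def flags_for(path: str) -> List[str]:
    """Apply the triage rules to one file path; an empty list means 'looks normal'."""
    flags = []
    low = path.lower()
    if low in ("", "no file"):
        flags.append("entry has no file behind it (orphaned or empty autostart value)")
        return flags
    base = low.rsplit("\\", 1)[-1]
    if re.search(r"\s\.[a-z0-9]+$", base):
        flags.append("whitespace before the extension (lookalike of a legitimate file name)")
    if base in SYSTEM_BINARIES and not low.startswith("c:\\windows\\"):
        flags.append("Windows system binary name outside the Windows directory")
    if re.search(r"\\(temp|tmp)\\", low):
        flags.append("autostart from a temporary directory")
    return flags


def parse_report(text: str) -> List[Finding]:
    """Parse every Run and browser-hook line into a Finding (flags not yet set)."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            entries.append(Finding(m["kind"], m["name"], extract_path(m["cmd"])))
            continue
        m = HOOK_RE.match(line)
        if m:
            entries.append(Finding(m["kind"], m["name"], m["path"].strip()))
    return entries


def triage(text: str) -> List[Finding]:
    """Return only the entries that trip at least one rule, in log order."""
    flagged = []
    for e in parse_report(text):
        e.flags = flags_for(e.path)
        if e.flags:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.kind:16} [{f.name}] {f.path or '-'}")
        for flag in f.flags:
            print(f"{'':16}   -> {flag}")
```

Everything the script reports is a prompt to check, not a verdict: "uURLSearchHooks: H - No File" is an orphaned registry value, and the space in "msnmsgr .exe" may be nothing more than how the log was rendered, but those are exactly the lines a helper asks the poster about before deciding what to remove.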


#15 fireman4it
Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:00 PM

Posted 12 January 2010 - 04:24 PM

Hello, super goku.
Congratulations! You now appear clean!

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Double click the icon on your desktop. If you are using Vista, please right-click and choose "Run as administrator".
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Reset System Restore
Windows' "System Restore" feature can cause malware files to be cached and retained by your system. Resetting System Restore will clean these files from your system, and will allow you to use System Restore without fear of reinfection.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Note: You should only do this once, not on a regular basis!
You will not be able to restore the computer to any point earlier than today!

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install and maintain an outbound firewall
  2. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  3. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  4. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use, but provide a resident scanner and do not nag if you purchase the paid versions.
  5. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    1. Click the "Start Menu" (or Windows Orb)
    2. Click "All Programs"
    3. Click "Windows Update"
    4. On the left, choose "Change Settings"
    5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    6. Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    7. Click "Check for Updates" in the upper left corner.
    8. Follow the instructions to install the latest updates.
    9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  6. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  7. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
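
Recommendation 3 above (the MVPs hosts file) works because the hosts file can map unwanted names to 0.0.0.0 or 127.0.0.1 so they never resolve; malware uses the same file the other way round, pointing update and security-vendor names at loopback or at a remote address so that Windows Update and scanner updates fail quietly. The Python script below is an added example and is not part of the MVPs hosts file, HostMan, or any post in this thread. It parses a hosts file, separates block entries from redirects, and reports any entry touching an assumed list of update and vendor domains. The sample hosts file is constructed: lines 2 to 5 are what a clean file with block entries looks like, lines 6 to 8 are hypothetical hijack entries, and 198.51.100.23 is a documentation-range address standing in for an attacker-controlled server.

```python
"""Check a Windows hosts file: tell MVPs-style block entries (names pointed at
0.0.0.0 or 127.0.0.1) apart from entries that block or redirect update and
security-vendor names, which is how malware keeps scanners from updating."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample hosts file. Lines 2-5 are a clean file with block entries;
# lines 6-8 are hypothetical hijack entries. 198.51.100.23 is a
# documentation-range address standing in for an attacker-controlled server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org      # [block entry]
127.0.0.1 banner.example.com
198.51.100.23 update.microsoft.com
198.51.100.23 www.avg.com www.eset.com
127.0.0.1 www.malwarebytes.org
"""

# Addresses that make a name unreachable rather than sending it somewhere.
BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}

# Assumed list of names that must never be blocked or redirected on this
# machine: the update and vendor domains the tools in this thread depend on.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "avg.com", "eset.com",
                      "malwarebytes.org", "safer-networking.org", "bleepingcomputer.com")


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: List[str]
    kind: str  # loopback | block | redirect | hijack | malformed


def is_protected(name: str) -> bool:
    """True if the name is one of the protected domains or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(address: str, names: List[str]) -> str:
    # A protected name in the hosts file is a hijack whether it is blocked
    # (loopback/unspecified address) or redirected (routable address).
    if any(is_protected(n) for n in names):
        return "hijack"
    if address in BLOCK_TARGETS:
        return "loopback" if names == ["localhost"] else "block"
    return "redirect"


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text into classified entries; comments and blanks are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], [p.lower() for p in parts[1:]]
        try:
            ipaddress.ip_address(address)
            if not names:
                raise ValueError("address without a host name")
        except ValueError:
            entries.append(HostsEntry(line_no, address, names, "malformed"))
            continue
        entries.append(HostsEntry(line_no, address, names, classify(address, names)))
    return entries


def hijacks(text: str) -> List[HostsEntry]:
    """Only the entries that block or redirect a protected name."""
    return [e for e in parse_hosts(text) if e.kind == "hijack"]


def summary(text: str) -> Dict[str, int]:
    """Count of entries per kind, e.g. {'loopback': 1, 'block': 3, 'hijack': 3}."""
    return dict(Counter(e.kind for e in parse_hosts(text)))


if __name__ == "__main__":
    print("summary:", summary(SAMPLE_HOSTS))
    for e in hijacks(SAMPLE_HOSTS):
        print(f"line {e.line_no}: {e.address} -> {', '.join(e.names)}")
```

To check a real machine, read C:\WINDOWS\system32\drivers\etc\hosts (the file has no extension) and pass its text to parse_hosts. A hosts file with the MVPs list installed will show thousands of "block" entries and no "hijack" entries; a "hijack" result means the file itself is steering the security tools and should be restored before trusting any scan or update that ran through it.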




