Cannot access any URL that contains "windowsupdate"


This topic is locked
10 replies to this topic

#1 LostInTheForrest

LostInTheForrest

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 27 March 2010 - 09:50 PM

I can access any website/URL except if it contains "windowsupdate".
Creating this topic on bleepingcomputer.com even resulted in an "Internet Explorer cannot display the webpage" error when I clicked the Post New Topic button from the infected computer. So I had to create this topic from one of my other computers.

Internet Explorer 8.0:
Trying to go to http://windowsupdate.microsoft.com results in an "Internet Explorer cannot display the webpage" error.

Searching in Google for "windowsupdate" results in an "Internet Explorer cannot display the webpage" error.

Searching with any other search engine (e.g. Bing or Yahoo) gives the same result.

If I replace any of the letters of "windowsupdate" in the search engine's URL with its hexadecimal value, then the search is successful. E.g. http://www.google.com/search?hl=en&q=windows%75pdate (I replaced the "u" with "%75".)


Firefox:
Trying to go to http://windowsupdate.microsoft.com results in a "The connection was reset - The connection to the server was reset while the page was loading." error

Searching in Google for "windowsupdate" updates the URL to the one with the search criteria, but then keeps the page the way it was.


Searching with any other search engine (e.g. Bing or Yahoo) gives the same result.


If I enter 207.46.18.94 (the IP address of windowsupdate.microsoft.com), then it redirects (as it used to before, and as it does on all my other computers) to http://update.microsoft.com/windowsupdate/v6/default.aspx. But since this URL contains "windowsupdate", I get an "Internet Explorer cannot display the webpage" error again.


Despite having AVG (Free edition) and Ad-Aware installed on my computer, and running Malwarebytes and SUPERAntiSpyware daily, I'm getting new malware/virus infections almost daily. Mostly fake virus alerts such as XP Guardian 2010 (av.exe) and XP Security (ave.exe).
The malware/viruses disable my Windows Firewall and services such as Security Center and Automatic Updates. See below for the malware and viruses detected by Malwarebytes and AVG.
Internet Explorer pops up randomly with www.google.com/webhp.


GMER kept crashing on me. Sometimes after an hour, sometimes after 5 minutes, but I never got it to finish the scan. So I ran a scan and then stopped it after 10 minutes so that I could at least save a log.

I run Windows XP (with Service Pack 3). Windows XP Firewall is On, and I also have a firewall on my Linksys router.



Detected by Malwarebytes' Anti-Malware 1.44
Date: 3/27/2010

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.


Detected by Malwarebytes' Anti-Malware 1.44
Date: 3/24/2010

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.


Detected by Malwarebytes' Anti-Malware 1.44
Date: 3/22/2010

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.


Detected by Malwarebytes' Anti-Malware 1.44
Date: 3/21/2010

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.


Detected by Malwarebytes' Anti-Malware 1.44
Date: 3/18/2010

Files Infected:
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP2\A0002002.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


Detected by Malwarebytes' Anti-Malware 1.44
Date: 3/17/2010

Files Infected:
C:\WINDOWS\system32\drivers\gduuhzf.sys (Rootkit.Agent) -> Delete on reboot.


Detected by Malwarebytes' Anti-Malware 1.44
Date: 3/16/2010

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\popmwgym (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Application Data\atnwfr\wmdnsftav.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\_81.tmp (Adware.Savenow) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\nd.sys (Trojan.Ndiswrap) -> Quarantined and deleted successfully.


Detected by Malwarebytes' Anti-Malware 1.44
Date: 3/15/2010

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\gduuhzf.sys (Rootkit.Agent) -> Delete on reboot.


Detected by Malwarebytes' Anti-Malware 1.44
Date: 3/13/2010

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\gduuhzf.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.


Detected by Malwarebytes' Anti-Malware 1.44
Date: 3/12/2010

Memory Modules Infected:
C:\WINDOWS\system32\duyojaye.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lowaroyu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\Windows Server\xetpmk.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\Iasex.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\fpggpd.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ias (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a3ba40a2-74f1-52bd-f434-00b15a2c8953} (Trojan.Downloader) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3ba40a2-74f1-52bd-f434-00b15a2c8953} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a3ba40a2-74f1-52bd-f434-00b15a2c8953} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a3ba40a2-74f1-52bd-f434-00b15a2c8953} (Trojan.Downloader) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remote system protection (Trojan.Downloader) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gdf498gtudsigjnsod8guifjgfhfhf (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoyonidasu (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4b0d6fd4-3bb3-4522-9300-35c6860955e4}\NameServer (Trojan.DNSChanger) -> Data: 217.23.14.75,4.2.2.1,74.84.119.150 97.64.179.250 -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\duyojaye.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hodaluho.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lofiketo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowaroyu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\Windows Server\xetpmk.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\Iasex.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\fpggpd.dll (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\r31sa8olc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\qbdh4.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\snreyh.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\TMPBDAC.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\asr64_ldm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\dhdhtrdhdrtr5y (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\fqhwx.exe (Malware.Packer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\22669556.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\10DRDK67\xekgqer[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4K78BPTK\etqrnbbym[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\FO7ONM9G\admwk[1].htm (Malware.Packer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IG2M16K3\yekhhiijfg[1].htm (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TLGT9SCX\tfllijwxgu[1].htm (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YKDGDYQJ\tjgcdnnak[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Z9MCZZ5O\iolylzjjg[1].htm (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Templates\memory.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lodivoyo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nodoveki.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seagate.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gduuhzf.sys (Rootkit.Agent) -> Delete on reboot.


Detected by Malwarebytes' Anti-Malware 1.44
Date: 3/6/2010

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aisamryq (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aisamryq (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\ovcndu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


Detected by Malwarebytes' Anti-Malware 1.44
Date: 3/4/2010

Files Infected:
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1299\A0141516.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Application Data\Move Networks\MoveMediaPlayer_07103010.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Move Networks\MoveMediaPlayer_07103010.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


Detected by Malwarebytes' Anti-Malware 1.44
Date: 3/4/2010

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.


Detected by Malwarebytes' Anti-Malware 1.44
Date: 3/2/2010

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.



Detected by AVG virus scan:
Detection date: 3/16/2010
Detection name: Trojan horse Dropper.Agent.QYV
Object name: C:\Documents and Settings\Owner\Local Settings\Temp\wjnb.exe:\winzip.exe

Detected by AVG Resident Shield:
Infection Object Result Detection time Object Type Process
Trojan horse Cryptic.CL C:\WINDOWS\Temp\heqgeq.exe Moved to Virus Vault 3/25/2010, 10:43:35 PM file C:\WINDOWS\system32\svchost.exe
Virus identified Win32/Patched.CG C:\WINDOWS\system32\drivers\atapi.sys Object is white-listed (critical/system file that should not be removed) 3/24/2010, 8:48:59 PM file System
Trojan horse Generic17.NOH C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP5\A0005201.exe Moved to Virus Vault 3/24/2010, 7:52:06 PM file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Runtime packed fsg C:\WINDOWS\Temp\SDFix_Filecheck\the.imaging.factory.multikeygen.exe 3/22/2010, 9:16:42 PM file C:\SDFix\apps\UnRAR.exe
Trojan horse Cryptic.BY C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0005118.exe Moved to Virus Vault 3/21/2010, 11:43:24 PM file C:\WINDOWS\system32\svchost.exe
Trojan horse Cryptic.BY C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0005117.exe Object is inaccessible. 3/21/2010, 8:48:33 PM file C:\WINDOWS\system32\svchost.exe
Trojan horse Cryptic.BY C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0005117.exe Moved to Virus Vault 3/21/2010, 7:59:53 PM file C:\WINDOWS\system32\svchost.exe
Trojan horse Cryptic.BY C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP4\A0005092.exe Moved to Virus Vault 3/21/2010, 7:39:45 PM file C:\WINDOWS\system32\svchost.exe
Trojan horse Cryptic.BY C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe Moved to Virus Vault 3/21/2010, 6:51:48 PM file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Trojan horse Cryptic.BY C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe Moved to Virus Vault 3/21/2010, 6:51:46 PM file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Trojan horse Rootkit-Agent.EG C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP2\A0002002.sys Moved to Virus Vault 3/18/2010, 6:23:00 PM file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Runtime packed fsg C:\WINDOWS\Temp\SDFix_Filecheck\the.imaging.factory.multikeygen.exe 3/18/2010, 1:10:12 AM file C:\SDFix\apps\UnRAR.exe
Trojan horse VB.VJE D:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0000002.exe Moved to Virus Vault 3/17/2010, 12:22:12 AM file C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
Trojan horse VB.VJE D:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0000003.exe Moved to Virus Vault 3/17/2010, 12:22:12 AM file C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
Trojan horse VB.VJE D:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0000004.exe Moved to Virus Vault 3/17/2010, 12:22:12 AM file C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
Trojan horse VB.VJE D:\i386\Apps\App29910\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:14:37 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App26163\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:14:30 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App25433\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:14:30 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App32136\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:12:38 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App29507\oeminfo\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:12:37 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App29507\emver\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:12:37 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App23330\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:12:28 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App22216\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:12:28 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App21287\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:12:25 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App20164\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:12:24 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App18467\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:12:21 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App15472\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:12:17 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App12499\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:12:03 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App12072\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:12:03 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App10402\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:12:02 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App03011\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:11:42 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse VB.VJE D:\i386\Apps\App01980\oobeconfig.exe Moved to Virus Vault 3/16/2010, 10:11:38 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse Cryptic.BG C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe Moved to Virus Vault 3/16/2010, 8:44:29 PM file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Trojan horse Agent2.AKQT C:\WINDOWS\system32\kbdatat4.dll Moved to Virus Vault 3/16/2010, 5:53:02 PM file C:\WINDOWS\system32\svchost.exe
Trojan horse Generic16.CFQI C:\WINDOWS\system32\kbupdate.dll Infected 3/16/2010, 10:33:14 AM file C:\DOCUME~1\Owner\LOCALS~1\Temp\_81.tmp
Virus found JS/Pakes C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WHGQX76L\kav6[1].htm Moved to Virus Vault 3/15/2010, 6:05:27 PM file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Virus found JS/Pakes C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WHGQX76L\kav6[1].htm Infected 3/15/2010, 5:32:23 PM file C:\Program Files\Internet Explorer\iexplore.exe
Trojan horse Small.BUL C:\WINDOWS\system32\seagate.sys Moved to Virus Vault 3/12/2010, 7:45:22 PM file C:\Program Files\Malwarebytes' Anti-Malware\VjRD5b5jQ.exe
Trojan horse Small.BUH C:\WINDOWS\system32\6to4v32.dll Moved to Virus Vault 3/12/2010, 7:43:58 PM file C:\Program Files\Malwarebytes' Anti-Malware\VjRD5b5jQ.exe
Trojan horse Generic17.AII C:\Documents and Settings\Owner\Local Settings\Temp\580013804.exe Moved to Virus Vault 3/12/2010, 7:43:04 PM file C:\WINDOWS\explorer.exe
Trojan horse Generic17.AII C:\Documents and Settings\Owner\Local Settings\Temp\2582333504.exe Moved to Virus Vault 3/12/2010, 5:16:06 PM file C:\WINDOWS\explorer.exe
Trojan horse Generic17.AII C:\Documents and Settings\Owner\Local Settings\Temp\1798990470.exe Moved to Virus Vault 3/12/2010, 2:44:35 PM file C:\WINDOWS\explorer.exe
Trojan horse Small.BUH C:\WINDOWS\system32\6to4v32.dll Infected 3/12/2010, 2:44:10 PM file C:\WINDOWS\system32\svchost.exe
Trojan horse Generic17.AII C:\Documents and Settings\Owner\Local Settings\Temp\3309764450.exe Moved to Virus Vault 3/12/2010, 2:11:13 PM file C:\WINDOWS\explorer.exe
Trojan horse Small.BUH C:\WINDOWS\system32\6to4v32.dll Infected 3/12/2010, 2:10:51 PM file C:\WINDOWS\system32\svchost.exe
Trojan horse Small.BUH C:\WINDOWS\system32\6to4v32.dll Infected 3/12/2010, 1:19:12 PM file C:\Program Files\Dr. Guard\drguard.exe
Trojan horse SHeur3.CVM C:\Documents and Settings\Owner\Local Settings\Temp\TMPB0EA.exe Infected 3/12/2010, 1:05:45 PM file C:\DOCUME~1\Owner\LOCALS~1\Temp\rjcddtg.exe
Trojan horse Rootkit-Agent.EG C:\WINDOWS\system32\drivers\gduuhzf.sys Infected 3/12/2010, 1:05:39 PM file System
Trojan horse SHeur3.CVM C:\Documents and Settings\Owner\Local Settings\Temp\TMP9D81.exe Infected 3/12/2010, 1:05:38 PM file C:\DOCUME~1\Owner\LOCALS~1\Temp\rjcddtg.exe
Trojan horse Rootkit-Agent.EG C:\WINDOWS\system32\drivers\atmarpc.sys Object is white-listed (critical/system file that should not be removed) 3/12/2010, 1:05:38 PM file System
Trojan horse Rootkit-Agent.EG C:\WINDOWS\system32\drivers\arp1394.sys Infected 3/12/2010, 1:05:37 PM file System
Trojan horse Rootkit-Agent.EG C:\WINDOWS\system32\drivers\aec.sys Infected 3/12/2010, 1:05:37 PM file System
Trojan horse SHeur3.CVM C:\Documents and Settings\Owner\Local Settings\Temp\TMP8EDB.exe Infected 3/12/2010, 1:05:36 PM file C:\DOCUME~1\Owner\LOCALS~1\Temp\rjcddtg.exe
Trojan horse Small.BUH C:\WINDOWS\system32\6to4v32.dll Infected 3/12/2010, 1:05:34 PM file C:\WINDOWS\system32\svchost.exe
Trojan horse Small.BUH C:\WINDOWS\system32\6to4v32.dll Infected 3/12/2010, 1:05:33 PM file C:\DOCUME~1\Owner\LOCALS~1\Temp\IXP000.TMP\winzip.exe
Trojan horse Small.BUL C:\WINDOWS\system32\seagate.sys Infected 3/12/2010, 1:05:25 PM file C:\DOCUME~1\Owner\LOCALS~1\Temp\IXP000.TMP\winzip.exe
Trojan horse Generic17.AII C:\Documents and Settings\Owner\Local Settings\Temp\2426501364.exe Infected 3/12/2010, 1:05:24 PM file C:\DOCUME~1\Owner\LOCALS~1\Temp\r31sa8olc.exe
Trojan horse Cryptic.BD C:\Documents and Settings\Owner\Local Settings\Temp\93ea4300.exe Infected 3/12/2010, 1:05:17 PM file C:\DOCUME~1\Owner\LOCALS~1\Temp\snreyh.exe
Trojan horse Generic17.AII C:\Documents and Settings\Owner\Local Settings\Temp\2388688864.exe Infected 3/12/2010, 1:05:12 PM file C:\DOCUME~1\Owner\LOCALS~1\Temp\hpaq.exe
Trojan horse Cryptic.BD C:\Documents and Settings\Owner\Local Settings\Temp\93ea4300.exe Infected 3/12/2010, 1:05:07 PM file C:\DOCUME~1\Owner\LOCALS~1\Temp\1.771186667266937E7.exe
Trojan horse Cryptic.Z C:\Documents and Settings\Owner\Local Settings\Temp\rhqskd.exe Moved to Virus Vault 3/9/2010, 1:20:57 AM file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Virus identified JS/Downloader.Agent C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\D65CI4B2\nice-tits[1].htm Moved to Virus Vault 3/9/2010, 1:02:41 AM file C:\Program Files\Internet Explorer\iexplore.exe
Trojan horse Cryptic.I C:\Documents and Settings\Owner\Local Settings\Temp\ovcndu.exe Infected 3/6/2010, 12:51:33 PM file C:\Program Files\Internet Explorer\iexplore.exe
Trojan horse Downloader.Mebload.A C:\Documents and Settings\Owner\Local Settings\Temp\vjexfw.dll Infected 2/3/2010, 3:53:41 PM file C:\WINDOWS\system32\regsvr32.exe
Trojan horse Downloader.Generic9.AISY C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1306\A0144015.exe Moved to Virus Vault 1/23/2010, 4:46:41 PM file C:\WINDOWS\system32\svchost.exe
Trojan horse Downloader.Generic9.AIKZ C:\Documents and Settings\Owner\Local Settings\Temp\0.09333249356283668.exe Moved to Virus Vault 1/18/2010, 11:52:17 PM file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Trojan horse Downloader.Generic9.AIKZ C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\21\31a53b95-579d42ca Moved to Virus Vault 1/18/2010, 11:46:44 PM file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Trojan horse Downloader.Generic9.AIKZ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1301\A0141701.exe Moved to Virus Vault 1/18/2010, 10:43:27 PM file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Trojan horse Downloader.Generic9.AIKZ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1299\A0141508.exe Moved to Virus Vault 1/18/2010, 10:43:18 PM file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Trojan horse Downloader.Generic9.AIKZ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1299\A0141519.exe Moved to Virus Vault 1/18/2010, 10:43:16 PM file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Trojan horse Downloader.Generic9.AIKZ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1299\A0141501.exe Moved to Virus Vault 1/18/2010, 10:43:15 PM file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Trojan horse Downloader.Generic9.AIKZ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1299\A0141493.exe Moved to Virus Vault 1/18/2010, 10:43:14 PM file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Trojan horse Downloader.Generic9.AIKZ C:\WINDOWS\system32\winlogon32.exe Moved to Virus Vault 1/18/2010, 9:05:53 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse Crypt.MIQ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1299\A0141480.exe Moved to Virus Vault 1/18/2010, 8:47:26 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse Downloader.Generic9.AIKZ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1299\A0141466.exe Moved to Virus Vault 1/18/2010, 8:47:25 PM file C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
Trojan horse Crypt.MIQ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1299\A0141468.exe Moved to Virus Vault 1/18/2010, 7:36:37 PM file C:\WINDOWS\system32\svchost.exe
Trojan horse Crypt.MIQ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1299\A0141468.exe Moved to Virus Vault 1/18/2010, 7:18:31 PM file C:\WINDOWS\system32\svchost.exe
Trojan horse Crypt.MIQ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1299\A0141468.exe Moved to Virus Vault 1/18/2010, 6:17:13 PM file C:\WINDOWS\system32\svchost.exe
Trojan horse Crypt.MIQ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1299\A0141468.exe Moved to Virus Vault 1/18/2010, 4:53:57 PM file C:\WINDOWS\system32\svchost.exe
Trojan horse Crypt.MIQ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1299\A0141468.exe Moved to Virus Vault 1/18/2010, 9:36:39 AM file C:\WINDOWS\system32\svchost.exe
Trojan horse Crypt.MIQ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1299\A0141468.exe Moved to Virus Vault 1/18/2010, 9:21:49 AM file C:\WINDOWS\system32\svchost.exe



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 23:29:05.01 on Fri 03/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1200 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Iomega\QuikProtect\QpMonitor.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5056
uStart Page = file:///C:/Start/start_page.htm
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5056
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {20beb9fc-5e75-4904-aecd-2d2ae9bac454} - duyojaye.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [Power2GoExpress] NA
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263190953788
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://128.230.73.133/activex/AMC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://128.101.28.100/activex/AxisCamControl.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://cam-cityhall1.delft.nl/activex/AMC.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vpn-cr.aegonins.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: kamosaduv - {41682e9c-85e8-4bec-8c16-3f928fe64ad8} - c:\windows\system32\ledahofo.dll
STS: tokatiluy: {41682e9c-85e8-4bec-8c16-3f928fe64ad8} - c:\windows\system32\ledahofo.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\fusageza.dll lodivoyo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ar0j1fmp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - file:///C:/Start/start_page.htm
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-16 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-29 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-29 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-21 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 66632]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-13 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 QSCopyEngine;QSCopyEngine;c:\program files\iomega\quikprotect\QpMonitor.exe [2009-4-22 122880]
S2 gupdate1c9d56bd0d4ccd6;Google Update Service (gupdate1c9d56bd0d4ccd6);c:\program files\google\update\GoogleUpdate.exe [2009-5-15 133104]
S3 cmvad;Linksys Wireless-G Music Bridge Interface;c:\windows\system32\drivers\cmudaxv.sys --> c:\windows\system32\drivers\cmudaxv.sys [?]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-12-29 36928]
S3 QsFsFltr;QsFsFltr;c:\windows\system32\drivers\QsFsFltr.sys [2009-12-19 13824]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 12872]
S4 gduuhzf;gduuhzf; [x]

=============== Created Last 30 ================

2010-03-18 05:42:29 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-03-18 05:27:25 0 d-----w- c:\windows\ERUNT
2010-03-18 05:22:14 0 d-----w- C:\SDFix
2010-03-17 05:38:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-17 04:36:49 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-17 04:36:46 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-17 04:35:33 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-16 22:52:40 20 ----a-w- c:\windows\system32\crt.dat
2010-03-14 05:23:25 0 d-----w- c:\docume~1\owner\applic~1\Foxit Software
2010-03-14 05:22:20 0 d-----w- c:\docume~1\owner\applic~1\Foxit
2010-03-14 05:21:58 0 d-----w- c:\program files\Foxit Software
2010-03-14 04:31:44 435 ----a-w- c:\temp\x.cmd
2010-03-14 03:25:13 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 19:42:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-05 04:53:45 0 d-----w- c:\program files\Windows Installer Clean Up

==================== Find3M ====================

2010-03-25 01:48:58 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-19 15:51:35 41 ----a-w- c:\documents and settings\owner\jagex_runescape_preferences.dat
2010-03-19 15:51:34 69 ----a-w- c:\documents and settings\owner\jagex_runescape_preferences2.dat
2010-03-14 03:25:15 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-14 03:24:17 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-12 00:57:34 70984 ----a-w- c:\documents and settings\owner\g2mdlhlpx.exe
2010-01-07 20:38:18 447216 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-01-07 20:38:10 58592 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2010-01-07 20:22:04 74240 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2010-01-07 20:22:04 57344 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2010-01-07 20:22:04 310784 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2010-01-07 20:22:04 18944 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2010-01-07 20:22:04 147456 ----a-w- c:\windows\system32\ZuneMTPZ.dll
2010-01-07 20:22:04 12800 ----a-w- c:\windows\system32\ZunePTDNS.dll
2008-05-11 21:38:37 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051120080512\index.dat

============= FINISH: 23:30:32.78 ===============

#2 Farbar

    Just Curious

  • Security Developer
  • 21,717 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:54 PM

Posted 28 March 2010 - 08:16 AM

Hi LostInTheForrest,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the untrusted download sites for ComboFix; click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#3 LostInTheForrest

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:54 AM
Posted 28 March 2010 - 12:01 PM

Hi farbar,

Thank you for your quick reply!

I've run ComboFix per your instructions. It detected a rootkit, and then rebooted before it continued scanning. The scanning process then went through 50 stages, deleted a couple of folders and then rebooted again. After the second reboot it prepared a log report.
The scan process - including the 2 reboots, deletion of the files and the preparation of the log report - took approx. 34 minutes.

Here are the results from C:\ComboFix.txt:

ComboFix 10-03-27.04 - Owner 03/28/2010 11:23:30.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1333 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\1x02B.jpg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\AYxMA2Oy.jpg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\B4LYM7.jpg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\j7m2bY.jpg
c:\my documents\ZbThumbnail.info
c:\recycler\S-1-5-21-2770796679-92956565-1429760954-500
c:\recycler\S-1-5-21-3717083602-1431449881-2874546908-500
C:\s
C:\Thumbs.db
c:\windows\system32\aveharop.ini
c:\windows\system32\crt.dat
c:\windows\system32\Thumbs.db
c:\windows\system32\uninstall.exe
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS


((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-18 18:57 . 2010-03-18 18:57 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-18 05:42 . 2010-03-18 05:42 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-03-18 05:27 . 2010-03-18 05:27 -------- d-----w- c:\windows\ERUNT
2010-03-18 05:22 . 2010-03-23 03:34 -------- d-----w- C:\SDFix
2010-03-17 05:38 . 2010-03-17 04:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-17 04:36 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-17 04:36 . 2010-03-17 04:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-17 04:35 . 2010-03-17 04:35 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-16 15:33 . 2010-03-17 01:20 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\atnwfr
2010-03-14 05:23 . 2010-03-14 05:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Foxit Software
2010-03-14 05:22 . 2010-03-14 05:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Foxit
2010-03-14 05:21 . 2010-03-14 05:21 -------- d-----w- c:\program files\Foxit Software
2010-03-14 04:31 . 2010-03-14 04:43 435 ----a-w- c:\temp\x.cmd
2010-03-14 03:25 . 2010-03-14 03:25 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 19:42 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-06 17:51 . 2010-03-12 18:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\alfnuv
2010-03-05 04:57 . 2010-03-05 04:57 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-05 04:53 . 2010-03-05 04:53 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-03-02 20:40 . 2010-03-02 20:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 02:48 . 2009-12-09 02:02 -------- d-----w- c:\program files\Garmin
2010-03-26 05:39 . 2005-01-10 01:26 67320 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-25 01:48 . 2004-08-04 05:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-23 00:41 . 2006-06-03 02:02 -------- d-----w- c:\program files\Trend Micro
2010-03-22 22:48 . 2009-01-04 06:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-19 15:51 . 2008-07-13 00:54 41 ----a-w- c:\documents and settings\Owner\jagex_runescape_preferences.dat
2010-03-19 15:51 . 2009-09-05 19:52 69 ----a-w- c:\documents and settings\Owner\jagex_runescape_preferences2.dat
2010-03-17 04:35 . 2008-05-11 18:15 -------- d-----w- c:\program files\Lavasoft
2010-03-17 04:34 . 2008-07-04 23:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-17 00:22 . 2009-08-09 02:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 05:01 . 2006-02-07 18:32 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-14 04:23 . 2006-02-07 18:25 -------- d-----w- c:\program files\Google
2010-03-14 03:25 . 2009-11-22 03:27 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-14 03:25 . 2008-07-30 00:18 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-14 03:24 . 2008-07-30 00:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-05 06:46 . 2009-08-09 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-05 06:01 . 2006-06-05 03:29 -------- d-----w- c:\program files\Macromedia
2010-03-05 04:53 . 2008-06-06 05:30 -------- d-----w- c:\program files\MSECache
2010-02-20 04:33 . 2007-04-07 18:03 -------- d-----w- c:\program files\Winamp
2010-02-06 03:41 . 2009-11-22 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-05 23:48 . 2008-04-19 20:17 -------- d-----w- c:\program files\Zune
2010-02-04 12:43 . 2008-10-03 01:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-12 00:57 . 2008-08-01 00:19 70984 ----a-w- c:\documents and settings\Owner\g2mdlhlpx.exe
2010-01-07 21:07 . 2009-08-09 02:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-08-09 02:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 20:38 . 2010-01-07 20:38 447216 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-01-07 20:38 . 2010-01-07 20:38 58592 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2010-01-07 20:22 . 2009-09-02 06:29 74240 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2010-01-07 20:22 . 2009-09-02 06:29 57344 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2010-01-07 20:22 . 2009-09-02 06:29 18944 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2010-01-07 20:22 . 2009-09-02 06:29 12800 ----a-w- c:\windows\system32\ZunePTDNS.dll
2010-01-07 20:22 . 2009-09-02 06:29 310784 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2010-01-07 20:22 . 2009-09-02 06:29 147456 ----a-w- c:\windows\system32\ZuneMTPZ.dll
2010-01-07 20:22 . 2009-09-02 06:28 40832 ----a-w- c:\windows\system32\drivers\zumbus.sys
2009-12-31 16:50 . 2005-01-09 23:48 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2007-11-28 19:12 . 2006-07-22 04:46 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-11-28 19:12 . 2006-07-22 04:46 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-11-28 19:12 . 2007-12-25 19:12 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-11-28 19:12 . 2007-12-25 19:12 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-11-28 19:12 . 2006-07-22 04:46 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-26 185896]
"SoundMan"="SOUNDMAN.EXE" [2005-12-15 577536]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"nwiz"="nwiz.exe" [2005-09-18 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-06 13:30 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 03:25 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"getPlusHelper"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\FRONTPG.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Performer Software\\Presentation Image Viewer 6\\Viewer.exe"=
"c:\\Program Files\\Performer Software\\Presentation Image Viewer 6\\PSAutoUpdate.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Brother\\BRAdmin Light\\BRAdmLight.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Iomega\\QuikProtect\\QuikProtect.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/16/2010 11:36 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/29/2008 7:18 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/21/2009 10:27 PM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/22/2008 12:06 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 12:05 PM 66632]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 10:25 PM 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1229232]
R2 QSCopyEngine;QSCopyEngine;c:\program files\Iomega\QuikProtect\QpMonitor.exe [4/22/2009 4:09 PM 122880]
S2 gupdate1c9d56bd0d4ccd6;Google Update Service (gupdate1c9d56bd0d4ccd6);c:\program files\Google\Update\GoogleUpdate.exe [5/15/2009 9:45 AM 133104]
S3 cmvad;Linksys Wireless-G Music Bridge Interface;c:\windows\system32\drivers\cmudaxv.sys --> c:\windows\system32\drivers\cmudaxv.sys [?]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [12/29/2008 9:05 PM 36928]
S3 QsFsFltr;QsFsFltr;c:\windows\system32\drivers\QsFsFltr.sys [12/19/2009 11:20 PM 13824]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 12:06 PM 12872]
S4 gduuhzf;gduuhzf; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-03-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 04:36]

2010-03-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-03-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-27 18:06]

2010-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 14:45]

2010-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 14:45]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Start/start_page.htm
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: musicmatch.com\online
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://cam-cityhall1.delft.nl/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ar0j1fmp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - file:///C:/Start/start_page.htm
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{20beb9fc-5e75-4904-aecd-2d2ae9bac454} - duyojaye.dll
HKLM-Run-BrStsWnd - c:\program files\Brownie\BrstsWnd.exe
SharedTaskScheduler-{41682e9c-85e8-4bec-8c16-3f928fe64ad8} - c:\windows\system32\ledahofo.dll
SSODL-kamosaduv-{41682e9c-85e8-4bec-8c16-3f928fe64ad8} - c:\windows\system32\ledahofo.dll
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-WOLAPI - c:\westwood\Internet\UnstllAP.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-28 11:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}\{06C63AB7-5C18-FA8E-E5D32118C99A5B59}\{F7BD6AFF-A45B-6FB8-BB91AB79C0A3DA53}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,3c,e2,e4,
2d,97,3b,06,03,f4,d4,81,74,a9,4b,77,01,d4,71,6e,22,1b,af,a0,47,c5,27,d6,7d,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{95E4E1A2-907D-DCF4-ECED76DBDD55C8D9}\{E181FB36-5321-7919-FB2ED9EA97CF00E0}\{36D13116-5EAF-FC6E-3E8424C538F75A0E}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD212F18-226F-19C5-6836DC0F322A8CD1}\{165CDB28-57BC-2FFB-C17032E84F1598CE}\{1D773DA2-1E07-1A59-CFCCE9D8E9744932}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,3c,e2,e4,
2d,97,3b,06,03,f4,d4,81,74,a9,4b,77,01,d4,71,6e,22,1b,af,a0,47,c5,27,d6,7d,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C1D66034-199B-5834-FAD091A744E2DF52}\{A9398372-0762-3A7E-A7C8ABB3F38F2F6E}\{F18374B6-D35D-16D4-9DBDDA1016548C70}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EAE54BA3-56A0-7636-9D760FE75B19E95C}\{32AED356-A62E-B541-0C1631C471EC4552}\{622BCC28-1320-8061-75578A77CF92A31A}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,3c,e2,e4,
2d,97,3b,06,03,f4,d4,81,74,a9,4b,77,01,d4,71,6e,22,1b,af,a0,47,c5,27,d6,7d,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F1AB0511-A375-41F8-28F286EA5B314AE1}\{CDE856FA-B0FC-53AE-2E76D427065C9F08}\{06F28CA4-0E64-79D3-A5453F20806788AF}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2676)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\ZuneBusEnum.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-03-28 11:50:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-28 16:49

Pre-Run: 119,288,438,784 bytes free
Post-Run: 119,625,318,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 2F1BB327D4C6F065E0B46FB0D92C963F



#4 LostInTheForrest


Posted 28 March 2010 - 12:15 PM

I just did a Google search on "windowsupdate" and it works! Yes!
And I was now also able to successfully access the windowsupdate.microsoft.com website!

Thank you very much!

I hope that from studying the ComboFix log, you won't find any other issues.


#5 Farbar


Posted 28 March 2010 - 12:23 PM

Well done and thanks for the detailed feedback.

The redirection should have been stopped.
  1. Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    CODE
    Dirlook::
    c:\documents and settings\Owner\Local Settings\Application Data\atnwfr
    c:\documents and settings\Owner\Local Settings\Application Data\alfnuv

    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"=-

    RegNull::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}\{06C63AB7-5C18-FA8E-E5D32118C99A5B59}\{F7BD6AFF-A45B-6FB8-BB91AB79C0A3DA53}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{95E4E1A2-907D-DCF4-ECED76DBDD55C8D9}\{E181FB36-5321-7919-FB2ED9EA97CF00E0}\{36D13116-5EAF-FC6E-3E8424C538F75A0E}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD212F18-226F-19C5-6836DC0F322A8CD1}\{165CDB28-57BC-2FFB-C17032E84F1598CE}\{1D773DA2-1E07-1A59-CFCCE9D8E9744932}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C1D66034-199B-5834-FAD091A744E2DF52}\{A9398372-0762-3A7E-A7C8ABB3F38F2F6E}\{F18374B6-D35D-16D4-9DBDDA1016548C70}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EAE54BA3-56A0-7636-9D760FE75B19E95C}\{32AED356-A62E-B541-0C1631C471EC4552}\{622BCC28-1320-8061-75578A77CF92A31A}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F1AB0511-A375-41F8-28F286EA5B314AE1}\{CDE856FA-B0FC-53AE-2E76D427065C9F08}\{06F28CA4-0E64-79D3-A5453F20806788AF}*]

    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}\{06C63AB7-5C18-FA8E-E5D32118C99A5B59}\{F7BD6AFF-A45B-6FB8-BB91AB79C0A3DA53}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{95E4E1A2-907D-DCF4-ECED76DBDD55C8D9}\{E181FB36-5321-7919-FB2ED9EA97CF00E0}\{36D13116-5EAF-FC6E-3E8424C538F75A0E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD212F18-226F-19C5-6836DC0F322A8CD1}\{165CDB28-57BC-2FFB-C17032E84F1598CE}\{1D773DA2-1E07-1A59-CFCCE9D8E9744932}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C1D66034-199B-5834-FAD091A744E2DF52}\{A9398372-0762-3A7E-A7C8ABB3F38F2F6E}\{F18374B6-D35D-16D4-9DBDDA1016548C70}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EAE54BA3-56A0-7636-9D760FE75B19E95C}\{32AED356-A62E-B541-0C1631C471EC4552}\{622BCC28-1320-8061-75578A77CF92A31A}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F1AB0511-A375-41F8-28F286EA5B314AE1}\{CDE856FA-B0FC-53AE-2E76D427065C9F08}\{06F28CA4-0E64-79D3-A5453F20806788AF}]


    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 18 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

  3. Open your Malwarebytes' Anti-Malware.
    • First update it: to do that, under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
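To show how the indicators in the ComboFix log map onto the CFScript directives in this reply, here is an added Python example (not ComboFix's or Farbar's code): it walks a constructed log excerpt in the format posted in this thread, flags the Security Center overrides, the firewall exceptions described only as "Services", the orphaned service and the locked CLSID keys, and renders the Registry::/RegNull::/RegLockDel:: sections the way the script above does. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed excerpt of a ComboFix log in the format posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 10:25 PM 308064]
S4 gduuhzf;gduuhzf; [x]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}\{06C63AB7-5C18-FA8E-E5D32118C99A5B59}\{F7BD6AFF-A45B-6FB8-BB91AB79C0A3DA53}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,3c,e2,e4,
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# Values that malware sets so Security Center and the firewall stop alerting.
OVERRIDE_VALUES = ("AntiVirusOverride", "FirewallOverride", "DisableNotifications")


def parse_findings(log_text):
    """Walk the log once and collect (category, detail) pairs worth acting on."""
    findings = []
    current_key = None   # registry key whose value lines we are reading
    in_locked = False    # inside the LOCKED REGISTRY KEYS section
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith("-----"):
            # a dashed banner either opens the locked-key section or ends it
            in_locked = "LOCKED REGISTRY KEYS" in line
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line
            if in_locked and line.endswith("*]"):   # ComboFix marks locked keys with *
                findings.append(("locked_key", line[1:-1]))
            continue
        m = re.match(r'^"(\w+)"\s*=\s*(?:dword:0*1|1 \(0x1\))$', line)
        if m and m.group(1) in OVERRIDE_VALUES:
            findings.append(("override", (current_key, m.group(1))))
            continue
        # firewall exception whose description is just "Services": no product name
        m = re.match(r'^"(\d+:(?:TCP|UDP))"=\s*\S+:Services$', line)
        if m:
            findings.append(("generic_open_port", m.group(1)))
            continue
        # service entry whose binary is missing ([x]), like gduuhzf in this thread
        m = re.match(r'^[RS]\d ([^;]+);[^;]*; \[x\]$', line)
        if m:
            findings.append(("orphan_service", m.group(1)))
    return findings


def build_cfscript(findings):
    """Render the CFScript sections the reply above used: Registry::, RegNull::, RegLockDel::."""
    lines, last_key = [], None
    overrides = [d for c, d in findings if c == "override"]
    if overrides:
        lines.append("Registry::")
        for key, value in overrides:
            if key != last_key:
                lines.append(key)
                last_key = key
            lines.append(f'"{value}"=-')   # "=-" deletes the value
        lines.append("")
    locked = [d for c, d in findings if c == "locked_key"]
    if locked:
        lines.append("RegNull::")
        lines.extend(f"[{k}]" for k in locked)              # keeps the trailing *
        lines.append("")
        lines.append("RegLockDel::")
        lines.extend(f"[{k.rstrip('*')}]" for k in locked)  # * dropped, as in the script
    return "\n".join(lines)


def manual_followups(findings):
    """Items handled outside the script: the orphan service was removed with sc delete (post #9)."""
    steps = [f"sc delete {name}" for c, name in findings if c == "orphan_service"]
    steps += [f"review firewall exception {port}" for c, port in findings if c == "generic_open_port"]
    return steps


if __name__ == "__main__":
    found = parse_findings(SAMPLE_LOG)
    for category, detail in found:
        print(f"{category:18} {detail}")
    print(build_cfscript(found))
    print("\n".join(manual_followups(found)))
```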


#6 LostInTheForrest


Posted 28 March 2010 - 01:07 PM

I've run ComboFix again, following your instructions.

Here are the results from C:\ComboFix.txt:

ComboFix 10-03-27.04 - Owner 03/28/2010 12:52:28.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1310 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-18 18:57 . 2010-03-18 18:57 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-18 05:42 . 2010-03-18 05:42 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-03-18 05:27 . 2010-03-18 05:27 -------- d-----w- c:\windows\ERUNT
2010-03-18 05:22 . 2010-03-23 03:34 -------- d-----w- C:\SDFix
2010-03-17 05:38 . 2010-03-17 04:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-17 04:35 . 2010-03-17 04:35 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-17 04:35 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-03-16 15:33 . 2010-03-17 01:20 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\atnwfr
2010-03-14 05:23 . 2010-03-14 05:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Foxit Software
2010-03-14 05:22 . 2010-03-14 05:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Foxit
2010-03-14 05:21 . 2010-03-14 05:21 -------- d-----w- c:\program files\Foxit Software
2010-03-14 04:31 . 2010-03-14 04:43 435 ----a-w- c:\temp\x.cmd
2010-03-14 03:25 . 2010-03-14 03:25 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-14 03:25 . 2010-03-14 03:25 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-14 03:25 . 2010-03-14 03:25 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-14 03:25 . 2010-03-14 03:25 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 19:42 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-06 17:51 . 2010-03-12 18:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\alfnuv
2010-03-05 06:43 . 2010-03-05 06:43 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-05 04:57 . 2010-03-05 04:57 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-05 04:57 . 2010-03-05 04:57 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-05 04:53 . 2010-03-05 04:53 3584 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-03-05 04:53 . 2010-03-05 04:53 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-03-02 20:40 . 2010-03-02 20:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 02:48 . 2009-12-09 02:02 -------- d-----w- c:\program files\Garmin
2010-03-26 05:39 . 2005-01-10 01:26 67320 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-25 01:48 . 2004-08-04 05:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-23 00:41 . 2006-06-03 02:02 -------- d-----w- c:\program files\Trend Micro
2010-03-22 22:48 . 2009-01-04 06:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-22 04:09 . 2009-03-28 15:26 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-19 15:51 . 2008-07-13 00:54 41 ----a-w- c:\documents and settings\Owner\jagex_runescape_preferences.dat
2010-03-19 15:51 . 2009-09-05 19:52 69 ----a-w- c:\documents and settings\Owner\jagex_runescape_preferences2.dat
2010-03-17 04:35 . 2008-05-11 18:15 -------- d-----w- c:\program files\Lavasoft
2010-03-17 04:34 . 2008-07-04 23:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-17 00:22 . 2009-08-09 02:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 00:22 . 2010-01-19 02:37 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-14 05:01 . 2006-02-07 18:32 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-14 04:23 . 2006-02-07 18:25 -------- d-----w- c:\program files\Google
2010-03-14 03:25 . 2009-11-22 03:27 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-14 03:25 . 2008-07-30 00:18 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-14 03:24 . 2008-07-30 00:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-05 06:46 . 2009-08-09 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-05 06:01 . 2006-06-05 03:29 -------- d-----w- c:\program files\Macromedia
2010-03-05 04:53 . 2008-06-06 05:30 -------- d-----w- c:\program files\MSECache
2010-02-20 04:33 . 2007-04-07 18:03 -------- d-----w- c:\program files\Winamp
2010-02-06 03:41 . 2009-11-22 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-05 23:48 . 2008-04-19 20:17 -------- d-----w- c:\program files\Zune
2010-02-04 15:53 . 2010-03-17 04:36 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-04 12:43 . 2008-10-03 01:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-12 00:57 . 2008-08-01 00:19 70984 ----a-w- c:\documents and settings\Owner\g2mdlhlpx.exe
2010-01-07 21:07 . 2009-08-09 02:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-08-09 02:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 20:38 . 2010-01-07 20:38 447216 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-01-07 20:38 . 2010-01-07 20:38 58592 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2010-01-07 20:22 . 2009-09-02 06:29 74240 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2010-01-07 20:22 . 2009-09-02 06:29 57344 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2010-01-07 20:22 . 2009-09-02 06:29 18944 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2010-01-07 20:22 . 2009-09-02 06:29 12800 ----a-w- c:\windows\system32\ZunePTDNS.dll
2010-01-07 20:22 . 2009-09-02 06:29 310784 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2010-01-07 20:22 . 2009-09-02 06:29 147456 ----a-w- c:\windows\system32\ZuneMTPZ.dll
2010-01-07 20:22 . 2009-09-02 06:28 40832 ----a-w- c:\windows\system32\drivers\zumbus.sys
2010-01-07 04:10 . 2010-01-07 04:10 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-31 16:50 . 2005-01-09 23:48 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2007-11-28 19:12 . 2006-07-22 04:46 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-11-28 19:12 . 2006-07-22 04:46 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-11-28 19:12 . 2007-12-25 19:12 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-11-28 19:12 . 2007-12-25 19:12 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-11-28 19:12 . 2006-07-22 04:46 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Owner\Local Settings\Application Data\alfnuv ----


---- Directory of c:\documents and settings\Owner\Local Settings\Application Data\atnwfr ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-26 185896]
"SoundMan"="SOUNDMAN.EXE" [2005-12-15 577536]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"nwiz"="nwiz.exe" [2005-09-18 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-06 13:30 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 03:25 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"getPlusHelper"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\FRONTPG.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Performer Software\\Presentation Image Viewer 6\\Viewer.exe"=
"c:\\Program Files\\Performer Software\\Presentation Image Viewer 6\\PSAutoUpdate.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Brother\\BRAdmin Light\\BRAdmLight.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Iomega\\QuikProtect\\QuikProtect.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/16/2010 11:36 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/29/2008 7:18 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/21/2009 10:27 PM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/22/2008 12:06 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 12:05 PM 66632]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 10:25 PM 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1229232]
S2 gupdate1c9d56bd0d4ccd6;Google Update Service (gupdate1c9d56bd0d4ccd6);c:\program files\Google\Update\GoogleUpdate.exe [5/15/2009 9:45 AM 133104]
S2 QSCopyEngine;QSCopyEngine;c:\program files\Iomega\QuikProtect\QpMonitor.exe [4/22/2009 4:09 PM 122880]
S3 cmvad;Linksys Wireless-G Music Bridge Interface;c:\windows\system32\drivers\cmudaxv.sys --> c:\windows\system32\drivers\cmudaxv.sys [?]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [12/29/2008 9:05 PM 36928]
S3 QsFsFltr;QsFsFltr;c:\windows\system32\drivers\QsFsFltr.sys [12/19/2009 11:20 PM 13824]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 12:06 PM 12872]
S4 gduuhzf;gduuhzf; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-03-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 04:36]

2010-03-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-03-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-27 18:06]

2010-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 14:45]

2010-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 14:45]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Start/start_page.htm
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: musicmatch.com\online
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://cam-cityhall1.delft.nl/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ar0j1fmp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - file:///C:/Start/start_page.htm
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1396)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-28 13:04:19
ComboFix-quarantined-files.txt 2010-03-28 18:04
ComboFix2.txt 2010-03-28 16:50

Pre-Run: 119,647,535,104 bytes free
Post-Run: 119,608,209,408 bytes free

- - End Of File - - 28A9747D85D458C6BF30A40A6E5988DE


#7 Farbar


Posted 28 March 2010 - 01:08 PM

Looks good. Please proceed with the next steps.

#8 LostInTheForrest


Posted 28 March 2010 - 07:14 PM

I had to coach and referee a couple of soccer games first...

I have now also completed step 2 and step 3.

Here are the results from the MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3925
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/28/2010 7:11:06 PM
mbam-log-2010-03-28 (19-11-06).txt

Scan type: Quick Scan
Objects scanned: 146991
Time elapsed: 6 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#9 Farbar


Posted 29 March 2010 - 12:46 AM

It looks good.
  1. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  2. Go to start > Run copy and paste the following line in the run box and click OK:

    sc delete gduuhzf

    A window flashes; that is normal.

  3. Also delete any tools and logs we used from your desktop.

Happy Surfing.

#10 LostInTheForrest


Posted 29 March 2010 - 08:38 PM

I've completed the last 3 steps.

Thank you very much for your help, Farbar!

#11 Farbar


Posted 30 March 2010 - 02:00 PM

You are most welcome.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



