
XP Smart Security 2010


  • This topic is locked
14 replies to this topic

#1 mritchey

mritchey

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:11 AM

Posted 02 April 2010 - 09:51 AM

For the last couple of weeks, I have had several problems with malware on my computer. I have had AVG Free installed on all my computers for years with no problems. It is always updated with the most current signatures. I started getting hijacked search pages and random browser pages opening up, so I decided to install Malwarebytes. It detected and fixed a couple dozen things on the first scan and the problem cleared for a few days, but it is now coming back stronger than ever with the addition of "XP Smart Security 2010 ALERT" messages coming up constantly. This XP Smart Security thing is obvious malware but I don't know how to get rid of it. I would very much appreciate any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:12 AM, on 4/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Marion\Local Settings\Application Data\ave.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirect...c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/yessentials_...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wowhead.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirect...c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: H2Press toolbar - {4fcc864f-07ef-4409-95f5-cf62803e7d0e} - C:\Program Files\H2Press\tbH2Pr.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: DVFC Toolbar - {f0f8f802-e207-41a8-a4d2-b875b8eaefe8} - C:\Program Files\DVFC\tbDVFC.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.6.0.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us//h...ALStreaming.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8...pdatePortal.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132922578625
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax2918.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tuvTJaAr - tuvTJaAr.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Office HTML Viewer Load Balancing Service - Unknown owner - c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.loadbalancer.exe (file missing)
O23 - Service: Office HTML Viewer Service - Unknown owner - c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.launcher.exe (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11788 bytes

Edited by Orange Blossom, 02 April 2010 - 11:06 AM.
Move to log forum. ~ OB
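The HijackThis log above is a flat list of registry and process entries, and the first triage pass a malware-response helper does on such a log is mechanical: look for entries whose target file is missing, services with no publisher, Winlogon Notify DLLs given without a path, autoruns and processes launched from a user profile directory, and LSA notification packages beyond the stock `scecli`. The following script is an added example written for this page, not a BleepingComputer or HijackThis tool. Its sample input is a handful of lines copied from the HijackThis and DDS logs posted in this thread; the rules it applies are general review heuristics, so a hit means "look at this entry", not a verdict on any particular file.

```python
"""Triage helper for HijackThis/DDS log lines (added example, not a HijackThis tool)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag (O2, O20, O23, ...) or PROC / LSA for non-HJT lines
    reason: str
    line: str


# Sample input: lines copied from the HijackThis and DDS logs posted in this thread.
SAMPLE_LINES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\Program Files\AVG\AVG9\avgtray.exe",
    r"C:\Documents and Settings\Marion\Local Settings\Application Data\ave.exe",
    r"O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)",
    r"O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe",
    r"O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll",
    r"O20 - Winlogon Notify: tuvTJaAr - tuvTJaAr.dll (file missing)",
    r"O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
    r"LSA: Notification Packages = scecli bevobaku.dll",
]

# "O23 - ..." / "R1 - ..." style HijackThis entries.
HJT_ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# A path inside a user's profile on Windows XP (user-writable, unusual for services/autoruns).
USER_PROFILE = re.compile(r"\\Documents and Settings\\[^\\]+\\", re.IGNORECASE)
DRIVE_PATH = re.compile(r"[A-Za-z]:\\")
# A stock Windows XP install lists only scecli in LSA Notification Packages.
KNOWN_LSA_PACKAGES = {"scecli"}


def triage_line(line: str) -> list[Finding]:
    """Apply the review heuristics to one log line and return zero or more findings."""
    findings: list[Finding] = []
    line = line.strip()
    if not line:
        return findings

    m = HJT_ENTRY.match(line)
    if m:
        sec, body = m.group("sec"), m.group("body")
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(sec, "orphaned entry: registry points at a file that no longer exists", line))
        if sec == "O23" and "Unknown owner" in body:
            findings.append(Finding(sec, "service with no publisher information", line))
        if sec == "O20" and not DRIVE_PATH.search(body):
            findings.append(Finding(sec, "Winlogon Notify DLL listed without a full path", line))
        if sec == "O4" and USER_PROFILE.search(body):
            findings.append(Finding(sec, "autorun entry launches from a user profile directory", line))
        return findings

    if line.startswith("LSA: Notification Packages ="):
        packages = line.split("=", 1)[1].split()
        extra = [p for p in packages if p.lower().split(".")[0] not in KNOWN_LSA_PACKAGES]
        if extra:
            findings.append(Finding("LSA", f"unexpected LSA notification package(s): {' '.join(extra)}", line))
        return findings

    # Anything else starting with a drive letter is treated as a "Running processes" line.
    if DRIVE_PATH.match(line) and USER_PROFILE.search(line):
        findings.append(Finding("PROC", "process running from a user profile directory", line))
    return findings


def triage(lines) -> list[Finding]:
    """Run triage_line over every line, preserving log order."""
    out: list[Finding] = []
    for raw in lines:
        out.extend(triage_line(raw))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running it on the sample yields six findings: the process under `Local Settings\Application Data`, the nameless BHO with no file, the `tuvTJaAr` Winlogon Notify entry (both missing and pathless), the service with an unknown owner, and the extra LSA package. Each of these is exactly the kind of line a log helper asks the poster about; the AVG and NVIDIA entries are left alone because a full path plus a known publisher satisfies every rule.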



#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 AM

Posted 05 April 2010 - 06:16 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS and GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 mritchey

mritchey
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:11 AM

Posted 06 April 2010 - 10:15 AM

Thank you for your reply EB. Since posting that, I think I have successfully removed the XP Security crap. I had to download Malwarebytes to my son's iPod and install it, but something was immediately deleting the .exe so that I couldn't run it. I fixed that by installing it to another computer and allowing it to update, then copying those files to the infected computer and running it in safe mode. Still, it took Malwarebytes, AVG, SUPERAntiSpyware and some registry editing to get the thing working right. Now, it seems the only thing I have left to deal with is Google hijacks, random pages opening and iexplore.exe starting itself. I will post the things you asked for as soon as I can. Maybe you can help me with those things.

#4 mritchey

mritchey
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:11 AM

Posted 06 April 2010 - 12:49 PM

Still running GMER scan but I want to get this posted.

It seems that I spoke too soon in the above post. As I was running the GMER scan, my browser window closed and the "XP Defender" window showed up with its fake virus scan page. This is the third time I have thought that I was rid of this thing only to have it pop up while doing a scan of some sort. I don't know if this is coincidence or if it is "woken up" by activity somehow. The "XP Smart Security 2010 ALERT" seems to be still gone though. Anyway, the list of problems I have is:

1. "XP Defender - Unregistred Version" infection with fake virus scan page.
2. Random browser pages opening.
3. Browser window closing itself.
4. Google search page hijacks.
5. iexplore.exe starting itself. No IE browser window opens, just the iexplore.exe shows up in the task manager and restarts if I close it. Sometimes can start three or more times at once.
6. "System hijack!", "Virus infection!", "Threat detected", "Security breach!" and "Privacy threat!" messages popping up at the bottom of the screen. These messages appear to be faked by the XP Defender thing.
7. "XP Defender ALERT" System integrity threat! windows opening telling me I am being attacked from 7.64.171.8 port 12850 with Lemena.3544
8. XP Security Center telling me that my antivirus scanner and firewall are not running, when AVG appears to be working normally and I am using a firewall on my router and have told the Security Center not to monitor the firewall.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Marion at 10:45:56.48 on Tue 04/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.743 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Marion\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wowhead.com/
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dPolicies-explorer: EditLevel = 0 (0x0)
dPolicies-explorer: NoCommonGroups = 0 (0x0)
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1100885463125
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by1fd.bay1.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132922578625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - hxxp://entimg.msn.com/client/msnmusax2918.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll, digeste.dll
LSA: Notification Packages = scecli bevobaku.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marion\applic~1\mozilla\firefox\profiles\i65d10ag.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.wowhead.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\marion\application data\mozilla\firefox\profiles\i65d10ag.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-4 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-4 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-4 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-4 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-4 308064]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2003-6-14 2560]
R2 PackethSvc;Virtual NIC Service;c:\windows\system32\PackethSvc.exe [2002-5-31 64512]
R3 C4C_BSC2;C4C_BSC2;c:\windows\system32\drivers\C4C_BSC2.sys [2002-7-8 84788]
S2 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\mscmtsrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
S2 Office HTML Viewer Load Balancing Service;Office HTML Viewer Load Balancing Service;c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.loadbalancer.exe --> c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.loadbalancer.exe [?]
S2 Office HTML Viewer Service;Office HTML Viewer Service;c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.launcher.exe --> c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.launcher.exe [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-4-4 369920]
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [2008-9-13 72832]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-5 24652]

=============== Created Last 30 ================

2067-02-24 21:21:18 79947 ----a-w- c:\windows\fw20.vxd
2010-04-06 15:45:16 0 ----a-w- c:\documents and settings\marion\defogger_reenable
2010-04-04 19:24:04 0 d-----w- C:\!KillBox
2010-04-04 16:19:28 0 d-----w- c:\program files\CCleaner
2010-04-04 09:49:06 0 d--h--w- C:\$AVG
2010-04-04 09:28:55 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-04 09:28:51 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-04 09:28:41 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-04 09:28:01 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-04 09:27:53 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-04-04 09:20:56 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-04-03 20:07:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-03 20:07:48 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-03 20:07:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 22:11:10 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-02 22:10:42 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-02 22:10:42 0 d-----w- c:\docume~1\marion\applic~1\SUPERAntiSpyware.com
2010-04-02 14:27:41 0 d-----w- c:\program files\Trend Micro
2010-03-28 20:01:58 0 d-----w- c:\docume~1\marion\applic~1\Malwarebytes
2010-03-28 20:01:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-20 04:09:18 754 ----a-w- c:\windows\WORDPAD.INI
2010-03-19 14:46:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Wowhead
2010-03-19 14:17:03 0 d-----w- c:\program files\Curse
2010-03-18 20:00:34 0 d-sh--w- c:\documents and settings\marion\IECompatCache
2010-03-18 19:59:09 0 d-sh--w- c:\documents and settings\marion\PrivacIE
2010-03-18 19:49:32 0 d-sh--w- c:\documents and settings\marion\IETldCache
2010-03-18 19:30:29 0 d-----w- c:\windows\ie8updates
2010-03-18 19:23:47 0 dc-h--w- c:\windows\ie8
2010-03-18 19:12:59 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-03-18 19:12:48 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-18 19:12:47 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-18 19:12:46 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-18 19:12:46 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-03-18 19:12:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-03-18 19:12:18 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-03-18 01:45:14 0 d-----w- c:\program files\Ventrilo
2010-03-18 01:43:48 262 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2010-03-16 19:38:33 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-04-06 15:25:25 2121 --sha-w- c:\windows\system32\mmf.sys
2010-04-03 22:30:19 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-03 22:30:19 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-03-09 09:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 15:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-08 22:20:09 41 ----a-w- c:\documents and settings\marion\jagex_runescape_preferences.dat
2010-02-08 22:20:00 69 ----a-w- c:\documents and settings\marion\jagex_runescape_preferences2.dat
2003-09-03 00:07:41 61 --sh--w- c:\windows\cnerolf.dat
2004-09-22 05:28:49 56 -csh--r- c:\windows\system32\9F1F505505.sys

============= FINISH: 10:47:22.25 ===============


#5 mritchey

mritchey
  • Topic Starter

  • Members
  • 9 posts

Posted 06 April 2010 - 04:03 PM

Here is the GMER file attached. I have also been getting this randomly: "Generic Host Process for Win32 Services has encountered a problem and needs to close. " Don't know if that is related to the rest but ...
Thanks for your help. :)

Attached Files


Edited by mritchey, 06 April 2010 - 04:04 PM.


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 06 April 2010 - 06:15 PM

Yup. Any information helps. :)

Hello.

Yes, you seem to be infected with the newer TDSS variant. More information here: http://rootbiez.blogspot.com/2009/11/rootk...s-lets-put.html

Let's start off with ComboFix. If it doesn't run or work, try renaming ComboFix (both the name and the extension) to mritchey.scr and running that.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without the guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#7 mritchey

mritchey
  • Topic Starter

  • Members
  • 9 posts

Posted 07 April 2010 - 06:28 AM

Thank you very much for your speedy reply!

ComboFix 10-04-05.06 - Marion 04/06/2010 23:55:00.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.896 [GMT -5:00]
Running from: c:\documents and settings\Marion\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe
c:\recycler\S-1-5-21-2376740472-3675345140-1602489464-1006
c:\recycler\S-1-5-21-2376740472-3675345140-1602489464-1008
c:\recycler\S-1-5-21-2376740472-3675345140-1602489464-1010
C:\Thumbs.db
c:\windows\bobsaver.scr
c:\windows\compaq.reg
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\setup.dll
c:\windows\INET.reg
c:\windows\system32\32cowinlin.dll
c:\windows\system32\cd_clint.dll
c:\windows\system32\SHELLLNK.TLB
c:\windows\system32\SIntf16.dll
c:\windows\system32\Temp
c:\windows\Tasks\jjbzudsl.job
F:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://download.newaol.com
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-04 19:24 . 2010-04-04 19:24 -------- d-----w- C:\!KillBox
2010-04-04 16:19 . 2010-04-04 16:19 -------- d-----w- c:\program files\CCleaner
2010-04-04 09:49 . 2010-04-04 09:49 -------- d-----w- C:\$AVG
2010-04-04 09:36 . 2010-04-04 09:36 -------- d-----w- c:\documents and settings\Marion\Local Settings\Application Data\AVG Security Toolbar
2010-04-04 09:28 . 2010-04-04 09:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-04 09:28 . 2010-04-04 09:28 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-04 09:28 . 2010-04-04 09:28 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-04 09:28 . 2010-04-04 09:28 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-04 09:28 . 2010-04-06 23:35 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-04 09:27 . 2010-04-04 09:30 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-04-04 09:20 . 2010-04-04 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-04 05:59 . 2010-04-04 05:59 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-04-03 20:18 . 2010-04-03 20:18 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-03 20:07 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-03 20:07 . 2010-04-04 06:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 20:07 . 2010-03-29 20:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-02 22:11 . 2010-04-02 22:11 52224 ----a-w- c:\documents and settings\Marion\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-02 22:11 . 2010-04-02 22:11 117760 ----a-w- c:\documents and settings\Marion\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-02 22:11 . 2010-04-02 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-02 22:10 . 2010-04-02 22:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-02 22:10 . 2010-04-02 22:10 -------- d-----w- c:\documents and settings\Marion\Application Data\SUPERAntiSpyware.com
2010-04-02 16:28 . 2010-04-02 23:36 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-04-02 14:27 . 2010-04-02 14:27 -------- d-----w- c:\program files\Trend Micro
2010-04-02 01:16 . 2010-04-02 01:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-02 00:53 . 2010-04-02 00:53 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-01 22:55 . 2010-04-01 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-01 22:55 . 2010-04-01 22:55 -------- d-----w- c:\program files\NOS
2010-04-01 22:55 . 2010-03-22 20:53 32576 ----a-w- c:\documents and settings\Marion\Application Data\Mozilla\Firefox\Profiles\i65d10ag.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-04-01 22:55 . 2010-03-22 20:53 29984 ----a-w- c:\documents and settings\Marion\Application Data\Mozilla\Firefox\Profiles\i65d10ag.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-03-30 18:07 . 2010-03-30 18:07 503808 ----a-w- c:\documents and settings\Marion\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71d78f8c-n\msvcp71.dll
2010-03-30 18:07 . 2010-03-30 18:07 499712 ----a-w- c:\documents and settings\Marion\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71d78f8c-n\jmc.dll
2010-03-30 18:07 . 2010-03-30 18:07 348160 ----a-w- c:\documents and settings\Marion\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-71d78f8c-n\msvcr71.dll
2010-03-30 18:07 . 2010-03-30 18:07 61440 ----a-w- c:\documents and settings\Marion\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5d086bc3-n\decora-sse.dll
2010-03-30 18:07 . 2010-03-30 18:07 12800 ----a-w- c:\documents and settings\Marion\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5d086bc3-n\decora-d3d.dll
2010-03-29 17:40 . 2010-03-29 17:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-28 22:27 . 2010-03-28 22:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-28 20:01 . 2010-03-28 20:01 -------- d-----w- c:\documents and settings\Marion\Application Data\Malwarebytes
2010-03-28 20:01 . 2010-03-28 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-28 17:59 . 2010-03-28 17:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-26 00:53 . 2010-03-26 00:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-03-19 14:46 . 2010-03-19 14:46 91648 ----a-w- c:\documents and settings\All Users\Application Data\Wowhead\Wowhead Client\gzip.exe
2010-03-19 14:46 . 2010-03-19 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Wowhead
2010-03-19 14:17 . 2010-04-05 17:00 -------- d-----w- c:\documents and settings\Marion\Local Settings\Application Data\CurseClient
2010-03-19 14:17 . 2010-03-19 14:17 -------- d-----w- c:\program files\Curse
2010-03-18 20:00 . 2010-03-18 20:00 -------- d-sh--w- c:\documents and settings\Marion\IECompatCache
2010-03-18 19:59 . 2010-03-18 19:59 -------- d-sh--w- c:\documents and settings\Marion\PrivacIE
2010-03-18 19:49 . 2010-03-18 19:49 -------- d-sh--w- c:\documents and settings\Marion\IETldCache
2010-03-18 19:30 . 2010-03-19 14:42 -------- d-----w- c:\windows\ie8updates
2010-03-18 19:23 . 2010-04-04 08:33 -------- dc-h--w- c:\windows\ie8
2010-03-18 19:12 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-03-18 19:12 . 2010-02-25 06:24 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-18 19:12 . 2010-02-25 06:24 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-18 19:12 . 2010-02-25 06:24 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-03-18 19:12 . 2010-02-25 06:24 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-18 19:12 . 2010-02-25 06:24 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-03-18 19:12 . 2010-02-25 16:54 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-03-18 01:45 . 2010-03-18 01:45 -------- d-----w- c:\program files\Ventrilo
2010-03-16 19:38 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 05:13 . 2003-06-14 20:08 2121 --sha-w- c:\windows\system32\mmf.sys
2010-04-04 18:59 . 2002-06-01 03:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-04 18:43 . 2006-12-19 02:12 -------- d-----w- c:\program files\Image-Line
2010-04-04 18:43 . 2003-06-14 22:08 -------- d-----w- c:\program files\Common Files\AOL
2010-04-04 09:12 . 2006-01-09 07:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-04-03 22:30 . 2001-08-17 22:51 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-02 22:09 . 2003-09-02 19:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-30 18:07 . 2007-08-25 04:34 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 18:06 . 2003-08-30 04:42 -------- d-----w- c:\program files\Java
2010-03-26 14:52 . 2006-04-08 20:15 -------- d-----w- c:\program files\World of Warcraft
2010-03-25 15:46 . 2009-05-17 17:49 -------- d-----w- c:\program files\AVG
2010-03-18 01:47 . 2006-10-21 20:04 -------- d-----w- c:\documents and settings\Marion\Application Data\Ventrilo
2010-03-09 09:28 . 2009-05-17 17:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 15:16 . 2009-10-07 14:42 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-08 22:20 . 2008-07-06 23:45 41 ----a-w- c:\documents and settings\Marion\jagex_runescape_preferences.dat
2010-02-08 22:20 . 2010-02-07 22:24 69 ----a-w- c:\documents and settings\Marion\jagex_runescape_preferences2.dat
2003-09-03 00:07 . 2003-09-03 00:07 61 --sh--w- c:\windows\cnerolf.dat
2004-09-22 05:28 . 2004-08-15 16:35 56 -csh--r- c:\windows\system32\9F1F505505.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 19:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-04 09:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ c:\windows\system32\hvygucnn.exe c:\windows\system32\hvygucnn.exe:changelist\0c:\windows\system32\ubjlpaeh.exe c:\windows\system32\ubjlpaeh.exe:changelist\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Gaming Zone\\zclient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard
"6112:TCP"= 6112:TCP:Blizzard
"6881:TCP"= 6881:TCP:Blizzard
"6882:TCP"= 6882:TCP:Blizzard
"6883:TCP"= 6883:TCP:Blizzard
"6884:TCP"= 6884:TCP:Blizzard
"6885:TCP"= 6885:TCP:Blizzard
"6886:TCP"= 6886:TCP:Blizzard
"6887:TCP"= 6887:TCP:Blizzard
"6888:TCP"= 6888:TCP:Blizzard
"6889:TCP"= 6889:TCP:Blizzard
"6890:TCP"= 6890:TCP:Blizzard
"6891:TCP"= 6891:TCP:Blizzard
"6892:TCP"= 6892:TCP:Blizzard
"6893:TCP"= 6893:TCP:Blizzard
"6894:TCP"= 6894:TCP:Blizzard
"6895:TCP"= 6895:TCP:Blizzard
"6896:TCP"= 6896:TCP:Blizzard
"6897:TCP"= 6897:TCP:Blizzard
"6898:TCP"= 6898:TCP:Blizzard
"6899:TCP"= 6899:TCP:Blizzard

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/4/2010 4:28 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/4/2010 4:28 AM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [4/4/2010 4:25 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/4/2010 4:25 AM 308064]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [6/14/2003 3:08 PM 2560]
R2 PackethSvc;Virtual NIC Service;c:\windows\system32\PackethSvc.exe [5/31/2002 10:28 PM 64512]
R3 C4C_BSC2;C4C_BSC2;c:\windows\system32\drivers\C4C_BSC2.sys [7/8/2002 7:32 PM 84788]
S2 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\msCMTSrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
S2 Office HTML Viewer Load Balancing Service;Office HTML Viewer Load Balancing Service;c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.loadbalancer.exe --> c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.loadbalancer.exe [?]
S2 Office HTML Viewer Service;Office HTML Viewer Service;c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.launcher.exe --> c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.launcher.exe [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [4/4/2010 4:27 AM 369920]
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [9/13/2008 9:53 PM 72832]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/5/2008 12:19 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-05 c:\windows\Tasks\{C8F9C587-B470-4070-AE7C-A479F26A2790}_THEKIDSPUTER_Michael.job
- c:\windows\System32\mobsync.exe [2001-08-18 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wowhead.com/
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Marion\Application Data\Mozilla\Firefox\Profiles\i65d10ag.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.wowhead.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Marion\Application Data\Mozilla\Firefox\Profiles\i65d10ag.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)
AddRemove-Autofighter - c:\documents and settings\Matthew\My Documents\lol\Uninstall.exe
AddRemove-LimeWire - c:\documents and settings\Matthew\My Documents\AIMLogger\flasgh\LimeWire\uninstall.exe
AddRemove-NoteWorthy Composer - c:\progra~1\NOTEWO~1\Uninstal.exe
AddRemove-Quicken Financial Center - c:\progra~1\QUICKE~1\rem\UNWISE.EXE
AddRemove-Sierra Utilities - c:\program files\Sierra On-Line\sutil32.exe
AddRemove-VPN v1.4us - c:\program files\Microsoft Games\Flight Simulator 9\Uninstal.exe
AddRemove-WavePad - c:\program files\NCH Swift Sound\WavePad\uninst.exe
AddRemove-Yahoo! Companion - c:\progra~1\Yahoo!\Common\unyt.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
AddRemove-{93539D60-1817-11D1-9504-00805F26A89C} - c:\program files\COMPAQ\Easy Access Button Support\Uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 06:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,e4,a7,56,24,10,cd,49,af,70,34,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,e4,a7,56,24,10,cd,49,af,70,34,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8]
"1"=hex:ed,4b,4a,ed,15,23,49,74,5a,62,6c,ea,06,f6,a6,df
"2"=hex:a9,40,80,f3,45,2c,d5,a1,17,53,11,d7,21,de,a4,9e,70,5f,a0,52,5b,27,ae,
65,1c,9d,59,02,eb,37,2c,7a,87,23,4c,1a,3f,83,53,96
"3"=hex:ed,4b,4a,ed,15,23,49,74,b0,26,52,ff,a0,7d,07,31,e6,5f,d4,da,fb,3f,90,
71,75,14,ea,42,77,9a,7a,ec,d4,b7,cc,3b,f4,0a,33,5b,a4,1e,da,46,25,2d,2a,72,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8\4F72AD6D614594B9]
"1"=hex:1a,dd,98,10,b1,7c,5d,e1
"2"=hex:ec,2e,4d,24,10,71,d3,85
"3"=hex:c6,62,ff,4c,0e,52,2b,d9,6e,7f,09,01,69,f6,a5,ed,56,ab,85,28,ce,f4,af,
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2956)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\System32\nvsvc32.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\wanmpsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-04-07 06:20:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-07 11:20

Pre-Run: 13,445,984,256 bytes free
Post-Run: 19,132,928,000 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 70C7EB76B3D38E96D2244B7C023DA509


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 AM

Posted 07 April 2010 - 09:05 PM

Hello.

Seems Combofix dealt with that infected file successfully. smile.gif

Let's continue.

How's your computer running now?

Run ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 mritchey

mritchey
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:11 AM

Posted 08 April 2010 - 04:12 PM

My computer has been running quite well. Can you tell me what "Seems Combofix dealt with that infected file successfully" from your post above is referring to?

I ran ESET as requested and it found a couple things and cleaned them. I deleted the quarantined files on exit from ESET.

C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe.vir a variant of Win32/Kryptik.DLI trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.VM trojan cleaned - quarantined

I am using the firewall in my Cisco WRT54G router. Should I also/instead be using something else?

Edited by mritchey, 08 April 2010 - 04:16 PM.


#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 AM

Posted 08 April 2010 - 04:59 PM

QUOTE
My computer has been running quite well. Can you tell me what "Seems Combofix dealt with that infected file successfully" from your post above is referring to?

The TDL3 rootkit -atapi.sys driver file.

QUOTE
I ran ESET as requested and it found a couple things and cleaned them. I deleted the quarantined files on exit from ESET.

That's fine, those are just Combofix quarantined items.

QUOTE
I am using the firewall in my Cisco WRT54G router. Should I also/instead be using something else?

No, that's fine. Having one firewall is enough along with anti-virus software, which you already have.

You forgot to re-run DDS...
QUOTE
Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply.


Thanks.

#11 mritchey

mritchey
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:11 AM

Posted 08 April 2010 - 08:31 PM

I used to be good at following instructions ... I guess I am getting old. crazy.gif


DDS (Ver_10-03-17.01) - NTFSx86
Run by Marion at 20:29:00.35 on Thu 04/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.724 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Marion\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wowhead.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dPolicies-explorer: EditLevel = 0 (0x0)
dPolicies-explorer: NoCommonGroups = 0 (0x0)
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1100885463125
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by1fd.bay1.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132922578625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - hxxp://entimg.msn.com/client/msnmusax2918.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marion\applic~1\mozilla\firefox\profiles\i65d10ag.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.wowhead.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\marion\application data\mozilla\firefox\profiles\i65d10ag.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-4 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-4 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-4 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-4 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-4 308064]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2003-6-14 2560]
R2 PackethSvc;Virtual NIC Service;c:\windows\system32\PackethSvc.exe [2002-5-31 64512]
R3 C4C_BSC2;C4C_BSC2;c:\windows\system32\drivers\C4C_BSC2.sys [2002-7-8 84788]
S2 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\mscmtsrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
S2 Office HTML Viewer Load Balancing Service;Office HTML Viewer Load Balancing Service;c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.loadbalancer.exe --> c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.loadbalancer.exe [?]
S2 Office HTML Viewer Service;Office HTML Viewer Service;c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.launcher.exe --> c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.launcher.exe [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-4-4 369920]
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [2008-9-13 72832]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-5 24652]

=============== Created Last 30 ================

2067-02-24 21:21:18 79947 ----a-w- c:\windows\fw20.vxd
2010-04-08 14:24:32 0 d-----w- c:\program files\ESET
2010-04-07 04:41:56 0 d-sha-r- C:\cmdcons
2010-04-07 04:39:18 98816 ----a-w- c:\windows\sed.exe
2010-04-07 04:39:18 77312 ----a-w- c:\windows\MBR.exe
2010-04-07 04:39:18 261632 ----a-w- c:\windows\PEV.exe
2010-04-07 04:39:18 161792 ----a-w- c:\windows\SWREG.exe
2010-04-06 15:45:16 0 ----a-w- c:\documents and settings\marion\defogger_reenable
2010-04-04 19:24:04 0 d-----w- C:\!KillBox
2010-04-04 16:19:28 0 d-----w- c:\program files\CCleaner
2010-04-04 09:49:06 0 d-----w- C:\$AVG
2010-04-04 09:28:55 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-04 09:28:51 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-04 09:28:41 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-04 09:28:01 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-04 09:27:53 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-04-04 09:20:56 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-04-03 20:07:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-03 20:07:48 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-03 20:07:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 22:11:10 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-02 22:10:42 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-02 22:10:42 0 d-----w- c:\docume~1\marion\applic~1\SUPERAntiSpyware.com
2010-04-02 14:27:41 0 d-----w- c:\program files\Trend Micro
2010-03-28 20:01:58 0 d-----w- c:\docume~1\marion\applic~1\Malwarebytes
2010-03-28 20:01:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-20 04:09:18 754 ----a-w- c:\windows\WORDPAD.INI
2010-03-19 14:46:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Wowhead
2010-03-19 14:17:03 0 d-----w- c:\program files\Curse
2010-03-18 20:00:34 0 d-sh--w- c:\documents and settings\marion\IECompatCache
2010-03-18 19:59:09 0 d-sh--w- c:\documents and settings\marion\PrivacIE
2010-03-18 19:49:32 0 d-sh--w- c:\documents and settings\marion\IETldCache
2010-03-18 19:30:29 0 d-----w- c:\windows\ie8updates
2010-03-18 19:23:47 0 dc-h--w- c:\windows\ie8
2010-03-18 19:12:59 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-03-18 19:12:48 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-18 19:12:47 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-18 19:12:46 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-18 19:12:46 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-03-18 19:12:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-03-18 19:12:18 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-03-18 01:45:14 0 d-----w- c:\program files\Ventrilo
2010-03-18 01:43:48 262 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2010-03-16 19:38:33 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-04-08 14:11:36 2121 --sha-w- c:\windows\system32\mmf.sys
2010-04-03 22:30:19 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-04-03 22:30:19 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-09 09:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 15:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-08 22:20:09 41 ----a-w- c:\documents and settings\marion\jagex_runescape_preferences.dat
2010-02-08 22:20:00 69 ----a-w- c:\documents and settings\marion\jagex_runescape_preferences2.dat
2003-09-03 00:07:41 61 --sh--w- c:\windows\cnerolf.dat
2004-09-22 05:28:49 56 -csh--r- c:\windows\system32\9F1F505505.sys

============= FINISH: 20:30:27.53 ===============


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 AM

Posted 08 April 2010 - 10:23 PM

No problem. smile.gif

That looks good. Just uninstall these older versions of Java:

QUOTE
Java 2 Runtime Environment Standard Edition v1.3.1
Java 2 Runtime Environment, SE v1.4.1_05
Java™ 6 Update 2
Java™ 6 Update 3


Other than that we can cleanup!

Please follow/read the steps below to remove the tools we used and for some more information. smile.gif


Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean! specool.gif

Now that you are clean, please follow and read some of the prevention tips below.

Preventing Infections in the Future


Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

Some of the main things you should consider doing or reading are:
  • Disabling Autorun/Play on Flash-Drive/Removable Drives
  • Avoid gaming sites, underground web pages, pirated software sites, and Peer to Peer Programs
  • Keep Windows Updated through going to Windows Updates
  • Updating Non-Microsoft Programs
  • Keeping security software updated

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us, and good luck thumbup2.gif


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks smile.gif

With Regards,
Extremeboy


#13 mritchey

mritchey
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:11 AM

Posted 08 April 2010 - 11:27 PM

Thanks for all your help, EB. I have had antivirus protection running on all my computers since BBS'es were the thing and have always been very careful with the Internet. I count myself fortunate that this is the first time something like this has hit me and I don't really know how this one got in. I now have some antimalware software running in addition to the AVG.

Again, thanks! Hopefully, I won't need you again but it is awesome to know that people like you are there to help when needed!

Edited by mritchey, 08 April 2010 - 11:28 PM.


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 AM

Posted 09 April 2010 - 08:44 PM

No problem, I'm glad I was able to help!

Stay clean. smile.gif

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 AM

Posted 09 April 2010 - 08:47 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad we could help smile.gif
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy



