
XP Defender Pro Malware


This topic is locked
30 replies to this topic

#1 roaddie
  • Members
  • 23 posts
  • Gender:Female
  • Location:Ohio

Posted 03 April 2010 - 10:06 AM

Hello,
I have this malware on my PC and Malwarebytes is not picking it up, and I need help getting it off. I am posting a HijackThis log for review and hope someone is able to help me.

I am using Windows XP with Avira virus protection and using Windows Firewall. My PC is a Dell.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:05 AM, on 4/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Jean Johnson\Local Settings\Application Data\vma.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jean Johnson\My Documents\idman .exe
C:\Documents and Settings\Jean Johnson\Desktop\gmer.exe
C:\Documents and Settings\Jean Johnson\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: IAOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Documents and Settings\Jean Johnson\My Documents\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Jdowohavonaxehiz] rundll32.exe "C:\WINDOWS\ifoqicacepe.dll",Startup
O4 - HKCU\..\Run: [IDMan] C:\Documents and Settings\Jean Johnson\My Documents\idman .exe /onboot
O4 - HKUS\S-1-5-19\..\Run: [fepubosile] Rundll32.exe "tiseluwi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fepubosile] Rundll32.exe "tiseluwi.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Jean Johnson\My Documents\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Jean Johnson\My Documents\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Jean Johnson\My Documents\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - https://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1255831257453
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8646A6AF-0AE4-4BF8-B716-DB1513803972} (SFImageUpload1_8.ImageUpload) - http://riteaid.storefront.com/images/globa...geUpload1_8.CAB
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...r_installer.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: jazuyana.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

--
End of file - 5442 bytes
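Several entries in the HijackThis log above are the kind a responder would pull out first: a Run entry loading a DLL dropped straight into C:\WINDOWS, Run entries under the LOCAL SERVICE and NETWORK SERVICE hives (HKUS\S-1-5-19 and S-1-5-20), a populated AppInit_DLLs value, an executable sitting directly in Local Settings\Application Data, and file names with a space before the extension. The script below is an added example, not part of the forum post and not code from HijackThis or Malwarebytes; it encodes those observations as simple heuristics and runs them over lines copied from the log. The heuristic names, regexes and the `triage`/`reasons_for` functions are the editor's assumptions for illustration, not detection rules shipped by any tool.

```python
"""Triage heuristics for a HijackThis v2 log.

Added example, not part of the forum thread or of HijackThis. The sample
lines are copied from the log posted above; the heuristics and their names
are assumptions made for illustration, not rules shipped by any tool.
"""
import re
from typing import List, Tuple

# Lines copied from the HijackThis log in the first post (abridged).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Jean Johnson\Local Settings\Application Data\vma.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Documents and Settings\Jean Johnson\My Documents\idman .exe

O4 - HKLM\..\Run: [Jdowohavonaxehiz] rundll32.exe "C:\WINDOWS\ifoqicacepe.dll",Startup
O4 - HKCU\..\Run: [IDMan] C:\Documents and Settings\Jean Johnson\My Documents\idman .exe /onboot
O4 - HKUS\S-1-5-19\..\Run: [fepubosile] Rundll32.exe "tiseluwi.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: jazuyana.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# "name .exe": a space before the extension is not something installers
# produce (compare "idman .exe" above with the normal "idman.exe").
SPACE_BEFORE_EXT = re.compile(r"\S \.(exe|dll)\b", re.IGNORECASE)

# An executable sitting directly in the profile's Local Settings\Application
# Data or Temp folder instead of a vendor subfolder.
PROFILE_EXE = re.compile(
    r"\\Local Settings\\(Application Data|Temp)\\[^\\]+\.exe\b", re.IGNORECASE)

# rundll32 and the DLL it is told to load (quoted or not).
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]*\.dll)', re.IGNORECASE)

# Run keys under the LOCAL SERVICE (S-1-5-19) / NETWORK SERVICE (S-1-5-20) hives.
SERVICE_SID = re.compile(r"HKUS\\S-1-5-(19|20)\\")


def rundll32_target_is_suspect(target: str) -> bool:
    """True for a bare DLL name (resolved through the DLL search path) or a
    DLL dropped straight into %WINDIR% rather than system32 or a vendor folder."""
    t = target.strip()
    if "\\" not in t:
        return True
    return re.fullmatch(r"[A-Z]:\\WINDOWS\\[^\\]+\.dll", t, re.IGNORECASE) is not None


def reasons_for(line: str) -> List[str]:
    """Return the heuristics that fire on one log line (empty list = nothing fired)."""
    reasons = []
    if SPACE_BEFORE_EXT.search(line):
        reasons.append("space before file extension")
    if PROFILE_EXE.search(line):
        reasons.append("executable directly under Local Settings")
    m = RUNDLL.search(line)
    if m and rundll32_target_is_suspect(m.group(1)):
        reasons.append("rundll32 loads a DLL by bare name or from %WINDIR% root")
    if line.startswith("O4 ") and SERVICE_SID.search(line):
        reasons.append("Run key under a service-account hive")
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs populated")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run every heuristic over every non-empty line; keep the lines that fire."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            found = reasons_for(line)
            if found:
                hits.append((line, found))
    return hits


if __name__ == "__main__":
    for line, found in triage(SAMPLE_LOG):
        print(f"{line}\n    -> {', '.join(found)}")
```

Run as-is it flags six of the sample lines and leaves smss.exe, Explorer.EXE and the Avira entries alone. The heuristics only point at lines worth a second look; a flagged entry still has to be confirmed by another source (the Malwarebytes scan later in this thread identifies vma.exe as a rogue antivirus), and legitimate software that drops a bare executable into Local Settings\Application Data will also trip the profile rule.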







#2 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 03 April 2010 - 01:28 PM

Hello roaddie,

Malwarebytes should be picking up XP Defender Pro. Please go to the Update tab and check for updates until it says you have the latest version, then run a Quick Scan and post back here with the log.


  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program's drivers will not conflict with GMER's driver.
  4. Double click on GMER to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window. If you do, click No.
  7. Untick the following boxes on the right side of the GMER screen:
    Show All
  8. Click on Scan and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push Save and save the logfile to your desktop.
  11. Copy and paste the contents of that file in your next post.


Then please post back here with the following logs:
  • Malwarebytes log
  • Gmer log

Thanks



#3 roaddie
  • Topic Starter
  • Members
  • 23 posts
  • Gender:Female
  • Location:Ohio

Posted 03 April 2010 - 08:06 PM

Hello and thanks for your response. I was finally able to update Malwarebytes and did another scan, and I am posting a log here. I also ran GMER but didn't disconnect the internet, I forgot to do that; anyway, here they are. Thanks again.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/3/2010 3:35:08 PM
mbam-log-2010-04-03 (15-35-08).txt

Scan type: Full scan (C:\|)
Objects scanned: 150299
Time elapsed: 3 hour(s), 37 minute(s), 1 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\Documents and Settings\Jean Johnson\Local Settings\Application Data\vma.exe (Rogue.MultipleAV) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Jean Johnson\Local Settings\Application Data\MSASCui.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jean Johnson\Local Settings\Application Data\vma.exe (Rogue.MultipleAV) -> Delete on reboot.
C:\Documents and Settings\Jean Johnson\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jean Johnson\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-03 11:55:24
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\JEANJO~1\LOCALS~1\Temp\pxtdapod.sys


---- System - GMER 1.0.15 ----

SSDT F8D83A86 ZwCreateKey
SSDT F8D83A7C ZwCreateThread
SSDT F8D83A8B ZwDeleteKey
SSDT F8D83A95 ZwDeleteValueKey
SSDT F8D83A9A ZwLoadKey
SSDT F8D83A68 ZwOpenProcess
SSDT F8D83A6D ZwOpenThread
SSDT F8D83AA4 ZwReplaceKey
SSDT F8D83A9F ZwRestoreKey
SSDT F8D83A90 ZwSetValueKey
SSDT F8D83A77 ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 832EACA1

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDmrvkylwrxd.sys
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDoxeqlvjnjy.dll
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDmrvkylwrxd.sys
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules@_VOIDsrcr \\?\globalroot\systemroot\system32\_VOIDnsargompgx.dat
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules@_voidserf \\?\globalroot\systemroot\system32\_VOIDpoawxcnroy.dll
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules@_voidbbr \\?\globalroot\systemroot\system32\_VOIDcwkefkalqj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0xA6 0x71 0x0C 0xD2 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{bb0e5a8e-75a5-44e4-8f8c-d6c2d06822fb}@Model 67
Reg HKLM\SOFTWARE\Classes\CLSID\{bb0e5a8e-75a5-44e4-8f8c-d6c2d06822fb}@Therad 32
Reg HKLM\SOFTWARE\Classes\CLSID\{bb0e5a8e-75a5-44e4-8f8c-d6c2d06822fb}@MData 0xCB 0x9B 0xAD 0xEF ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



#4 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 04 April 2010 - 06:41 AM

Hi roaddie,

It looks like MBAM has dealt with quite a bit, but you still have something nasty showing in the GMER log; let's run ComboFix next.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks



#5 roaddie
  • Topic Starter
  • Members
  • 23 posts
  • Gender:Female
  • Location:Ohio

Posted 04 April 2010 - 11:11 AM

Thank you, I will get right back to you with the report.

#6 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 04 April 2010 - 11:22 AM

You're welcome :)



#7 roaddie
  • Topic Starter
  • Members
  • 23 posts
  • Gender:Female
  • Location:Ohio

Posted 04 April 2010 - 11:46 AM

I hope this is the right report. I await your response and, again, thanks for your help.
Update: Found the report and here it is:

ComboFix 10-04-03.02 - Jean Johnson 04/04/2010 12:26:37.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.332 [GMT -4:00]
Running from: c:\documents and settings\Jean Johnson\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
The following files were disabled during the run:
c:\windows\system32\charprep.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\Jean Johnson\Local Settings\Application Data\{93F7FBEC-D543-46C3-B82F-A6B9EF5D9BA6}
c:\documents and settings\Jean Johnson\Local Settings\Application Data\{93F7FBEC-D543-46C3-B82F-A6B9EF5D9BA6}\chrome.manifest
c:\documents and settings\Jean Johnson\Local Settings\Application Data\{93F7FBEC-D543-46C3-B82F-A6B9EF5D9BA6}\chrome\content\_cfg.js
c:\documents and settings\Jean Johnson\Local Settings\Application Data\{93F7FBEC-D543-46C3-B82F-A6B9EF5D9BA6}\chrome\content\overlay.xul
c:\documents and settings\Jean Johnson\Local Settings\Application Data\{93F7FBEC-D543-46C3-B82F-A6B9EF5D9BA6}\install.rdf
c:\windows\AppPatch\AcAdProc.dll
c:\windows\eSellerateEngine.dll
c:\windows\ifoqicacepe.dll
c:\windows\system32\_VOIDmfeklnmal.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\Ijl11.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\Thumbs.db
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-03-04 to 2010-04-04 )))))))))))))))))))))))))))))))
.

2010-04-03 14:20 . 2010-04-03 14:20 184320 --sha-w- c:\documents and settings\Jean Johnson\Local Settings\Application Data\2927340765.dll
2010-04-01 13:15 . 2010-04-01 13:15 35840 ----a-w- c:\windows\system32\charprep.dll
2010-03-31 14:26 . 2010-03-31 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\HipSoft
2010-03-31 13:47 . 2010-03-31 13:47 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\Big Fish Games
2010-03-30 21:37 . 2010-03-30 21:37 -------- d-----w- c:\documents and settings\Jean Johnson\Local Settings\Application Data\JollyBear
2010-03-30 21:37 . 2010-03-30 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2010-03-30 21:32 . 2010-03-30 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Nevosoft
2010-03-30 20:42 . 2010-03-30 20:42 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\Dragon Altar Games
2010-03-29 23:07 . 2010-03-29 23:07 60704 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-28 17:41 . 2010-03-28 17:41 -------- d-----w- c:\temp\DMTemp
2010-03-26 17:30 . 2010-03-26 17:30 -------- d-----w- c:\documents and settings\Jean Johnson\Local Settings\Application Data\Archaeologists
2010-03-26 00:40 . 2010-03-30 01:11 5918720 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-25 23:50 . 2010-03-25 23:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-25 22:23 . 2010-03-25 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\FileCure
2010-03-25 21:59 . 2010-03-29 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-25 21:59 . 2010-03-30 01:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-25 21:59 . 2010-03-29 19:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 21:34 . 2010-03-25 21:34 -------- d-----w- c:\windows\RegCure
2010-03-25 19:38 . 2010-04-03 00:23 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-25 19:38 . 2010-03-25 19:38 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-25 19:38 . 2010-03-25 19:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-25 18:37 . 2010-03-25 18:37 -------- d-----w- C:\Malicious Software
2010-03-25 17:57 . 2010-04-02 16:16 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-25 14:08 . 2010-04-04 04:37 0 ----a-w- c:\windows\Ddiwadisuvubovis.bin
2010-03-25 04:20 . 2010-04-04 16:06 120 ----a-w- c:\windows\Kbevezib.dat
2010-03-25 04:17 . 2010-03-26 01:38 -------- d-sh--w- c:\documents and settings\Jean Johnson\.COMMgr
2010-03-25 04:17 . 2008-04-14 00:12 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2010-03-25 04:17 . 2008-04-14 00:12 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-03-25 04:17 . 2010-03-25 04:17 118 ----a-w- C:\tujserrew.bat
2010-03-20 23:41 . 2010-03-20 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Happyville__
2010-03-18 23:30 . 2010-03-18 23:30 -------- d-----w- c:\documents and settings\Jean Johnson\Local Settings\Application Data\Unity
2010-03-13 18:49 . 2010-03-14 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Deadtime Stories
2010-03-10 21:45 . 2010-03-10 21:45 -------- d-----w- c:\windows\Cache
2010-03-08 20:09 . 2010-03-26 01:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-08 20:09 . 2010-03-26 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-08 13:36 . 2010-03-08 13:39 23113 ----a-w- c:\windows\hpqins15.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-04 16:37 . 2009-09-04 23:48 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\DMCache
2010-04-04 16:12 . 2010-02-19 13:04 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\HPAppData
2010-04-04 00:46 . 2009-09-05 15:30 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\LimeWire
2010-04-02 15:26 . 2009-09-05 19:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-28 23:30 . 2010-02-08 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Playrix Entertainment
2010-03-28 20:07 . 2009-09-04 23:47 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\Vso
2010-03-26 02:10 . 2009-09-15 22:43 -------- d-----w- c:\program files\Realore
2010-03-25 19:49 . 2009-09-05 16:00 -------- d-----w- c:\program files\AOL 9.1
2010-03-25 17:35 . 2009-09-05 00:59 60704 -c--a-w- c:\documents and settings\Jean Johnson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-25 14:10 . 2004-08-12 13:55 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-09 14:08 . 2009-10-30 00:20 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-01 23:11 . 2009-10-13 22:57 -------- d-----w- c:\program files\DVDFab 6
2010-03-01 21:33 . 2010-03-01 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2010-03-01 21:00 . 2010-03-01 20:53 -------- d-----w- c:\program files\Any DVD Cloner Platinum
2010-03-01 20:28 . 2010-03-01 20:28 -------- d-----w- c:\program files\Aiseesoft Studio
2010-02-26 20:26 . 2010-02-18 18:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-02-26 20:26 . 2010-02-18 18:51 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\ArcSoft
2010-02-25 06:24 . 2004-08-12 14:09 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 02:12 . 2009-09-04 23:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-22 18:44 . 2010-02-22 18:44 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\HP
2010-02-22 03:21 . 2010-02-20 06:57 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\Janes Realty2
2010-02-18 19:58 . 2010-02-18 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-02-18 19:50 . 2010-02-18 19:35 186748 ----a-w- c:\windows\hpwins23.dat
2010-02-18 19:47 . 2009-09-05 02:58 -------- d-----w- c:\program files\HP
2010-02-18 19:47 . 2010-02-18 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-02-18 19:47 . 2010-02-18 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-02-18 19:39 . 2010-02-18 19:39 -------- d-----w- c:\program files\Common Files\HP
2010-02-18 19:04 . 2010-02-18 19:04 -------- d-----w- c:\program files\Common Files\Real
2010-02-18 18:50 . 2010-02-18 18:49 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-02-18 18:49 . 2010-02-18 18:49 -------- d-----w- c:\program files\ArcSoft
2010-02-18 18:49 . 2010-02-18 18:49 -------- d-----w- c:\program files\Philips
2010-02-18 18:48 . 2010-02-18 18:48 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\InstallShield
2010-02-14 01:17 . 2009-09-06 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2010-02-07 19:21 . 2009-09-05 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-02-05 03:56 . 2010-02-05 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Top Evidence
2010-01-06 04:07 . 2010-01-06 03:34 22 ----a-w- c:\windows\popcinfot.dat
2010-01-06 03:34 . 2010-01-06 03:34 0 ----a-w- c:\windows\popcreg.dat
.
c:\program files\AOL 9.1\aol .exe
c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\documents and settings\Jean Johnson\My Documents\idman .exe" [2008-08-10 2594224]
"AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jdowohavonaxehiz"="c:\windows\ifoqicacepe.dll" [N/A]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [N/A]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jean Johnson^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
path=c:\documents and settings\Jean Johnson\Start Menu\Programs\Startup\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\chk_mdv241]
c:\program files\MDV241\chk_mdv241 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
c:\program files\AOL 9.1\AOL.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2009-03-02 17:08 209153 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BarbieGirlsTray]
c:\program files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dbf70700 .exe]
c:\documents and settings\Jean Johnson\Application Data\4C117E5EFB08794131F70A99787C08CE\dbf70700 .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dbf70700.exe]
c:\documents and settings\Jean Johnson\Application Data\4C117E5EFB08794131F70A99787C08CE\dbf70700.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ewrgetuj]
c:\docume~1\JEANJO~1\LOCALS~1\Temp\geurge.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fepubosile]
tiseluwi.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\aol\1252166423\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 12:59 126976 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsa8ffushf83hoigjhs98jgijg9sd8e]
c:\docume~1\jeanjo~1\locals~1\temp\pwqq1z .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2008-08-10 22:38 2594224 ----a-w- c:\documents and settings\Jean Johnson\My Documents\idman .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 12:59 155648 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jdowohavonaxehiz]
c:\windows\ifoqicacepe.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2005-05-09 19:32 53248 -c--a-w- c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 21:42 1404928 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-04 23:54 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\User Protection]
c:\program files\User Protection\usrprot.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"seclogon"=2 (0x2)
"Nla"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"Eventlog"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"SLService"=2 (0x2)
"ScsiAccess"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"AOL ACS"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dumprsm REG_SZ c:\windows\system32\charprep.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1252166423\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
mStart Page = hxxp://www.att.net
uInternet Settings,ProxyOverride = localhost
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: Download all links with IDM - c:\documents and settings\Jean Johnson\My Documents\IEGetAll.htm
IE: Download FLV video content with IDM - c:\documents and settings\Jean Johnson\My Documents\IEGetVL.htm
IE: Download with IDM - c:\documents and settings\Jean Johnson\My Documents\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {8646A6AF-0AE4-4BF8-B716-DB1513803972} - hxxp://riteaid.storefront.com/images/global/activex/SFImageUpload1_8.CAB
FF - ProfilePath - c:\documents and settings\Jean Johnson\Application Data\Mozilla\Firefox\Profiles\2bb145ye.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\documents and settings\Jean Johnson\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
FF - plugin: c:\documents and settings\Jean Johnson\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-04 12:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):a6,71,0c,d2,51,3a,11,2c,88,0b,8a,c2,be,30,9f,e0,ca,48,ef,83,7d,
e5,d7,a2,e0,9d,e6,34,ee,64,fa,48,05,42,76,8a,cf,a7,b5,7f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{bb0e5a8e-75a5-44e4-8f8c-d6c2d06822fb}]
@Denied: (Full) (Everyone)
"Model"=dword:00000043
"Therad"=dword:00000020
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,d8,aa,de,e3,89,f4,3c,14,46,8f,3c,f2,5c,68,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3648)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\charprep.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
.
**************************************************************************
.
Completion time: 2010-04-04 12:42:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-04 16:42

Pre-Run: 60,310,822,912 bytes free
Post-Run: 60,459,081,728 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,4,5
- - End Of File - - 5EC1FB4175751673742DC3B6B96E49B7

Edited by roaddie, 04 April 2010 - 11:50 AM.


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:12 PM

Posted 04 April 2010 - 01:42 PM

Can you tell me if you know what program the following folder is for?

c:\program files\MDV241

I see that you have been disabling some entries under msconfig. I need you to re-enable these for now; you
can change them again when we are finished.

Click Start >> Run, then type msconfig in the box.
Under the general tab, select Normal Startup - load all devices and services.
Click Apply then Close and restart your computer.

When you ran ComboFix it appears Avira was not disabled; it is important to disable it first, so please make sure you do.
Don't disable it using msconfig; disable it via the program. If you can't get it disabled, ask me before continuing and I will help.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/306889/xp-defender-pro-maleware/

Collect::
c:\documents and settings\Jean Johnson\Local Settings\Application Data\2927340765.dll
c:\windows\system32\charprep.dll
c:\windows\Ddiwadisuvubovis.bin
c:\windows\Kbevezib.dat
C:\tujserrew.bat
Folder::
c:\documents and settings\Jean Johnson\.COMMgr
c:\program files\User Protection
c:\documents and settings\Jean Johnson\Application Data\4C117E5EFB08794131F70A99787C08CE
RenV::
c:\program files\AOL 9.1\aol .exe
c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray .exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jdowohavonaxehiz"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
"dumprsm"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{bb0e5a8e-75a5-44e4-8f8c-d6c2d06822fb}]


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
Then please post back here with the following logs:
  • Combofix.txt
  • ESET report
Thanks

Edited by syler, 04 April 2010 - 01:43 PM.


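The CFScript above is a hand-written response to specific lines in the ComboFix log: the AppCertDlls entry that loads charprep.dll into every newly created process, the Security Center override values that suppress "antivirus/firewall off" warnings, the standard-profile firewall switched off, a legitimate program renamed with a space before its extension ("idman .exe", reversed by the RenV:: section), and a startup entry pointing at a file in a temp folder that no longer exists. The Python below is an added example of how a helper might pull those same indicators out of a ComboFix-style log automatically; it is not ComboFix's code or the poster's, the matching rules are heuristics I chose, and the sample log is constructed from lines quoted in this thread.

```python
"""Triage a ComboFix-style log for the tamper and persistence indicators the
CFScript in this thread targets. Added example; not part of ComboFix."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str      # indicator category
    line_no: int   # 1-based line in the log text
    text: str      # the offending log line


# Registry sections, matched case-insensitively against the end of a "[...]" header.
APPCERT_KEY = r"\control\session manager\appcertdlls]"      # DLL loaded into every new process
SECURITY_CENTER_KEY = r"\microsoft\security center]"         # AV/firewall warning overrides
FIREWALL_PROFILE_KEY = r"firewallpolicy\standardprofile]"    # XP firewall on/off switch

# "idman .exe": a real program renamed with a space before its extension so the
# malware can take its place; this is what the RenV:: section reverses.
SPACED_EXTENSION = re.compile(r"\S \.(exe|dll|bat|scr|com)\b", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
OVERRIDE_ON = re.compile(r'"(antivirus|firewall)override"=dword:0*1$')


def triage(log_text):
    """Return Finding objects for every suspicious line, in log order."""
    findings = []
    section = ""
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):          # registry key / section header
            section = line.lower()
            continue
        if line.endswith("=-"):           # CFScript deletion directive, not a live value
            continue
        low = line.lower()
        if section.endswith(APPCERT_KEY):
            findings.append(Finding("appcertdlls", line_no, line))
        elif section.endswith(SECURITY_CENTER_KEY):
            if OVERRIDE_ON.search(low):
                findings.append(Finding("security_center_override", line_no, line))
        elif section.endswith(FIREWALL_PROFILE_KEY):
            if '"enablefirewall"' in low and re.search(r"=\s*0\b", low):
                findings.append(Finding("firewall_disabled", line_no, line))
            if '"disablenotifications"' in low and re.search(r"=\s*1\b", low):
                findings.append(Finding("firewall_notifications_off", line_no, line))
        if SPACED_EXTENSION.search(line):
            findings.append(Finding("spaced_extension", line_no, line))
        if line.endswith("[N/A]") and TEMP_DIR.search(line):
            findings.append(Finding("missing_temp_autostart", line_no, line))
    return findings


def summarize(findings):
    """Count findings per kind."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample, assembled from lines quoted in the thread above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsa8ffushf83hoigjhs98jgijg9sd8e]
c:\docume~1\jeanjo~1\locals~1\temp\pwqq1z .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2008-08-10 22:38 2594224 ----a-w- c:\documents and settings\Jean Johnson\My Documents\idman .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 12:59 155648 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dumprsm REG_SZ c:\windows\system32\charprep.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3}  {f.kind:<28} {f.text}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample it reports the AppCertDlls line, both Security Center overrides, the disabled firewall and its silenced notifications, the two space-before-extension names, and the orphaned temp-folder autostart; the igfxtray.exe entry and the firewall exception list produce nothing. The section-header tracking is what keeps the AuthorizedApplications\List values from being confused with the profile switch itself.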

#9 roaddie

roaddie
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Female
  • Location:Ohio
  • Local time:08:12 AM

Posted 04 April 2010 - 05:05 PM

I went to Avira and it states that it is: Stopped,
so I don't know what to do. Please let me know, as I am ready to do the rest of your steps. Thanks.

I don't know what that program is either.

Edited by roaddie, 04 April 2010 - 05:06 PM.


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:12 PM

Posted 04 April 2010 - 05:39 PM

It might be a problem with Windows reporting it is running when it's not, because I don't see it in the running processes.
Please go ahead and run ComboFix.



#11 roaddie

roaddie
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Female
  • Location:Ohio
  • Local time:08:12 AM

Posted 04 April 2010 - 05:42 PM

Just combo fix or follow all the above steps?

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:12 PM

Posted 04 April 2010 - 06:01 PM

All of the steps.



#13 roaddie

roaddie
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ohio
  • Local time:08:12 AM

Posted 04 April 2010 - 08:17 PM

Okay, here we go. I ran ComboFix and did ESET, and here are the results.
By the way, what is this file?
"The following files were disabled during the run:
c:\windows\system32\charprep.dll"

ComboFix 10-04-03.02 - Jean Johnson 04/04/2010 18:56:58.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.326 [GMT -4:00]
Running from: c:\documents and settings\Jean Johnson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jean Johnson\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

file zipped: c:\documents and settings\Jean Johnson\Local Settings\Application Data\2927340765.dll
file zipped: C:\tujserrew.bat
file zipped: c:\windows\Ddiwadisuvubovis.bin
file zipped: c:\windows\Kbevezib.dat
.
The following files were disabled during the run:
c:\windows\system32\charprep.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jean Johnson\.COMMgr
c:\documents and settings\Jean Johnson\.COMMgr\complmgr .exe
c:\documents and settings\Jean Johnson\Local Settings\Application Data\2927340765.dll
c:\documents and settings\Jean Johnson\Start Menu\Programs\Startup\Antimalware Doctor.lnk
C:\tujserrew.bat
c:\windows\Ddiwadisuvubovis.bin
c:\windows\Kbevezib.dat

.
((((((((((((((((((((((((( Files Created from 2010-03-04 to 2010-04-04 )))))))))))))))))))))))))))))))
.

2010-04-01 13:15 . 2010-04-01 13:15 35840 ----a-w- c:\windows\system32\charprep.dll.vir
2010-03-31 14:26 . 2010-03-31 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\HipSoft
2010-03-31 13:47 . 2010-03-31 13:47 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\Big Fish Games
2010-03-30 21:37 . 2010-03-30 21:37 -------- d-----w- c:\documents and settings\Jean Johnson\Local Settings\Application Data\JollyBear
2010-03-30 21:37 . 2010-03-30 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2010-03-30 21:32 . 2010-03-30 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Nevosoft
2010-03-30 20:42 . 2010-03-30 20:42 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\Dragon Altar Games
2010-03-29 23:07 . 2010-03-29 23:07 60704 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-28 17:41 . 2010-03-28 17:41 -------- d-----w- c:\temp\DMTemp
2010-03-26 17:30 . 2010-03-26 17:30 -------- d-----w- c:\documents and settings\Jean Johnson\Local Settings\Application Data\Archaeologists
2010-03-26 00:40 . 2010-03-30 01:11 5918720 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-25 23:50 . 2010-03-25 23:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-25 22:23 . 2010-03-25 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\FileCure
2010-03-25 21:59 . 2010-03-29 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-25 21:59 . 2010-03-30 01:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-25 21:59 . 2010-03-29 19:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 21:34 . 2010-03-25 21:34 -------- d-----w- c:\windows\RegCure
2010-03-25 19:38 . 2010-04-03 00:23 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-25 19:38 . 2010-03-25 19:38 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-25 19:38 . 2010-03-25 19:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-25 18:37 . 2010-03-25 18:37 -------- d-----w- C:\Malicious Software
2010-03-25 17:57 . 2010-04-02 16:16 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-25 04:17 . 2008-04-14 00:12 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2010-03-25 04:17 . 2008-04-14 00:12 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-03-20 23:41 . 2010-03-20 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Happyville__
2010-03-18 23:30 . 2010-03-18 23:30 -------- d-----w- c:\documents and settings\Jean Johnson\Local Settings\Application Data\Unity
2010-03-13 18:49 . 2010-03-14 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Deadtime Stories
2010-03-10 21:45 . 2010-03-10 21:45 -------- d-----w- c:\windows\Cache
2010-03-08 20:09 . 2010-03-26 01:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-08 20:09 . 2010-03-26 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-08 13:36 . 2010-03-08 13:39 23113 ----a-w- c:\windows\hpqins15.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-04 22:56 . 2009-09-05 16:00 -------- d-----w- c:\program files\AOL 9.1
2010-04-04 22:08 . 2009-09-04 23:55 -------- d-----w- c:\program files\LimeWire
2010-04-04 16:37 . 2009-09-04 23:48 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\DMCache
2010-04-04 16:12 . 2010-02-19 13:04 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\HPAppData
2010-04-04 00:46 . 2009-09-05 15:30 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\LimeWire
2010-04-02 15:26 . 2009-09-05 19:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-28 23:30 . 2010-02-08 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Playrix Entertainment
2010-03-28 20:07 . 2009-09-04 23:47 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\Vso
2010-03-26 02:10 . 2009-09-15 22:43 -------- d-----w- c:\program files\Realore
2010-03-25 17:35 . 2009-09-05 00:59 60704 -c--a-w- c:\documents and settings\Jean Johnson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-25 14:10 . 2004-08-12 13:55 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-09 14:08 . 2009-10-30 00:20 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-01 23:11 . 2009-10-13 22:57 -------- d-----w- c:\program files\DVDFab 6
2010-03-01 21:33 . 2010-03-01 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2010-03-01 21:00 . 2010-03-01 20:53 -------- d-----w- c:\program files\Any DVD Cloner Platinum
2010-03-01 20:28 . 2010-03-01 20:28 -------- d-----w- c:\program files\Aiseesoft Studio
2010-02-26 20:26 . 2010-02-18 18:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-02-26 20:26 . 2010-02-18 18:51 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\ArcSoft
2010-02-25 06:24 . 2004-08-12 14:09 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 02:12 . 2009-09-04 23:56 -------- d-----w- c:\program files\InstallShield Installation Information
2010-02-22 18:44 . 2010-02-22 18:44 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\HP
2010-02-22 03:21 . 2010-02-20 06:57 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\Janes Realty2
2010-02-18 19:58 . 2010-02-18 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-02-18 19:50 . 2010-02-18 19:35 186748 ----a-w- c:\windows\hpwins23.dat
2010-02-18 19:47 . 2009-09-05 02:58 -------- d-----w- c:\program files\HP
2010-02-18 19:47 . 2010-02-18 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-02-18 19:47 . 2010-02-18 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-02-18 19:39 . 2010-02-18 19:39 -------- d-----w- c:\program files\Common Files\HP
2010-02-18 19:04 . 2010-02-18 19:04 -------- d-----w- c:\program files\Common Files\Real
2010-02-18 18:50 . 2010-02-18 18:49 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-02-18 18:49 . 2010-02-18 18:49 -------- d-----w- c:\program files\ArcSoft
2010-02-18 18:49 . 2010-02-18 18:49 -------- d-----w- c:\program files\Philips
2010-02-18 18:48 . 2010-02-18 18:48 -------- d-----w- c:\documents and settings\Jean Johnson\Application Data\InstallShield
2010-02-14 01:17 . 2009-09-06 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2010-02-07 19:21 . 2009-09-05 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-02-05 03:56 . 2010-02-05 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Top Evidence
2010-01-06 04:07 . 2010-01-06 03:34 22 ----a-w- c:\windows\popcinfot.dat
2010-01-06 03:34 . 2010-01-06 03:34 0 ----a-w- c:\windows\popcreg.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\documents and settings\Jean Johnson\My Documents\idman .exe" [2008-08-10 2594224]
"AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" [2008-11-06 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"chk_mdv241"="c:\program files\MDV241\chk_mdv241" [X]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-05-09 135168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-04 149280]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-05-09 53248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"HostManager"="c:\program files\Common Files\AOL\1252166423\ee\AOLSoftware.exe" [2008-06-24 41824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-6-25 614531]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-6-8 16432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirSchedulerService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1252166423\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
mStart Page = hxxp://www.att.net
uInternet Settings,ProxyOverride = localhost
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: Download all links with IDM - c:\documents and settings\Jean Johnson\My Documents\IEGetAll.htm
IE: Download FLV video content with IDM - c:\documents and settings\Jean Johnson\My Documents\IEGetVL.htm
IE: Download with IDM - c:\documents and settings\Jean Johnson\My Documents\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {8646A6AF-0AE4-4BF8-B716-DB1513803972} - hxxp://riteaid.storefront.com/images/global/activex/SFImageUpload1_8.CAB
FF - ProfilePath - c:\documents and settings\Jean Johnson\Application Data\Mozilla\Firefox\Profiles\2bb145ye.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\documents and settings\Jean Johnson\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
FF - plugin: c:\documents and settings\Jean Johnson\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-User Protection - c:\program files\User Protection\usrprot.exe
HKCU-Run-dbf70700.exe - c:\documents and settings\Jean Johnson\Application Data\4C117E5EFB08794131F70A99787C08CE\dbf70700.exe
HKCU-Run-dbf70700 .exe - c:\documents and settings\Jean Johnson\Application Data\4C117E5EFB08794131F70A99787C08CE\dbf70700 .exe
HKLM-Run-fepubosile - tiseluwi.dll
HKLM-Run-BarbieGirlsTray - c:\program files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-04 19:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-04 19:05:00
ComboFix-quarantined-files.txt 2010-04-04 23:04
ComboFix2.txt 2010-04-04 16:42

Pre-Run: 60,512,641,024 bytes free
Post-Run: 60,494,188,544 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,4,5
- - End Of File - - E05ADE65D97F85F8ED76C43C6A6381B6
Upload was successful



EsetScan:
C:\Qoobox\Quarantine\C\WINDOWS\ifoqicacepe.dll.vir a variant of Win32/Cimag.CA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir Win32/PrcView application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.VM trojan cleaned - quarantined
C:\System Volume Information\_restore{FCD8E4FE-ADBF-4E6C-A63F-5D117C2DDC21}\RP2\A0000152.exe Win32/Adware.AntimalwareDoctor application cleaned by deleting - quarantined
C:\System Volume Information\_restore{FCD8E4FE-ADBF-4E6C-A63F-5D117C2DDC21}\RP2\A0001274.exe a variant of Win32/Kryptik.DJA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{FCD8E4FE-ADBF-4E6C-A63F-5D117C2DDC21}\RP4\A0002625.exe a variant of Win32/Kryptik.DKW trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{FCD8E4FE-ADBF-4E6C-A63F-5D117C2DDC21}\RP4\A0003678.exe a variant of Win32/Kryptik.DKW trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{FCD8E4FE-ADBF-4E6C-A63F-5D117C2DDC21}\RP4\A0003679.exe a variant of Win32/Kryptik.DKW trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{FCD8E4FE-ADBF-4E6C-A63F-5D117C2DDC21}\RP4\A0003680.exe a variant of Win32/Kryptik.DKW trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{FCD8E4FE-ADBF-4E6C-A63F-5D117C2DDC21}\RP4\A0003681.exe a variant of Win32/Kryptik.DKW trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{FCD8E4FE-ADBF-4E6C-A63F-5D117C2DDC21}\RP4\A0004720.dll a variant of Win32/PSW.Papras.AW trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{FCD8E4FE-ADBF-4E6C-A63F-5D117C2DDC21}\RP5\A0004774.dll a variant of Win32/Cimag.CA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{FCD8E4FE-ADBF-4E6C-A63F-5D117C2DDC21}\RP5\A0004782.exe Win32/PrcView application cleaned by deleting - quarantined
C:\System Volume Information\_restore{FCD8E4FE-ADBF-4E6C-A63F-5D117C2DDC21}\RP5\A0004871.dll a variant of Win32/PSW.Papras.AW trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{FCD8E4FE-ADBF-4E6C-A63F-5D117C2DDC21}\RP5\snapshot\MFEX-1.DAT a variant of Win32/PSW.Papras.AW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\charprep.dll a variant of Win32/PSW.Papras.AW trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\system32\rundll32.exe.delme239 a variant of Win32/Kryptik.DJG trojan cleaned by deleting - quarantined


#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:12 PM

Posted 05 April 2010 - 07:04 AM

You still have Avira disabled in msconfig. Open msconfig, click the Services tab, then check AntiVirSchedulerService, then click OK and reboot the computer.

Once rebooted, open Avira and tell me if it is enabled or disabled.


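A way to verify the service state syler asks about without clicking through msconfig, as an added example that is not part of the thread. AntiVirSchedulerService is the service named above; AntiVirService (the guard behind avguard.exe) is assumed, and the msconfig registry key is where msconfig records services it has disabled.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the affected XP machine.
# Checks that the Avira services are set to start automatically and are actually running,
# then lists anything msconfig itself has switched off.
$expected = @('AntiVirSchedulerService', 'AntiVirService')   # second name is an assumption

foreach ($name in $expected) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        Write-Output ("{0,-26} NOT INSTALLED" -f $name)
        continue
    }
    # A service left unchecked in msconfig shows StartMode=Disabled and State=Stopped here.
    $verdict = if ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running') { 'OK' } else { 'CHECK' }
    Write-Output ("{0,-26} StartMode={1,-9} State={2,-8} {3}" -f $name, $svc.StartMode, $svc.State, $verdict)
}

# msconfig keeps a record of the services it disabled under this key; an entry here that the
# user never created is worth asking about, since malware also turns off security services.
$msconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\services'
if (Test-Path $msconfigKey) {
    Write-Output "Services currently disabled through msconfig:"
    (Get-ItemProperty $msconfigKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Output ("  " + $_.Name) }
} else {
    Write-Output "msconfig has not disabled any services."
}
```

Both Avira lines should read OK and the msconfig list should be empty before the machine is considered back to normal.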

#15 roaddie

roaddie
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Female
  • Location:Ohio
  • Local time:08:12 AM

Posted 05 April 2010 - 09:06 AM

Avira is now working; it comes on when I turn on my PC, where before it was not, and I didn't even notice that it wasn't coming up when I turned on my PC. But it seems to be working now. I went back to msconfig and made sure that it was enabled, and it states that it is running. I also turned back on most of the things that I had originally disabled. Am I finally clean, or do I need more work?
And I wonder if that is how I got the trojans, from Avira being disabled (I did not disable it in the beginning, though); I don't know how it got disabled.
Okay, I will await your next response. I really appreciate your help.



