
Redirect Virus, atapi.sys rootkit


  • This topic is locked
15 replies to this topic

#1 DrewCon18

DrewCon18

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:12 AM

Posted 12 April 2010 - 12:30 AM

Hi, I'm having a problem with a Google redirect virus that I just can't seem to clean from my computer. It sounds like a lot of people are having problems very similar to mine at the moment, so hopefully I can get some much needed support. I have run dozens of scans with a variety of different malware and spyware programs, but none of them seem to fix the Google redirect problem (3 days of non-stop scans and fixes). I tried using TDSSKiller, which identified the atapi.sys file as a potential rootkit, but it was unable to fix the problem. I would like to try ComboFix to hopefully resolve this issue, but I read that this was unwise without proper supervision. Attached is a copy of the GMER log file that was produced after I ran a scan. Thanks in advance for your time and help!!!

Update: I ran a scan using Dr. Web CureIt (first time using this software) and it identified several infections and numerous suspicious files. At one point it asked me if I wanted to "move" the files, so I clicked "Yes to all". When the scan finished, it said that it had eradicated backdoor.tdss.565 and moved several files. Everything else it identified was left blank under the Actions Taken column. If I select one of these items, the option to "cure" is greyed out. Do I need to do more, or has Dr. Web already quarantined these files??? The Dr. Web log file is attached.

Attached Files


Edited by Budapest, 12 April 2010 - 07:51 PM.
Posts merged ~BP





#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:12 AM

Posted 12 April 2010 - 08:09 PM

Hello DrewCon18,

It seems you're infected with one of the new TDL3 rootkit infections. Let's see what we can do here. More information on this rootkit can be found here: http://rootbiez.blogspot.com/2009/11/rootk...s-lets-put.html

The GMER log is very helpful here, as it indicates the "real" driver that needs replacing and fixing. Please do NOT run ComboFix unless I tell you to.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    intelide.sy*
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results soon.
  • Follow the instructions that pop up for posting the results and then click Ok.
  • The black window and message box shall then disappear.
  • Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

I'll review the logs tomorrow afternoon once I come back as it's getting late here, please refrain from using the computer or doing too much fixing yourself in the meantime as it can change the results.

Thanks.

With Regards,
Extremeboy

Edited by extremeboy, 12 April 2010 - 08:09 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 DrewCon18

DrewCon18
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:12 AM

Posted 12 April 2010 - 08:44 PM

The SystemLook log file is as follows:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:15 on 12/04/2010 by Andrew (Administrator - Elevation successful)

========== filefind ==========

Searching for "intelide.sy*"
C:\I386\INTELIDE.SYS --a--- 5504 bytes [02:05 21/08/2005] [03:59 04/08/2004] 2D722B2B54AB55B2FA475EB58D7B2AAD
C:\WINDOWS\$NtServicePackUninstall$\intelide.sys -----c 5504 bytes [00:20 07/08/2008] [03:59 04/08/2004] 2D722B2B54AB55B2FA475EB58D7B2AAD
C:\WINDOWS\ServicePackFiles\i386\intelide.sys ------ 5504 bytes [00:18 05/08/2008] [18:40 13/04/2008] B5466A9250342A7AA0CD1FBA13420678
C:\WINDOWS\SYSTEM32\DRIVERS\intelide.sys --a--- 5504 bytes [03:59 04/08/2004] [18:40 13/04/2008] B5466A9250342A7AA0CD1FBA13420678
C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\i386\intelide.sys --a--- 5504 bytes [15:45 11/08/2005] [03:59 04/08/2004] 2D722B2B54AB55B2FA475EB58D7B2AAD

-=End Of File=-

The DDS log file is as follows:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Andrew at 21:35:02.93 on Mon 04/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1463 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Andrew\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Windows Internet Explorer provided by Comcast
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office 2007\office12\GrooveMonitor.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [HPHUPD04] "c:\program files\hp photosmart 11\hphinstall\unipatch\hphupd04.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Google Search - c:\program files\google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\googletoolbar.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi69df~1\office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\google\googletoolbar.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\googletoolbar.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi69df~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi69df~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi69df~1\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi69df~1\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrew\applic~1\mozilla\firefox\profiles\4q4z9a0i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\andrew\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-10 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-14 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-18 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-18 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-18 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-13 308064]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-17 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-17 1095560]

=============== Created Last 30 ================

2010-04-12 05:36:12 0 d-----w- c:\documents and settings\andrew\DoctorWeb
2010-04-12 04:38:59 0 dc-h--w- c:\windows\ie8
2010-04-12 04:35:01 0 d-----w- C:\0081ee64d55fbdfd32
2010-04-11 07:24:07 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-04-11 07:23:57 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-11 00:33:41 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-11 00:33:26 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-11 00:33:26 0 d-----w- c:\docume~1\andrew\applic~1\SUPERAntiSpyware.com
2010-04-10 05:54:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-10 05:34:39 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-10 05:27:29 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-10 05:27:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-10 05:27:20 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-10 04:58:29 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-10 04:58:10 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-10 04:55:53 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-10 04:55:15 0 d-----w- c:\program files\Lavasoft
2010-04-08 22:41:56 0 d-----w- c:\docume~1\andrew\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-04-07 17:59:42 0 d-----w- c:\program files\iPod
2010-04-07 17:59:32 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-06 19:22:52 0 d-----w- c:\program files\Bonjour
2010-04-02 02:51:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-27 18:36:22 0 d-----w- c:\program files\Windows Media Connect 2
2010-03-27 00:02:30 567 ----a-w- C:\hpfr5550.xml
2010-03-27 00:00:10 0 d-----w- c:\program files\HP Photosmart 11
2010-03-26 23:49:58 0 d-----w- c:\temp\photosmart
2010-03-26 23:49:57 0 d-----w- C:\temp
2010-03-26 05:45:11 10752 ------w- c:\windows\system32\rspndr.exe
2010-03-26 05:45:10 62848 ------w- c:\windows\system32\drivers\rspndr.sys
2010-03-19 19:11:06 35 ----a-w- c:\windows\system32\3870807e
2010-03-19 19:06:56 817 ----a-w- c:\windows\system32\1760593785
2010-03-19 06:39:22 203776 --sh--w- c:\windows\system32\unrar.exe
2010-03-19 06:39:22 0 d-----w- c:\windows\system32\1522720798
2010-03-19 06:39:09 112 ----a-w- c:\windows\system32\534754e0
2010-03-19 06:39:08 0 d-sh--w- C:\System Volume Data
2010-03-18 01:53:42 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-03-18 01:53:42 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-04-02 02:50:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 06:12:25 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-13 06:12:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-13 06:11:20 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 12:38:51 133120 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-02-12 15:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-08-07 03:54:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080620080807\index.dat

============= FINISH: 21:36:18.17 ===============

Thanks again for the help.

Attached Files


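As an added example that is not part of this thread and not SystemLook's own code: a small parser for the ":filefind" block posted above, which compares the MD5 of the driver Windows actually loads (the copy under system32\drivers) with every cached or backup copy, the comparison a helper makes to decide whether a clean replacement already exists on the machine. It assumes SystemLook's line layout exactly as quoted above, and a hash that matches a backup is necessary but not sufficient evidence of a clean file, because a kernel rootkit can filter what user-mode tools read from disk, which is why the GMER cross-view matters in this thread.

```python
import re
from collections import defaultdict

# Constructed sample input: the ":filefind" block from the SystemLook log
# posted in this thread, reused here as test data.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
========== filefind ==========

Searching for "intelide.sy*"
C:\I386\INTELIDE.SYS --a--- 5504 bytes [02:05 21/08/2005] [03:59 04/08/2004] 2D722B2B54AB55B2FA475EB58D7B2AAD
C:\WINDOWS\$NtServicePackUninstall$\intelide.sys -----c 5504 bytes [00:20 07/08/2008] [03:59 04/08/2004] 2D722B2B54AB55B2FA475EB58D7B2AAD
C:\WINDOWS\ServicePackFiles\i386\intelide.sys ------ 5504 bytes [00:18 05/08/2008] [18:40 13/04/2008] B5466A9250342A7AA0CD1FBA13420678
C:\WINDOWS\SYSTEM32\DRIVERS\intelide.sys --a--- 5504 bytes [03:59 04/08/2004] [18:40 13/04/2008] B5466A9250342A7AA0CD1FBA13420678
C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\i386\intelide.sys --a--- 5504 bytes [15:45 11/08/2005] [03:59 04/08/2004] 2D722B2B54AB55B2FA475EB58D7B2AAD

-=End Of File=-
"""

# One SystemLook file line: path, six attribute flags, size, two bracketed
# timestamps (created, modified) and a 32-hex-digit MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per file line; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def is_active_driver(path):
    # The copy the kernel loads lives under system32\drivers. Every other hit
    # (I386, ServicePackFiles, $NtServicePackUninstall$, ReinstallBackups) is
    # an installer cache or backup that can serve as a replacement source.
    return "\\system32\\drivers\\" in path.lower()


def assess(entries):
    """Compare the loaded driver against every backup copy by MD5 and size."""
    active = [e for e in entries if is_active_driver(e["path"])]
    backups = [e for e in entries if not is_active_driver(e["path"])]
    if len(active) != 1:
        return {"status": "ambiguous", "active": [e["path"] for e in active]}
    act = active[0]
    by_hash = defaultdict(list)
    for e in backups:
        by_hash[e["md5"]].append(e["path"])
    matching = by_hash.get(act["md5"], [])
    size_mismatch = [e["path"] for e in backups if e["size"] != act["size"]]
    # A driver whose hash matches no cached copy at all is the case where a
    # helper would replace it from a backup; differing hashes across backups
    # are expected when SP2- and SP3-era copies coexist, as in this log.
    status = "matches_backup" if matching else "no_backup_matches"
    return {
        "status": status,
        "active_path": act["path"],
        "active_md5": act["md5"],
        "matching_backups": matching,
        "other_versions": {h: p for h, p in by_hash.items() if h != act["md5"]},
        "size_mismatch": size_mismatch,
    }


if __name__ == "__main__":
    result = assess(parse_filefind(SAMPLE_LOG))
    print(result["status"], result["active_path"], result["active_md5"])
    for p in result["matching_backups"]:
        print("  identical backup copy:", p)
    for h, paths in result["other_versions"].items():
        print("  other version", h, "at", ", ".join(paths))
```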

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:12 AM

Posted 12 April 2010 - 08:58 PM

Hello.

Okay, let's actually run ComboFix. It probably won't deal with it automatically, which will require us to do some more work after that, but we'll see.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


#6 DrewCon18

DrewCon18
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:12 AM

Posted 12 April 2010 - 11:56 PM

The ComboFix log is listed below. It does not appear to have solved the problem, but hopefully we're moving in the right direction.

ComboFix 10-04-12.03 - Andrew 04/13/2010 0:13.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1380 [GMT -4:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Andrew\Application Data\020000009b292bae854C.manifest
c:\documents and settings\Andrew\Application Data\020000009b292bae854O.manifest
c:\documents and settings\Andrew\Application Data\020000009b292bae854P.manifest
c:\documents and settings\Andrew\Application Data\020000009b292bae854S.manifest
c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\extensions\{ba1b965e-603f-4206-ac4d-b9fd52da27f9}
c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\extensions\{ba1b965e-603f-4206-ac4d-b9fd52da27f9}\chrome.manifest
c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\extensions\{ba1b965e-603f-4206-ac4d-b9fd52da27f9}\chrome\xulcache.jar
c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\extensions\{ba1b965e-603f-4206-ac4d-b9fd52da27f9}\defaults\preferences\xulcache.js
c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\extensions\{ba1b965e-603f-4206-ac4d-b9fd52da27f9}\install.rdf
c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\extensions\{cf00e132-17a7-4c85-befc-51fe2a17d403}
c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\extensions\{cf00e132-17a7-4c85-befc-51fe2a17d403}\chrome.manifest
c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\extensions\{cf00e132-17a7-4c85-befc-51fe2a17d403}\chrome\xulcache.jar
c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\extensions\{cf00e132-17a7-4c85-befc-51fe2a17d403}\defaults\preferences\xulcache.js
c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\extensions\{cf00e132-17a7-4c85-befc-51fe2a17d403}\install.rdf
c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\extensions\{fc363151-dd2a-4457-b402-af8576f015f6}
c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\extensions\{fc363151-dd2a-4457-b402-af8576f015f6}\chrome.manifest
c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\extensions\{fc363151-dd2a-4457-b402-af8576f015f6}\chrome\xulcache.jar
c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\extensions\{fc363151-dd2a-4457-b402-af8576f015f6}\defaults\preferences\xulcache.js
c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\extensions\{fc363151-dd2a-4457-b402-af8576f015f6}\install.rdf
C:\dvglbk.exe
c:\windows\system32\1522720798
c:\windows\system32\unrar.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-13 04:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-04-13 04:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2010-04-12 05:36 . 2010-04-12 16:33 -------- d-----w- c:\documents and settings\Andrew\DoctorWeb
2010-04-12 05:31 . 2010-04-12 05:31 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-12 04:38 . 2010-04-12 04:40 -------- dc-h--w- c:\windows\ie8
2010-04-12 04:35 . 2010-04-12 04:35 -------- d-----w- C:\0081ee64d55fbdfd32
2010-04-11 07:24 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-04-11 07:23 . 2010-04-13 01:09 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-11 00:34 . 2010-04-11 00:34 52224 ----a-w- c:\documents and settings\Andrew\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-11 00:34 . 2010-04-11 00:34 117760 ----a-w- c:\documents and settings\Andrew\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-11 00:33 . 2010-04-11 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-11 00:33 . 2010-04-11 00:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-11 00:33 . 2010-04-11 00:33 -------- d-----w- c:\documents and settings\Andrew\Application Data\SUPERAntiSpyware.com
2010-04-10 20:06 . 2010-04-10 20:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-10 09:55 . 2010-04-10 09:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-10 05:54 . 2010-04-10 04:58 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-10 05:34 . 2010-04-10 05:34 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-10 05:27 . 2010-04-11 07:50 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-10 05:27 . 2010-04-10 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-10 05:27 . 2010-04-10 05:27 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-10 04:57 . 2010-04-10 04:57 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-04-10 04:57 . 2010-04-10 04:57 329560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-04-10 04:57 . 2010-04-10 04:57 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-04-10 04:57 . 2010-04-10 04:57 966104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-10 04:57 . 2010-04-10 04:57 849744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-04-10 04:57 . 2010-04-10 04:57 855864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-04-10 04:57 . 2010-04-10 04:57 1597952 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-04-10 04:57 . 2010-04-10 04:57 818256 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-04-10 04:57 . 2010-04-10 04:57 1265264 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-04-10 04:55 . 2010-04-10 04:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-10 04:55 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-04-10 04:55 . 2010-04-10 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-10 04:55 . 2010-04-10 04:55 -------- d-----w- c:\program files\Lavasoft
2010-04-08 22:41 . 2010-04-08 22:41 -------- d-----w- c:\documents and settings\Andrew\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-04-08 22:39 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Andrew\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-08 22:38 . 2010-04-08 22:38 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-08 22:38 . 2010-04-08 22:38 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-04-08 22:37 . 2010-04-09 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-08 13:46 . 2010-04-08 13:46 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-07 17:59 . 2010-04-07 17:59 -------- d-----w- c:\program files\iPod
2010-04-07 17:59 . 2010-04-07 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-07 17:55 . 2010-04-07 17:56 -------- d-----w- c:\program files\QuickTime
2010-04-07 17:51 . 2010-04-07 17:51 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-06 19:22 . 2010-04-06 19:22 -------- d-----w- c:\program files\Bonjour
2010-04-01 13:02 . 2010-04-01 13:02 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-01 13:02 . 2010-04-01 13:02 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-01 13:02 . 2010-04-01 13:02 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-01 13:02 . 2010-04-01 13:02 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxch32.dll
2010-04-01 13:02 . 2010-04-01 13:02 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-01 13:02 . 2010-04-01 13:02 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-01 13:02 . 2010-04-01 13:02 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-01 13:02 . 2010-04-01 13:02 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-01 13:02 . 2010-04-01 13:02 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-01 13:02 . 2010-04-01 13:02 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-01 13:02 . 2010-04-01 13:02 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-01 13:02 . 2010-04-01 13:02 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-01 13:00 . 2010-04-01 13:00 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-01 13:00 . 2010-04-01 13:00 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-27 18:36 . 2010-03-27 18:36 -------- d-----w- c:\program files\Windows Media Connect 2
2010-03-27 18:34 . 2010-03-27 18:35 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-03-27 00:00 . 2010-03-27 00:00 -------- d-----w- c:\program files\HP Photosmart 11
2010-03-26 23:49 . 2010-03-26 23:59 -------- d-----w- c:\temp\photosmart
2010-03-26 23:49 . 2010-03-26 23:49 -------- d-----w- C:\temp
2010-03-26 05:45 . 2008-05-29 12:04 10752 ------w- c:\windows\system32\rspndr.exe
2010-03-26 05:45 . 2008-05-29 12:04 62848 ------w- c:\windows\system32\drivers\rspndr.sys
2010-03-25 18:14 . 2010-03-26 18:42 -------- d-----w- c:\documents and settings\Andrew\Application Data\vlc
2010-03-19 06:39 . 2010-03-19 06:39 -------- d-----w- C:\System Volume Data

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 03:55 . 2009-01-25 00:00 -------- d-----w- c:\documents and settings\Andrew\Application Data\DNA
2010-04-13 03:41 . 2009-01-25 00:00 -------- d-----w- c:\program files\DNA
2010-04-13 01:04 . 2009-01-17 17:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-10 19:27 . 2006-02-08 21:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-08 22:40 . 2005-08-24 00:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-08 03:58 . 2005-08-21 03:29 -------- d-----w- c:\program files\Full Tilt Poker
2010-04-08 03:47 . 2008-10-18 05:06 -------- d-----w- c:\documents and settings\Andrew\Application Data\LimeWire
2010-04-07 19:55 . 2009-01-18 22:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:55 . 2010-01-04 07:04 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-07 19:53 . 2009-02-17 23:38 -------- d-----w- c:\program files\Spyware Doctor
2010-04-07 18:01 . 2009-06-02 17:13 -------- d-----w- c:\program files\iTunes
2010-04-07 17:59 . 2007-09-06 00:31 -------- d-----w- c:\program files\Common Files\Apple
2010-04-06 03:03 . 2007-09-05 23:42 -------- d-----w- c:\documents and settings\Andrew\Application Data\BitTorrent
2010-04-05 17:59 . 2008-08-27 21:49 -------- d-----w- c:\documents and settings\Andrew\Application Data\U3
2010-04-05 02:11 . 2009-01-23 04:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-02 02:50 . 2008-11-24 19:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-01 15:49 . 2005-08-11 15:54 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 04:46 . 2009-01-18 22:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-01-18 22:05 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 06:12 . 2009-02-18 21:35 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-13 06:12 . 2010-03-13 06:12 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-13 06:12 . 2009-02-18 21:34 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 06:11 . 2009-02-18 21:35 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 05:39 . 2010-03-11 05:39 -------- d-----w- c:\program files\SopCast
2010-03-06 21:45 . 2010-03-06 21:45 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-22 01:36 . 2009-01-19 06:44 -------- d-----w- c:\program files\AVG
2010-02-22 01:35 . 2010-02-22 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-12 22:59 . 2005-08-11 15:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-12 15:46 . 2010-02-12 15:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-04 15:53 . 2010-04-10 04:58 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-27 18:47 . 2010-01-27 18:47 503808 ----a-w- c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4d28d1e7-n\msvcp71.dll
2010-01-27 18:47 . 2010-01-27 18:47 499712 ----a-w- c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4d28d1e7-n\jmc.dll
2010-01-27 18:47 . 2010-01-27 18:47 348160 ----a-w- c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4d28d1e7-n\msvcr71.dll
2010-01-27 18:47 . 2010-01-27 18:47 61440 ----a-w- c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-290a1fff-n\decora-sse.dll
2010-01-27 18:47 . 2010-01-27 18:47 12800 ----a-w- c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-290a1fff-n\decora-d3d.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-08 323392]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"GrooveMonitor"="c:\program files\Microsoft Office 2007\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-13 06:12 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Andrew\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2008-12-08 18:33 1173384 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg9wd"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsGui.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [4/10/2010 12:58 AM 64288]
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [9/14/2009 5:31 PM 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2/18/2009 5:35 PM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2/18/2009 5:35 PM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1265264]
S0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [9/12/2008 8:51 PM 717296]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/17/2009 7:39 PM 348752]
S4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 2:12 AM 308064]
.
Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 04:57]

2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-13 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2010-03-26 19:07]

2010-04-13 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2010-03-26 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI69DF~1\Office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\googletoolbar.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Andrew\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-HPHUPD04 - c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
SafeBoot-klmdb.sys
AddRemove-CCenter - c:\documents and settings\Andrew\Application Data\CCenter\uninstall.exe
AddRemove-Macromedia Shockwave Player - c:\windows\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-13 00:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A7D2AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76bbf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74ae852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
NDIS: Linksys Wireless-G PCI Network Adapter with SpeedBooster -> SendCompleteHandler -> NDIS.sys @ 0xf7b3abb0
PacketIndicateHandler -> NDIS.sys @ 0xf7b47a21
SendHandler -> NDIS.sys @ 0xf7b2587b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2010-04-13 00:32:36
ComboFix-quarantined-files.txt 2010-04-13 04:32

Pre-Run: 7,602,700,288 bytes free
Post-Run: 8,249,405,440 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 22A592C32D4279B84838A749B8199809

Edited by DrewCon18, 12 April 2010 - 11:58 PM.


#7 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 13 April 2010 - 03:28 PM

Hello.

Combofix installed the Recovery Console, from what I can see. We are going to use that.

Reboot your computer and press the F8 button as soon as the BIOS starts loading. Go back to the OS Choice Menu and select Windows Recovery Console. Follow through the prompts, and when asked to type in the number of the Windows installation you want to repair (usually 1), then press Enter. Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.

Now you should be at the C:\Windows prompt. Please type the following bolded entries, and press 'Enter' (note the spaces) upon completion of each line:

cd c:\windows\system32\drivers
ren intelide.sys intelide.old
copy C:\WINDOWS\ServicePackFiles\i386\intelide.sys c:\windows\system32\drivers


You should see a message '1 file copied' after inputting the last line. If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths. If asked to overwrite the file, please allow it.

Type exit and press 'Enter'. Your computer should reboot.

Then run Combofix again.

Thanks.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

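The Recovery Console step above replaces one driver by hand with the copy kept under ServicePackFiles\i386. As an added example (not from this thread, and not code from ComboFix, GMER or any other tool named here), the following PowerShell script performs the same comparison from a normal Windows session for a list of drivers, so a defender can see which installed drivers no longer match their Service Pack copy before deciding what to restore. The directory layout and the driver names atapi.sys and intelide.sys come from the logs above; the function names, the SHA-256 choice and the status labels are my own assumptions.

```powershell
# Added example, not part of the thread. Assumes a Windows XP layout where
# %SystemRoot%\ServicePackFiles\i386 still holds the original driver files.
# Uses the .NET SHA256 class directly so it also runs on old PowerShell versions
# that lack Get-FileHash.

function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha.Clear()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Compare-DriverToBackup {
    param(
        [string[]]$DriverNames,
        [string]$DriverDir = "$env:SystemRoot\system32\drivers",
        [string]$BackupDir = "$env:SystemRoot\ServicePackFiles\i386"
    )
    foreach ($name in $DriverNames) {
        $installed = Join-Path $DriverDir $name
        $backup    = Join-Path $BackupDir $name
        $result = New-Object PSObject -Property @{
            Driver    = $name
            Installed = $installed
            Status    = 'UNKNOWN'
        }
        if (-not (Test-Path $installed)) {
            # Same situation ComboFix reported for proquota.exe in the log above.
            $result.Status = 'MISSING'
        } elseif (-not (Test-Path $backup)) {
            # Nothing to compare against; the file was not shipped with the Service Pack.
            $result.Status = 'NO-BACKUP'
        } else {
            $hInstalled = Get-Sha256Hex $installed
            $hBackup    = Get-Sha256Hex $backup
            if ($hInstalled -eq $hBackup) {
                $result.Status = 'MATCH'
            } else {
                # Equal size but different hash is what an in-place patched driver looks
                # like: the log above lists atapi.sys at 96512 bytes in both locations.
                $result.Status = 'MISMATCH'
            }
            $result | Add-Member -MemberType NoteProperty -Name InstalledSize -Value (Get-Item $installed).Length
            $result | Add-Member -MemberType NoteProperty -Name BackupSize    -Value (Get-Item $backup).Length
        }
        $result
    }
}

# Drivers named in this thread; extend the list as needed.
Compare-DriverToBackup -DriverNames @('atapi.sys', 'intelide.sys') | Format-Table -AutoSize
```

A MISMATCH is a reason to look closer, not proof of infection: a driver updated by a later hotfix legitimately differs from its Service Pack copy, so compare the file version and the dllcache copy as well before replacing anything. A rootkit that hooks the disk stack, as the GMER output above shows for \Driver\atapi, can also hide its changes from a running system, which is why the replacement itself is done from the Recovery Console rather than from within Windows.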

#8 DrewCon18

  • Topic Starter
  • Members
  • 10 posts

Posted 13 April 2010 - 04:51 PM

New Combofix log is as follows:

ComboFix 10-04-13.02 - Andrew 04/13/2010 17:28:05.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1429 [GMT -4:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-13 04:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-04-13 04:24 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2010-04-12 05:36 . 2010-04-12 16:33 -------- d-----w- c:\documents and settings\Andrew\DoctorWeb
2010-04-12 05:31 . 2010-04-12 05:31 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-12 04:38 . 2010-04-12 04:40 -------- dc-h--w- c:\windows\ie8
2010-04-12 04:35 . 2010-04-12 04:35 -------- d-----w- C:\0081ee64d55fbdfd32
2010-04-11 07:24 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-04-11 07:23 . 2010-04-13 01:09 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-11 00:33 . 2010-04-11 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-11 00:33 . 2010-04-13 05:20 -------- d-----w- c:\documents and settings\Andrew\Application Data\SUPERAntiSpyware.com
2010-04-11 00:33 . 2010-04-13 05:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-10 20:06 . 2010-04-10 20:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-10 09:55 . 2010-04-10 09:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-10 05:54 . 2010-04-10 04:58 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-10 05:34 . 2010-04-10 05:34 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-10 05:27 . 2010-04-11 07:50 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-10 05:27 . 2010-04-10 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-10 05:27 . 2010-04-10 05:27 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-10 04:57 . 2010-04-10 04:57 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-04-10 04:57 . 2010-04-10 04:57 329560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-04-10 04:57 . 2010-04-10 04:57 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-04-10 04:57 . 2010-04-10 04:57 966104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-10 04:57 . 2010-04-10 04:57 849744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-04-10 04:57 . 2010-04-10 04:57 855864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-04-10 04:57 . 2010-04-10 04:57 1597952 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-04-10 04:57 . 2010-04-10 04:57 818256 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-04-10 04:57 . 2010-04-10 04:57 1265264 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-04-10 04:55 . 2010-04-10 04:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-10 04:55 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-04-10 04:55 . 2010-04-10 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-10 04:55 . 2010-04-10 04:55 -------- d-----w- c:\program files\Lavasoft
2010-04-08 22:41 . 2010-04-08 22:41 -------- d-----w- c:\documents and settings\Andrew\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-04-08 22:39 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Andrew\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-08 22:38 . 2010-04-08 22:38 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-08 22:38 . 2010-04-08 22:38 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-04-08 22:37 . 2010-04-09 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-08 13:46 . 2010-04-08 13:46 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-07 17:59 . 2010-04-07 17:59 -------- d-----w- c:\program files\iPod
2010-04-07 17:59 . 2010-04-07 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-07 17:55 . 2010-04-07 17:56 -------- d-----w- c:\program files\QuickTime
2010-04-07 17:51 . 2010-04-07 17:51 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-06 19:22 . 2010-04-06 19:22 -------- d-----w- c:\program files\Bonjour
2010-04-01 13:02 . 2010-04-01 13:02 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-01 13:02 . 2010-04-01 13:02 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-01 13:02 . 2010-04-01 13:02 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-01 13:02 . 2010-04-01 13:02 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxch32.dll
2010-04-01 13:02 . 2010-04-01 13:02 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-01 13:02 . 2010-04-01 13:02 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-01 13:02 . 2010-04-01 13:02 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-01 13:02 . 2010-04-01 13:02 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-01 13:02 . 2010-04-01 13:02 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-01 13:02 . 2010-04-01 13:02 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-01 13:02 . 2010-04-01 13:02 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-01 13:02 . 2010-04-01 13:02 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-01 13:00 . 2010-04-01 13:00 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-01 13:00 . 2010-04-01 13:00 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-27 18:36 . 2010-03-27 18:36 -------- d-----w- c:\program files\Windows Media Connect 2
2010-03-27 18:34 . 2010-03-27 18:35 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-03-27 00:00 . 2010-03-27 00:00 -------- d-----w- c:\program files\HP Photosmart 11
2010-03-26 23:49 . 2010-03-26 23:59 -------- d-----w- c:\temp\photosmart
2010-03-26 23:49 . 2010-03-26 23:49 -------- d-----w- C:\temp
2010-03-26 05:45 . 2008-05-29 12:04 10752 ------w- c:\windows\system32\rspndr.exe
2010-03-26 05:45 . 2008-05-29 12:04 62848 ------w- c:\windows\system32\drivers\rspndr.sys
2010-03-25 18:14 . 2010-03-26 18:42 -------- d-----w- c:\documents and settings\Andrew\Application Data\vlc
2010-03-19 06:39 . 2010-03-19 06:39 -------- d-----w- C:\System Volume Data

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 21:35 . 2009-01-25 00:00 -------- d-----w- c:\documents and settings\Andrew\Application Data\DNA
2010-04-13 21:25 . 2009-01-25 00:00 -------- d-----w- c:\program files\DNA
2010-04-13 05:16 . 2006-02-08 21:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-13 01:04 . 2009-01-17 17:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-08 22:40 . 2005-08-24 00:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-08 03:58 . 2005-08-21 03:29 -------- d-----w- c:\program files\Full Tilt Poker
2010-04-08 03:47 . 2008-10-18 05:06 -------- d-----w- c:\documents and settings\Andrew\Application Data\LimeWire
2010-04-07 19:55 . 2009-01-18 22:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:55 . 2010-01-04 07:04 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-07 19:53 . 2009-02-17 23:38 -------- d-----w- c:\program files\Spyware Doctor
2010-04-07 18:01 . 2009-06-02 17:13 -------- d-----w- c:\program files\iTunes
2010-04-07 17:59 . 2007-09-06 00:31 -------- d-----w- c:\program files\Common Files\Apple
2010-04-06 03:03 . 2007-09-05 23:42 -------- d-----w- c:\documents and settings\Andrew\Application Data\BitTorrent
2010-04-05 17:59 . 2008-08-27 21:49 -------- d-----w- c:\documents and settings\Andrew\Application Data\U3
2010-04-05 02:11 . 2009-01-23 04:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-02 02:50 . 2008-11-24 19:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-01 15:49 . 2005-08-11 15:54 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 04:46 . 2009-01-18 22:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-01-18 22:05 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 06:12 . 2009-02-18 21:35 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-13 06:12 . 2010-03-13 06:12 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-13 06:12 . 2009-02-18 21:34 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 06:11 . 2009-02-18 21:35 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 05:39 . 2010-03-11 05:39 -------- d-----w- c:\program files\SopCast
2010-03-06 21:45 . 2010-03-06 21:45 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-25 06:24 . 2004-08-04 10:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-22 01:36 . 2009-01-19 06:44 -------- d-----w- c:\program files\AVG
2010-02-22 01:35 . 2010-02-22 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-12 22:59 . 2005-08-11 15:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-12 15:46 . 2010-02-12 15:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-04 15:53 . 2010-04-10 04:58 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-27 18:47 . 2010-01-27 18:47 503808 ----a-w- c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4d28d1e7-n\msvcp71.dll
2010-01-27 18:47 . 2010-01-27 18:47 499712 ----a-w- c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4d28d1e7-n\jmc.dll
2010-01-27 18:47 . 2010-01-27 18:47 348160 ----a-w- c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4d28d1e7-n\msvcr71.dll
2010-01-27 18:47 . 2010-01-27 18:47 61440 ----a-w- c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-290a1fff-n\decora-sse.dll
2010-01-27 18:47 . 2010-01-27 18:47 12800 ----a-w- c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-290a1fff-n\decora-d3d.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-04-13_04.26.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-13 20:52 . 2010-04-13 20:52 16384 c:\windows\Temp\Perflib_Perfdata_ac.dat
- 2005-08-11 15:45 . 2010-04-13 04:02 54280 c:\windows\SYSTEM32\PERFC009.DAT
+ 2005-08-11 15:45 . 2010-04-13 21:26 54280 c:\windows\SYSTEM32\PERFC009.DAT
- 2006-11-08 01:03 . 2009-03-08 08:31 55296 c:\windows\SYSTEM32\msfeedsbs.dll
+ 2006-11-08 01:03 . 2010-02-25 06:24 55296 c:\windows\SYSTEM32\msfeedsbs.dll
+ 2004-08-04 10:00 . 2010-02-25 06:24 25600 c:\windows\SYSTEM32\jsproxy.dll
- 2004-08-04 10:00 . 2009-03-08 08:33 25600 c:\windows\SYSTEM32\jsproxy.dll
+ 2009-06-10 04:34 . 2010-02-25 06:24 12800 c:\windows\SYSTEM32\DLLCACHE\xpshims.dll
- 2009-06-10 04:34 . 2009-04-30 21:22 12800 c:\windows\SYSTEM32\DLLCACHE\xpshims.dll
- 2007-06-27 14:34 . 2009-03-08 08:31 55296 c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
+ 2007-06-27 14:34 . 2010-02-25 06:24 55296 c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
- 2007-06-14 18:09 . 2009-03-08 08:33 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2007-06-14 18:09 . 2010-02-25 06:24 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2010-04-13 05:56 . 2009-03-08 08:33 12288 c:\windows\ie8updates\KB980182-IE8\xpshims.dll
+ 2010-04-13 05:56 . 2009-03-08 08:31 55296 c:\windows\ie8updates\KB980182-IE8\msfeedsbs.dll
+ 2010-04-13 05:56 . 2009-03-08 08:33 25600 c:\windows\ie8updates\KB980182-IE8\jsproxy.dll
+ 2008-08-05 00:18 . 2008-04-13 18:40 5504 c:\windows\SYSTEM32\DRIVERS\intelide.sys
- 2004-08-04 03:59 . 2008-04-13 18:40 5504 c:\windows\SYSTEM32\DRIVERS\intelide.sys
+ 2005-08-11 15:45 . 2010-04-13 21:26 384596 c:\windows\SYSTEM32\PERFH009.DAT
- 2005-08-11 15:45 . 2010-04-13 04:02 384596 c:\windows\SYSTEM32\PERFH009.DAT
+ 2004-08-04 10:00 . 2010-02-25 06:24 206848 c:\windows\SYSTEM32\occache.dll
- 2004-08-04 10:00 . 2009-03-08 08:32 611840 c:\windows\SYSTEM32\mstime.dll
+ 2004-08-04 10:00 . 2010-02-25 06:24 611840 c:\windows\SYSTEM32\mstime.dll
- 2006-11-08 01:03 . 2009-03-08 08:32 594432 c:\windows\SYSTEM32\msfeeds.dll
+ 2006-11-08 01:03 . 2010-02-25 06:24 594432 c:\windows\SYSTEM32\msfeeds.dll
- 2004-08-04 10:00 . 2009-03-08 08:33 726528 c:\windows\SYSTEM32\jscript.dll
+ 2004-08-04 10:00 . 2009-12-09 05:53 726528 c:\windows\SYSTEM32\jscript.dll
+ 2004-08-04 10:00 . 2010-02-25 06:24 184320 c:\windows\SYSTEM32\iepeers.dll
+ 2004-08-04 10:00 . 2010-02-25 06:24 387584 c:\windows\SYSTEM32\iedkcs32.dll
+ 2004-08-04 10:00 . 2010-02-24 09:54 173056 c:\windows\SYSTEM32\ie4uinit.exe
- 2004-08-04 10:00 . 2009-03-08 08:32 173056 c:\windows\SYSTEM32\ie4uinit.exe
+ 2007-06-26 14:09 . 2010-02-25 06:24 916480 c:\windows\SYSTEM32\DLLCACHE\wininet.dll
+ 2006-10-17 16:04 . 2010-02-25 06:24 206848 c:\windows\SYSTEM32\DLLCACHE\occache.dll
+ 2007-06-14 18:09 . 2010-02-25 06:24 611840 c:\windows\SYSTEM32\DLLCACHE\mstime.dll
- 2007-06-14 18:09 . 2009-03-08 08:32 611840 c:\windows\SYSTEM32\DLLCACHE\mstime.dll
- 2007-06-27 14:34 . 2009-03-08 08:32 594432 c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2007-06-27 14:34 . 2010-02-25 06:24 594432 c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2008-05-09 10:53 . 2009-12-09 05:53 726528 c:\windows\SYSTEM32\DLLCACHE\jscript.dll
- 2008-05-09 10:53 . 2009-03-08 08:33 726528 c:\windows\SYSTEM32\DLLCACHE\jscript.dll
+ 2009-06-10 04:33 . 2010-02-25 06:24 247808 c:\windows\SYSTEM32\DLLCACHE\ieproxy.dll
+ 2007-06-14 18:09 . 2010-02-25 06:24 184320 c:\windows\SYSTEM32\DLLCACHE\iepeers.dll
+ 2006-11-07 07:27 . 2010-02-25 06:24 387584 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
+ 2006-11-07 07:26 . 2010-02-24 09:54 173056 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
- 2006-11-07 07:26 . 2009-03-08 08:32 173056 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
+ 2010-04-13 05:56 . 2009-03-08 08:34 914944 c:\windows\ie8updates\KB980182-IE8\wininet.dll
+ 2010-04-13 05:56 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB980182-IE8\spuninst\updspapi.dll
+ 2010-04-13 05:56 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB980182-IE8\spuninst\spuninst.exe
+ 2010-04-13 05:56 . 2009-03-08 08:34 109568 c:\windows\ie8updates\KB980182-IE8\occache.dll
+ 2010-04-13 05:56 . 2009-03-08 08:32 611840 c:\windows\ie8updates\KB980182-IE8\mstime.dll
+ 2010-04-13 05:56 . 2009-03-08 08:32 594432 c:\windows\ie8updates\KB980182-IE8\msfeeds.dll
+ 2010-04-13 05:56 . 2009-03-08 08:33 246784 c:\windows\ie8updates\KB980182-IE8\ieproxy.dll
+ 2010-04-13 05:56 . 2009-03-08 08:31 183808 c:\windows\ie8updates\KB980182-IE8\iepeers.dll
+ 2010-04-13 05:56 . 2009-03-08 18:09 391536 c:\windows\ie8updates\KB980182-IE8\iedkcs32.dll
+ 2010-04-13 05:56 . 2009-03-08 08:32 173056 c:\windows\ie8updates\KB980182-IE8\ie4uinit.exe
+ 2010-04-13 05:56 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-04-13 05:56 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-04-13 05:56 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
+ 2010-04-13 05:55 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2010-04-13 05:55 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2010-04-13 05:55 . 2009-03-08 08:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2004-08-04 10:00 . 2010-02-25 06:24 1209344 c:\windows\SYSTEM32\urlmon.dll
+ 2004-08-04 10:00 . 2010-02-25 06:24 5944832 c:\windows\SYSTEM32\mshtml.dll
+ 2006-10-17 15:57 . 2010-02-25 06:24 1985536 c:\windows\SYSTEM32\iertutil.dll
+ 2007-06-14 18:09 . 2010-02-25 06:24 1209344 c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
+ 2007-06-14 18:09 . 2010-02-25 06:24 5944832 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2007-06-27 14:34 . 2010-02-25 06:24 1985536 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
+ 2010-04-13 05:56 . 2009-03-08 08:34 1206784 c:\windows\ie8updates\KB980182-IE8\urlmon.dll
+ 2010-04-13 05:56 . 2009-03-08 08:41 5937152 c:\windows\ie8updates\KB980182-IE8\mshtml.dll
+ 2010-04-13 05:56 . 2009-03-08 08:32 1985024 c:\windows\ie8updates\KB980182-IE8\iertutil.dll
+ 2006-11-08 01:03 . 2010-02-25 15:54 11070976 c:\windows\SYSTEM32\ieframe.dll
+ 2007-06-27 14:34 . 2010-02-25 15:54 11070976 c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
+ 2010-04-13 05:56 . 2009-03-08 08:39 11063808 c:\windows\ie8updates\KB980182-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-08 323392]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"GrooveMonitor"="c:\program files\Microsoft Office 2007\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-13 06:12 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Andrew\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2008-12-08 18:33 1173384 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsGui.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [4/10/2010 12:58 AM 64288]
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [9/14/2009 5:31 PM 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2/18/2009 5:35 PM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2/18/2009 5:35 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 2:12 AM 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1265264]
S0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [9/12/2008 8:51 PM 717296]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/17/2009 7:39 PM 348752]
.
Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 04:57]

2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-13 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2010-03-26 19:07]

2010-04-13 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2010-03-26 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI69DF~1\Office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\googletoolbar.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\4q4z9a0i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Andrew\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-13 17:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1168)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-13 17:47:35
ComboFix-quarantined-files.txt 2010-04-13 21:47
ComboFix2.txt 2010-04-13 04:32

Pre-Run: 8,247,709,696 bytes free
Post-Run: 8,283,848,704 bytes free

- - End Of File - - 7C304DCADCB4D2B23F63DFFB71590DE3


#9 DrewCon18

DrewCon18
  • Topic Starter

  • Members
  • 10 posts

Posted 13 April 2010 - 04:56 PM

I'm not 100% sure, but I think this may have solved the redirect problem. Is there anything else that I need to do? If not, then thanks for the help. I really appreciate it.

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 13 April 2010 - 05:01 PM

Hello.

QUOTE
I'm not 100% sure, but I think this may have solved the redirect problem. Is there anything else that I need to do? If not, then thanks for the help. I really appreciate it.

Yup, that fixed it, and the ComboFix log also shows that. However, we're not 100% done yet, please stick with me until the end.

I got to go run but will be back in an hour, and provide further instructions on what to do.

Thanks.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 13 April 2010 - 06:01 PM

Hello.

That's looking good.

Let's get an online scan now. Almost done. ;)

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy



#12 DrewCon18

DrewCon18
  • Topic Starter

  • Members
  • 10 posts

Posted 14 April 2010 - 12:29 AM

The Kaspersky online scan report is as follows (2 threats were found):

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, April 14, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, April 13, 2010 19:47:08
Records in database: 3939804
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 221714
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 05:27:21


File name / Threat / Threats count
C:\Documents and Settings\Andrew\DoctorWeb\Quarantine\29643996-3087a279 Infected: Trojan-Downloader.Java.Agent.aj 1
C:\WINDOWS\SYSTEM32\DRIVERS\intelide.old Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.

The DDS report is as follows:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Andrew at 1:19:48.25 on Wed 04/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1091 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Documents and Settings\Andrew\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office 2007\office12\GrooveMonitor.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: &Google Search - c:\program files\google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\googletoolbar.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi69df~1\office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\google\googletoolbar.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\googletoolbar.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi69df~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi69df~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi69df~1\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi69df~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrew\applic~1\mozilla\firefox\profiles\4q4z9a0i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\andrew\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-10 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-14 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-18 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-18 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-18 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-13 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-17 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-17 1095560]

=============== Created Last 30 ================

2010-04-13 04:24:52 50176 ----a-w- c:\windows\system32\proquota.exe
2010-04-13 04:24:52 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2010-04-13 04:00:52 0 d-sha-r- C:\cmdcons
2010-04-13 03:58:07 77312 ----a-w- c:\windows\MBR.exe
2010-04-13 03:58:07 261632 ----a-w- c:\windows\PEV.exe
2010-04-13 03:58:07 161792 ----a-w- c:\windows\SWREG.exe
2010-04-13 03:58:06 98816 ----a-w- c:\windows\sed.exe
2010-04-12 05:36:12 0 d-----w- c:\documents and settings\andrew\DoctorWeb
2010-04-12 04:38:59 0 dc-h--w- c:\windows\ie8
2010-04-12 04:35:01 0 d-----w- C:\0081ee64d55fbdfd32
2010-04-11 07:24:07 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-04-11 07:23:57 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-11 00:33:41 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-11 00:33:26 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-11 00:33:26 0 d-----w- c:\docume~1\andrew\applic~1\SUPERAntiSpyware.com
2010-04-10 05:54:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-10 05:34:39 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-10 05:27:29 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-10 05:27:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-10 05:27:20 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-10 04:58:29 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-10 04:58:10 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-10 04:55:53 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-10 04:55:15 0 d-----w- c:\program files\Lavasoft
2010-04-08 22:41:56 0 d-----w- c:\docume~1\andrew\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-04-07 17:59:42 0 d-----w- c:\program files\iPod
2010-04-07 17:59:32 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-06 19:22:52 0 d-----w- c:\program files\Bonjour
2010-04-02 02:51:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-27 18:36:22 0 d-----w- c:\program files\Windows Media Connect 2
2010-03-27 00:02:30 567 ----a-w- C:\hpfr5550.xml
2010-03-27 00:00:10 0 d-----w- c:\program files\HP Photosmart 11
2010-03-26 23:49:58 0 d-----w- c:\temp\photosmart
2010-03-26 23:49:57 0 d-----w- C:\temp
2010-03-26 05:45:11 10752 ------w- c:\windows\system32\rspndr.exe
2010-03-26 05:45:10 62848 ------w- c:\windows\system32\drivers\rspndr.sys
2010-03-19 19:11:06 35 ----a-w- c:\windows\system32\3870807e
2010-03-19 19:06:56 817 ----a-w- c:\windows\system32\1760593785
2010-03-19 06:39:09 112 ----a-w- c:\windows\system32\534754e0
2010-03-19 06:39:08 0 d-----w- C:\System Volume Data
2010-03-18 01:53:42 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-03-18 01:53:42 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-04-02 02:50:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 06:12:25 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-13 06:12:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-13 06:11:20 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 12:38:51 133120 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-02-25 15:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-12 15:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-08-07 03:54:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080620080807\index.dat

============= FINISH: 1:20:19.10 ===============


I'm not seeing any additional symptoms, but my computer does seem to be running a little slower than usual since running combofix.


#13 DrewCon18 (Topic Starter)

Posted 14 April 2010 - 10:39 PM

Update: My firewall recently started asking me if I wanted to block an executable file called LEXPPS.exe. My firewall has never asked me to block this program in the past. I read online that it is a Lexmark printer program for networking printers. I do own a Dell printer (not networked), which apparently is made by Lexmark. I also use an HP printer that is networked. Anyways, I read that this program is sometimes hijacked so I thought I'd mention it.

#14 extremeboy (Malware Response Team)

Posted 16 April 2010 - 03:15 PM

Hello again.

Sorry for the delay. I had some things I needed to do and could not respond. Back now, so let's get back to work.

---
Regarding what Kaspersky detected, those are both considered under quarantine and not active, so they are of no harm. Feel free to delete and remove them though.

Uninstall this older version of Java:
J2SE Runtime Environment 5.0 Update 4

QUOTE
Update: My firewall recently started asking me if I wanted to block an executable file called LEXPPS.exe. My firewall has never asked me to block this program in the past. I read online that it is a Lexmark printer program for networking printers. I do own a Dell printer (not networked), which apparently is made by Lexmark. I also use an HP printer that is networked. Anyways, I read that this program is sometimes hijacked so I thought I'd mention it.

Yes, it is part of the Lexmark Printer Sharing application, which allows you to share a printer over a network. I wouldn't worry about it. You can deny it and see if that affects your printer or not; if not, then that's good. If so, I would allow it.

The logs look good. You're clean! Let's wrap up then.

Please follow/read the steps below to remove the tools we used and for some more information.


Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean!

Now that you are clean, please follow and read some of the prevention tips below.

Preventing Infections in the Future


Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

Some of the main things you should consider to perform/read are:
  • Disabling Autorun/Play on Flash-Drive/Removable Drives
  • Avoid gaming sites, underground web pages, pirated software sites, and Peer to Peer Programs
  • Keep Windows Updated through going to Windows Updates
  • Updating Non-Microsoft Programs
  • Keeping security software updated

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us, and good luck.


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks.

With Regards,
Extremeboy

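The first prevention item in the post above, disabling Autorun on removable drives, is normally done by following the linked guide by hand. The following PowerShell is an added example and is not code from extremeboy's post or from BleepingComputer's guides; it applies the documented Windows registry policy values for Autorun (NoDriveTypeAutoRun, HonorAutorunSetting for XP/2003 with KB967715, and the IniFileMapping entry that makes Windows ignore autorun.inf files) and then verifies that all of them took effect. It assumes an elevated (Administrator) prompt; the function names are this example's own.

```powershell
# Added example, not from the thread: disable Autorun for every drive type using
# the registry policy values Windows itself honours. Run from an elevated prompt.

function Set-AutorunDisabled {
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }

    # 0xFF sets the bit for every drive type, so no drive (USB stick, CD, network
    # share, unknown) triggers Autorun.
    Set-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF

    # Windows XP/2003 only enforce NoDriveTypeAutoRun correctly once KB967715 is
    # installed AND this flag is set; on Vista and later it is harmless.
    Set-ItemProperty -Path $policy -Name 'HonorAutorunSetting' -Type DWord -Value 1

    # Belt and braces: map autorun.inf to a registry key that does not exist, so the
    # shell never reads any autorun.inf at all, whatever the policy bits say.
    $map = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    if (-not (Test-Path $map)) { New-Item -Path $map -Force | Out-Null }
    Set-ItemProperty -Path $map -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-AutorunDisabled {
    # Returns $true only when all three settings are in the hardened state, so the
    # check fails loudly if the script was run without the rights to write HKLM.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $map = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $m = Get-ItemProperty -Path $map -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.NoDriveTypeAutoRun -eq 0xFF -and
            $p.HonorAutorunSetting -eq 1 -and
            $null -ne $m -and $m.'(default)' -eq '@SYS:DoesNotExist')
}

Set-AutorunDisabled
if (Test-AutorunDisabled) {
    'Autorun is disabled for all drive types.'
} else {
    'Autorun settings were not applied; re-run from an elevated prompt.'
}
```

The verification step matters more than it looks: a non-elevated run silently fails to write under HKLM, and without the read-back a user would believe the machine was hardened when it was not. The change takes effect for newly inserted media without a reboot; existing Explorer sessions may need a log off and on.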

#15 DrewCon18 (Topic Starter)

Posted 16 April 2010 - 04:17 PM

Great, thanks again for the help.



