Browser Redirects - Summary Post w/All Requested Files


56 replies to this topic

#1 Michele W

Michele W

  • Members
  • 44 posts

Posted 13 April 2010 - 09:54 AM

Hi, since last week I am infected with something that is causing my browsers to launch new tabs on their own, going to strange websites. Sometimes the new site appears to be benign (a search site, or online flower shop, etc.), but more often it's a site that triggers a Warning! dialogue box from my AVG 8, telling me that it has just blocked a malicious site. However, despite that assurance, popup boxes immediately begin to appear, resembling the Windows Security Center but with different names (XP antispyware tool, etc.) They warn me that I must purchase their software if I want to rid my computer of all its malware. Similarly, an icon appears in my QuickLaunch, where it persistently pops up dire warnings.

Then ZoneAlarm asks me for permission to run ave.exe, which I deny.

At that point I run Malwarebytes, which finds 9 or 10 trojans (or whatever they're called) -- Rogue.MultipleAV (ave.exe), Hijack.ExeFile, Hijack.StartMenuInternet, and a bunch of HKEY entries telling me that files in my Security Center have been Disabled. I tell Malwarebytes to fix this stuff. I then run SuperAntispyware, which finds nothing but Adware tracking cookies. I then run Spybot, which finds nothing at all. Ditto my AVG scanner. I've even run these scans while not connected to the Internet (after installing Updates for each one) and I've also run a couple of them in Safemode.

So it feels like I'm clean.....

Until the next time I open my browser (Firefox 3.6 or IE8, it happens in both of them) and start surfing, whereupon the same thing happens again....the tabs launch by themselves -- not always immediately and not one right after another -- sometimes it's 5 or 10 minutes between occurrences -- I close each tab as quickly as I can, but before too long one of them hits upon a bad site and before I can scramble to close it, I'm infected again with the Rogue/Hijack stuff.

I did run one Spybot scan about a week ago, when this started happening, which found Virtumonde, which is the first and only time I've seen that one. I'm wondering if part of Virtumonde is still on my computer?

Prior to this whole thing starting, I had never had a lick of trouble with this 2005 IBM Thinkpad z60t. It is running Service Pack 2.

Hope someone can help!

All best,
Michele

Attached Files




#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts

Posted 17 April 2010 - 08:36 AM

Hello and welcome to Bleeping Computer. :)

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


++++++++++++++++++++++++++++++++


One or more of the identified infections is a Rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.


++++++++++++++++++++++++++++++++


If you do not wish to reformat, please do the following:

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2
  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouseclick ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper.

Edited by sempai, 17 April 2010 - 08:38 AM.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Michele W

Michele W
  • Topic Starter

  • Members
  • 44 posts

Posted 17 April 2010 - 11:49 AM

Hi, sempai,

Thank you so much for helping me! I am dismayed at this news. I read through the Identity Theft and Reformatting pages you referred me to. I disconnected from the Internet and used a clean computer to change all my important passwords. Now I'm trying to decide what to do.

Does this trojan/virus/rootkit have a specific name? My AVG resident shield had been popping up a warning that drivers/dmio.sys is infected with the Win32/Patched.DO virus -- is that the one causing the problems?

All best,
Michele

#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts

Posted 17 April 2010 - 12:08 PM

Hi Michele,

QUOTE
Does this trojan/virus/rootkit have a specific name? My AVG resident shield had been popping up a warning that drivers/dmio.sys is infected with the Win32/Patched.DO virus -- is that the one causing the problems?

Yes, dmio.sys is a legitimate driver but got infected by TDL3/TDSS rootkit.

Information about this rootkit can be found here:
http://www.symantec.com/security_response/...-091809-0911-99
http://www.rootkit.com/blog.php?newsid=970
http://threatinfo.trendmicro.com/vinfo/art...111209-TDSS.xml


Please let me know if we will proceed with the cleaning process, sorry about the bad news.

~Semp



#5 Michele W

Michele W
  • Topic Starter

  • Members
  • 44 posts

Posted 17 April 2010 - 02:15 PM

Hi, sempai,

I just read all three links you pointed me to -- thank you!

I think I am wanting to give the Combofix cleaning process a try, but first I'd like to ask.....this TDL3/TDSS rootkit that I have, is it different from the Virut/Virux rootkit thing I've been reading so much about, the one that can attach to html/php files? Since I have a website and I've uploaded some files to it recently, I'm very concerned.



#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts

Posted 17 April 2010 - 09:02 PM

Yes TDL3 is different from Virut.

~Semp



#7 Michele W

Michele W
  • Topic Starter

  • Members
  • 44 posts

Posted 18 April 2010 - 08:26 AM

Hi, sempai,

Here you go!


ComboFix 10-04-17.05 - Michele Welton 04/18/2010 9:01.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.190 [GMT -5:00]
Running from: c:\documents and settings\Michele Welton\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Michele Welton\Local Settings\Application Data\{5A63BC15-97D7-4F1E-A5FC-024374BAE7C7}
c:\documents and settings\Michele Welton\Local Settings\Application Data\{5A63BC15-97D7-4F1E-A5FC-024374BAE7C7}\chrome.manifest
c:\documents and settings\Michele Welton\Local Settings\Application Data\{5A63BC15-97D7-4F1E-A5FC-024374BAE7C7}\chrome\content\_cfg.js
c:\documents and settings\Michele Welton\Local Settings\Application Data\{5A63BC15-97D7-4F1E-A5FC-024374BAE7C7}\chrome\content\overlay.xul
c:\documents and settings\Michele Welton\Local Settings\Application Data\{5A63BC15-97D7-4F1E-A5FC-024374BAE7C7}\install.rdf
c:\windows\desktop
c:\windows\desktop\QuickSilver.LNK
c:\windows\system32\Thumbs.db
c:\windows\system32\tmp.reg
c:\windows\winhelp.ini

Infected copy of c:\windows\system32\drivers\dmio.sys was found and disinfected
Restored copy from - Kitty had a snack :P
c:\windows\system32\dbghlp.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-15 00:38 . 2010-04-15 00:38 -------- d-----w- C:\$AVG
2010-04-13 03:40 . 2010-04-13 03:40 -------- d-----w- c:\documents and settings\Michele Welton\Application Data\AVG9
2010-04-13 02:45 . 2010-04-13 02:45 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-13 02:45 . 2010-04-13 02:45 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-13 02:45 . 2010-04-13 02:45 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-13 02:45 . 2010-04-13 02:45 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-13 02:44 . 2010-04-13 02:44 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-13 02:44 . 2010-04-13 02:44 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-13 02:44 . 2010-04-13 02:44 4250976 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-13 02:44 . 2010-04-13 02:44 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-13 02:44 . 2010-04-13 02:44 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-13 02:44 . 2010-04-13 02:44 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-13 02:44 . 2010-04-13 02:44 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-13 02:44 . 2010-04-13 02:44 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-13 02:42 . 2010-04-13 02:42 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-13 02:42 . 2010-04-13 02:42 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-13 02:27 . 2010-04-13 02:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-13 02:27 . 2010-04-13 02:27 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-13 02:27 . 2010-04-13 02:27 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-13 02:27 . 2010-04-13 02:27 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-13 02:27 . 2010-04-17 00:13 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-13 02:26 . 2010-04-13 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-12 23:54 . 2010-04-12 23:54 52224 ----a-w- c:\documents and settings\Michele Welton\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-12 23:54 . 2010-04-12 23:54 117760 ----a-w- c:\documents and settings\Michele Welton\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-12 23:31 . 2010-04-12 23:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-12 23:30 . 2010-04-12 23:30 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-12 23:29 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 23:29 . 2010-04-12 23:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-12 23:29 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-12 23:12 . 2010-04-13 16:04 -------- d-----w- C:\HijackThis
2010-04-12 22:02 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-12 18:04 . 2010-04-12 18:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-10 03:36 . 2010-04-12 12:15 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-10 03:35 . 2010-04-10 03:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-10 02:52 . 2010-04-10 02:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-10 02:52 . 2010-04-10 02:52 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-09 19:56 . 2009-11-22 20:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-04-09 19:56 . 2009-11-22 20:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-04-09 19:56 . 2009-11-22 20:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-04-09 19:56 . 2010-04-09 19:57 -------- d-----w- c:\windows\system32\ZoneLabs
2010-04-09 19:56 . 2010-04-09 19:56 -------- d-----w- c:\program files\Zone Labs
2010-04-09 12:22 . 2010-04-09 12:22 120 ----a-w- c:\windows\Fbegupa.dat
2010-04-09 12:22 . 2010-04-09 12:22 0 ----a-w- c:\windows\Ylelu.bin
2010-04-08 17:01 . 2010-04-13 02:37 -------- d-----w- c:\program files\Citrix
2010-04-08 17:01 . 2010-04-08 17:01 60744 ----a-w- c:\documents and settings\Michele Welton\g2mdlhlpx.exe
2010-04-03 15:25 . 2010-04-03 15:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-02 16:51 . 2010-04-02 16:51 -------- d-----w- c:\program files\AVG
2010-04-02 14:31 . 2010-04-02 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-02 14:31 . 2010-04-12 23:53 -------- d-----w- c:\documents and settings\Michele Welton\Application Data\SUPERAntiSpyware.com
2010-04-02 13:37 . 2010-04-18 13:55 -------- d-----w- c:\windows\Internet Logs
2010-04-02 13:29 . 2010-04-02 13:29 -------- d-----w- c:\documents and settings\Michele Welton\Application Data\Malwarebytes
2010-04-02 13:29 . 2010-04-02 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-02 13:28 . 2010-04-12 23:55 -------- d-----w- c:\program files\_Twice the Geek
2010-04-02 11:28 . 2010-04-02 11:28 -------- d-sh--w- c:\documents and settings\Michele Welton\IECompatCache
2010-04-02 11:24 . 2010-04-02 11:24 -------- d-sh--w- c:\documents and settings\Michele Welton\PrivacIE
2010-04-02 11:06 . 2010-04-02 11:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-02 11:05 . 2010-04-02 11:05 -------- d-sh--w- c:\documents and settings\Michele Welton\IETldCache
2010-04-02 10:59 . 2010-04-02 11:02 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 14:00 . 2010-04-09 21:57 23630754 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-18 13:42 . 2005-12-26 17:21 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-18 02:24 . 1980-01-01 08:00 153344 ----a-w- c:\windows\system32\drivers\dmio.sys
2010-04-13 02:23 . 2008-02-23 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-12 23:45 . 2005-12-20 03:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-12 15:04 . 2010-04-12 15:03 19215227 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2010_04_12_09_57_24_full.dmp.zip
2010-04-11 03:34 . 2005-12-25 19:30 -------- d-----w- c:\documents and settings\Michele Welton\Application Data\ThinkVantage
2010-04-10 14:25 . 2005-12-20 04:09 -------- d-----w- c:\program files\IBM ThinkVantage
2010-04-09 19:57 . 2006-10-16 02:15 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-03 19:30 . 2005-12-20 04:05 -------- d-----w- c:\program files\ThinkVantage
2010-04-03 19:18 . 2005-12-20 03:56 -------- d-----w- c:\program files\ThinkPad
2010-04-03 19:18 . 2005-12-20 03:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-02 22:30 . 2005-12-20 03:57 -------- d-----w- c:\program files\Common Files\Virtual Token
2010-04-02 14:05 . 2009-01-19 21:53 -------- d-----w- c:\program files\Lavasoft
2010-04-02 14:05 . 2009-01-19 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-02 13:59 . 2005-12-20 04:17 40 ----a-w- c:\windows\system32\profile.dat
2010-04-02 02:38 . 2005-12-20 04:11 -------- d-----w- c:\program files\Symantec Client Security
2010-03-25 20:06 . 2005-12-25 19:49 20032 -c--a-w- c:\documents and settings\Michele Welton\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 22:02 . 2010-03-14 21:48 -------- d-----w- c:\program files\Canon
2010-03-14 21:50 . 2010-03-14 21:50 -------- d--h--w- c:\program files\CanonBJ
2010-03-12 20:08 . 2010-03-12 20:08 -------- d-----w- c:\program files\MozBackup
2009-01-20 14:23 . 2009-01-20 14:24 90382 -c--a-w- c:\program files\ToolTipFixer 1.0.1.exe
2008-03-04 02:23 . 2008-03-04 02:23 1357 ----a-w- c:\program files\VISCOI.EXE.LNK
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-08-25 408064]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-08-01 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 512000]
"TpShocks"="TpShocks.exe" [2005-06-23 86016]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-19 127037]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-08-10 139264]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-08-10 208896]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-13 02:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 07:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-17 06:23 24576 ------w- c:\windows\system32\tphklock.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2005-07-14 21:38 196696 ------w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-07-19 22:29 77824 ------w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-07-19 22:32 94208 ------w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-28 00:50 221184 ------w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-28 00:50 81920 ------w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-07-19 22:33 114688 ------w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\suScheduler]
2005-08-02 01:32 40960 ------w- c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
2005-08-02 09:09 40960 ------w- c:\windows\system32\TP4EX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
2009-11-22 20:42 1037192 ----a-w- c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/19/2009 4:55 PM 64160]
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2/23/2006 8:07 AM 6097]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/12/2010 9:27 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/12/2010 9:27 PM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [4/12/2010 9:26 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/12/2010 9:26 PM 308064]
R2 TTFixerService;NST ToolTipFixer;c:\program files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe [6/27/2007 12:20 AM 10240]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2/23/2006 8:07 AM 299923]
.
Contents of the 'Scheduled Tasks' folder

2010-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-04-18 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-12-20 09:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Download all by YouTube Robot - c:\program files\YouTubeRobot\downall.htm
IE: Download by YouTube Robot - c:\program files\YouTubeRobot\downlink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michele Welton\Application Data\Mozilla\Firefox\Profiles\kf2mx6fh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yourpurebredpuppy.com
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-NavLogon - (no file)
MSConfigStartUp-cssauth - c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe
MSConfigStartUp-PDService - c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 09:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\tphklock.dll
.
Completion time: 2010-04-18 09:09:01
ComboFix-quarantined-files.txt 2010-04-18 14:08

Pre-Run: 15,316,217,856 bytes free
Post-Run: 15,345,401,856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - C8474E725AD8445D4DCEFDB426C5AEDB
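A small triage script for the "Reg Loading Points" and driver lines of the ComboFix log above. This is an added example, not code from the thread, from ComboFix or from BleepingComputer; it assumes the line formats exactly as ComboFix printed them here and embeds a constructed excerpt of those lines as its sample input.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not code from the thread, from ComboFix or from BleepingComputer.
It reads the registry-style section of the log posted above and returns review
flags for the items a helper looks at first: Security Center monitoring switched
off, the Windows Firewall standard profile disabled, drivers whose image file
ComboFix could not locate (the '[?]' marker), and Run entries that name a bare
executable instead of a full path. Flags are prompts for review, not verdicts:
a third-party firewall such as ZoneAlarm legitimately turns the Windows Firewall
off, and a bare Run entry may be a vendor tool that lives in system32.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str      # short machine-readable category
    detail: str    # the product, profile, driver or value that triggered it


# Registry key headers as ComboFix prints them (letter case varies by section).
SECURITY_CENTER_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\(?P<product>[^\]]+)\]$",
    re.IGNORECASE)
FIREWALL_POLICY_KEY = re.compile(
    r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\(?P<profile>[^\]\\]+)\]$",
    re.IGNORECASE)
RUN_KEY = re.compile(
    r"^\[HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\]$",
    re.IGNORECASE)
# Value lines found under those keys.
DISABLE_MONITORING = re.compile(r'^"DisableMonitoring"=dword:(?P<val>[0-9a-f]{1,8})$', re.IGNORECASE)
ENABLE_FIREWALL = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
# Driver/service lines: '<start type> <name>;<display name>;<image> [<date size> or ?]'
DRIVER_LINE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[(?P<info>[^\]]*)\]$")


def parse_reg_loading_points(log_text):
    """Return a list of Finding objects for the review-worthy lines of the section."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            current_key = line          # value lines belong to the most recent key header
            continue
        m = DRIVER_LINE.match(line)
        if m:
            # ComboFix prints '[?]' when the driver image is not on disk where the
            # service entry says it should be; for an R0/S0 boot driver, look closely.
            if m.group("info").strip() == "?":
                findings.append(Finding("driver_image_missing",
                                        f"{m.group('start')} {m.group('name')}: {m.group('image')}"))
            continue
        if current_key is None:
            continue
        key = SECURITY_CENTER_KEY.match(current_key)
        if key:
            v = DISABLE_MONITORING.match(line)
            if v and int(v.group("val"), 16) != 0:
                findings.append(Finding("security_center_monitoring_disabled", key.group("product")))
            continue
        key = FIREWALL_POLICY_KEY.match(current_key)
        if key:
            v = ENABLE_FIREWALL.match(line)
            if v and int(v.group("val")) == 0:
                findings.append(Finding("windows_firewall_disabled", key.group("profile")))
            continue
        if RUN_KEY.match(current_key):
            v = RUN_VALUE.match(line)
            # A bare file name is resolved through the search path at logon, so it is
            # worth confirming which copy of that executable actually runs.
            if v and "\\" not in v.group("path") and ":" not in v.group("path"):
                findings.append(Finding("run_entry_unqualified_path",
                                        f"{v.group('name')} -> {v.group('path')}"))
    return findings


def summarize(findings):
    """Group findings by kind so a helper can read them at a glance."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.kind, []).append(f.detail)
    return grouped


# Constructed excerpt that mirrors the relevant lines of the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2005-06-23 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/19/2009 4:55 PM 64160]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
"""

if __name__ == "__main__":
    for kind, details in summarize(parse_reg_loading_points(SAMPLE_LOG)).items():
        print(kind)
        for d in details:
            print("   ", d)
```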


#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts

Posted 19 April 2010 - 04:57 AM

Hi Michele,

Symantec Client Security folder is present on your log, did you uninstall it already?


+++++++++++++++++++


1. Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    CODE
    :filefind
    dbghlp.dll
  • Hit the Look button. Let it finish the scan
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply



2. Please go to http://virscan.org/
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    c:\documents and settings\Michele Welton\g2mdlhlpx.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



3. We need to execute a ComboFix script. (Tutorials on how to disable your anti-virus and anti-malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
File::
c:\windows\Fbegupa.dat
c:\windows\Ylelu.bin

DirLook::
c:\program files\Symantec Client Security

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
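A search of the kind step 1 above asks SystemLook's :filefind to do, added here as an example and not jpshortstuff's, ComboFix's or sempai's code. It walks a directory tree for a file name, reports size, modification time and SHA-1 for every hit, and flags a name that is one character away from a well-known Windows DLL name (dbghlp.dll against the genuine dbghelp.dll). The reference name list, the demo tree and its file contents are constructed for the example. The logs in this thread show the caveat that goes with any such tool: SystemLook reported no dbghlp.dll, and the ComboFix run made right after it reported c:\windows\system32\dbghlp.dll as infected. A user-mode directory walk sees only what the filesystem shows it, which is why ComboFix ends with catchme's scan for hidden files.

```python
"""Search for a file name under a directory tree, in the spirit of SystemLook's
:filefind (added example; not jpshortstuff's, ComboFix's or sempai's code).
Each hit is reported with size, modification time and SHA-1, and a name that is
one edit away from a well-known Windows DLL (dbghlp.dll vs. dbghelp.dll) is
flagged as a look-alike. A user-mode walk like this sees only what the
filesystem shows it; hidden files are what catchme's rootkit scan is for."""
import hashlib
import os
import tempfile
import time

# Constructed reference list for the look-alike check; a real one would be
# generated from a clean install of the same Windows build.
KNOWN_NAMES = {"dbghelp.dll", "kernel32.dll", "ntdll.dll", "user32.dll"}


def edit_distance(a, b):
    """Levenshtein distance between two strings (used for the look-alike check)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_of(name, known=KNOWN_NAMES):
    """The known DLL name that `name` is exactly one edit away from, else None."""
    name = name.lower()
    if name in known:
        return None
    for candidate in sorted(known):
        if edit_distance(name, candidate) == 1:
            return candidate
    return None


def sha1_of(path):
    """SHA-1 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def filefind(root, target):
    """Case-insensitive search for `target` below `root`; one dict per hit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower() != target.lower():
                continue
            path = os.path.join(dirpath, filename)
            info = os.stat(path)
            hits.append({
                "path": path,
                "size": info.st_size,
                "modified": time.strftime("%Y-%m-%d %H:%M", time.gmtime(info.st_mtime)),
                "sha1": sha1_of(path),
                "lookalike_of": lookalike_of(filename),
            })
    return hits


def run_demo():
    """Build a throwaway tree holding a constructed dbghlp.dll and search it."""
    root = tempfile.mkdtemp(prefix="filefind_demo_")
    system32 = os.path.join(root, "system32")
    os.makedirs(system32)
    with open(os.path.join(system32, "dbghlp.dll"), "wb") as handle:
        handle.write(b"abc")  # placeholder bytes, not a real binary
    return filefind(root, "DBGHLP.DLL")


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

The SHA-1 per hit is what a helper would paste into a scanner such as the VirSCAN step above, so the same file can be compared across machines without uploading it again.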


#9 Michele W

Michele W
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  • Local time:04:30 PM

Posted 19 April 2010 - 06:24 AM

Hi, sempai,

A computer repair guy came to our house two weeks ago. He said he was going to use Norton Removal Tool to remove the Norton/Symantec Firewall etc. He said it was blocking my computer's ability to connect to a newly set-up network, even though I wasn't using it. I was using Zone Alarm. He said he removed it. Apparently he didn't get all of it?



Here are your three logs:


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 06:39 on 19/04/2010 by Michele Welton (Administrator - Elevation successful)

========== filefind ==========

Searching for "dbghlp.dll"
No files found.

-=End Of File=-



VirSCAN.org Scanned Report :
Scanned time : 2010/04/19 06:46:01 (EDT)
Scanner results: Scanners did not find malware!
File Name : g2mdlhlpx.exe
File Size : 60744 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 403ff64073419e6a45d3831f62ed8d4f
SHA1 : f777cc993f0196a88aae0fae85716582b954fed7
Online report : http://virscan.org/report/8c7817f5e82f02da...7cee64c60d.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100419150713 2010-04-19 5.36 -
AhnLab V3 2010.04.19.00 2010.04.19 2010-04-19 1.11 -
AntiVir 8.2.1.220 7.10.6.117 2010-04-19 0.30 -
Antiy 2.0.18 20100419.4208535 2010-04-19 0.12 -
Arcavir 2009 201004190013 2010-04-19 0.24 -
Authentium 5.1.1 201004161205 2010-04-16 1.32 -
AVAST! 4.7.4 100419-0 2010-04-19 0.02 -
AVG 8.5.720 271.1.1/2820 2010-04-19 0.62 -
BitDefender 7.81008.5682081 7.31284 2010-04-19 3.80 -
ClamAV 0.95.3 10756 2010-04-18 0.04 -
Comodo 3.13.579 4642 2010-04-19 2.02 -
CP Secure 1.3.0.5 2010.04.19 2010-04-19 0.13 -
Dr.Web 5.0.2.3300 2010.04.19 2010-04-19 7.03 -
F-Prot 4.4.4.56 20100418 2010-04-18 1.42 -
F-Secure 7.02.73807 2010.04.19.05 2010-04-19 0.34 -
Fortinet 4.0.14 11.702 2010-04-15 0.44 -
GData 19.11033/19.895 20100419 2010-04-19 6.50 -
ViRobot 20100417 2010.04.17 2010-04-17 0.73 -
Ikarus T3.1.01.80 2010.04.19.75661 2010-04-19 6.22 -
JiangMin 13.0.900 2010.04.19 2010-04-19 1.81 -
Kaspersky 5.5.10 2010.04.18 2010-04-18 0.26 -
KingSoft 2009.2.5.15 2010.4.19.17 2010-04-19 0.73 -
McAfee 5400.1158 5955 2010-04-18 0.06 -
Microsoft 1.5605 2010.04.19 2010-04-19 8.35 -
Norman 6.04.11 6.04.00 2010-04-16 4.01 -
Panda 9.05.01 2010.04.18 2010-04-18 3.16 -
Trend Micro 9.120-1004 7.112.07 2010-04-19 0.14 -
Quick Heal 10.00 2010.04.19 2010-04-19 3.11 -
Rising 20.0 22.44.00.04 2010-04-19 1.66 -
Sophos 3.06.0 4.52 2010-04-19 4.64 -
Sunbelt 3.9.2418.2 6194 2010-04-18 13.43 -
Symantec 1.3.0.24 20100418.002 2010-04-18 0.09 -
nProtect 20100419.01 8028667 2010-04-19 8.61 -
The Hacker 6.5.2.0 v00264 2010-04-18 0.45 -
VBA32 3.12.12.4 20100418.2214 2010-04-18 3.06 -
VirusBuster 4.5.11.10 10.124.17/2029311 2010-04-18 2.78 -






ComboFix 10-04-17.05 - Michele Welton 04/19/2010 6:58.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.282 [GMT -5:00]
Running from: c:\documents and settings\Michele Welton\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michele Welton\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\Fbegupa.dat"
"c:\windows\Ylelu.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Fbegupa.dat
c:\windows\Ylelu.bin

c:\windows\system32\dbghlp.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
.

2010-04-18 21:20 . 2010-04-18 21:20 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-04-15 00:38 . 2010-04-15 00:38 -------- d-----w- C:\$AVG
2010-04-13 03:40 . 2010-04-13 03:40 -------- d-----w- c:\documents and settings\Michele Welton\Application Data\AVG9
2010-04-13 02:45 . 2010-04-13 02:45 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-13 02:45 . 2010-04-13 02:45 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-13 02:45 . 2010-04-13 02:45 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-13 02:45 . 2010-04-13 02:45 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-13 02:44 . 2010-04-13 02:44 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-13 02:44 . 2010-04-13 02:44 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-13 02:44 . 2010-04-13 02:44 4250976 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-13 02:44 . 2010-04-13 02:44 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-13 02:44 . 2010-04-13 02:44 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-13 02:44 . 2010-04-13 02:44 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-13 02:44 . 2010-04-13 02:44 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-13 02:44 . 2010-04-13 02:44 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-13 02:42 . 2010-04-13 02:42 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-13 02:42 . 2010-04-13 02:42 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-13 02:27 . 2010-04-13 02:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-13 02:27 . 2010-04-13 02:27 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-13 02:27 . 2010-04-13 02:27 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-13 02:27 . 2010-04-13 02:27 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-13 02:27 . 2010-04-17 00:13 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-13 02:26 . 2010-04-13 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-12 23:54 . 2010-04-12 23:54 52224 ----a-w- c:\documents and settings\Michele Welton\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-12 23:54 . 2010-04-12 23:54 117760 ----a-w- c:\documents and settings\Michele Welton\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-12 23:31 . 2010-04-12 23:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-12 23:30 . 2010-04-12 23:30 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-12 23:29 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 23:29 . 2010-04-12 23:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-12 23:29 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-12 23:12 . 2010-04-13 16:04 -------- d-----w- C:\HijackThis
2010-04-12 22:02 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-12 18:04 . 2010-04-12 18:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-10 03:36 . 2010-04-12 12:15 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-10 03:35 . 2010-04-10 03:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-10 02:52 . 2010-04-10 02:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-10 02:52 . 2010-04-10 02:52 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-09 19:56 . 2009-11-22 20:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-04-09 19:56 . 2009-11-22 20:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-04-09 19:56 . 2009-11-22 20:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-04-09 19:56 . 2010-04-09 19:57 -------- d-----w- c:\windows\system32\ZoneLabs
2010-04-09 19:56 . 2010-04-09 19:56 -------- d-----w- c:\program files\Zone Labs
2010-04-08 17:01 . 2010-04-13 02:37 -------- d-----w- c:\program files\Citrix
2010-04-08 17:01 . 2010-04-08 17:01 60744 ----a-w- c:\documents and settings\Michele Welton\g2mdlhlpx.exe
2010-04-03 15:25 . 2010-04-03 15:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-02 16:51 . 2010-04-02 16:51 -------- d-----w- c:\program files\AVG
2010-04-02 14:31 . 2010-04-02 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-02 14:31 . 2010-04-12 23:53 -------- d-----w- c:\documents and settings\Michele Welton\Application Data\SUPERAntiSpyware.com
2010-04-02 13:37 . 2010-04-19 11:37 -------- d-----w- c:\windows\Internet Logs
2010-04-02 13:29 . 2010-04-02 13:29 -------- d-----w- c:\documents and settings\Michele Welton\Application Data\Malwarebytes
2010-04-02 13:29 . 2010-04-02 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-02 13:28 . 2010-04-18 22:11 -------- d-----w- c:\program files\_Twice the Geek
2010-04-02 11:28 . 2010-04-02 11:28 -------- d-sh--w- c:\documents and settings\Michele Welton\IECompatCache
2010-04-02 11:24 . 2010-04-02 11:24 -------- d-sh--w- c:\documents and settings\Michele Welton\PrivacIE
2010-04-02 11:06 . 2010-04-02 11:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-02 11:05 . 2010-04-02 11:05 -------- d-sh--w- c:\documents and settings\Michele Welton\IETldCache
2010-04-02 10:59 . 2010-04-02 11:02 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-19 03:21 . 2005-12-26 17:21 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-18 16:18 . 2010-04-09 21:57 33423286 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-18 02:24 . 1980-01-01 08:00 153344 ----a-w- c:\windows\system32\drivers\dmio.sys
2010-04-13 02:23 . 2008-02-23 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-12 23:45 . 2005-12-20 03:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-12 15:04 . 2010-04-12 15:03 19215227 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2010_04_12_09_57_24_full.dmp.zip
2010-04-11 03:34 . 2005-12-25 19:30 -------- d-----w- c:\documents and settings\Michele Welton\Application Data\ThinkVantage
2010-04-10 14:25 . 2005-12-20 04:09 -------- d-----w- c:\program files\IBM ThinkVantage
2010-04-09 19:57 . 2006-10-16 02:15 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-03 19:30 . 2005-12-20 04:05 -------- d-----w- c:\program files\ThinkVantage
2010-04-03 19:18 . 2005-12-20 03:56 -------- d-----w- c:\program files\ThinkPad
2010-04-03 19:18 . 2005-12-20 03:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-02 22:30 . 2005-12-20 03:57 -------- d-----w- c:\program files\Common Files\Virtual Token
2010-04-02 14:05 . 2009-01-19 21:53 -------- d-----w- c:\program files\Lavasoft
2010-04-02 14:05 . 2009-01-19 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-02 13:59 . 2005-12-20 04:17 40 ----a-w- c:\windows\system32\profile.dat
2010-04-02 02:38 . 2005-12-20 04:11 -------- d-----w- c:\program files\Symantec Client Security
2010-03-25 20:06 . 2005-12-25 19:49 20032 -c--a-w- c:\documents and settings\Michele Welton\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 22:02 . 2010-03-14 21:48 -------- d-----w- c:\program files\Canon
2010-03-14 21:50 . 2010-03-14 21:50 -------- d--h--w- c:\program files\CanonBJ
2010-03-12 20:08 . 2010-03-12 20:08 -------- d-----w- c:\program files\MozBackup
2009-01-20 14:23 . 2009-01-20 14:24 90382 -c--a-w- c:\program files\ToolTipFixer 1.0.1.exe
2008-03-04 02:23 . 2008-03-04 02:23 1357 ----a-w- c:\program files\VISCOI.EXE.LNK
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\Symantec Client Security ----

2005-04-13 21:20 . 2005-04-13 21:20 79448 --s-atw- c:\program files\Symantec Client Security\Symantec Client Firewall\HNetCore.dll


((((((((((((((((((((((((((((( SnapShot@2010-04-18_14.06.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-29 04:42 . 2009-06-29 04:42 91656 c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
+ 2009-06-25 00:56 . 2009-06-25 00:56 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
- 2003-02-21 03:09 . 2003-02-21 03:09 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2003-02-21 03:09 . 2003-02-21 03:09 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2004-07-15 08:32 . 2004-07-15 08:32 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2004-07-15 09:49 . 2004-07-15 09:49 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2008-05-28 06:30 . 2008-05-28 06:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2010-04-18 21:28 . 2010-04-18 21:28 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2010-04-18 21:28 . 2010-04-18 21:28 32768 c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
+ 2010-04-18 21:30 . 2010-04-18 21:30 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_74374866\System.Drawing.Design.dll
+ 2010-04-18 21:29 . 2010-04-18 21:29 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_5684dd76\CustomMarshalers.dll
- 2005-09-23 12:29 . 2005-09-23 12:29 6144 c:\windows\system32\mui\0409\mscorees.dll
+ 2006-12-22 18:02 . 2006-12-22 18:02 6144 c:\windows\system32\mui\0409\mscorees.dll
+ 2006-12-22 17:28 . 2006-12-22 17:28 271360 c:\windows\system32\mscoree.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2004-07-15 08:33 . 2004-07-15 08:33 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2004-07-15 08:25 . 2004-07-15 08:25 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2004-07-15 09:49 . 2004-07-15 09:49 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2008-05-28 06:30 . 2008-05-28 06:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2010-04-18 21:28 . 2010-04-18 21:28 432640 c:\windows\Installer\19aeab0.msi
+ 2010-04-18 21:28 . 2010-04-18 21:28 429568 c:\windows\Installer\19aeaa9.msi
+ 2010-04-18 21:30 . 2010-04-18 21:30 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_58b5cbd7\System.Drawing.dll
+ 2009-07-21 05:03 . 2009-07-21 05:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2008-09-30 21:42 . 2008-09-30 21:42 1286152 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2009-07-21 05:05 . 2009-07-21 05:05 1348432 c:\windows\system32\msxml4.dll
+ 2008-05-28 06:35 . 2008-05-28 06:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2008-05-28 06:35 . 2008-05-28 06:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2008-05-28 05:43 . 2008-05-28 05:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2010-04-18 21:29 . 2010-04-18 21:29 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_ee61530f\System.dll
+ 2010-04-18 21:30 . 2010-04-18 21:30 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_1f31ed47\System.Xml.dll
+ 2010-04-18 21:30 . 2010-04-18 21:30 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_ce24a552\System.Windows.Forms.dll
+ 2010-04-18 21:30 . 2010-04-18 21:30 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_2d73f200\System.Design.dll
+ 2010-04-18 21:30 . 2010-04-18 21:30 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_9c45a905\mscorlib.dll
+ 2010-04-18 21:29 . 2010-04-18 21:29 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2010-04-18 21:29 . 2010-04-18 21:29 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-08-11 02:08 . 2009-08-11 02:08 11315712 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp
+ 2009-08-10 19:09 . 2009-08-10 19:09 17254912 c:\windows\Installer\19aeac8.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-08-25 408064]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-08-01 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 512000]
"TpShocks"="TpShocks.exe" [2005-06-23 86016]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-19 127037]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-08-10 139264]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-08-10 208896]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-13 02:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 07:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-17 06:23 24576 ------w- c:\windows\system32\tphklock.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2005-07-14 21:38 196696 ------w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-07-19 22:29 77824 ------w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-07-19 22:32 94208 ------w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-28 00:50 221184 ------w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-28 00:50 81920 ------w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-07-19 22:33 114688 ------w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\suScheduler]
2005-08-02 01:32 40960 ------w- c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
2005-08-02 09:09 40960 ------w- c:\windows\system32\TP4EX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
2009-11-22 20:42 1037192 ----a-w- c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/19/2009 4:55 PM 64160]
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2/23/2006 8:07 AM 6097]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/12/2010 9:27 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/12/2010 9:27 PM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [4/12/2010 9:26 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/12/2010 9:26 PM 308064]
R2 TTFixerService;NST ToolTipFixer;c:\program files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe [6/27/2007 12:20 AM 10240]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2/23/2006 8:07 AM 299923]
.
Contents of the 'Scheduled Tasks' folder

2010-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-04-19 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-12-20 09:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Download all by YouTube Robot - c:\program files\YouTubeRobot\downall.htm
IE: Download by YouTube Robot - c:\program files\YouTubeRobot\downlink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michele Welton\Application Data\Mozilla\Firefox\Profiles\kf2mx6fh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yourpurebredpuppy.com
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-19 07:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\tphklock.dll
.
Completion time: 2010-04-19 07:07:08
ComboFix-quarantined-files.txt 2010-04-19 12:07
ComboFix2.txt 2010-04-18 14:09

Pre-Run: 19,624,120,320 bytes free
Post-Run: 19,576,750,080 bytes free

- - End Of File - - 0E5BB012A203AC3C2E48CA323B583799


#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:30 AM

Posted 19 April 2010 - 06:31 AM

Hi,

QUOTE
Apparently he didn't get all of it?

Yes, he didn't.

++++++++++++++++

1. We need to execute a ComboFix script. (Tutorials on how to disable your anti-virus and anti-malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
SrPeek::
c:\windows\system32\dbghlp.dll

Folder::
c:\program files\Symantec Client Security


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

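A triage helper for the kind of ComboFix log posted in this thread, added here as an example and not BleepingComputer's, ComboFix's or sempai's code. It serves the two CFScript steps (the Registry:: entry in #8 that sets DisableMonitoring back to 0 for ZoneLabsFirewall, and the SrPeek::/Folder:: script in #10) and the logs posted between them: it reads ComboFix-style log text and pulls out the lines a helper acts on, namely files marked "is infected!!", Security Center products whose monitoring has been switched off, the Windows Firewall policy flag, drivers whose image file is missing (the [?] marker on the ANCSQ line), and hidden or system entries under c:\windows, then drafts the Registry:: fragment that would restore monitoring. The sample log is a constructed excerpt mirroring the format above, not a copy of the posted logs, and the regular expressions are my reading of that format.

```python
"""Triage helper for ComboFix-style logs (added example; not BleepingComputer's,
ComboFix's or sempai's code). It pulls out of a log the lines a helper acts on
and drafts the Registry:: part of a CFScript that restores Security Center
monitoring, in the REGEDIT4 form used in the ZoneLabsFirewall entry above."""
import re

# Constructed excerpt mirroring the log format posted in this thread (not a copy).
SAMPLE_LOG = """\
c:\\windows\\system32\\dbghlp.dll . . . is infected!!

2010-04-13 02:27 . 2010-04-13 02:27 12464 ----a-w- c:\\windows\\system32\\avgrsstx.dll
2010-04-02 10:59 . 2010-04-02 11:02 -------- dc-h--w- c:\\windows\\ie8

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 AvgTdiX;AVG Free Network Redirector;c:\\windows\\system32\\drivers\\avgtdix.sys [4/12/2010 9:27 PM 242696]
S0 ANCSQ;ANCSQ;c:\\windows\\system32\\drivers\\ANCSQ.sys --> c:\\windows\\system32\\drivers\\ANCSQ.sys [?]
"""

INFECTED_RE = re.compile(r"^(.+?) \. \. \. is infected!!$", re.M)
KEY_RE = re.compile(r"^\[([^\]]+)\]$")                     # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')                # "Name"=data
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
                     r"(\S+) ([-a-z]{8}) (.+)$")          # created . modified size attrs path
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;.+?(?: --> .+?)? \[([^\]]*)\]$")


def infected_files(log):
    """Paths ComboFix marked with 'is infected!!'."""
    return INFECTED_RE.findall(log)


def registry_values(log):
    """(key, value name, data) triples from the REGEDIT4-style sections."""
    key, triples = None, []
    for line in log.splitlines():
        header = KEY_RE.match(line)
        if header:
            key = header.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and key:
            triples.append((key, value.group(1), value.group(2).strip()))
    return triples


def disabled_monitoring(log):
    """Security Center products whose monitoring is off (DisableMonitoring=1)."""
    return [key.rsplit("\\", 1)[1]
            for key, name, data in registry_values(log)
            if "security center\\monitoring\\" in key.lower()
            and name == "DisableMonitoring" and data.lower() == "dword:00000001"]


def firewall_disabled(log):
    """True if the Windows Firewall policy flag is 0; None if the log lacks it."""
    for key, name, data in registry_values(log):
        if name == "EnableFirewall" and "firewallpolicy" in key.lower():
            return data.startswith("0")
    return None


def hidden_entries(log, root="c:\\windows"):
    """Entries under `root` whose attribute field carries h (hidden) or s (system).
    Legitimate ones exist (the ie8 folder above), so this is a review list."""
    return [m.group(3) for m in map(FILE_RE.match, log.splitlines())
            if m and m.group(3).lower().startswith(root) and set("hs") & set(m.group(2))]


def missing_service_binaries(log):
    """Drivers/services whose image file ComboFix could not find (the [?] marker)."""
    return [m.group(1) for m in map(SERVICE_RE.match, log.splitlines())
            if m and m.group(2) == "?"]


def restore_monitoring_script(products):
    """Registry:: section of a CFScript setting DisableMonitoring back to 0."""
    lines = ["Registry::"]
    for product in products:
        lines.append("[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center"
                     "\\Monitoring\\%s]" % product)
        lines.append('"DisableMonitoring"=dword:00000000')
    return "\n".join(lines)


if __name__ == "__main__":
    print("infected:", infected_files(SAMPLE_LOG))
    print("monitoring off:", disabled_monitoring(SAMPLE_LOG))
    print("firewall disabled:", firewall_disabled(SAMPLE_LOG))
    print("hidden/system under c:\\windows:", hidden_entries(SAMPLE_LOG))
    print("missing images:", missing_service_binaries(SAMPLE_LOG))
    print(restore_monitoring_script(disabled_monitoring(SAMPLE_LOG)))
```

The drafted Registry:: fragment is for review, not for dragging into ComboFix as-is: a Monitoring key left behind by an uninstalled product (SymantecFirewall in the log above, after the Norton Removal Tool) refers to software that is no longer on the machine, and the helper decides whether that key should be re-enabled or removed instead.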


#11 Michele W

Michele W
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  • Local time:04:30 PM

Posted 19 April 2010 - 07:54 AM

Hi, sempai,

Here you go:


ComboFix 10-04-17.05 - Michele Welton 04/19/2010 8:41.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.218 [GMT -5:00]
Running from: c:\documents and settings\Michele Welton\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michele Welton\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Symantec Client Security
c:\program files\Symantec Client Security\Symantec Client Firewall\HNetCore.dll

c:\windows\system32\dbghlp.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
.

2010-04-18 21:20 . 2010-04-18 21:20 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-04-15 00:38 . 2010-04-15 00:38 -------- d-----w- C:\$AVG
2010-04-13 03:40 . 2010-04-13 03:40 -------- d-----w- c:\documents and settings\Michele Welton\Application Data\AVG9
2010-04-13 02:45 . 2010-04-13 02:45 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-13 02:45 . 2010-04-13 02:45 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-13 02:45 . 2010-04-13 02:45 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-13 02:45 . 2010-04-13 02:45 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-13 02:44 . 2010-04-13 02:44 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-13 02:44 . 2010-04-13 02:44 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-13 02:44 . 2010-04-13 02:44 4250976 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-13 02:44 . 2010-04-13 02:44 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-13 02:44 . 2010-04-13 02:44 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-13 02:44 . 2010-04-13 02:44 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-13 02:44 . 2010-04-13 02:44 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-13 02:44 . 2010-04-13 02:44 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-13 02:42 . 2010-04-13 02:42 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-13 02:42 . 2010-04-13 02:42 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-13 02:27 . 2010-04-13 02:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-13 02:27 . 2010-04-13 02:27 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-13 02:27 . 2010-04-13 02:27 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-13 02:27 . 2010-04-13 02:27 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-13 02:27 . 2010-04-17 00:13 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-13 02:26 . 2010-04-13 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-12 23:54 . 2010-04-12 23:54 52224 ----a-w- c:\documents and settings\Michele Welton\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-12 23:54 . 2010-04-12 23:54 117760 ----a-w- c:\documents and settings\Michele Welton\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-12 23:31 . 2010-04-12 23:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-12 23:30 . 2010-04-12 23:30 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-12 23:29 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 23:29 . 2010-04-12 23:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-12 23:29 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-12 23:12 . 2010-04-13 16:04 -------- d-----w- C:\HijackThis
2010-04-12 22:02 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-12 18:04 . 2010-04-12 18:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-10 03:36 . 2010-04-12 12:15 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-10 03:35 . 2010-04-10 03:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-10 02:52 . 2010-04-10 02:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-10 02:52 . 2010-04-10 02:52 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-09 19:56 . 2009-11-22 20:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-04-09 19:56 . 2009-11-22 20:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-04-09 19:56 . 2009-11-22 20:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-04-09 19:56 . 2010-04-09 19:57 -------- d-----w- c:\windows\system32\ZoneLabs
2010-04-09 19:56 . 2010-04-09 19:56 -------- d-----w- c:\program files\Zone Labs
2010-04-08 17:01 . 2010-04-13 02:37 -------- d-----w- c:\program files\Citrix
2010-04-08 17:01 . 2010-04-08 17:01 60744 ----a-w- c:\documents and settings\Michele Welton\g2mdlhlpx.exe
2010-04-03 15:25 . 2010-04-03 15:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-02 16:51 . 2010-04-02 16:51 -------- d-----w- c:\program files\AVG
2010-04-02 14:31 . 2010-04-02 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-02 14:31 . 2010-04-12 23:53 -------- d-----w- c:\documents and settings\Michele Welton\Application Data\SUPERAntiSpyware.com
2010-04-02 13:37 . 2010-04-19 13:39 -------- d-----w- c:\windows\Internet Logs
2010-04-02 13:29 . 2010-04-02 13:29 -------- d-----w- c:\documents and settings\Michele Welton\Application Data\Malwarebytes
2010-04-02 13:29 . 2010-04-02 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-02 13:28 . 2010-04-18 22:11 -------- d-----w- c:\program files\_Twice the Geek
2010-04-02 11:28 . 2010-04-02 11:28 -------- d-sh--w- c:\documents and settings\Michele Welton\IECompatCache
2010-04-02 11:24 . 2010-04-02 11:24 -------- d-sh--w- c:\documents and settings\Michele Welton\PrivacIE
2010-04-02 11:06 . 2010-04-02 11:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-02 11:05 . 2010-04-02 11:05 -------- d-sh--w- c:\documents and settings\Michele Welton\IETldCache
2010-04-02 10:59 . 2010-04-02 11:02 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-19 03:21 . 2005-12-26 17:21 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-18 16:18 . 2010-04-09 21:57 33423286 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-18 02:24 . 1980-01-01 08:00 153344 ----a-w- c:\windows\system32\drivers\dmio.sys
2010-04-13 02:23 . 2008-02-23 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-12 23:45 . 2005-12-20 03:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-12 15:04 . 2010-04-12 15:03 19215227 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2010_04_12_09_57_24_full.dmp.zip
2010-04-11 03:34 . 2005-12-25 19:30 -------- d-----w- c:\documents and settings\Michele Welton\Application Data\ThinkVantage
2010-04-10 14:25 . 2005-12-20 04:09 -------- d-----w- c:\program files\IBM ThinkVantage
2010-04-09 19:57 . 2006-10-16 02:15 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-03 19:30 . 2005-12-20 04:05 -------- d-----w- c:\program files\ThinkVantage
2010-04-03 19:18 . 2005-12-20 03:56 -------- d-----w- c:\program files\ThinkPad
2010-04-03 19:18 . 2005-12-20 03:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-02 22:30 . 2005-12-20 03:57 -------- d-----w- c:\program files\Common Files\Virtual Token
2010-04-02 14:05 . 2009-01-19 21:53 -------- d-----w- c:\program files\Lavasoft
2010-04-02 14:05 . 2009-01-19 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-02 13:59 . 2005-12-20 04:17 40 ----a-w- c:\windows\system32\profile.dat
2010-03-25 20:06 . 2005-12-25 19:49 20032 -c--a-w- c:\documents and settings\Michele Welton\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 22:02 . 2010-03-14 21:48 -------- d-----w- c:\program files\Canon
2010-03-14 21:50 . 2010-03-14 21:50 -------- d--h--w- c:\program files\CanonBJ
2010-03-12 20:08 . 2010-03-12 20:08 -------- d-----w- c:\program files\MozBackup
2009-01-20 14:23 . 2009-01-20 14:24 90382 -c--a-w- c:\program files\ToolTipFixer 1.0.1.exe
2008-03-04 02:23 . 2008-03-04 02:23 1357 ----a-w- c:\program files\VISCOI.EXE.LNK
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
((((((((((((((((((((((((((((( SnapShot@2010-04-18_14.06.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-29 04:42 . 2009-06-29 04:42 91656 c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
+ 2009-06-25 00:56 . 2009-06-25 00:56 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
- 2003-02-21 03:09 . 2003-02-21 03:09 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2003-02-21 03:09 . 2003-02-21 03:09 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2004-07-15 08:32 . 2004-07-15 08:32 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2004-07-15 09:49 . 2004-07-15 09:49 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2008-05-28 06:30 . 2008-05-28 06:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2010-04-18 21:28 . 2010-04-18 21:28 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2010-04-18 21:28 . 2010-04-18 21:28 32768 c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
+ 2010-04-18 21:30 . 2010-04-18 21:30 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_74374866\System.Drawing.Design.dll
+ 2010-04-18 21:29 . 2010-04-18 21:29 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_5684dd76\CustomMarshalers.dll
- 2005-09-23 12:29 . 2005-09-23 12:29 6144 c:\windows\system32\mui\0409\mscorees.dll
+ 2006-12-22 18:02 . 2006-12-22 18:02 6144 c:\windows\system32\mui\0409\mscorees.dll
+ 2006-12-22 17:28 . 2006-12-22 17:28 271360 c:\windows\system32\mscoree.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2004-07-15 08:33 . 2004-07-15 08:33 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2004-07-15 08:25 . 2004-07-15 08:25 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2004-07-15 09:49 . 2004-07-15 09:49 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2008-05-28 06:30 . 2008-05-28 06:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2010-04-18 21:28 . 2010-04-18 21:28 432640 c:\windows\Installer\19aeab0.msi
+ 2010-04-18 21:28 . 2010-04-18 21:28 429568 c:\windows\Installer\19aeaa9.msi
+ 2010-04-18 21:30 . 2010-04-18 21:30 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_58b5cbd7\System.Drawing.dll
+ 2009-07-21 05:03 . 2009-07-21 05:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2008-09-30 21:42 . 2008-09-30 21:42 1286152 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2009-07-21 05:05 . 2009-07-21 05:05 1348432 c:\windows\system32\msxml4.dll
+ 2008-05-28 06:35 . 2008-05-28 06:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2008-05-28 06:35 . 2008-05-28 06:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2008-05-28 05:43 . 2008-05-28 05:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2010-04-18 21:29 . 2010-04-18 21:29 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_ee61530f\System.dll
+ 2010-04-18 21:30 . 2010-04-18 21:30 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_1f31ed47\System.Xml.dll
+ 2010-04-18 21:30 . 2010-04-18 21:30 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_ce24a552\System.Windows.Forms.dll
+ 2010-04-18 21:30 . 2010-04-18 21:30 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_2d73f200\System.Design.dll
+ 2010-04-18 21:30 . 2010-04-18 21:30 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_9c45a905\mscorlib.dll
+ 2010-04-18 21:29 . 2010-04-18 21:29 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2010-04-18 21:29 . 2010-04-18 21:29 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-08-11 02:08 . 2009-08-11 02:08 11315712 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp
+ 2009-08-10 19:09 . 2009-08-10 19:09 17254912 c:\windows\Installer\19aeac8.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-08-25 408064]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-08-01 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 512000]
"TpShocks"="TpShocks.exe" [2005-06-23 86016]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-19 127037]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-08-10 139264]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-08-10 208896]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-13 02:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 07:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-17 06:23 24576 ------w- c:\windows\system32\tphklock.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2005-07-14 21:38 196696 ------w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-07-19 22:29 77824 ------w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-07-19 22:32 94208 ------w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-28 00:50 221184 ------w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-28 00:50 81920 ------w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-07-19 22:33 114688 ------w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\suScheduler]
2005-08-02 01:32 40960 ------w- c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
2005-08-02 09:09 40960 ------w- c:\windows\system32\TP4EX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
2009-11-22 20:42 1037192 ----a-w- c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/19/2009 4:55 PM 64160]
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2/23/2006 8:07 AM 6097]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/12/2010 9:27 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/12/2010 9:27 PM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [4/12/2010 9:26 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/12/2010 9:26 PM 308064]
R2 TTFixerService;NST ToolTipFixer;c:\program files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe [6/27/2007 12:20 AM 10240]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2/23/2006 8:07 AM 299923]
.
Contents of the 'Scheduled Tasks' folder

2010-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-04-19 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-12-20 09:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Download all by YouTube Robot - c:\program files\YouTubeRobot\downall.htm
IE: Download by YouTube Robot - c:\program files\YouTubeRobot\downlink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michele Welton\Application Data\Mozilla\Firefox\Profiles\kf2mx6fh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yourpurebredpuppy.com
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-19 08:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\tphklock.dll
.
Completion time: 2010-04-19 08:49:06
ComboFix-quarantined-files.txt 2010-04-19 13:49
ComboFix2.txt 2010-04-19 12:07
ComboFix3.txt 2010-04-18 14:09

Pre-Run: 19,401,588,736 bytes free
Post-Run: 19,375,931,392 bytes free

- - End Of File - - 17C670BA940FE2158A4D9D1325C82346


#12 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 19 April 2010 - 07:58 AM

Please open my computer > tools tab > folder options > click on view tab > make sure that "hide extensions for known file types" is unchecked > click OK to save settings.

Then, navigate to this file c:\windows\system32\dbghlp.dll and rename dbghlp.dll to dbghlp.dll.old.

Wait for about 10 seconds and press F5 on your keyboard; there should be a new dbghlp.dll because Windows will automatically replace it.


Please tell me how it went, thanks.





~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#13 Michele W

  • Topic Starter
  • Members
  • 44 posts

Posted 19 April 2010 - 08:09 AM

Hi, sempai,

There is no dbghlp.dll in the system32 folder.

There IS, however, a dbghelp.dll.


#14 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 19 April 2010 - 08:11 AM

OK please rename dbghelp.dll.

~Semp



#15 Michele W

  • Topic Starter
  • Members
  • 44 posts

Posted 19 April 2010 - 08:28 AM

There is now a dbghelp.dll and a dbghelp.dll.old.

I assume that means it didn't make the replacement?
