
Win32.patched.DO/ Cant access Windows Update


This topic is locked
21 replies to this topic

#1 Rob81

Rob81

  • Members
  • 56 posts
  • OFFLINE
  • Local time:06:22 AM

Posted 28 April 2010 - 08:21 PM

Hello, I am having a problem loading the Windows Update page. Whenever I try to open it, it tells me "Internet Explorer cannot display the webpage", and I also get redirected to different websites than the ones that I click on when I do a search in Google. I recently ran Malwarebytes, SUPERAntiSpyware and AVG and erased a whole bunch of Trojans and such spyware. I ran the scans and they all came up clean. Just recently my AVG came up saying it found the virus Win32patched.DO. Any help?

Thanks, Rob


DDS (Ver_10-03-17.01) - NTFSx86
Run by Gary at 20:23:52.28 on Wed 04/28/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.76 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Gary\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\mal\hgtukjj.exe" /runcleanupscript
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\gary\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com\download
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229785323281
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-28 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-28 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-28 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-28 308064]
S0 rcvomt;rcvomt; [x]
S0 rzkvqbym;rzkvqbym;c:\windows\system32\drivers\rzkvqbym.sys [2010-4-8 823808]
S2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
S3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-12-26 34136]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-04-29 00:17:44 0 ----a-w- c:\documents and settings\gary\defogger_reenable
2010-04-29 00:10:31 0 d--h--w- C:\$AVG
2010-04-28 17:53:09 0 d-----w- c:\docume~1\gary\applic~1\ElevatedDiagnostics
2010-04-28 17:37:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-28 17:37:26 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-28 15:42:46 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-28 15:42:32 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-28 15:31:17 0 d-----w- c:\program files\Eusing Free Registry Cleaner
2010-04-28 14:11:00 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-28 14:10:58 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-28 14:10:49 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-28 14:10:30 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-28 14:10:15 0 d-----w- c:\program files\AVG
2010-04-28 04:17:53 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-28 04:16:55 0 d-----w- c:\docume~1\gary\applic~1\SUPERAntiSpyware.com
2010-04-28 04:07:50 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-04-28 04:06:45 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-28 04:02:54 0 d-----w- C:\AVGTemp
2010-04-28 02:36:10 16832 ----a-w- c:\windows\system32\amcompat.tlb
2010-04-28 02:36:09 23392 ----a-w- c:\windows\system32\nscompat.tlb
2010-04-28 02:08:44 4608 ----a-w- c:\windows\system32\msimg32.dll
2010-04-28 01:57:16 0 d-----w- c:\program files\VS Revo Group
2010-04-28 01:28:17 0 d-----w- c:\program files\GaryClean
2010-04-28 00:20:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 00:20:46 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 00:20:46 0 d-----w- c:\program files\Mal
2010-04-27 19:31:02 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-27 19:31:02 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-27 14:51:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-27 14:20:51 0 d-----w- c:\docume~1\gary\applic~1\Windows Search
2010-04-27 12:19:24 0 d-----w- c:\docume~1\gary\applic~1\Malwarebytes
2010-04-27 12:19:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-08 21:14:20 1179 ----a-w- c:\docume~1\alluse~1\applic~1\_VOIDmfeklnmal.dll
2010-04-08 19:49:57 823808 ----a-w- c:\windows\system32\drivers\rzkvqbym.sys
2010-04-08 19:48:06 0 d-----w- c:\docume~1\gary\applic~1\13C75E78DEE4DE0D27EE06D042DC9594
2010-04-07 02:02:00 0 d-----w- c:\program files\common files\Software Update Utility
2010-04-07 02:01:41 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM

==================== Find3M ====================

2010-04-29 00:15:20 11648 ----a-w- c:\windows\system32\drivers\acpiec.sys
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 20:25:19.54 ===============


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:22 AM

Posted 28 April 2010 - 09:01 PM

Hello Rob81,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
How is your machine running now?



" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Rob81

Rob81
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  • Local time:06:22 AM

Posted 28 April 2010 - 09:40 PM

I ran ComboFix and did everything you said. The Windows Update site is now working. What should I do next? Here is the ComboFix.txt:

ComboFix 10-04-28.03 - Gary 04/28/2010 22:23:32.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.184 [GMT -4:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\_VOIDmfeklnmal.dll
c:\windows\system32\SHELLLNK.TLB

Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-29 00:10 . 2010-04-29 00:10 -------- d-----w- C:\$AVG
2010-04-28 17:53 . 2010-04-28 17:53 -------- d-----w- c:\documents and settings\Gary\Application Data\ElevatedDiagnostics
2010-04-28 17:41 . 2010-04-28 17:41 -------- d-----w- c:\program files\Common Files\Java
2010-04-28 17:38 . 2010-04-28 17:38 503808 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4eeba759-n\msvcp71.dll
2010-04-28 17:38 . 2010-04-28 17:38 12800 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-54afca38-n\decora-d3d.dll
2010-04-28 17:38 . 2010-04-28 17:38 499712 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4eeba759-n\jmc.dll
2010-04-28 17:38 . 2010-04-28 17:38 61440 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-54afca38-n\decora-sse.dll
2010-04-28 17:38 . 2010-04-28 17:38 348160 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4eeba759-n\msvcr71.dll
2010-04-28 17:37 . 2010-04-28 17:36 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-28 15:42 . 2010-04-28 15:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-28 15:42 . 2010-04-28 15:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-28 15:31 . 2010-04-28 15:31 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-04-28 14:11 . 2010-04-28 14:11 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-28 14:10 . 2010-04-28 14:10 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-28 04:06 . 2010-04-28 04:06 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-28 04:02 . 2010-04-28 04:02 -------- d-----w- C:\AVGTemp
2010-04-28 02:08 . 2004-08-17 18:04 4608 ----a-w- c:\windows\system32\msimg32.dll
2010-04-28 01:57 . 2010-04-28 02:19 -------- d-----w- c:\program files\VS Revo Group
2010-04-28 01:28 . 2010-04-28 02:18 -------- d-----w- c:\program files\GaryClean
2010-04-28 00:20 . 2010-03-29 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 00:20 . 2010-04-28 00:22 -------- d-----w- c:\program files\Mal
2010-04-28 00:20 . 2010-03-29 19:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 19:31 . 2010-04-27 19:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVG7
2010-04-27 19:31 . 2010-04-27 19:31 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-27 19:31 . 2010-04-27 19:31 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-27 14:51 . 2010-04-28 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-27 14:20 . 2010-04-27 14:20 -------- d-----w- c:\documents and settings\Gary\Application Data\Windows Search
2010-04-27 12:19 . 2010-04-27 12:19 -------- d-----w- c:\documents and settings\Gary\Application Data\Malwarebytes
2010-04-27 12:19 . 2010-04-27 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-08 19:49 . 2010-04-24 21:48 823808 ----a-w- c:\windows\system32\drivers\rzkvqbym.sys
2010-04-08 19:48 . 2010-04-13 06:45 -------- d-----w- c:\documents and settings\Gary\Application Data\13C75E78DEE4DE0D27EE06D042DC9594
2010-04-07 02:02 . 2010-04-07 02:02 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-04-07 02:01 . 2010-04-07 02:03 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\AIM
2010-04-07 02:01 . 2010-04-07 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-04-07 01:59 . 2009-10-05 19:11 1225352 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\msvc9rt.exe
2010-04-07 01:59 . 2009-10-05 19:11 243048 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\migrator.exe
2010-04-07 01:59 . 2009-10-05 19:11 10088 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\imappver.dll
2010-04-07 01:59 . 2009-10-05 19:10 1025384 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\gui.dll
2010-04-07 01:59 . 2009-10-05 19:11 97128 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\bsetutil.exe
2010-04-07 01:59 . 2009-10-05 19:11 180824 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\dlupd.exe
2010-04-07 01:59 . 2009-10-05 19:11 111976 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\AOLSearch.dll
2010-04-07 01:59 . 2007-08-17 13:34 107872 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\aolsetup.exe
2010-04-07 01:59 . 2009-10-05 19:10 95792 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\AOLFirewallMgr.dll
2010-04-07 01:59 . 2009-10-05 19:11 2314768 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\AIMLang.exe
2010-04-07 01:59 . 2009-10-05 19:11 3547096 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\AIMinst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 00:15 . 2002-08-29 12:00 11648 ----a-w- c:\windows\system32\drivers\acpiec.sys
2010-04-28 15:46 . 2010-04-28 04:18 117760 ----a-w- c:\documents and settings\Gary\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-28 14:10 . 2010-04-28 14:10 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-28 14:10 . 2010-04-28 14:10 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-28 14:10 . 2010-04-28 14:10 -------- d-----w- c:\program files\AVG
2010-04-28 14:10 . 2010-04-28 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-28 12:14 . 2010-04-28 12:14 0 ----a-w- c:\documents and settings\Chjw\cm-4-p.dat
2010-04-28 12:14 . 2010-04-28 12:14 0 ----a-w- c:\documents and settings\Chjw\cm-3-p.dat
2010-04-28 04:18 . 2010-04-28 04:18 52224 ----a-w- c:\documents and settings\Gary\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-28 04:17 . 2010-04-28 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-28 04:16 . 2010-04-28 04:16 -------- d-----w- c:\documents and settings\Gary\Application Data\SUPERAntiSpyware.com
2010-04-28 02:33 . 2008-12-30 16:22 -------- d-----w- c:\program files\Windows Media Connect 2
2010-04-28 01:21 . 2009-11-26 17:57 -------- d-----w- c:\program files\CCleaner
2010-04-27 19:41 . 2008-12-22 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-27 19:22 . 2009-04-23 14:34 -------- d-----w- c:\documents and settings\Gary\Application Data\MSN6
2010-04-17 18:10 . 2008-12-25 01:55 -------- d-----w- c:\documents and settings\Gary\Application Data\LimeWire
2010-04-07 02:00 . 2008-12-22 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-04-07 02:00 . 2008-12-22 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-03-11 05:48 . 2008-12-20 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-25 06:24 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-20 22:27 . 2010-02-20 22:27 50354 ----a-w- c:\documents and settings\Gary\Application Data\Facebook\uninstall.exe
2010-02-01 23:26 . 2009-11-06 23:08 79488 -c--a-w- c:\documents and settings\Gary\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Gary\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Gary\Application Data\Facebook\npfbplugin_1_0_1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"nwiz"="nwiz.exe" [2005-02-24 1495040]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-02-24 5537792]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-01 98304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Mal\hgtukjj.exe" [2010-03-29 1086856]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Gary\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-28 14:11 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/28/2010 10:10 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/28/2010 10:10 AM 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/28/2010 10:10 AM 308064]
S0 rcvomt;rcvomt; [x]
S0 rzkvqbym;rzkvqbym;c:\windows\system32\drivers\rzkvqbym.sys [4/8/2010 3:49 PM 823808]
S2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
S3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/26/2008 9:02 PM 34136]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com\download
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-28 22:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-28 22:34:33
ComboFix-quarantined-files.txt 2010-04-29 02:34

Pre-Run: 37,712,261,120 bytes free
Post-Run: 37,679,411,200 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /usepmtimer /NoExecute=OptIn

- - End Of File - - C92DBBE568A9A14D8B3116488095781C


#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:22 AM

Posted 28 April 2010 - 09:50 PM

Hello,

1.
The following refers to Eusing Free Registry Cleaner.
Please be aware that BleepingComputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System.
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done assuming that the main audience here at this board might be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.


2.
Your log looks a lot better. We still have some work to do though.

We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system32\drivers\rzkvqbym.sys

Domains::

Driver::
rcvomt
rzkvqbym
Viewpoint Manager Service


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Things to include in your next reply:
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 Rob81 (Topic Starter, Members, 56 posts)

Posted 28 April 2010 - 10:20 PM

Still running good.

ComboFix 10-04-28.03 - Gary 04/28/2010 23:00:42.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.134 [GMT -4:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gary\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\drivers\rzkvqbym.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\rzkvqbym.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RCVOMT
-------\Legacy_RZKVQBYM
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_rcvomt
-------\Service_rzkvqbym
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-29 00:10 . 2010-04-29 00:10 -------- d-----w- C:\$AVG
2010-04-28 17:53 . 2010-04-28 17:53 -------- d-----w- c:\documents and settings\Gary\Application Data\ElevatedDiagnostics
2010-04-28 17:41 . 2010-04-28 17:41 -------- d-----w- c:\program files\Common Files\Java
2010-04-28 17:38 . 2010-04-28 17:38 503808 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4eeba759-n\msvcp71.dll
2010-04-28 17:38 . 2010-04-28 17:38 12800 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-54afca38-n\decora-d3d.dll
2010-04-28 17:38 . 2010-04-28 17:38 499712 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4eeba759-n\jmc.dll
2010-04-28 17:38 . 2010-04-28 17:38 61440 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-54afca38-n\decora-sse.dll
2010-04-28 17:38 . 2010-04-28 17:38 348160 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4eeba759-n\msvcr71.dll
2010-04-28 17:37 . 2010-04-28 17:36 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-28 15:42 . 2010-04-28 15:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-28 15:42 . 2010-04-28 15:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-28 15:31 . 2010-04-28 15:31 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-04-28 14:11 . 2010-04-28 14:11 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-28 14:10 . 2010-04-28 14:10 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-28 04:06 . 2010-04-28 04:06 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-28 04:02 . 2010-04-28 04:02 -------- d-----w- C:\AVGTemp
2010-04-28 02:08 . 2004-08-17 18:04 4608 ----a-w- c:\windows\system32\msimg32.dll
2010-04-28 01:57 . 2010-04-28 02:19 -------- d-----w- c:\program files\VS Revo Group
2010-04-28 01:28 . 2010-04-28 02:18 -------- d-----w- c:\program files\GaryClean
2010-04-28 00:20 . 2010-03-29 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 00:20 . 2010-04-28 00:22 -------- d-----w- c:\program files\Mal
2010-04-28 00:20 . 2010-03-29 19:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 19:31 . 2010-04-27 19:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVG7
2010-04-27 19:31 . 2010-04-27 19:31 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-27 19:31 . 2010-04-27 19:31 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-27 14:51 . 2010-04-28 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-27 14:20 . 2010-04-27 14:20 -------- d-----w- c:\documents and settings\Gary\Application Data\Windows Search
2010-04-27 12:19 . 2010-04-27 12:19 -------- d-----w- c:\documents and settings\Gary\Application Data\Malwarebytes
2010-04-27 12:19 . 2010-04-27 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-08 19:48 . 2010-04-13 06:45 -------- d-----w- c:\documents and settings\Gary\Application Data\13C75E78DEE4DE0D27EE06D042DC9594
2010-04-07 02:02 . 2010-04-07 02:02 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-04-07 02:01 . 2010-04-07 02:03 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\AIM
2010-04-07 02:01 . 2010-04-07 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-04-07 01:59 . 2009-10-05 19:11 1225352 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\msvc9rt.exe
2010-04-07 01:59 . 2009-10-05 19:11 243048 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\migrator.exe
2010-04-07 01:59 . 2009-10-05 19:11 10088 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\imappver.dll
2010-04-07 01:59 . 2009-10-05 19:10 1025384 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\gui.dll
2010-04-07 01:59 . 2009-10-05 19:11 97128 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\bsetutil.exe
2010-04-07 01:59 . 2009-10-05 19:11 180824 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\dlupd.exe
2010-04-07 01:59 . 2009-10-05 19:11 111976 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\AOLSearch.dll
2010-04-07 01:59 . 2007-08-17 13:34 107872 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\aolsetup.exe
2010-04-07 01:59 . 2009-10-05 19:10 95792 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\AOLFirewallMgr.dll
2010-04-07 01:59 . 2009-10-05 19:11 2314768 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\AIMLang.exe
2010-04-07 01:59 . 2009-10-05 19:11 3547096 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\AIMinst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 00:15 . 2002-08-29 12:00 11648 ----a-w- c:\windows\system32\drivers\acpiec.sys
2010-04-28 15:46 . 2010-04-28 04:18 117760 ----a-w- c:\documents and settings\Gary\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-28 14:10 . 2010-04-28 14:10 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-28 14:10 . 2010-04-28 14:10 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-28 14:10 . 2010-04-28 14:10 -------- d-----w- c:\program files\AVG
2010-04-28 14:10 . 2010-04-28 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-28 12:14 . 2010-04-28 12:14 0 ----a-w- c:\documents and settings\Chjw\cm-4-p.dat
2010-04-28 12:14 . 2010-04-28 12:14 0 ----a-w- c:\documents and settings\Chjw\cm-3-p.dat
2010-04-28 04:18 . 2010-04-28 04:18 52224 ----a-w- c:\documents and settings\Gary\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-28 04:17 . 2010-04-28 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-28 04:16 . 2010-04-28 04:16 -------- d-----w- c:\documents and settings\Gary\Application Data\SUPERAntiSpyware.com
2010-04-28 02:33 . 2008-12-30 16:22 -------- d-----w- c:\program files\Windows Media Connect 2
2010-04-28 01:21 . 2009-11-26 17:57 -------- d-----w- c:\program files\CCleaner
2010-04-27 19:41 . 2008-12-22 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-27 19:22 . 2009-04-23 14:34 -------- d-----w- c:\documents and settings\Gary\Application Data\MSN6
2010-04-17 18:10 . 2008-12-25 01:55 -------- d-----w- c:\documents and settings\Gary\Application Data\LimeWire
2010-04-07 02:00 . 2008-12-22 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-04-07 02:00 . 2008-12-22 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-03-11 05:48 . 2008-12-20 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-25 06:24 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-20 22:27 . 2010-02-20 22:27 50354 ----a-w- c:\documents and settings\Gary\Application Data\Facebook\uninstall.exe
2010-02-01 23:26 . 2009-11-06 23:08 79488 -c--a-w- c:\documents and settings\Gary\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Gary\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Gary\Application Data\Facebook\npfbplugin_1_0_1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"nwiz"="nwiz.exe" [2005-02-24 1495040]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-02-24 5537792]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-01 98304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Mal\hgtukjj.exe" [2010-03-29 1086856]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Gary\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-28 14:11 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/28/2010 10:10 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/28/2010 10:10 AM 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/28/2010 10:10 AM 308064]
S3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/26/2008 9:02 PM 34136]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-28 23:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1956)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\System32\nvsvc32.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-28 23:15:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-29 03:15
ComboFix2.txt 2010-04-29 02:34

Pre-Run: 37,684,056,064 bytes free
Post-Run: 37,544,824,832 bytes free

- - End Of File - - FA6AD3A47101B03CA3045739AF92ED92
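The ComboFix log above is long, and most of its lines are benign. What a responder actually scans it for is a small set of patterns: the "Drivers/Services" deletions (here the Legacy_/Service_ keys for rzkvqbym and rcvomt), drivers under system32\drivers with random-looking names, and profile directories named with a bare 32-character hex string (like the 13C75E78... folder under Application Data). The script below is an added example written for this page; it is not part of the thread, of ComboFix, or of BleepingComputer's tooling. It parses lines in the shape ComboFix prints and applies those three checks. The sample log is constructed from a few lines of the log above plus one made-up line for rzkvqbym.sys, which the real log no longer lists because ComboFix had already deleted it; the vowel-ratio test for "random" names is a triage heuristic of my own, not a ComboFix rule.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code).

Parses "created . modified size attrs path" lines from the Files Created / Find3M
sections and the "-------\Legacy_xxx" / "-------\Service_xxx" deletion lines, then
flags the entries a responder would look at first.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One ComboFix file/directory line: two timestamps, size (or -------- for dirs),
# an attribute column such as d-----w- / ----a-w-, then the path (may contain spaces).
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Drivers/Services section: keys ComboFix removed.
DELETION_RE = re.compile(r"^-------\\(?:Legacy_|Service_)(?P<name>.+)$", re.IGNORECASE)
# A directory whose name is nothing but 32 hex digits (e.g. a MD5-style dropper folder).
HEX32_RE = re.compile(r"[0-9a-f]{32}", re.IGNORECASE)

# Constructed sample: lines copied in the shape of the log above, plus one invented
# line for the driver ComboFix deleted (it is not in the real Files Created list).
SAMPLE_LOG = """\
-------\\Legacy_RZKVQBYM
-------\\Service_rzkvqbym
2010-04-28 15:42 . 2010-04-28 15:42 -------- d-----w- c:\\program files\\SUPERAntiSpyware
2010-04-28 14:10 . 2010-04-28 14:10 242896 ----a-w- c:\\windows\\system32\\drivers\\avgtdix.sys
2010-04-28 00:20 . 2010-03-29 19:24 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2010-04-08 19:48 . 2010-04-13 06:45 -------- d-----w- c:\\documents and settings\\Gary\\Application Data\\13C75E78DEE4DE0D27EE06D042DC9594
2010-04-27 12:00 . 2010-04-27 12:00 8192 ----a-w- c:\\windows\\system32\\drivers\\rzkvqbym.sys
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (ComboFix prints --------)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_entries(text: str) -> List[Entry]:
    """Return every file/directory line as an Entry; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def parse_deletions(text: str) -> List[str]:
    """Service/driver names ComboFix removed, lower-cased and de-duplicated."""
    names: List[str] = []
    for line in text.splitlines():
        m = DELETION_RE.match(line.strip())
        if m and m["name"].lower() not in names:
            names.append(m["name"].lower())
    return names


def looks_random(stem: str) -> bool:
    """Heuristic (mine, not ComboFix's): a letters-only name of 6+ characters with
    almost no vowels. Dropper-generated driver names often look like this, while
    legitimate drivers are usually pronounceable. A hint for review, not a verdict."""
    s = stem.lower()
    if len(s) < 6 or not s.isalpha():
        return False
    vowels = sum(ch in "aeiou" for ch in s)
    return vowels / len(s) < 0.2


def triage(text: str) -> dict:
    """Apply the three checks and return what to look at first."""
    entries = parse_entries(text)
    random_drivers = [
        e.path for e in entries
        if not e.is_dir and e.name.lower().endswith(".sys")
        and "\\drivers\\" in e.path.lower() and looks_random(e.name[:-4])
    ]
    hex_dirs = [e.path for e in entries if e.is_dir and HEX32_RE.fullmatch(e.name)]
    return {"random_drivers": random_drivers, "hex_dirs": hex_dirs,
            "removed_services": parse_deletions(text)}


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run it against a saved ComboFix.txt by reading the file into `triage()`; on the constructed sample it reports rzkvqbym.sys as the only random-looking driver, the 32-hex Application Data folder, and rzkvqbym as a removed service, while the AVG and Malwarebytes drivers pass the vowel test.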


#6 fireman4it (Bleepin' Fireman, Malware Response Team, 13,507 posts, Greenup, Ill USA)

Posted 28 April 2010 - 11:22 PM

Hello,

Everything looks good, let's do some final checking.

1.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

2.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Things to include in your next reply:
MBAM log
Eset log
A new DDS log
Your machine still running good?



#7 Rob81 (Topic Starter, Members, 56 posts)

Posted 29 April 2010 - 08:11 AM

I ran Malwarebytes and it came up clean. When I try to run the online scanner it pops open a new window; I click accept the terms, and when it tries to load the next screen it just sits there blank for a bit, then all my windows close and Internet Explorer shuts down. I have disabled AVG. And when I right-click Internet Explorer and try to run it as administrator it asks for a password which I don't know.

Edited by Rob81, 29 April 2010 - 09:56 AM.


#8 fireman4it (Bleepin' Fireman, Malware Response Team, 13,507 posts, Greenup, Ill USA)

Posted 29 April 2010 - 01:55 PM

Hello,

Nothing we did should have affected Internet Explorer.

Let's try a different online scanner.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

Please post this log along with another DDS log.



#9 Rob81 (Topic Starter, Members, 56 posts)

Posted 29 April 2010 - 02:13 PM

I will try this online scanner now. My updates were set to automatic; it downloaded them last night on its own, then when I restarted it installed them. I am not sure if this will affect anything, just letting you know in case some things on the logs look different. I will keep you posted, thanks for your response.

#10 fireman4it (Bleepin' Fireman, Malware Response Team, 13,507 posts, Greenup, Ill USA)

Posted 29 April 2010 - 02:19 PM

Hello,

QUOTE
My updates were set to automatic; it downloaded them last night on its own, then when I restarted it installed them. I am not sure if this will affect anything, just letting you know in case some things on the logs look different. I will keep you posted, thanks for your response.

No biggie, the main infection is gone. We are just doing some final checking for any stragglers!



#11 Rob81 (Topic Starter, Members, 56 posts)

Posted 29 April 2010 - 02:20 PM

The same thing happens with this scanner. When I am waiting for the ActiveX to load it tries to open, then it doesn't load, it just closes my whole Internet Explorer.

#12 fireman4it (Bleepin' Fireman, Malware Response Team, 13,507 posts, Greenup, Ill USA)

Posted 29 April 2010 - 02:28 PM

Hello,

OK, let's try this one; it doesn't require ActiveX.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)




#13 Rob81 (Topic Starter, Members, 56 posts)

Posted 29 April 2010 - 03:18 PM

I was running the scan and it just froze and said it wasn't responding. I am running it again.

#14 Rob81 (Topic Starter, Members, 56 posts)

Posted 29 April 2010 - 03:54 PM

During the scan the screen went black and the time capsule was on the screen. The time capsule has disappeared and now it's just a black screen?

#15 fireman4it (Bleepin' Fireman, Malware Response Team, 13,507 posts, Greenup, Ill USA)

Posted 29 April 2010 - 04:41 PM

Hello,

Seems to me you have other issues going on.

Did you run Dr.Web in Safe Mode?

