Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected by Bredolab.AA


  • This topic is locked This topic is locked
15 replies to this topic

#1 flinn

flinn

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 03 June 2010 - 05:51 AM

Yesterday my PC (running Windows XP) was infected with Antispyware soft. I followed your instructions at http://www.bleepingcomputer.com/virus-remo...ntispyware-soft however windows defender detects the trojan downloader Bredolab.AA and I am still getting popups/redirects.

Orange Blossom directed me to follow the Prep Guide and post here - thanks!

My DDS logs are a pasted/attached but the GMER log first froze my computer (I waited 2 hours before restarting) then ended in blue screen on the second attempt.

Any further help you could give me to fix this would be greatly appreciated!!!

Many many thanks for all your hard work here at Bleeping Computer,

John



DDS (Ver_10-03-17.01) - NTFSx86
Run by ESTELL WARREN at 9:39:03.90 on 03/06/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1268 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
svchost.exe "C:\WINDOWS\system32\adsldpcz.exe"
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\ESTELL WARREN\Local Settings\Temporary Internet Files\Content.IE5\PKV8V0EN\Defogger[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ESTELL WARREN\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.timesonline.co.uk/tol/news/
uSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061110
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
uWinlogon: Shell=c:\program files\privacy center\pc.exe
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Google Update] "c:\documents and settings\estell warren\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [skb] rundll32 "jynbbrzn.dll",,Run
mRun: [MChk] c:\windows\system32\nehxyypz.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\estell warren\start menu\programs\startup\netyoz32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart17.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: landmarkinfo.co.uk
Trusted Zone: landmarkinfo.co.uk\www
Trusted Zone: promap.co.uk
Trusted Zone: promap.co.uk\www
Trusted Zone: promapserver.co.uk
Trusted Zone: promapserver.co.uk\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.bp.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {37309153-EBDD-43BC-9993-0465005041F0} - hxxp://isgplc.mybiw.com/classes/4.2.2.6/BIWViewer_40.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.bcsp-web.org/mgaxctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165415580281
DPF: {644F656A-013E-4198-BE03-1D7A4F6AB550} - hxxps://www.promapserver.co.uk/controls/latest/promap.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} - hxxp://www.emapsite.com/ecwplugins/ncs.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} - hxxps://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EE884C7D-21A0-49EA-B6F2-61ACF4E226F6} - hxxp://workspace.office.live.com/Misc/Microsoft.OfficeLive.Workspace.RichUpload.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: nbso - {DF700763-3EAD-4B64-9626-22BEEFF3EA47} - c:\windows\system32\NBSOPProt.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-26 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-28 108552]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-6-7 565248]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 297752]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-14 136176]
S2 PolicyAgentThemes;IPSEC Services PolicyAgentThemes;c:\windows\system32\adsldpcz.exe srv --> c:\windows\system32\adsldpcz.exe srv [?]

=============== Created Last 30 ================

2010-06-03 08:27:09 0 ----a-w- c:\documents and settings\estell warren\defogger_reenable
2010-06-02 14:25:42 0 d-sh--w- c:\windows\system32\lowsec
2010-06-02 11:56:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-01 17:07:15 0 d-----w- c:\docume~1\estell~1\applic~1\Malwarebytes
2010-06-01 17:07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-01 17:07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-01 17:07:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 17:07:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-01 14:32:37 190 --s-a-w- c:\windows\system32\1511960089.dat
2010-06-01 14:32:26 4 ----a-w- c:\docume~1\estell~1\applic~1\ovczpx.dat
2010-06-01 14:31:05 50981 ----a-w- c:\windows\system32\mxwmlagqit.exe
2010-06-01 14:30:35 124928 ----a-w- c:\windows\Wdafua.exe
2010-06-01 14:30:20 0 d-----w- c:\docume~1\estell~1\applic~1\15E6673CFD1A8472671F46B7274A6DE0
2010-05-27 12:13:47 0 d-----w- c:\program files\common files\Canon
2010-05-24 16:31:20 40633 ----a-w- c:\windows\system32\nehxyypz.exe
2010-05-07 10:13:36 0 d-----w- c:\program files\Windows Installer Clean Up
2010-05-05 08:20:50 0 d-----w- c:\program files\Windows Media Connect 2
2010-05-05 08:19:35 0 d-----w- c:\windows\system32\LogFiles

==================== Find3M ====================

2010-05-12 10:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-31 09:03:43 112408 -c--a-w- c:\docume~1\estell~1\applic~1\GDIPFONTCACHEV1.DAT
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2007-02-01 11:59:10 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 9:40:24.89 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:48 AM

Posted 05 June 2010 - 09:38 PM

Hi and welcome. smile.gif

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a GMER log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or GMER log please refer to this page and in step #6 and Step #7 and Step #8 for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 flinn

flinn
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 08 June 2010 - 05:17 PM

Hi Extremeboy,

Thanks for picking this up. I really appreciate your help.

Attached are the logs. Finally got the GMER to run after it crashing my computer a few times. Symptoms are continued popups and trojanhorse downloaders being detected by resident shield alert. Also error loading ykagqdtn.dll on startup.

Many many thanks for any help you are able to give me.

John.


DDS (Ver_10-03-17.01) - NTFSx86
Run by ESTELL WARREN at 14:43:23.07 on 07/06/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1292 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Documents and Settings\ESTELL WARREN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
C:\Documents and Settings\ESTELL WARREN\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.timesonline.co.uk/tol/news/
uSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061110
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
uWinlogon: Shell=c:\program files\privacy center\pc.exe
BHO: moigh Object: {1b52f48a-e882-4df9-8d75-9df47e8904bc} - c:\windows\system32\jcobveid.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Google Update] "c:\documents and settings\estell warren\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [skb] rundll32 "ykagqdtn.dll",,Run
mRun: [MChk] c:\windows\system32\nehxyypz.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\estell warren\start menu\programs\startup\netyoz32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart17.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: landmarkinfo.co.uk
Trusted Zone: landmarkinfo.co.uk\www
Trusted Zone: promap.co.uk
Trusted Zone: promap.co.uk\www
Trusted Zone: promapserver.co.uk
Trusted Zone: promapserver.co.uk\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.bp.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {37309153-EBDD-43BC-9993-0465005041F0} - hxxp://isgplc.mybiw.com/classes/4.2.2.6/BIWViewer_40.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.bcsp-web.org/mgaxctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165415580281
DPF: {644F656A-013E-4198-BE03-1D7A4F6AB550} - hxxps://www.promapserver.co.uk/controls/latest/promap.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} - hxxp://www.emapsite.com/ecwplugins/ncs.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} - hxxps://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EE884C7D-21A0-49EA-B6F2-61ACF4E226F6} - hxxp://workspace.office.live.com/Misc/Microsoft.OfficeLive.Workspace.RichUpload.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: nbso - {DF700763-3EAD-4B64-9626-22BEEFF3EA47} - c:\windows\system32\NBSOPProt.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-26 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-28 108552]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-6-7 565248]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 297752]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-14 136176]
S2 PolicyAgentThemes;IPSEC Services PolicyAgentThemes;c:\windows\system32\adsldpcz.exe srv --> c:\windows\system32\adsldpcz.exe srv [?]

=============== Created Last 30 ================

2010-06-07 12:22:32 112 ----a-w- c:\docume~1\alluse~1\applic~1\P3aK72F.dat
2010-06-04 08:12:03 0 d-----w- c:\docume~1\estell~1\applic~1\Street-Ads
2010-06-03 22:13:36 309760 ----a-w- c:\windows\system32\jcobveid.dll
2010-06-03 08:27:09 0 ----a-w- c:\documents and settings\estell warren\defogger_reenable
2010-06-02 14:25:42 0 d-sh--w- c:\windows\system32\lowsec
2010-06-02 11:56:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-01 17:07:15 0 d-----w- c:\docume~1\estell~1\applic~1\Malwarebytes
2010-06-01 17:07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-01 17:07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-01 17:07:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 17:07:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-01 14:32:37 190 --s-a-w- c:\windows\system32\1511960089.dat
2010-06-01 14:32:26 4 ----a-w- c:\docume~1\estell~1\applic~1\ovczpx.dat
2010-06-01 14:31:05 50981 ----a-w- c:\windows\system32\mxwmlagqit.exe
2010-06-01 14:30:35 124928 ----a-w- c:\windows\Wdafua.exe
2010-06-01 14:30:20 0 d-----w- c:\docume~1\estell~1\applic~1\15E6673CFD1A8472671F46B7274A6DE0
2010-05-27 12:13:47 0 d-----w- c:\program files\common files\Canon
2010-05-24 16:31:20 40633 ----a-w- c:\windows\system32\nehxyypz.exe

==================== Find3M ====================

2010-06-07 12:20:34 38912 ----a-w- c:\windows\fonts\gf5hbyDI.com
2010-05-12 10:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-31 09:03:43 112408 -c--a-w- c:\docume~1\estell~1\applic~1\GDIPFONTCACHEV1.DAT
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2007-02-01 11:59:10 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 14:44:40.35 ===============

Attached Files


Edited by flinn, 08 June 2010 - 05:18 PM.


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:48 AM

Posted 09 June 2010 - 06:34 PM

That error on startup is because that file is gone and the empty registry key pointing to it is still there.

Don't worry we can remove that easily.

First...

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 flinn

flinn
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 10 June 2010 - 11:33 AM

extremeboy...

here's the combofix log.

thanks again!

Attached Files

  • Attached File  log.txt   16.69KB   1 downloads


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:48 AM

Posted 10 June 2010 - 07:02 PM

Hello.

Quite a bit got removed, but still more to remove.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    http://www.bleepingcomputer.com/forums/t/321253/infected-by-bredolabaa/
    Collect::[68]
    c:\windows\system32\reaad.dll
    c:\windows\system32\veaad.dll
    c:\windows\system32\ieaad.exe
    RenV::
    c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
    c:\program files\AVG\AVG8\avgtray .exe
    c:\program files\Dell\Media Experience\DMXLauncher .exe
    c:\program files\Dell Support\DSAgnt .exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif .exe
    c:\program files\Java\jre6\bin\jusched .exe
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24BFF57A-25E0-46D3-AE1C-973406BB636C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{720EDB25-83C2-4C67-8D81-B793A61E8B06}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"=-
    "QuickTime Task"=-
    "skb"=-
    DDS::
    uInternet Settings,ProxyOverride =
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Refering to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".

**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.


Let me know how it goes and if the upload went successfully or not in your next reply.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 flinn

flinn
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 11 June 2010 - 08:41 AM

Upload seemed to work fine. I've attached the new log - not sure if you needed that.

Thanks again extremeboy!

Attached Files

  • Attached File  log2.txt   12.33KB   2 downloads


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:48 AM

Posted 14 June 2010 - 07:25 PM

Hello.

I apologize for the delay and to others I am helping with, I was sick recently and had some other personal work that had to be done. Sorry. sad.gif

Let's continue here...

I still see a few things we need to do here, but before we continue with that...

Please update your Malwarebytes and do a quick scan with it. Post the log once done and then...

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 flinn

flinn
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 15 June 2010 - 04:44 AM

Hi Extremeboy - hope you're feeling better!

here are my logs - still getting a few trojanhorse downloaders detected but no pop ups anymore.

thanks for all you're doing to sort this out...

MALWAREBYTES LOG:

Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mxwmlagqit (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mchk (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\nehxyypz.exe (Adware.Lifze) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mxwmlagqit.exe (Adware.Adrotator) -> Quarantined and deleted successfully.



DSS:



DDS (Ver_10-03-17.01) - NTFSx86
Run by ESTELL WARREN at 10:40:18.89 on 15/06/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1119 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Documents and Settings\ESTELL WARREN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\ESTELL WARREN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ESTELL WARREN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ESTELL WARREN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
C:\Documents and Settings\ESTELL WARREN\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.timesonline.co.uk/tol/news/
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061110
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Google Update] "c:\documents and settings\estell warren\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart17.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: landmarkinfo.co.uk
Trusted Zone: landmarkinfo.co.uk\www
Trusted Zone: promap.co.uk
Trusted Zone: promap.co.uk\www
Trusted Zone: promapserver.co.uk
Trusted Zone: promapserver.co.uk\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.bp.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {37309153-EBDD-43BC-9993-0465005041F0} - hxxp://isgplc.mybiw.com/classes/4.2.2.6/BIWViewer_40.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.bcsp-web.org/mgaxctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165415580281
DPF: {644F656A-013E-4198-BE03-1D7A4F6AB550} - hxxps://www.promapserver.co.uk/controls/latest/promap.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} - hxxp://www.emapsite.com/ecwplugins/ncs.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} - hxxps://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EE884C7D-21A0-49EA-B6F2-61ACF4E226F6} - hxxp://workspace.office.live.com/Misc/Microsoft.OfficeLive.Workspace.RichUpload.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: nbso - {DF700763-3EAD-4B64-9626-22BEEFF3EA47} - c:\windows\system32\NBSOPProt.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-26 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-28 108552]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-6-7 565248]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 297752]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-14 136176]

=============== Created Last 30 ================

2010-06-15 09:30:08 616 ----a-w- c:\windows\system\dkxd
2010-06-15 09:30:08 54016 ----a-w- c:\windows\system32\drivers\axcb.sys
2010-06-10 16:16:56 0 d-----w- c:\docume~1\estell~1\applic~1\Sky-Banners
2010-06-10 14:26:01 0 d-sha-r- C:\cmdcons
2010-06-10 14:22:02 98816 ----a-w- c:\windows\sed.exe
2010-06-10 14:22:02 77312 ----a-w- c:\windows\MBR.exe
2010-06-10 14:22:02 256512 ----a-w- c:\windows\PEV.exe
2010-06-10 14:22:02 161792 ----a-w- c:\windows\SWREG.exe
2010-06-08 10:24:53 59446 ----a-w- C:\debug
2010-06-07 12:22:32 112 ----a-w- c:\docume~1\alluse~1\applic~1\P3aK72F.dat
2010-06-04 08:12:03 0 d-----w- c:\docume~1\estell~1\applic~1\Street-Ads
2010-06-03 08:27:09 0 ----a-w- c:\documents and settings\estell warren\defogger_reenable
2010-06-02 11:56:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-01 17:07:15 0 d-----w- c:\docume~1\estell~1\applic~1\Malwarebytes
2010-06-01 17:07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-01 17:07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-01 17:07:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 17:07:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-01 14:32:26 4 ----a-w- c:\docume~1\estell~1\applic~1\ovczpx.dat
2010-05-27 12:13:47 0 d-----w- c:\program files\common files\Canon

==================== Find3M ====================

2010-05-21 13:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 12:39:27 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:56:34 1850880 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:51:20 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-16 11:43:25 634656 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-04-16 11:43:23 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2010-04-06 03:52:46 2462720 ------w- c:\windows\system32\dllcache\WMVCore.dll
2010-03-31 09:03:43 112408 -c--a-w- c:\docume~1\estell~1\applic~1\GDIPFONTCACHEV1.DAT
2007-02-01 11:59:10 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 10:40:50.09 ===============





Attached Files



#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:48 AM

Posted 17 June 2010 - 07:38 PM

Looking good. Let's update your Java and get an online scan performed.

Update Java to Version 6 Update 20

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner
    page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 flinn

flinn
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 18 June 2010 - 11:41 AM

Thanks again!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, June 18, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, June 18, 2010 04:54:23
Records in database: 4291233
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
Y:\

Scan statistics:
Objects scanned: 223397
Threats found: 14
Infected objects found: 52
Suspicious objects found: 6
Scan duration: 04:13:13


File name / Threat / Threats count
C:\Documents and Settings\ESTELL WARREN\Application Data\Sun\Java\Deployment\cache\6.0\13\5754a58d-6925e0d0 Infected: Exploit.Java.Agent.f 1
C:\Documents and Settings\ESTELL WARREN\Application Data\Sun\Java\Deployment\cache\6.0\13\5754a58d-6925e0d0 Infected: Trojan-Downloader.Java.OpenStream.af 1
C:\Documents and Settings\ESTELL WARREN\Application Data\Sun\Java\Deployment\cache\6.0\19\60e1dc13-4dce7de6 Infected: Exploit.Java.Agent.f 1
C:\Documents and Settings\ESTELL WARREN\Application Data\Sun\Java\Deployment\cache\6.0\19\60e1dc13-4dce7de6 Infected: Trojan-Downloader.Java.OpenStream.af 1
C:\Documents and Settings\ESTELL WARREN\Application Data\Thunderbird\Profiles\k6muvdcm.default\ImapMail\192.168.123.10\INBOX Suspicious: Trojan-Spy.HTML.Fraud.gen 6
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\59\126f93fb-1b143bc4 Infected: Trojan-Downloader.Java.Agent.en 3
C:\Program Files\TightVNC-unstable\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\Program Files\TightVNC-unstable\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.j 1
C:\Qoobox\Quarantine\C\Documents and Settings\ESTELL WARREN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe.vir Infected: Trojan.Win32.Powp.dff 1
C:\Qoobox\Quarantine\C\Documents and Settings\ESTELL WARREN\Start Menu\Programs\Startup\netyoz32.exe.vir Infected: Packed.Win32.Krap.ar 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe.vir Infected: Trojan.Win32.Powp.dff 1
C:\Qoobox\Quarantine\C\Program Files\Common Files\InstallShield\UpdateService\issch.exe.vir Infected: Trojan.Win32.Powp.dff 1
C:\Qoobox\Quarantine\C\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe.vir Infected: Trojan.Win32.Powp.dff 1
C:\Qoobox\Quarantine\C\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe.vir Infected: Trojan.Win32.Powp.dff 1
C:\Qoobox\Quarantine\C\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe.vir Infected: Trojan.Win32.Powp.dff 1
C:\Qoobox\Quarantine\C\Program Files\Dell\Media Experience\DMXLauncher.exe.vir Infected: Trojan.Win32.Powp.dff 1
C:\Qoobox\Quarantine\C\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe.vir Infected: Trojan.Win32.Powp.dff 1
C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jusched.exe.vir Infected: Trojan.Win32.Powp.dff 1
C:\Qoobox\Quarantine\C\Program Files\Messenger\msmsgs.exe.vir Infected: Trojan.Win32.Powp.dff 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.dff 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask.exe.vir Infected: Trojan.Win32.Powp.dff 1
C:\Qoobox\Quarantine\C\Program Files\Windows Defender\MSASCui.exe.vir Infected: Trojan.Win32.Powp.dff 1
C:\Qoobox\Quarantine\C\PROGRA~1\AVG\AVG8\avgtray.exe.vir Infected: Trojan.Win32.Powp.dff 1
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\gf5hbyDI.com.vir Infected: Trojan.Win32.Powp.bax 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ipsec.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\Qoobox\Quarantine\[68]-Submit_2010-06-11_13.26.49.zip Infected: not-a-virus:AdWare.Win32.BHO.mid 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP886\A0089164.exe Infected: Trojan.Win32.FraudPack.axhb 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP886\A0089167.exe Infected: Backdoor.Win32.DeAlfa.ww 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP890\A0095462.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP890\A0095463.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0095965.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096008.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096009.exe Infected: Packed.Win32.Krap.ar 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096010.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096011.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096012.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096013.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096014.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096015.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096016.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096017.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096018.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096019.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096020.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096021.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096022.exe Infected: Trojan.Win32.Powp.dff 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096023.com Infected: Trojan.Win32.Powp.bax 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894\A0096285.dll Infected: not-a-virus:AdWare.Win32.BHO.mid 1
Y:\useful software\tightvnc-1.3dev6-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.am 1
Y:\useful software\tightvnc-1.3dev6-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
Y:\useful software\tightvnc-1.3dev6-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.j 1

Selected area has been scanned.


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:48 AM

Posted 20 June 2010 - 11:03 AM

Hello.

Kaspersky detected mostly Combofix quarantined files and some infected system restore points, which those can be dealt with easily once we uninstall Combofix.

The other stuff are some Java caches and other stuff that we can take care of.

First, delete this file if you no longer use it: Y:\useful software\tightvnc-1.3dev6-setup.exe

Then, I suggest go empty out your Thunderbird Inbox folder as there appears to be an infected mail, but unable to locate which one. Be suspicious of ones with attachments/unknown senders.

Then...

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are recieving help.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Let's get a new scan..

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 flinn

flinn
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 09 July 2010 - 05:56 AM

Extremeboy...

Just got back from my hols. Computer seems to be running fine so I think all your help did the trick!

Here are the logs to double check,

Thanks again for all your help.


DDS (Ver_10-03-17.01) - NTFSx86
Run by ESTELL WARREN at 11:53:21.23 on 09/07/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1362 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\ESTELL WARREN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ESTELL WARREN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ESTELL WARREN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ESTELL WARREN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ESTELL WARREN\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.timesonline.co.uk/tol/news/
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0061110
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Google Update] "c:\documents and settings\estell warren\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart17.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: landmarkinfo.co.uk
Trusted Zone: landmarkinfo.co.uk\www
Trusted Zone: promap.co.uk
Trusted Zone: promap.co.uk\www
Trusted Zone: promapserver.co.uk
Trusted Zone: promapserver.co.uk\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.bp.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {37309153-EBDD-43BC-9993-0465005041F0} - hxxp://isgplc.mybiw.com/classes/4.2.2.6/BIWViewer_40.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.bcsp-web.org/mgaxctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165415580281
DPF: {644F656A-013E-4198-BE03-1D7A4F6AB550} - hxxps://www.promapserver.co.uk/controls/latest/promap.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} - hxxp://www.emapsite.com/ecwplugins/ncs.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} - hxxps://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EE884C7D-21A0-49EA-B6F2-61ACF4E226F6} - hxxp://workspace.office.live.com/Misc/Microsoft.OfficeLive.Workspace.RichUpload.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: nbso - {DF700763-3EAD-4B64-9626-22BEEFF3EA47} - c:\windows\system32\NBSOPProt.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-25 165456]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-11 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-25 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-25 40384]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-25 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-25 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-14 136176]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

=============== Created Last 30 ================

2010-06-30 10:10:48 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-06-30 10:10:48 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-06-30 08:04:26 38848 ----a-w- c:\windows\avastSS.scr
2010-06-29 15:04:48 0 d-----w- c:\docume~1\estell~1\applic~1\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-06-28 15:00:05 0 d-----w- c:\docume~1\alluse~1\applic~1\regid.1986-12.com.adobe
2010-06-28 10:45:22 0 d-----w- c:\program files\common files\Akamai
2010-06-25 12:53:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-18 08:44:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-17 09:35:11 0 d-----w- c:\windows\system32\scripting
2010-06-17 09:35:11 0 d-----w- c:\windows\system32\en
2010-06-17 09:35:11 0 d-----w- c:\windows\system32\bits
2010-06-17 09:35:11 0 d-----w- c:\windows\l2schemas
2010-06-17 09:21:41 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-10 16:16:56 0 d-----w- c:\docume~1\estell~1\applic~1\Sky-Banners
2010-06-10 14:26:01 0 d-sha-r- C:\cmdcons
2010-06-10 14:22:02 98816 ----a-w- c:\windows\sed.exe
2010-06-10 14:22:02 77312 ----a-w- c:\windows\MBR.exe
2010-06-10 14:22:02 256512 ----a-w- c:\windows\PEV.exe
2010-06-10 14:22:02 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-06-08 21:22:16 112 ----a-w- c:\docume~1\alluse~1\applic~1\P3aK72F.dat
2010-06-01 14:32:26 4 ----a-w- c:\docume~1\estell~1\applic~1\ovczpx.dat
2010-05-21 13:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 12:39:27 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:51:20 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-16 11:43:25 634656 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-04-16 11:43:23 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2007-02-01 11:59:10 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 11:54:01.40 ===============

Attached Files



#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:48 AM

Posted 10 July 2010 - 11:12 AM

That looks good. smile.gif

Let's wrap up here.

Please follow/read the steps below to remove the tools we used and for some more information. smile.gif


Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything assoicated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Congratulations! You now appear clean! specool.gif

Now that you are clean, please follow and read some of the prevention tips >over here<. Is your system a bit slow? If so, try some of the points and things suggested here.

If you would like, visit my http://computermalwaresecurity.blogspot.com/ and Subscribe/Follow along.


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 flinn

flinn
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 28 July 2010 - 06:05 AM

Thank you very much!

This can be closed now. Thanks again for all your help.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users