
After removal of AntiSpyware Soft


41 replies to this topic

#1 dtjones

  • Members
  • 20 posts

Posted 08 June 2010 - 03:05 PM

Following the instructions for MalwareBytes, I was able to boot in Safe Mode, go to the internet to access the downloads needed, and run the MalwareBytes program to remove AntiSpyware Soft. After MalwareBytes was done, I shut down the computer. When rebooted the next day, the computer cannot access the internet. The LAN connection icon shows that no connection is available. The modem and connections have not been changed. I obtained the DDS log but could not obtain the GMER log, even in Safe Mode. While trying to obtain the GMER log, after scanning for at least 30 minutes, the computer gave the following message:

"A problem has been detected and windows has been shut down to prevent damage to your computer. The problem seems to be caused by the following file: kwloapog.sys PAGE_FAULT_IN_NONPAGED_AREA If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps: Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows updates you might need. If problems continue, disable or remove any newly installed hardware or software; Disable BIOS memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select advanced start up options, and then select safe mode. Technical information: STOP: 0x00000050 (0xF9CAF000, 0x00000000, 0XF7883FEC, 0x00000000) kwloapog.sys Address F7883FEC base at F7883000, Date Stamp 4b274f8d Beginning dump of physical memory Physical memory dump complete. Contact your system administrator or tech support group for further assistance."


DDS (Ver_10-03-17.01) - NTFSx86
Run by Douglas at 22:27:19.18 on Mon 06/07/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.21 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\WINDOWS\surfmonkey\smproxy.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PhoTags Express\Photags AutoDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Cobian Backup 9\Cobian.exe
C:\WINDOWS\system32\rundll32.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://start.earthlink.net
uSearch Bar = hxxp://start.earthlink.net/AL/Search
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://websearch.drsnsrch.com/sidesearch.cgi?id=
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://start.earthlink.net/AL/Search
mCustomizeSearch = hxxp://websearch.drsnsrch.com/sidesearch.cgi?id=
uURLSearchHooks: H - No File
uURLSearchHooks: SrchHook Class: {44f9b173-041c-4825-a9b9-d914bd9dcbb3} - c:\program files\earthlink totalaccess\ElnIE.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mWinlogon: Shell=Explorer.exe
BHO: SOFTWARE - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {3E91BE98-614B-4D5F-AE2D-27C73BFA10BA} - No File
BHO: {425B06BD-14A7-4371-AB3D-953F10700E8E} - No File
BHO: ElnkPubBHO Class: {512acf1b-64d9-4928-b382-a80556f28db4} - c:\program files\earthlink totalaccess\toolbar\ElnkPub.dll
BHO: {5E36F443-0EFE-4D8E-9B67-C0ABE7F403D6} - No File
BHO: IE_PopupBlocker Class: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\program files\earthlink totalaccess\accelerator\prpl_IePopupBlocker.dll
BHO: {6B06E2D0-563D-4560-A3D6-EFCFA51C1775} - No File
BHO: {715F39FD-E90F-474C-A7B2-4C5AF2DB3046} - No File
BHO: {73267E03-FB6D-49C5-9FEC-CFB2170E7D51} - No File
BHO: {7AFC5A4F-D9CE-459F-9530-B9BA32F35513} - No File
BHO: {87C52D1C-BF13-4E95-92C6-ADD8035D717B} - No File
BHO: {885ED447-D3FE-42F4-A879-99015FBBBB45} - No File
BHO: {8BE156C4-91DA-4B50-90E3-CB6FB515E528} - No File
BHO: {9212CD4A-71DE-4891-B806-68C22B78B374} - No File
BHO: ElnkProtectionBHO Class: {9579d574-d4d8-4335-9560-fe8641a013bd} - c:\program files\earthlink totalaccess\toolbar\ProtctIE.dll
BHO: {9907E5AD-646D-48DA-940B-FCB575B8E0DF} - No File
BHO: {992D481C-1BF0-47BB-8237-E48D2E51AF5F} - No File
BHO: {9AFCDA7D-BB7E-448F-B6CA-EC00148AABA7} - No File
BHO: {9E625719-0A17-4A64-B774-3F506CEB2D3C} - No File
BHO: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
BHO: {A18EFFE1-1381-4379-BA8A-82FD3ED56155} - No File
BHO: {A2130036-33C2-4A05-A6BA-9BC8F1540978} - No File
BHO: {A350103D-8325-4C8D-AFDD-501B30692C58} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: {ADFC7678-8E00-4191-99E4-565E29DF8A4B} - No File
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: {B494EF83-611F-4B90-AE4F-D249778246FD} - No File
BHO: {B969096C-3F99-4FF1-898F-488610CF99A8} - No File
BHO: {C04EE4EB-6988-4CED-9925-9800C1DE3ADB} - No File
BHO: {D50B4A53-BD10-40E2-8ECF-269AB948047E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E29CD5B7-5987-49CB-98F6-A253F6E759EF} - No File
BHO: ElnkLegacyUninstBHO Class: {e713904c-df05-4c79-bbad-02db923253be} - c:\program files\earthlink totalaccess\toolbar\uninsttb.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {EAA0F98E-106F-4758-B609-46F80D04D858} - No File
BHO: {F7FA130C-DE42-4F1B-89F2-936E90BBAAFB} - No File
BHO: {FD3FA2B9-33C2-4FB2-92FF-9000C8F601A2} - No File
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: {D9227A5A-4E53-C5D1-BEB8-75AE0AA9F2B3} - No File
TB: {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - No File
TB: {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - No File
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: {7FD44536-9DF0-4034-939F-5BD4D98E3187} - No File
TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: EarthLink Toolbar: {c7768536-96f8-4001-b1a2-90ee21279187} - c:\program files\earthlink totalaccess\toolbar\Toolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: MoneySide: {9404901d-06da-4b23-a0ee-3ea4f64ec9b3} - c:\program files\microsoft money\system\mnyviewer.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [LXSUPMON] c:\windows\system32\LXSUPMON.EXE RUN
mRun: [LVCOMSX] "c:\program files\common files\logitech\lcommgr\LVComSX.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logitech\lcommgr\Communications_Helper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
mRun: [ELNKProxy] c:\windows\surfmonkey\smproxy.exe
mRun: [ConMgr.exe] "c:\program files\earthlink 5.0\ConMgr.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bounce~1.lnk - c:\program files\cms peripherals\bounceback express\BBLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photag~1.lnk - c:\program files\photags express\Photags AutoDetect.exe
mPolicies-explorer: <NO NAME> =
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: EarthLink Google Search - c:\program files\earthlink totalaccess\toolbar\SearchUI.dll/search.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
LSP: c:\windows\system32\lsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.38.38/ttinst.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\earthlink totalaccess\wengine\wmonitor.exe [2005-1-26 65604]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-10-6 609792]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-10-6 609792]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2007-5-8 14976]
S2 SvcProc;System Startup Service ; [x]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-1 17536]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-06-08 02:23:28 0 ----a-w- c:\documents and settings\douglas\defogger_reenable
2010-06-08 02:02:27 0 d-----w- c:\program files\Cobian Backup 9
2010-06-06 16:33:57 0 d-----w- c:\program files\common files\SupportSoft
2010-06-05 18:47:12 135168 ----a-r- c:\windows\system32\WestCoIn.dll
2010-06-03 03:04:19 54016 ----a-w- c:\windows\system32\drivers\fimwpdm.sys
2010-06-03 01:06:44 0 d-----w- c:\docume~1\douglas\applic~1\Malwarebytes
2010-06-03 01:06:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-03 01:06:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-03 01:06:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 01:06:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-05-26 22:10:35 42 ----a-w- c:\documents and settings\douglas\jagex_runescape_preferences.dat
2010-05-26 22:10:07 81 ----a-w- c:\documents and settings\douglas\jagex_runescape_preferences2.dat
2010-04-24 15:15:17 0 ----a-w- c:\documents and settings\douglas\jagex__preferences3.dat
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-01-13 19:41:40 10024504 ------w- c:\program files\picasa3-setup.exe
2001-08-22 17:15:48 245760 ------w- c:\windows\inf\i386\viceo.dll
2001-08-22 17:13:38 32768 ------w- c:\windows\inf\i386\Pmicro.dll
2001-08-22 17:13:30 61440 ------w- c:\windows\inf\i386\gl.dll
2001-08-03 22:29:18 13824 ------w- c:\windows\inf\i386\Usbscan.sys
1999-07-19 01:05:04 15716 ------w- c:\windows\inf\i386\Pmxscan.sys
2009-01-26 04:35:29 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012520090126\index.dat

============= FINISH: 22:28:19.87 ===============
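A triage pass over DDS "Pseudo HJT" and service lines of the kind shown in the log above, as an added example that is neither the poster's nor the DDS/ComboFix authors' code. The sample lines are constructed from entries in this log (the proxy at 127.0.0.1:5555, the lsp.dll LSP, the SvcProc service with no image file, the NOTEPAD file associations) plus one benign driver line as a control, and the severity labels are my own assumptions.

```python
"""Triage of DDS 'Pseudo HJT Report' lines for leftovers that break networking.
Added example, not code from the thread, from DDS or from ComboFix: it flags a
proxy pointing at loopback, a Winsock LSP, a service with no image file ([x]),
orphaned BHO/toolbar entries and non-default script-file handlers."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log in the thread plus one
# benign driver line (BW2NDIS5) as a control that must not be flagged.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mWinlogon: Shell=Explorer.exe
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {3E91BE98-614B-4D5F-AE2D-27C73BFA10BA} - No File
LSP: c:\windows\system32\lsp.dll
S2 SvcProc;System Startup Service ; [x]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-1 17536]
JSEFile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
# DDS lists only associations that differ from the Windows default; these are
# the script/registry types that malware (and some hardening guides) redirect.
SCRIPT_TYPES = {"jsfile", "jsefile", "vbsfile", "vbefile", "wsffile",
                "regfile", "scrfile", "batfile", "exefile", "comfile"}
SERVICE_RE = re.compile(r"^[RS][0-4] ([^;]+);([^;]*);(.*)$")  # "S2 name;display;image"
ASSOC_RE = re.compile(r"^(\w+)=(.+)$")                       # "JSEFile=NOTEPAD.EXE %1"


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"; the scale is my own assumption
    line: str
    reason: str


def parse_proxy(value):
    """Split an IE ProxyServer value ('http=127.0.0.1:5555;ftp=host' or a plain
    'host:port') into (scheme, host, port) tuples; scheme '*' means all."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:  # no port given
            host, port = hostport, ""
        entries.append((scheme or "*", host, port))
    return entries


def triage(log_text):
    """Return Finding objects for suspicious Pseudo HJT lines, worst first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "Settings,ProxyServer" in line:
            for scheme, host, port in parse_proxy(line.partition("=")[2]):
                if host.lower() in LOOPBACK_HOSTS:
                    findings.append(Finding("high", line, f"{scheme} proxy points at "
                        f"loopback port {port or '?'}: once the local listener is gone, "
                        "browsing fails until the proxy setting is cleared"))
                else:
                    findings.append(Finding("medium", line,
                        f"{scheme} proxy set to {host}: confirm the user configured it"))
        elif line.startswith("LSP:"):
            findings.append(Finding("medium", line, "Winsock LSP registered: verify "
                "the DLL's vendor; an LSP removed without repairing the chain breaks networking"))
        elif (m := SERVICE_RE.match(line)):
            name, _, image = m.groups()
            if image.strip().startswith("[x]"):
                findings.append(Finding("medium", line,
                    f"service {name.strip()} has no image file: stale or half-removed entry"))
        elif line.startswith(("BHO:", "TB:", "EB:")) and line.endswith("No File"):
            findings.append(Finding("low", line, "orphaned registration"))
        elif (m := ASSOC_RE.match(line)) and m.group(1).lower() in SCRIPT_TYPES:
            ftype, handler = m.groups()
            if handler.upper().startswith("NOTEPAD"):
                findings.append(Finding("low", line,
                    f"{ftype} opens in Notepad: often deliberate hardening, confirm"))
            else:
                findings.append(Finding("medium", line,
                    f"{ftype} has a non-default handler: {handler}"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The one high finding is consistent with the symptom in the first post: a browser proxy still pointing at 127.0.0.1:5555 after the local listener was removed leaves the machine with no working route to the web until that setting is cleared in Internet Options.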



#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 11 June 2010 - 05:29 PM

Hello dtjones

Welcome to BleepingComputer
========================

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 dtjones
  • Topic Starter

  • Members
  • 20 posts

Posted 16 June 2010 - 11:43 AM

I ran ComboFix as you suggested, however the Microsoft Windows Recovery Console was not available and I do not have Internet Access. I do have the original disc for XP Professional, so perhaps I can load the recovery console, assuming it is on the disc, if you think it would be helpful. The results of running the ComboFix without the recovery console are listed immediately below.


ComboFix 10-06-14.03 - Douglas 06/15/2010 23:07:38.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.192 [GMT -4:00]
Running from: c:\documents and settings\Douglas\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Matthew\Local Settings\Temporary Internet Files\Tvm.log
c:\program files\MBKWBar
c:\windows\Debug\dcpromo.log
c:\windows\system32\Data
c:\windows\system32\fonts
c:\windows\system32\fonts\ACADEMY_.PFB
c:\windows\system32\fonts\ACADEMY_.PFM
c:\windows\system32\fonts\ACADEMY_.TTF
c:\windows\system32\SHELLLNK.TLB
c:\windows\system32\thinInstOIT61MegaV2s.dlltmp
c:\windows\system32\twain.dll
c:\windows\winhelp.ini
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ISEXENG
-------\Legacy_SVCPROC
-------\Legacy_ZESOFT
-------\Service_SvcProc


((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))
.

2010-06-13 16:15 . 2010-06-13 16:19 -------- d-----w- c:\documents and settings\Douglas\Application Data\MSN6
2010-06-13 16:15 . 2010-06-13 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2010-06-13 02:54 . 2010-06-13 02:54 -------- d-----w- c:\program files\Common Files\SupportSoft
2010-06-12 03:30 . 2010-06-12 03:30 -------- d-----w- c:\program files\Runtime Software
2010-06-12 02:16 . 2010-06-13 02:54 -------- d-----w- c:\program files\Cobian Backup 7
2010-06-08 02:02 . 2010-06-13 02:54 -------- d-----w- c:\program files\Cobian Backup 9
2010-06-05 18:47 . 2008-03-14 16:04 135168 ----a-r- c:\windows\system32\WestCoIn.dll
2010-06-03 03:04 . 2010-06-03 03:04 54016 ----a-w- c:\windows\system32\drivers\fimwpdm.sys
2010-06-03 01:06 . 2010-06-03 01:06 -------- d-----w- c:\documents and settings\Douglas\Application Data\Malwarebytes
2010-06-03 01:06 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-03 01:06 . 2010-06-03 01:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 01:06 . 2010-06-03 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-03 01:06 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-02 01:19 . 2010-06-03 03:01 -------- d-----w- c:\documents and settings\Douglas\Local Settings\Application Data\yjuxmxgbf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-16 03:49 . 2009-01-08 18:47 -------- d-----w- c:\documents and settings\Douglas\Application Data\Skype
2010-06-16 02:20 . 2009-01-08 18:52 -------- d-----w- c:\documents and settings\Douglas\Application Data\skypePM
2010-06-13 02:54 . 2009-10-06 16:24 -------- d-----w- c:\documents and settings\Douglas\Application Data\iolo
2010-06-13 02:54 . 2007-06-14 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-06 21:25 . 2009-10-06 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2010-06-06 20:25 . 2010-06-06 20:25 1531 ------w- c:\documents and settings\Douglas\Application Data\iolo\restore.bat
2010-06-06 20:22 . 2008-11-16 23:32 -------- d-----w- c:\documents and settings\Douglas\Application Data\verizon_broad
2010-06-06 20:22 . 2008-11-16 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2010-06-06 20:22 . 2003-07-30 06:38 -------- d-----w- c:\program files\EarthLink 5.0
2010-06-06 20:22 . 2005-03-01 16:22 -------- d-----w- c:\program files\eMedia Piano and Keyboard Method
2010-06-06 20:22 . 2003-08-16 18:30 -------- d-----w- c:\program files\LEGO Island
2010-06-05 01:58 . 2007-06-14 18:22 -------- d-----w- c:\program files\McAfee
2010-06-04 03:18 . 2004-06-27 15:50 -------- d-----w- c:\program files\NoAdware
2010-06-04 02:49 . 2009-12-14 01:38 -------- d-----w- c:\program files\McAfee Security Scan
2010-05-31 21:11 . 2010-03-15 21:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-26 22:10 . 2010-04-24 15:13 42 ------w- c:\documents and settings\Douglas\jagex_runescape_preferences.dat
2010-05-26 22:10 . 2010-04-24 15:15 81 ------w- c:\documents and settings\Douglas\jagex_runescape_preferences2.dat
2010-05-24 21:43 . 2010-05-24 21:43 503808 ------w- c:\documents and settings\Douglas\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-33dabe8c-n\msvcp71.dll
2010-05-24 21:43 . 2010-05-24 21:43 499712 ------w- c:\documents and settings\Douglas\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-33dabe8c-n\jmc.dll
2010-05-24 21:43 . 2010-05-24 21:43 348160 ------w- c:\documents and settings\Douglas\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-33dabe8c-n\msvcr71.dll
2010-05-24 21:42 . 2010-05-24 21:42 61440 ------w- c:\documents and settings\Douglas\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-68d81a61-n\decora-sse.dll
2010-05-24 21:42 . 2010-05-24 21:42 12800 ------w- c:\documents and settings\Douglas\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-68d81a61-n\decora-d3d.dll
2010-05-16 04:07 . 2008-09-22 23:58 -------- d-----w- c:\documents and settings\Douglas\Application Data\U3
2010-05-09 21:49 . 2009-01-08 15:41 -------- d-----w- c:\program files\PhoTags Express
2010-05-02 17:30 . 2009-09-05 13:56 -------- d-----w- c:\documents and settings\Douglas\Application Data\AdobeUM
2010-04-24 15:15 . 2010-04-24 15:15 0 ------w- c:\documents and settings\Douglas\jagex__preferences3.dat
2010-04-24 12:54 . 2005-09-11 20:25 -------- d-----w- c:\program files\Common Files\EarthLink
2010-04-18 01:32 . 2008-11-16 23:06 -------- d-----w- c:\program files\Verizon
2009-01-13 19:41 . 2009-01-13 19:41 10024504 ------w- c:\program files\picasa3-setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-12-05 21:20 333192 ------w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-05 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-05 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-20 68856]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-14 4493312]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"LXSUPMON"="c:\windows\System32\LXSUPMON.EXE" [2001-10-01 818688]
"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-11-16 244512]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-11-16 746520]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-10-31 284184]
"EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"ELNKProxy"="c:\windows\surfmonkey\smproxy.exe" [2004-06-19 385024]
"ConMgr.exe"="c:\program files\EarthLink 5.0\ConMgr.exe" [2002-01-04 290816]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]

c:\documents and settings\Matthew\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-4-22 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BounceBack Launcher.lnk - c:\program files\CMS Peripherals\BounceBack Express\BBLauncher.exe [2007-5-8 98304]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-7-30 24576]
Photags AutoDetect.lnk - c:\program files\PhoTags Express\Photags AutoDetect.exe [2009-1-8 368640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=usbmn1x1.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\surfmonkey\\SMProxy.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [10/6/2009 12:36 PM 609792]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [10/6/2009 12:36 PM 609792]
R2 portD;CMS PortIO Service;c:\windows\SYSTEM32\DRIVERS\portd2k.sys [5/8/2007 12:18 PM 14976]
S3 BW2NDIS5;BW2NDIS5;c:\windows\SYSTEM32\DRIVERS\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: c:\windows\system32\lsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

BHO-{3E91BE98-614B-4D5F-AE2D-27C73BFA10BA} - (no file)
BHO-{425B06BD-14A7-4371-AB3D-953F10700E8E} - (no file)
BHO-{5E36F443-0EFE-4D8E-9B67-C0ABE7F403D6} - (no file)
BHO-{6B06E2D0-563D-4560-A3D6-EFCFA51C1775} - (no file)
BHO-{715F39FD-E90F-474C-A7B2-4C5AF2DB3046} - (no file)
BHO-{73267E03-FB6D-49C5-9FEC-CFB2170E7D51} - (no file)
BHO-{7AFC5A4F-D9CE-459F-9530-B9BA32F35513} - (no file)
BHO-{87C52D1C-BF13-4E95-92C6-ADD8035D717B} - (no file)
BHO-{885ED447-D3FE-42F4-A879-99015FBBBB45} - (no file)
BHO-{8BE156C4-91DA-4B50-90E3-CB6FB515E528} - (no file)
BHO-{9212CD4A-71DE-4891-B806-68C22B78B374} - (no file)
BHO-{9907E5AD-646D-48DA-940B-FCB575B8E0DF} - (no file)
BHO-{992D481C-1BF0-47BB-8237-E48D2E51AF5F} - (no file)
BHO-{9AFCDA7D-BB7E-448F-B6CA-EC00148AABA7} - (no file)
BHO-{9E625719-0A17-4A64-B774-3F506CEB2D3C} - (no file)
BHO-{A18EFFE1-1381-4379-BA8A-82FD3ED56155} - (no file)
BHO-{A2130036-33C2-4A05-A6BA-9BC8F1540978} - (no file)
BHO-{A350103D-8325-4C8D-AFDD-501B30692C58} - (no file)
BHO-{ADFC7678-8E00-4191-99E4-565E29DF8A4B} - (no file)
BHO-{B494EF83-611F-4B90-AE4F-D249778246FD} - (no file)
BHO-{B969096C-3F99-4FF1-898F-488610CF99A8} - (no file)
BHO-{C04EE4EB-6988-4CED-9925-9800C1DE3ADB} - (no file)
BHO-{D50B4A53-BD10-40E2-8ECF-269AB948047E} - (no file)
BHO-{E29CD5B7-5987-49CB-98F6-A253F6E759EF} - (no file)
BHO-{EAA0F98E-106F-4758-B609-46F80D04D858} - (no file)
BHO-{F7FA130C-DE42-4F1B-89F2-936E90BBAAFB} - (no file)
BHO-{FD3FA2B9-33C2-4FB2-92FF-9000C8F601A2} - (no file)
Toolbar-{D9227A5A-4E53-C5D1-BEB8-75AE0AA9F2B3} - (no file)
AddRemove-Scooby-Doo™, Jinx At The Sphinx™ - c:\program files\The Learning Company\Scooby-Doo™



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-15 23:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5072)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\program files\Skype\Phone\Skype.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-06-15 23:59:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-16 03:58

Pre-Run: 28,642,029,568 bytes free
Post-Run: 28,728,975,360 bytes free

- - End Of File - - B1B5F3ED89CDA42881D22FE56B016012





#4 kahdah (Security Colleague)

Posted 16 June 2010 - 01:15 PM

1. Please open Notepad
  • Click Start, then Run.
  • Type notepad in the Run box, then click OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

File::
c:\documents and settings\Matthew\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
=============
Please do not PM for help; post it in the forums instead.

If I am helping you and have not responded for 48 hours, please send me a PM, as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#5 dtjones (Topic Starter)

Posted 17 June 2010 - 11:35 PM

Thank you for your help. I followed your directions. The Combofix.txt follows:




ComboFix 10-06-14.03 - Douglas 06/17/2010 23:53:08.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.189 [GMT -4:00]
Running from: c:\documents and settings\Douglas\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Douglas\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\documents and settings\Matthew\Start Menu\Programs\Startup\"
.

((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))
.

2010-06-13 16:15 . 2010-06-13 16:19 -------- d-----w- c:\documents and settings\Douglas\Application Data\MSN6
2010-06-13 16:15 . 2010-06-13 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2010-06-13 02:54 . 2010-06-13 02:54 -------- d-----w- c:\program files\Common Files\SupportSoft
2010-06-12 03:30 . 2010-06-12 03:30 -------- d-----w- c:\program files\Runtime Software
2010-06-12 02:16 . 2010-06-13 02:54 -------- d-----w- c:\program files\Cobian Backup 7
2010-06-08 02:02 . 2010-06-13 02:54 -------- d-----w- c:\program files\Cobian Backup 9
2010-06-05 18:47 . 2008-03-14 16:04 135168 ----a-r- c:\windows\system32\WestCoIn.dll
2010-06-03 03:04 . 2010-06-03 03:04 54016 ----a-w- c:\windows\system32\drivers\fimwpdm.sys
2010-06-03 01:06 . 2010-06-03 01:06 -------- d-----w- c:\documents and settings\Douglas\Application Data\Malwarebytes
2010-06-03 01:06 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-03 01:06 . 2010-06-03 01:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 01:06 . 2010-06-03 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-03 01:06 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-02 01:19 . 2010-06-03 03:01 -------- d-----w- c:\documents and settings\Douglas\Local Settings\Application Data\yjuxmxgbf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-18 04:07 . 2009-01-08 18:52 -------- d-----w- c:\documents and settings\Douglas\Application Data\skypePM
2010-06-18 03:17 . 2009-01-08 18:47 -------- d-----w- c:\documents and settings\Douglas\Application Data\Skype
2010-06-13 02:54 . 2009-10-06 16:24 -------- d-----w- c:\documents and settings\Douglas\Application Data\iolo
2010-06-13 02:54 . 2007-06-14 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-06 21:25 . 2009-10-06 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2010-06-06 20:25 . 2010-06-06 20:25 1531 ------w- c:\documents and settings\Douglas\Application Data\iolo\restore.bat
2010-06-06 20:22 . 2008-11-16 23:32 -------- d-----w- c:\documents and settings\Douglas\Application Data\verizon_broad
2010-06-06 20:22 . 2008-11-16 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2010-06-06 20:22 . 2003-07-30 06:38 -------- d-----w- c:\program files\EarthLink 5.0
2010-06-06 20:22 . 2005-03-01 16:22 -------- d-----w- c:\program files\eMedia Piano and Keyboard Method
2010-06-06 20:22 . 2003-08-16 18:30 -------- d-----w- c:\program files\LEGO Island
2010-06-05 01:58 . 2007-06-14 18:22 -------- d-----w- c:\program files\McAfee
2010-06-04 03:18 . 2004-06-27 15:50 -------- d-----w- c:\program files\NoAdware
2010-06-04 02:49 . 2009-12-14 01:38 -------- d-----w- c:\program files\McAfee Security Scan
2010-05-31 21:11 . 2010-03-15 21:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-26 22:10 . 2010-04-24 15:13 42 ------w- c:\documents and settings\Douglas\jagex_runescape_preferences.dat
2010-05-26 22:10 . 2010-04-24 15:15 81 ------w- c:\documents and settings\Douglas\jagex_runescape_preferences2.dat
2010-05-24 21:43 . 2010-05-24 21:43 503808 ------w- c:\documents and settings\Douglas\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-33dabe8c-n\msvcp71.dll
2010-05-24 21:43 . 2010-05-24 21:43 499712 ------w- c:\documents and settings\Douglas\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-33dabe8c-n\jmc.dll
2010-05-24 21:43 . 2010-05-24 21:43 348160 ------w- c:\documents and settings\Douglas\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-33dabe8c-n\msvcr71.dll
2010-05-24 21:42 . 2010-05-24 21:42 61440 ------w- c:\documents and settings\Douglas\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-68d81a61-n\decora-sse.dll
2010-05-24 21:42 . 2010-05-24 21:42 12800 ------w- c:\documents and settings\Douglas\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-68d81a61-n\decora-d3d.dll
2010-05-16 04:07 . 2008-09-22 23:58 -------- d-----w- c:\documents and settings\Douglas\Application Data\U3
2010-05-09 21:49 . 2009-01-08 15:41 -------- d-----w- c:\program files\PhoTags Express
2010-05-02 17:30 . 2009-09-05 13:56 -------- d-----w- c:\documents and settings\Douglas\Application Data\AdobeUM
2010-04-24 15:15 . 2010-04-24 15:15 0 ------w- c:\documents and settings\Douglas\jagex__preferences3.dat
2010-04-24 12:54 . 2005-09-11 20:25 -------- d-----w- c:\program files\Common Files\EarthLink
2009-01-13 19:41 . 2009-01-13 19:41 10024504 ------w- c:\program files\picasa3-setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-12-05 21:20 333192 ------w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-05 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-05 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-20 68856]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-14 4493312]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"LXSUPMON"="c:\windows\System32\LXSUPMON.EXE" [2001-10-01 818688]
"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-11-16 244512]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-11-16 746520]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-10-31 284184]
"EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"ELNKProxy"="c:\windows\surfmonkey\smproxy.exe" [2004-06-19 385024]
"ConMgr.exe"="c:\program files\EarthLink 5.0\ConMgr.exe" [2002-01-04 290816]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]

c:\documents and settings\Matthew\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-4-22 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BounceBack Launcher.lnk - c:\program files\CMS Peripherals\BounceBack Express\BBLauncher.exe [2007-5-8 98304]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-7-30 24576]
Photags AutoDetect.lnk - c:\program files\PhoTags Express\Photags AutoDetect.exe [2009-1-8 368640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=usbmn1x1.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\surfmonkey\\SMProxy.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [10/6/2009 12:36 PM 609792]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [10/6/2009 12:36 PM 609792]
R2 portD;CMS PortIO Service;c:\windows\SYSTEM32\DRIVERS\portd2k.sys [5/8/2007 12:18 PM 14976]
S3 BW2NDIS5;BW2NDIS5;c:\windows\SYSTEM32\DRIVERS\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: c:\windows\system32\lsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-18 00:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1040)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-18 00:17:39
ComboFix-quarantined-files.txt 2010-06-18 04:17
ComboFix2.txt 2010-06-16 03:59

Pre-Run: 28,747,919,360 bytes free
Post-Run: 28,729,008,128 bytes free

- - End Of File - - AE72C238B76E846150D85553C66C94DC


#6 kahdah (Security Colleague)

Posted 18 June 2010 - 06:46 AM

You should be able to get online now; let me know if you cannot.
========================
I will need you to show hidden files\folders.
To do this:
    *Click Start.
    *Open My Computer.
    *Select the Tools menu and click Folder Options.
    *Select the View Tab.
    *Under the Hidden files and folders heading select Show hidden files and folders.
    *Uncheck the Hide protected operating system files (recommended) option.
    *Click Yes to confirm.
    *Click OK

After that, using Windows Explorer (to get there, right-click your Start button and go to "Explore"), delete the folders/files listed below:

c:\documents and settings\Douglas\Local Settings\Application Data\yjuxmxgbf
c:\documents and settings\Matthew\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
Now close Windows Explorer.

Now reset your hidden files\folders to hidden.
To do this:
    *Click Start.
    *Open My Computer.
    *Select the Tools menu and click Folder Options.
    *Select the View Tab.
    *Under the Hidden files and folders heading select Do not Show hidden files and folders.
    *Check the Hide protected operating system files (recommended) option.
    *Click Yes to confirm.
    *Click OK
==================
Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
================Update\Run===================
Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#7 dtjones (Topic Starter)

Posted 22 June 2010 - 02:21 PM

I still cannot connect to the internet. I went ahead and ran MBAM again, but I could not download updates. Below is the text file from the run:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4165

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/21/2010 11:17:45 PM
mbam-log-2010-06-21 (23-17-45).txt

Scan type: Quick scan
Objects scanned: 172654
Time elapsed: 10 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks again for your help.

#8 kahdah (Security Colleague)

Posted 22 June 2010 - 05:53 PM

Hi, can you get online at this moment?

#9 dtjones (Topic Starter)

Posted 24 June 2010 - 12:10 AM

No, I cannot connect.

#10 kahdah (Security Colleague)

Posted 24 June 2010 - 06:28 AM

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  1. Please download LSPFix from here.
  2. Run the LSPFix.exe that you have just finished downloading.
  3. Check the I know what I'm doing box.
  4. In the Keep box you should see one or more instances of lsp.dll.
  5. Select every instance of lsp.dll and move each one to the Remove box by clicking the >> button.
  6. When you are done click Finish>>.
=========
Then update MBAM and see if you can get online.
You may have to reboot for the changes to take effect.

Edited by kahdah, 24 June 2010 - 06:29 AM.


#11 dtjones (Topic Starter)

Posted 29 June 2010 - 10:40 PM

I ran LSPfix.exe. lsp.dll did not appear in the "keep" box. It appeared once in the "Remove" box, so I just clicked "Finish" and rebooted. I could not update mbam because I could not connect to the internet. After rebooting, still cannot connect to the internet.

#12 kahdah (Security Colleague)

Posted 30 June 2010 - 06:57 AM

Please go to Start > Run and type in Notepad.
Copy what is in the code box below into the open Notepad window.
Change the "Save As Type" to "All Files". Save it as ip.bat on your Desktop.
CODE
@Echo off
ipconfig /all >log.txt
notepad log.txt
del %0
exit

Then please double-click on ip.bat; a window will open and close quickly. This is normal.
Post the contents of the log that opens, please.

#13 dtjones (Topic Starter)

Posted 30 June 2010 - 10:16 PM

Contents of log:




Windows IP Configuration

Host Name . . . . . . . . . . . . : D5CSB631
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-07-E9-64-D4-B5
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Autoconfiguration IP Address. . . : 169.254.94.233
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
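The three artifacts this thread turns on can be checked mechanically: the loopback proxy that the CFScript in post #4 removes, the third-party Winsock LSP that post #10 has LSPFix take out of the chain, and the 169.254.x.x autoconfiguration address with no default gateway in the ipconfig output above, which means the adapter sent DHCP requests and nothing answered (a link or DHCP problem, not malware). The following is an added example, not code from the thread or from ComboFix, DDS, MBAM or LSPFix. It assumes the DDS-style "uInternet Settings" and "LSP:" line formats as they appear in the ComboFix logs above and the XP-era `ipconfig /all` layout; both sample inputs are constructed from values posted in the thread.

```python
"""Triage of the connectivity-loss artifacts seen in this thread (added example,
not part of the thread or of ComboFix, DDS, MBAM or LSPFix).  Parses DDS-style
"uInternet Settings" / "LSP:" lines and XP-era `ipconfig /all` output."""
import ipaddress
import re

# Link-local range Windows self-assigns (APIPA) when no DHCP server answers.
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample: the lines the CFScript in post #4 targeted, plus the LSP
# line from the ComboFix log.
DDS_SAMPLE = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
LSP: c:\windows\system32\lsp.dll
"""

# Constructed sample: the ipconfig /all output from reply #13, values as posted.
IPCONFIG_SAMPLE = r"""
Windows IP Configuration

Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-07-E9-64-D4-B5
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration IP Address. . . : 169.254.94.233
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
"""


def parse_dds_settings(text):
    """Return (proxy_server_value, [lsp_paths]) from DDS-style log lines."""
    proxy, lsps = None, []
    for line in text.splitlines():
        m = re.match(r"[um]Internet Settings,ProxyServer\s*=\s*(.+)$", line)
        if m:
            proxy = m.group(1).strip()
        m = re.match(r"LSP:\s*(.+)$", line)
        if m:
            lsps.append(m.group(1).strip())
    return proxy, lsps


def proxy_points_to_localhost(proxy):
    """True if any entry of a ProxyServer value ("[scheme=]host:port;...") names
    loopback.  A program that relayed browser traffic through itself leaves this
    behind when removed: nothing listens there any more, so requests fail."""
    if not proxy:
        return False
    for entry in proxy.split(";"):
        hostport = entry.split("=", 1)[-1].strip()
        host = hostport.rsplit(":", 1)[0].strip("[]")
        try:
            if ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:  # not an IP literal
            if host.lower() == "localhost":
                return True
    return False


def parse_ipconfig(text):
    """Split ipconfig /all output into {section: {setting: value}}.
    Setting lines carry dot leaders (" . . . :"); section headers do not."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " . " not in line:
            current = line.rstrip(":")
            sections[current] = {}
            continue
        if current is None:
            continue
        key, _, value = line.partition(":")
        key = re.sub(r"[ .]+$", "", key).strip()  # "Dhcp Enabled. . . ." -> "Dhcp Enabled"
        sections[current][key] = value.strip()
    return sections


def diagnose_adapter(settings):
    """Findings for one adapter: APIPA address and/or DHCP with no gateway."""
    findings = []
    addr = settings.get("Autoconfiguration IP Address") or settings.get("IP Address")
    if addr:
        ip = ipaddress.ip_address(addr.split("(")[0].strip())  # drop "(Preferred)"
        if ip in APIPA_NET:
            findings.append(f"APIPA address {ip}: the DHCP request got no reply")
    if settings.get("Dhcp Enabled", "").lower() == "yes" and not settings.get("Default Gateway"):
        findings.append("DHCP enabled but no default gateway assigned")
    return findings


def triage(dds_text, ipconfig_text):
    """Combine both checks into one list of findings a responder would act on."""
    findings = []
    proxy, lsps = parse_dds_settings(dds_text)
    if proxy_points_to_localhost(proxy):
        findings.append(f"IE proxy points at loopback ({proxy}); clear it or browsing stays broken")
    for path in lsps:
        findings.append(f"third-party Winsock LSP {path}: remove it only with a tool that "
                        "repairs the Winsock catalog, or networking breaks")
    for name, settings in parse_ipconfig(ipconfig_text).items():
        findings.extend(f"{name}: {f}" for f in diagnose_adapter(settings))
    return findings
```

Running `triage(DDS_SAMPLE, IPCONFIG_SAMPLE)` on the constructed samples yields four findings: the loopback proxy, the LSP entry, the APIPA address and the missing gateway. The last two are the ones that survive after the malware-related items are gone, which is why the helper's next step is to power-cycle the modem and router rather than run another scan.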



#14 kahdah (Security Colleague)

Posted 01 July 2010 - 06:48 AM

OK, if you are hooked into a router, please unplug the router temporarily until all the lights go out on it, then unplug the cable modem as well and make sure all of its lights are off.
Then plug in the modem, then the router.
See then if you can get online.

#15 dtjones (Topic Starter)

Posted 06 July 2010 - 10:48 PM

I just tried removing power from the modem and disconnecting it from the computer. After repowering the modem and connecting it to the computer, still no active connection can be made to the internet.



