
Infected by Unknown Malware


  • This topic is locked
18 replies to this topic

#1 Eddie_H

Eddie_H

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 17 June 2010 - 09:20 AM

I am not sure what the problem actually is. Malwarebytes and AVG both give my computer a clean bill of health, but when I click on links in Internet Explorer I often go to some random site; the only way around it is by right-clicking and opening the link in a new window (though this does not always work). Also, sometimes a new IE program opens at either www.yahoo.com or www.google.com when I navigate to a new site.

Also, when I am in Windows Explorer I sometimes get a message "Dr. Watson Postmortem Debugger has encountered a problem and needs to close", which usually causes the computer to lock up on me. I did find a way around this by closing all open programs first.

I was not able to run the gmer.exe file successfully. I tried a couple of times and my computer locked up, and when I tried this morning it ran for about 20 minutes, then I received a blue screen saying: PFN_LIST_Corrupt
Stop:00000004E (0X00000007, 0X00008645, 0X00000002, 0X0000000)


Below is the DDS log and attachments.

Any help would be appreciated!

Eddie


DDS (Ver_10-03-17.01) - NTFSx86
Run by Stacey Hoyt at 16:06:54.93 on Wed 06/16/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1369 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\sol.exe
C:\Documents and Settings\Stacey Hoyt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\stacey~1\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1275484110046
DPF: {F5131C24-E56D-11CF-B78A-444553540000} - hxxps://wc.wachovia.com/common/cab/ikcntrls.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-2 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-2 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-2 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-2 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-2 308064]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-4 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-6-2 430152]

=============== Created Last 30 ================

2010-06-16 19:53:00 0 ----a-w- c:\documents and settings\stacey hoyt\defogger_reenable
2010-06-14 21:25:08 4194721 ----a-w- c:\windows\pfirewall.log.old
2010-06-10 16:27:53 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 20:54:40 0 d-----w- c:\windows\system32\appmgmt
2010-06-09 13:26:08 0 d-----w- c:\docume~1\stacey~1\applic~1\Uniblue
2010-06-04 20:01:28 0 d-----w- c:\program files\common files\DivX Shared
2010-06-04 20:00:22 0 d-----w- c:\program files\DivX
2010-06-04 20:00:13 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-06-04 18:34:30 0 d-----w- c:\docume~1\stacey~1\applic~1\uTorrent
2010-06-03 21:07:59 0 d-----w- c:\docume~1\stacey~1\applic~1\Xerox
2010-06-02 16:56:18 0 d-----w- c:\docume~1\stacey~1\applic~1\Malwarebytes
2010-06-02 16:56:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 16:56:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-02 16:56:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 16:56:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-02 16:45:55 0 d-----w- c:\program files\common files\Adobe Systems Shared
2010-06-02 16:30:25 0 d-----w- c:\program files\MSXML 4.0
2010-06-02 16:14:37 3246 ----a-w- c:\windows\system32\wbem\Outlook_01cb026eb232ed72.mof
2010-06-02 15:51:22 3246 ----a-w- c:\windows\system32\wbem\Outlook_01cb026b72b6d1f2.mof
2010-06-02 15:50:43 0 d-----w- c:\program files\FrRefEng
2010-06-02 15:35:14 376 ----a-w- c:\windows\ODBC.INI
2010-06-02 15:35:07 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-06-02 15:34:09 0 d-----w- c:\program files\Microsoft ActiveSync
2010-06-02 15:33:39 0 d-----w- c:\windows\SHELLNEW
2010-06-02 15:13:23 1650688 ----a-w- c:\windows\system32\cdintf250.dll
2010-06-02 15:09:42 0 d-----w- c:\program files\common files\AnswerWorks 4.0
2010-06-02 15:08:53 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-06-02 15:08:01 0 d-----w- c:\program files\Intuit
2010-06-02 15:08:01 0 d-----w- c:\program files\common files\Intuit
2010-06-02 15:08:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Intuit
2010-06-02 15:06:03 0 d-----w- c:\windows\system32\URTTemp
2010-06-02 15:05:16 0 d-----w- c:\program files\common files\SWF Studio
2010-06-02 14:43:27 0 d-----w- c:\windows\system32\scripting
2010-06-02 14:43:19 0 d-----w- c:\windows\l2schemas
2010-06-02 14:43:10 0 d-----w- c:\windows\system32\en
2010-06-02 14:43:09 0 d-----w- c:\windows\system32\bits
2010-06-02 14:14:46 0 d-----w- c:\windows\network diagnostic
2010-06-02 14:05:32 0 d-sh--w- c:\documents and settings\stacey hoyt\IECompatCache
2010-06-02 14:04:56 0 d-sh--w- c:\documents and settings\stacey hoyt\PrivacIE
2010-06-02 14:04:09 0 d-sh--w- c:\documents and settings\stacey hoyt\IETldCache
2010-06-02 13:58:46 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-06-02 13:57:32 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-02 13:57:28 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-02 13:57:26 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-02 13:57:21 0 d-----w- c:\windows\system32\drivers\Avg
2010-06-02 13:57:16 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-06-02 13:56:44 143360 ----a-r- c:\windows\apptune1020.exe
2010-06-02 13:56:42 86016 ----a-w- c:\windows\system32\ZSPOOL.DLL
2010-06-02 13:56:42 28672 ----a-w- c:\windows\system32\IMF32.DLL
2010-06-02 13:56:42 24576 ----a-w- c:\windows\system32\ZTAG32.DLL
2010-06-02 13:56:42 102400 ----a-w- c:\windows\system32\ZLhp1020.DLL
2010-06-02 13:56:41 7294 ----a-w- c:\windows\system32\ZSHP1020.HLP
2010-06-02 13:56:41 442368 ----a-w- c:\windows\system32\ZSHP1020.EXE
2010-06-02 13:56:41 28672 ----a-w- c:\windows\system32\zlm.dll
2010-06-02 13:56:41 128820 ----a-w- c:\windows\system32\hp1020.img
2010-06-02 13:56:41 106496 ----a-w- c:\windows\system32\VSHP1020.DLL
2010-06-02 13:56:40 0 d--h--w- c:\program files\Zenographics
2010-06-02 13:53:51 0 d-----w- c:\program files\AVG
2010-06-02 13:53:32 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-06-02 13:52:12 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-06-02 13:51:58 0 d-----w- c:\windows\ie8updates
2010-06-02 13:51:14 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-02 13:51:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-02 13:51:14 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-02 13:51:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-06-02 13:51:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-06-02 13:51:14 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-06-02 13:49:04 0 dc-h--w- c:\windows\ie8
2010-06-02 13:44:52 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-06-02 13:38:59 76800 ------w- c:\windows\system32\msshavmsg.dll
2010-06-02 13:30:15 0 d-----w- c:\windows\ServicePackFiles
2010-06-02 13:23:56 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-06-02 13:23:55 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-06-02 13:23:43 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-06-02 13:23:42 0 d-----w- c:\docume~1\stacey~1\applic~1\Trillian
2010-06-02 13:22:30 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-02 13:21:26 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-06-02 13:21:26 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-02 13:21:23 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-06-02 13:19:53 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-02 13:19:11 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-06-02 13:18:54 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-06-02 13:18:53 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-06-02 13:18:09 0 d-sh--w- c:\documents and settings\stacey hoyt\UserData
2010-06-02 13:14:11 0 d-----w- c:\windows\system32\PreInstall
2010-06-02 13:14:10 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-02 13:14:09 0 d--h--w- c:\windows\$hf_mig$
2010-06-02 13:08:55 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-06-02 13:08:54 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-06-02 13:08:54 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-06-02 13:08:54 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-06-02 13:08:54 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-06-02 13:00:56 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2010-06-02 13:00:37 0 d-----w- c:\program files\Analog Devices
2010-06-02 12:59:17 1902 ------w- c:\windows\system32\SetupBD.din
2010-06-02 12:58:56 5110 ----a-w- c:\windows\system32\e100b325.din
2010-06-02 12:58:56 24064 ----a-w- c:\windows\system32\IntelNic.dll
2010-06-02 12:58:56 154112 -c--a-w- c:\windows\system32\dllcache\e100b325.sys
2010-06-02 12:58:56 154112 ----a-w- c:\windows\system32\drivers\e100b325.sys
2010-06-02 12:58:56 12288 ----a-w- c:\windows\system32\e100bmsg.dll
2010-06-02 12:58:56 118784 ----a-w- c:\windows\system32\Prounstl.exe
2010-06-02 12:58:56 0 d-----w- C:\drvrtmp
2010-06-02 12:57:16 446464 ----a-r- c:\windows\system32\hhactivex.dll
2010-06-02 12:57:16 414944 ----a-w- c:\windows\system32\COMCT332.OCX
2010-06-02 12:57:16 328480 ----a-w- c:\windows\system32\ssa3d30.ocx
2010-06-02 12:57:16 176128 ----a-w- c:\windows\system32\RcdScan.dll
2010-06-02 12:57:15 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-06-02 12:57:15 7348 ----a-w- c:\windows\system32\Odbcjet.cnt
2010-06-02 12:57:15 171967 ----a-w- c:\windows\system32\Odbcjet.hlp
2010-06-02 12:57:14 13632 ------w- c:\windows\system32\drivers\omci.sys
2010-06-01 23:02:57 0 d-s---w- c:\windows\system32\Microsoft
2010-06-01 23:02:51 8192 ----a-w- c:\windows\REGLOCS.OLD
2010-06-01 23:00:59 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll
2010-06-01 22:58:55 0 d-sh--w- c:\documents and settings\all users\DRM
2010-06-01 22:58:33 0 d--h--w- c:\program files\WindowsUpdate
2010-06-01 22:57:46 0 d-----w- c:\program files\common files\MSSoap
2010-06-01 22:56:33 0 d-----w- c:\program files\Online Services
2010-06-01 22:56:27 0 d-----w- c:\program files\Messenger
2010-06-01 22:56:25 0 d-----w- c:\program files\MSN Gaming Zone
2010-06-01 22:55:50 0 d-----w- c:\program files\Windows NT
2010-06-01 18:50:43 0 d-----w- c:\program files\common files\ODBC
2010-06-01 18:50:40 0 d-----w- c:\program files\common files\SpeechEngines
2010-06-01 18:50:16 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2010-06-01 22:56:55 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 18:40:40 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-04-27 18:40:40 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-04-27 18:40:40 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-04-27 18:40:40 133616 ------w- c:\windows\system32\pxafs.dll
2010-04-27 18:40:40 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-04-27 18:40:40 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 16:07:14.46 ===============

Attached Files




#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:10 AM

Posted 19 June 2010 - 01:39 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



==============================================



Please try to run GMER in safe mode. How to boot in safe mode => http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.




~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Eddie_H

Eddie_H
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 22 June 2010 - 11:30 AM

Hi Sempai,

Thank you for your help. I tried running GMER in safe mode last night; it did run completely, but I was unable to save the file. In safe mode my fonts are large and, even stretching the GMER program window as much as possible, I was unable to get to the save button.

In normal Windows mode I reran GMER this morning, and while it did finish, my computer was running extremely slowly towards the end. After pressing the save button I had an hourglass for 15 - 20 minutes. I am not sure if the computer was locked, frozen or just running extremely slowly. I manually rebooted the computer, but the ark.txt file was not saved.

#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:10 AM

Posted 23 June 2010 - 05:07 AM

Hi Eddie_H,

We need to see a fresh DDS log, the previous report that you've posted is a week old. Please run another DDS scan and post the new report so we can begin cleaning your PC. Thanks.

~Semp

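Sempai's request for a fresh log is really a request to diff: what matters is what changed between the 16 June and 23 June reports, namely the AV line and which process images appeared or disappeared. The script below is an added example, not part of this thread or of the DDS tool itself; it parses the `AV:` line and the `Running Processes` section of two DDS logs and lists newly appeared images that sit outside the usual locations so a helper can review them first. The two embedded logs are abridged excerpts of the ones posted in this thread, and the "expected location" rule is this script's own assumption, not a DDS convention.

```python
"""Triage helper: diff two DDS logs for AV-status and running-process changes."""
import re

# Constructed, abridged excerpts of the two DDS logs posted in this thread
# (16 June and 23 June); only the sections this script reads are kept.
DDS_JUNE_16 = r"""
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\sol.exe
C:\Documents and Settings\Stacey Hoyt\Desktop\dds.scr

============== Pseudo HJT Report ===============
"""

DDS_JUNE_23 = r"""
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\x2jobtCO.exe
C:\Documents and Settings\Stacey Hoyt\Desktop\dds.scr

============== Pseudo HJT Report ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
AV_RE = re.compile(r"\*On-access scanning (enabled|disabled)\*")


def is_expected_location(path: str) -> bool:
    """Assumed rule: an image directly in C:\\Windows or C:\\Windows\\System32,
    or anywhere under Program Files, is unremarkable on an XP box. Anything
    deeper in System32 (e.g. the print spooler's driver cache), in a user
    profile or in a temp directory is returned False so a helper looks at it."""
    directory = path.lower().rpartition("\\")[0]
    if directory in ("c:\\windows", "c:\\windows\\system32"):
        return True
    return directory.startswith("c:\\program files\\")


def parse_dds(text: str) -> dict:
    """Pull the on-access AV status and the Running Processes list from a DDS log."""
    result = {"av_status": None, "processes": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("AV:"):
            m = AV_RE.search(line)
            result["av_status"] = m.group(1) if m else None
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)  # e.g. "Running Processes"
            continue
        if section == "Running Processes":
            result["processes"].append(line)
    return result


def compare_logs(old_text: str, new_text: str) -> dict:
    """Report what changed between an older and a newer DDS log (case-insensitive)."""
    old, new = parse_dds(old_text), parse_dds(new_text)
    old_set = {p.lower() for p in old["processes"]}
    new_set = {p.lower() for p in new["processes"]}
    appeared = [p for p in new["processes"] if p.lower() not in old_set]
    return {
        "av_status": (old["av_status"], new["av_status"]),
        "new_processes": appeared,
        "gone_processes": [p for p in old["processes"] if p.lower() not in new_set],
        # Newly appeared images outside the usual locations deserve a look first.
        "review": [p for p in appeared if not is_expected_location(p)],
    }


if __name__ == "__main__":
    report = compare_logs(DDS_JUNE_16, DDS_JUNE_23)
    print("AV on-access scanning: %s -> %s" % report["av_status"])
    for key in ("new_processes", "gone_processes", "review"):
        print(key + ":")
        for p in report[key]:
            print("   ", p)
```

The dds.scr entry is never "new" because the tool appears in both logs; an image first seen in the second log, such as the one under the spooler's driver directory here, is what lands in the review list.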


#5 Eddie_H

Eddie_H
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 23 June 2010 - 08:29 AM

Thank you, Sempai, here is the log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Stacey Hoyt at 9:20:25.68 on Wed 06/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1573 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\x2jobtCO.exe
C:\Documents and Settings\Stacey Hoyt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\stacey~1\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1275484110046
DPF: {F5131C24-E56D-11CF-B78A-444553540000} - hxxps://wc.wachovia.com/common/cab/ikcntrls.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-2 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-2 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-2 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-2 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-2 308064]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-4 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-6-2 430152]

=============== Created Last 30 ================

2010-06-16 19:53:00 0 ----a-w- c:\documents and settings\stacey hoyt\defogger_reenable
2010-06-14 21:25:08 4194322 ----a-w- c:\windows\pfirewall.log.old
2010-06-10 16:27:53 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 20:54:40 0 d-----w- c:\windows\system32\appmgmt
2010-06-09 13:26:08 0 d-----w- c:\docume~1\stacey~1\applic~1\Uniblue
2010-06-04 20:01:28 0 d-----w- c:\program files\common files\DivX Shared
2010-06-04 20:00:22 0 d-----w- c:\program files\DivX
2010-06-04 20:00:13 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-06-04 18:34:30 0 d-----w- c:\docume~1\stacey~1\applic~1\uTorrent
2010-06-03 21:07:59 0 d-----w- c:\docume~1\stacey~1\applic~1\Xerox
2010-06-02 16:56:18 0 d-----w- c:\docume~1\stacey~1\applic~1\Malwarebytes
2010-06-02 16:56:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 16:56:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-02 16:56:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 16:56:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-02 16:45:55 0 d-----w- c:\program files\common files\Adobe Systems Shared
2010-06-02 16:30:25 0 d-----w- c:\program files\MSXML 4.0
2010-06-02 16:14:37 3246 ----a-w- c:\windows\system32\wbem\Outlook_01cb026eb232ed72.mof
2010-06-02 15:51:22 3246 ----a-w- c:\windows\system32\wbem\Outlook_01cb026b72b6d1f2.mof
2010-06-02 15:50:43 0 d-----w- c:\program files\FrRefEng
2010-06-02 15:35:14 376 ----a-w- c:\windows\ODBC.INI
2010-06-02 15:35:07 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-06-02 15:34:09 0 d-----w- c:\program files\Microsoft ActiveSync
2010-06-02 15:33:39 0 d-----w- c:\windows\SHELLNEW
2010-06-02 15:13:23 1650688 ----a-w- c:\windows\system32\cdintf250.dll
2010-06-02 15:09:42 0 d-----w- c:\program files\common files\AnswerWorks 4.0
2010-06-02 15:08:53 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-06-02 15:08:01 0 d-----w- c:\program files\Intuit
2010-06-02 15:08:01 0 d-----w- c:\program files\common files\Intuit
2010-06-02 15:08:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Intuit
2010-06-02 15:06:03 0 d-----w- c:\windows\system32\URTTemp
2010-06-02 15:05:16 0 d-----w- c:\program files\common files\SWF Studio
2010-06-02 14:43:27 0 d-----w- c:\windows\system32\scripting
2010-06-02 14:43:19 0 d-----w- c:\windows\l2schemas
2010-06-02 14:43:10 0 d-----w- c:\windows\system32\en
2010-06-02 14:43:09 0 d-----w- c:\windows\system32\bits
2010-06-02 14:14:46 0 d-----w- c:\windows\network diagnostic
2010-06-02 14:05:32 0 d-sh--w- c:\documents and settings\stacey hoyt\IECompatCache
2010-06-02 14:04:56 0 d-sh--w- c:\documents and settings\stacey hoyt\PrivacIE
2010-06-02 14:04:09 0 d-sh--w- c:\documents and settings\stacey hoyt\IETldCache
2010-06-02 13:58:46 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-06-02 13:57:32 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-02 13:57:28 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-02 13:57:26 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-02 13:57:21 0 d-----w- c:\windows\system32\drivers\Avg
2010-06-02 13:57:16 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-06-02 13:56:44 143360 ----a-r- c:\windows\apptune1020.exe
2010-06-02 13:56:42 86016 ----a-w- c:\windows\system32\ZSPOOL.DLL
2010-06-02 13:56:42 28672 ----a-w- c:\windows\system32\IMF32.DLL
2010-06-02 13:56:42 24576 ----a-w- c:\windows\system32\ZTAG32.DLL
2010-06-02 13:56:42 102400 ----a-w- c:\windows\system32\ZLhp1020.DLL
2010-06-02 13:56:41 7294 ----a-w- c:\windows\system32\ZSHP1020.HLP
2010-06-02 13:56:41 442368 ----a-w- c:\windows\system32\ZSHP1020.EXE
2010-06-02 13:56:41 28672 ----a-w- c:\windows\system32\zlm.dll
2010-06-02 13:56:41 128820 ----a-w- c:\windows\system32\hp1020.img
2010-06-02 13:56:41 106496 ----a-w- c:\windows\system32\VSHP1020.DLL
2010-06-02 13:56:40 0 d--h--w- c:\program files\Zenographics
2010-06-02 13:53:51 0 d-----w- c:\program files\AVG
2010-06-02 13:53:32 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-06-02 13:52:12 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-06-02 13:51:58 0 d-----w- c:\windows\ie8updates
2010-06-02 13:51:14 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-02 13:51:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-02 13:51:14 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-02 13:51:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-06-02 13:51:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-06-02 13:51:14 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-06-02 13:49:04 0 dc-h--w- c:\windows\ie8
2010-06-02 13:44:52 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-06-02 13:38:59 76800 ------w- c:\windows\system32\msshavmsg.dll
2010-06-02 13:30:15 0 d-----w- c:\windows\ServicePackFiles
2010-06-02 13:23:56 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-06-02 13:23:55 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-06-02 13:23:43 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-06-02 13:23:42 0 d-----w- c:\docume~1\stacey~1\applic~1\Trillian
2010-06-02 13:22:30 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-02 13:21:26 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-06-02 13:21:26 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-02 13:21:23 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-06-02 13:19:53 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-02 13:19:11 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-06-02 13:18:54 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-06-02 13:18:53 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-06-02 13:18:09 0 d-sh--w- c:\documents and settings\stacey hoyt\UserData
2010-06-02 13:14:11 0 d-----w- c:\windows\system32\PreInstall
2010-06-02 13:14:10 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-02 13:14:09 0 d--h--w- c:\windows\$hf_mig$
2010-06-02 13:08:55 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-06-02 13:08:54 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-06-02 13:08:54 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-06-02 13:08:54 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-06-02 13:08:54 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-06-02 13:00:56 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2010-06-02 13:00:37 0 d-----w- c:\program files\Analog Devices
2010-06-02 12:59:17 1902 ------w- c:\windows\system32\SetupBD.din
2010-06-02 12:58:56 5110 ----a-w- c:\windows\system32\e100b325.din
2010-06-02 12:58:56 24064 ----a-w- c:\windows\system32\IntelNic.dll
2010-06-02 12:58:56 154112 -c--a-w- c:\windows\system32\dllcache\e100b325.sys
2010-06-02 12:58:56 154112 ----a-w- c:\windows\system32\drivers\e100b325.sys
2010-06-02 12:58:56 12288 ----a-w- c:\windows\system32\e100bmsg.dll
2010-06-02 12:58:56 118784 ----a-w- c:\windows\system32\Prounstl.exe
2010-06-02 12:58:56 0 d-----w- C:\drvrtmp
2010-06-02 12:57:16 446464 ----a-r- c:\windows\system32\hhactivex.dll
2010-06-02 12:57:16 414944 ----a-w- c:\windows\system32\COMCT332.OCX
2010-06-02 12:57:16 328480 ----a-w- c:\windows\system32\ssa3d30.ocx
2010-06-02 12:57:16 176128 ----a-w- c:\windows\system32\RcdScan.dll
2010-06-02 12:57:15 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-06-02 12:57:15 7348 ----a-w- c:\windows\system32\Odbcjet.cnt
2010-06-02 12:57:15 171967 ----a-w- c:\windows\system32\Odbcjet.hlp
2010-06-02 12:57:14 13632 ------w- c:\windows\system32\drivers\omci.sys
2010-06-01 23:02:57 0 d-s---w- c:\windows\system32\Microsoft
2010-06-01 23:02:51 8192 ----a-w- c:\windows\REGLOCS.OLD
2010-06-01 23:00:59 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll
2010-06-01 22:58:55 0 d-sh--w- c:\documents and settings\all users\DRM
2010-06-01 22:58:33 0 d--h--w- c:\program files\WindowsUpdate
2010-06-01 22:57:46 0 d-----w- c:\program files\common files\MSSoap
2010-06-01 22:56:33 0 d-----w- c:\program files\Online Services
2010-06-01 22:56:27 0 d-----w- c:\program files\Messenger
2010-06-01 22:56:25 0 d-----w- c:\program files\MSN Gaming Zone
2010-06-01 22:55:50 0 d-----w- c:\program files\Windows NT
2010-06-01 18:50:43 0 d-----w- c:\program files\common files\ODBC
2010-06-01 18:50:40 0 d-----w- c:\program files\common files\SpeechEngines
2010-06-01 18:50:16 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2010-06-01 22:56:55 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 18:40:40 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-04-27 18:40:40 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-04-27 18:40:40 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-04-27 18:40:40 133616 ------w- c:\windows\system32\pxafs.dll
2010-04-27 18:40:40 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-04-27 18:40:40 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 9:20:47.56 ===============


#6 sempai (Malware Response Team, 5,288 posts)

Posted 23 June 2010 - 09:15 AM

You're welcome Eddie_H


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  4. Please do not mouse-click ComboFix's window while it is running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 Eddie_H (Topic Starter, 10 posts)

Posted 23 June 2010 - 09:53 AM

Sempai,

Below is the ComboFix log

ComboFix 10-06-22.03 - Stacey Hoyt 06/23/2010 10:34:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1501 [GMT -4:00]
Running from: c:\documents and settings\Stacey Hoyt\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bszip.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
.

2010-06-10 16:27 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 13:26 . 2010-06-09 13:26 -------- d-----w- c:\documents and settings\Stacey Hoyt\Application Data\Uniblue
2010-06-07 13:23 . 2010-06-07 13:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-06-04 20:03 . 2010-06-04 20:03 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-04 20:03 . 2010-06-04 20:03 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-04 20:03 . 2010-06-04 20:00 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-04 20:03 . 2010-06-04 20:00 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-06-04 20:03 . 2010-06-04 20:03 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-04 20:03 . 2010-06-04 20:03 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-04 20:03 . 2010-06-04 20:03 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-06-04 20:01 . 2010-06-04 20:01 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-06-04 20:00 . 2010-06-04 20:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-06-04 20:00 . 2010-06-04 20:05 -------- d-----w- c:\documents and settings\Stacey Hoyt\Local Settings\Application Data\Google
2010-06-04 20:00 . 2010-06-04 20:02 -------- d-----w- c:\program files\Google
2010-06-04 20:00 . 2010-06-04 20:03 -------- d-----w- c:\program files\DivX
2010-06-04 20:00 . 2010-06-04 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-04 18:34 . 2010-06-04 18:47 -------- d-----w- c:\documents and settings\Stacey Hoyt\Application Data\uTorrent
2010-06-03 21:07 . 2010-06-03 21:08 -------- d-----w- c:\documents and settings\Stacey Hoyt\Application Data\Xerox
2010-06-03 21:03 . 2009-03-02 17:00 32768 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\x5pp.dll
2010-06-03 21:03 . 2009-03-02 17:00 11264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\x5print.dll
2010-06-03 13:31 . 2010-06-03 13:31 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-03 13:31 . 2010-06-03 13:31 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-06-02 20:46 . 2010-06-02 20:46 47704 ----a-w- c:\documents and settings\Stacey Hoyt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-02 16:56 . 2010-06-02 16:56 -------- d-----w- c:\documents and settings\Stacey Hoyt\Application Data\Malwarebytes
2010-06-02 16:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 16:56 . 2010-06-02 16:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 16:56 . 2010-06-02 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-02 16:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-02 16:47 . 2010-06-02 17:15 -------- d-----w- c:\documents and settings\Stacey Hoyt\Application Data\AdobeUM
2010-06-02 16:47 . 2010-06-02 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2010-06-02 16:45 . 2010-06-02 16:47 -------- d-----w- c:\documents and settings\Stacey Hoyt\Local Settings\Application Data\Adobe
2010-06-02 16:45 . 2010-06-02 16:45 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-06-02 16:44 . 2010-06-02 17:12 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-02 16:30 . 2010-06-02 16:30 -------- d-----w- c:\program files\MSXML 4.0
2010-06-02 15:50 . 2010-06-02 15:50 -------- d-----w- c:\program files\FrRefEng
2010-06-02 15:35 . 2007-04-09 17:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-06-02 15:35 . 2007-04-09 17:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-06-02 15:34 . 2010-06-02 15:34 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-06-02 15:33 . 2010-06-02 15:34 -------- d-----w- c:\windows\SHELLNEW
2010-06-02 15:33 . 2010-06-02 15:33 -------- d-----w- c:\program files\Microsoft.NET
2010-06-02 15:26 . 2010-06-02 15:26 -------- d-----r- C:\MSOCache
2010-06-02 15:20 . 2010-06-02 15:20 134 ----a-w- c:\documents and settings\Stacey Hoyt\Local Settings\Application Data\fusioncache.dat
2010-06-02 15:20 . 2010-06-10 16:34 -------- d-----w- c:\documents and settings\Stacey Hoyt\Local Settings\Application Data\ApplicationHistory
2010-06-02 15:17 . 2007-10-23 13:27 110592 ----a-w- c:\documents and settings\Stacey Hoyt\Application Data\U3\temp\cleanup.exe
2010-06-02 15:14 . 2008-05-02 14:41 3493888 ---ha-w- c:\documents and settings\Stacey Hoyt\Application Data\U3\temp\Launchpad Removal.exe
2010-06-02 15:14 . 2010-06-21 20:22 -------- d-----w- c:\documents and settings\Stacey Hoyt\Application Data\U3
2010-06-02 15:13 . 2005-08-23 16:54 1650688 ----a-w- c:\windows\system32\cdintf250.dll
2010-06-02 15:09 . 2010-06-10 16:51 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-06-02 15:08 . 2008-04-13 18:45 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-06-02 15:08 . 2010-06-02 15:10 -------- d-----w- c:\program files\Common Files\Intuit
2010-06-02 15:08 . 2010-06-02 15:08 -------- d-----w- c:\program files\Intuit
2010-06-02 15:08 . 2010-06-02 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-06-02 15:06 . 2010-06-02 15:06 -------- d-----w- c:\windows\system32\URTTemp
2010-06-02 15:05 . 2010-06-02 15:05 -------- d-----w- c:\program files\Common Files\SWF Studio
2010-06-02 15:03 . 2010-06-02 15:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-02 14:43 . 2010-06-02 14:43 -------- d-----w- c:\windows\system32\scripting
2010-06-02 14:43 . 2010-06-02 14:43 -------- d-----w- c:\windows\l2schemas
2010-06-02 14:43 . 2010-06-02 14:43 -------- d-----w- c:\windows\system32\en
2010-06-02 14:43 . 2010-06-02 14:43 -------- d-----w- c:\windows\system32\bits
2010-06-02 14:05 . 2010-06-02 14:05 -------- d-sh--w- c:\documents and settings\Stacey Hoyt\IECompatCache
2010-06-02 14:04 . 2010-04-19 14:25 2117704 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-06-02 14:04 . 2010-06-02 14:04 -------- d-sh--w- c:\documents and settings\Stacey Hoyt\PrivacIE
2010-06-02 14:04 . 2010-06-02 14:04 -------- d-sh--w- c:\documents and settings\Stacey Hoyt\IETldCache
2010-06-02 13:58 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-06-02 13:57 . 2010-06-02 13:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-02 13:57 . 2010-06-03 13:31 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-02 13:57 . 2010-06-02 13:57 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-02 13:57 . 2010-06-23 13:16 -------- d-----w- c:\windows\system32\drivers\Avg
2010-06-02 13:53 . 2010-06-02 13:53 -------- d-----w- c:\program files\AVG
2010-06-02 13:53 . 2010-06-02 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-02 13:52 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-06-02 13:51 . 2010-06-02 13:52 -------- d-----w- c:\windows\ie8updates
2010-06-02 13:51 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-06-02 13:51 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-02 13:51 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-02 13:51 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-02 13:51 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-06-02 13:51 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-06-02 13:49 . 2010-06-02 13:51 -------- dc-h--w- c:\windows\ie8
2010-06-02 13:44 . 2005-09-20 13:31 135168 ----a-w- c:\windows\system32\igfxres.dll
2010-06-02 13:38 . 2008-04-14 00:12 155136 ------w- c:\windows\system32\mssha.dll
2010-06-02 13:30 . 2010-06-02 14:16 -------- d-----w- c:\windows\ServicePackFiles
2010-06-02 13:23 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-06-02 13:23 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-06-02 13:23 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-06-02 13:23 . 2010-06-02 13:23 -------- d-----w- c:\documents and settings\Stacey Hoyt\Application Data\Trillian
2010-06-02 13:23 . 2010-06-23 14:26 -------- d-----w- c:\program files\Trillian
2010-06-02 13:22 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-02 13:21 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-06-02 13:21 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-02 13:21 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-06-02 13:20 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-06-02 13:20 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-06-02 13:20 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-06-02 13:20 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-06-02 13:20 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-06-02 13:20 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-06-02 13:20 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-06-02 13:20 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-06-02 13:20 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-06-02 13:20 . 2010-02-16 14:08 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-06-02 13:20 . 2010-02-17 13:10 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-06-02 13:20 . 2010-02-16 13:25 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-06-02 13:19 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-02 13:19 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-06-02 13:18 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-06-02 13:18 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-06-02 13:18 . 2010-06-02 13:18 -------- d-sh--w- c:\documents and settings\Stacey Hoyt\UserData
2010-06-02 13:14 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-02 13:14 . 2010-06-10 16:33 -------- d--h--w- c:\windows\$hf_mig$
2010-06-02 13:08 . 2009-08-06 23:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-06-02 13:08 . 2010-06-02 13:08 -------- d-s---w- c:\documents and settings\Administrator\UserData
2010-06-02 13:00 . 2008-04-13 18:45 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2010-06-02 12:58 . 2010-06-02 12:59 -------- d-----w- C:\drvrtmp
2010-06-02 12:58 . 2004-02-18 21:40 12288 ----a-w- c:\windows\system32\e100bmsg.dll
2010-06-02 12:58 . 2004-02-10 19:49 154112 -c--a-w- c:\windows\system32\dllcache\e100b325.sys
2010-06-02 12:58 . 2004-02-10 19:49 154112 ----a-w- c:\windows\system32\drivers\e100b325.sys
2010-06-02 12:58 . 2003-11-21 19:26 118784 ----a-w- c:\windows\system32\Prounstl.exe
2010-06-02 12:58 . 2003-07-28 10:55 24064 ----a-w- c:\windows\system32\IntelNic.dll
2010-06-02 12:57 . 2002-01-08 21:00 176128 ----a-w- c:\windows\system32\RcdScan.dll
2010-06-02 12:57 . 2000-03-23 16:50 446464 ----a-r- c:\windows\system32\hhactivex.dll
2010-06-02 12:57 . 1998-06-18 03:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-06-02 12:57 . 2010-06-02 13:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-02 12:57 . 2001-08-22 12:42 13632 ------w- c:\windows\system32\drivers\omci.sys
2010-06-02 12:57 . 2010-06-02 12:57 -------- d-----w- c:\program files\Common Files\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 21:35 . 2010-06-04 20:02 -------- d-----w- c:\documents and settings\Stacey Hoyt\Application Data\DivX
2010-06-04 20:02 . 2010-06-04 20:02 84062 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-06-03 16:29 . 2010-06-02 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-06-03 13:31 . 2010-06-02 13:57 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-02 14:52 . 2010-06-01 22:59 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-02 13:57 . 2010-06-02 13:56 -------- d--h--w- c:\program files\Zenographics
2010-06-02 13:56 . 2010-06-02 13:56 -------- d-----w- c:\program files\Hewlett-Packard
2010-06-02 13:00 . 2010-06-02 13:00 -------- d-----w- c:\program files\Analog Devices
2010-06-01 23:00 . 2010-06-01 23:00 -------- d-----w- c:\program files\microsoft frontpage
2010-06-01 22:56 . 2010-06-01 22:56 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 18:40 . 2010-06-04 20:02 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-04-27 18:40 . 2010-06-04 20:02 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-04-27 18:40 . 2010-06-04 20:02 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-04-27 18:40 . 2010-06-04 20:02 133616 ------w- c:\windows\system32\pxafs.dll
2010-04-27 18:40 . 2010-06-04 20:02 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-04-27 18:40 . 2010-06-04 20:02 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-03 2065248]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 98304]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

c:\documents and settings\Stacey Hoyt\Start Menu\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2010-5-21 2065760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2010-6-2 25214]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-06-02 13:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/2/2010 9:57 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/2/2010 9:57 AM 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [6/2/2010 9:55 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/2/2010 9:55 AM 308064]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/4/2010 4:00 PM 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [6/2/2010 9:57 AM 430152]
.
Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-04 20:00]

2010-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-04 20:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-23 10:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-23 10:40:36
ComboFix-quarantined-files.txt 2010-06-23 14:40

Pre-Run: 61,416,902,656 bytes free
Post-Run: 61,625,749,504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A280DCF2BF57C31C690A04FC9BA5385E
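The per-file lines in the ComboFix log above ("Files Created from ... to ..." and "Find3M Report") and in the DDS log earlier in the thread share a fixed layout: ComboFix prints created time, a dot, modified time, size (or eight dashes for a directory), an eight-character attribute string and the path; DDS prints one timestamp, size, attributes and path. The following is an added example in Python, not code from DDS, ComboFix or anyone in this thread: a parser for both layouts plus the triage rules a responder would run over the result to decide which entries to look at first. The sample lines are copied from the logs posted in this thread; the meaning I assign to the attribute letters (d directory, c compressed, s system, h hidden, a archive, r/w at index 6) and the three triage rules (executable directly in c:\windows, executable under system32 whose modified time equals its created time, executable with the hidden attribute) are my own assumptions. Vendor installers trip these rules too, as the AVG and HP files in the sample show; the point is to narrow the list, not to give a verdict.

```python
"""Parse the per-file lines that DDS and ComboFix print and pull out the
entries a responder checks first.  Added example, not code from either tool;
the attribute-letter meanings and the triage rules are this example's own
assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# ComboFix line: "<created> . <modified> <size or --------> <attrs> <path>"
COMBOFIX_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([-a-z]{8}) (.+)$")
# DDS line: "<timestamp with seconds> <size> <attrs> <path>" (single timestamp)
DDS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) ([-a-z]{8}) (.+)$")


@dataclass
class Entry:
    created: datetime
    modified: Optional[datetime]  # DDS prints one timestamp, so None there
    size: Optional[int]           # None for directories ("--------")
    attrs: str                    # assumed: d=dir c=compressed s=system h=hidden a=archive, r/w at index 6
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = COMBOFIX_RE.match(line)
    if m:
        created, modified, size, attrs, path = m.groups()
        return Entry(datetime.strptime(created, "%Y-%m-%d %H:%M"),
                     datetime.strptime(modified, "%Y-%m-%d %H:%M"),
                     None if size.startswith("-") else int(size), attrs, path)
    m = DDS_RE.match(line)
    if m:
        stamp, size, attrs, path = m.groups()
        return Entry(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), None,
                     int(size), attrs, path)
    return None  # section headers, blank lines, registry lines


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


EXEC_EXT = (".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr")


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Heuristics, not verdicts: each hit is a path plus the reason to look at it.
    Legitimate installers (AVG, HP) trip these too; the analyst confirms the publisher."""
    hits = []
    for e in entries:
        if e.is_dir:
            continue
        low = e.path.lower()
        name = low.rsplit("\\", 1)[-1]
        parent = low[:len(low) - len(name)]
        if not name.endswith(EXEC_EXT):
            continue
        if parent == "c:\\windows\\":
            hits.append((e.path, "executable dropped directly in the Windows directory"))
        elif (parent.startswith("c:\\windows\\system32\\") and "\\dllcache\\" not in parent
              and e.modified is not None and e.modified == e.created):
            # A file copied from install media keeps its older mtime; mtime == ctime
            # means it was written fresh on this host, which is what a dropper does.
            hits.append((e.path, "written fresh on this host (mtime equals ctime)"))
        if e.hidden:
            hits.append((e.path, "hidden attribute set on an executable"))
    return hits


# Constructed sample: lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LOG = r"""
2010-06-10 16:27 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 13:26 . 2010-06-09 13:26 -------- d-----w- c:\documents and settings\Stacey Hoyt\Application Data\Uniblue
2010-06-02 15:14 . 2008-05-02 14:41 3493888 ---ha-w- c:\documents and settings\Stacey Hoyt\Application Data\U3\temp\Launchpad Removal.exe
2010-06-02 13:57 . 2010-06-02 13:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-02 13:21 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-02 13:56:44 143360 ----a-r- c:\windows\apptune1020.exe
2010-06-02 14:04:56 0 d-sh--w- c:\documents and settings\stacey hoyt\PrivacIE
"""

if __name__ == "__main__":
    for path, why in triage(parse_log(SAMPLE_LOG)):
        print(f"{why:55} {path}")
```

Run against the sample, it flags the hidden U3 "Launchpad Removal.exe", the freshly written avgrsstx.dll in system32, and apptune1020.exe sitting directly in c:\windows, and ignores the dllcache copy, the driver with an older mtime, and the directories. On a real log, feed it the whole ComboFix.txt; the non-matching lines (registry loading points, service lines, scheduled tasks) are simply skipped.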


#8 sempai (Malware Response Team, 5,288 posts)

Posted 24 June 2010 - 08:09 AM

Hi,

1. Please go to http://virscan.org/
  • Copy and paste the following file paths into the "Suspicious files to scan" box on the top of the page:
    c:\documents and settings\Stacey Hoyt\Application Data\U3\temp\cleanup.exe
    c:\documents and settings\Stacey Hoyt\Application Data\U3\temp\Launchpad Removal.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.




2. I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

~Semp

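Before uploading the two files named in the post above, a responder records their MD5 and SHA-1 locally, so that the report that comes back (VirSCAN prints File Name, File Size, MD5 and SHA1 at the top of each report) can be checked against the file actually on disk, and so a "this file has been scanned already" dedupe hit can be confirmed to refer to the same bytes rather than to a different file with the same name. The following is an added example in Python, not code from VirSCAN or from anyone in this thread: hash_file, parse_report and report_matches_file are names of my own, and the embedded report text is constructed from VirSCAN's header layout with the digests of a standard test vector so the check runs offline.

```python
"""Hash a file locally before uploading it to a multi-engine scanner and check
that the returned report describes the same bytes.  Added example, not code
from VirSCAN or from this thread; the report layout it parses is the
'key : value' header VirSCAN prints, and the sample file is constructed."""
import hashlib
import os
import tempfile
from typing import Dict


def hash_file(path: str, chunk_size: int = 1 << 16) -> Dict[str, object]:
    """Stream the file once through MD5 and SHA-1; both digests as lowercase hex."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "size": os.path.getsize(path)}


def parse_report(text: str) -> Dict[str, str]:
    """Pull File Name / File Size / MD5 / SHA1 out of a VirSCAN-style report header."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "file size":
            value = value.split()[0]          # "110592 byte" -> "110592"
        if key in ("file name", "file size", "md5", "sha1"):
            fields[key] = value
    return fields


def report_matches_file(report: Dict[str, str], path: str) -> bool:
    """True only when size, MD5 and SHA-1 all agree; one digest alone is not enough
    (MD5 collisions are practical, and a scanner may dedupe uploads by hash)."""
    local = hash_file(path)
    return (int(report["file size"]) == local["size"]
            and report["md5"].lower() == local["md5"]
            and report["sha1"].lower() == local["sha1"])


# Constructed report: VirSCAN's header layout with the digests of b"abc",
# a standard MD5/SHA-1 test vector, so the check can be exercised offline.
SAMPLE_REPORT = """\
VirSCAN.org Scanned Report :
Scanned time : 2010/06/24 21:18:47 (CST)
Scanner results: Scanners did not find malware!
File Name : cleanup.exe
File Size : 3 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 900150983cd24fb0d6963f7d28e17f72
SHA1 : a9993e364706816aba3e25717850c26c9cd0d89d
"""


def demo() -> tuple:
    """Write b"abc" to a temp file, check it against the sample report, then
    against the same report with a tampered MD5.  Returns (True, False)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as fh:
        fh.write(b"abc")
        path = fh.name
    try:
        good = parse_report(SAMPLE_REPORT)
        tampered = dict(good, md5="0" * 32)
        return report_matches_file(good, path), report_matches_file(tampered, path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

In practice you would call hash_file on the real path (for example the U3\temp\cleanup.exe named above) before the upload, paste the report text that comes back into parse_report, and only trust the "no malware found" verdict if report_matches_file is True. Requiring size plus both digests costs nothing and removes the one trivial way a report can be about the wrong file.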


#9 Eddie_H (Topic Starter, 10 posts)

Posted 24 June 2010 - 09:01 AM

Hi Sempai

Below are the virscan reports; I'll run ESET next

VirSCAN.org Scanned Report :
Scanned time : 2010/06/24 21:18:47 (CST)
Scanner results: Scanners did not find malware!
File Name : cleanup.exe
File Size : 110592 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 50d61d7ca5f711d78d2b50b93dccf97c
SHA1 : 6a751f408ba30c7fc4d024aa8acd078822b2fafc
Online report : http://virscan.org/report/eabde573550f7c0b...3a8f15e41d.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.11 20100624063430 2010-06-24 40.10 -
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 40.21 -
AntiVir 8.2.4.2 7.10.8.182 2010-06-24 0.39 -
Antiy 2.0.18 20100620.4774407 2010-06-20 0.10 -
Arcavir 2009 201006231702 2010-06-23 0.13 -
Authentium 5.1.1 201006241030 2010-06-24 2.79 -
AVAST! 4.7.4 100624-0 2010-06-24 0.01 -
AVG 8.5.793 271.1.1/2960 2010-06-24 2.05 -
BitDefender 7.90123.6274875 7.32386 2010-06-24 7.49 -
ClamAV 0.96.1 11254 2010-06-24 0.05 -
Comodo 3.13.579 5199 2010-06-24 40.25 -
CP Secure 1.3.0.5 2010.06.24 2010-06-24 0.07 -
Dr.Web 5.0.2.3300 2010.06.24 2010-06-24 10.14 -
F-Prot 4.4.4.56 20100623 2010-06-23 3.15 -
F-Secure 7.02.73807 2010.06.24.01 2010-06-24 0.23 -
Fortinet 4.1.133 12.80 2010-06-23 40.14 -
GData 21.402/21.144 20100624 2010-06-24 40.09 -
ViRobot 20100623 2010.06.23 2010-06-23 40.11 -
Ikarus T3.1.01.84 2010.06.24.76131 2010-06-24 7.26 -
JiangMin 13.0.900 2010.06.23 2010-06-23 40.10 -
Kaspersky 5.5.10 2010.06.24 2010-06-24 0.16 -
KingSoft 2009.2.5.15 2010.6.24.18 2010-06-24 40.11 -
McAfee 5400.1158 6022 2010-06-23 20.29 -
Microsoft 1.5902 2010.06.24 2010-06-24 40.18 -
Norman 6.05.10 6.05.00 2010-06-23 6.01 -
Panda 9.05.01 2010.06.23 2010-06-23 40.10 -
Trend Micro 9.120-1004 7.264.10 2010-06-24 0.04 -
Quick Heal 10.00 2010.06.24 2010-06-24 40.09 -
Rising 20.0 22.53.03.03 2010-06-24 40.09 -
Sophos 3.07.1 4.54 2010-06-24 4.11 -
Sunbelt 3.9.2426.2 6498 2010-06-23 40.12 -
Symantec 1.3.0.24 20100615.005 2010-06-15 0.34 -
nProtect 20100622.01 8754154 2010-06-22 40.19 -
The Hacker 6.5.2.0 v00303 2010-06-23 40.09 -
VBA32 3.12.12.5 20100624.0925 2010-06-24 3.25 -
VirusBuster 4.5.11.10 10.126.100/2022635 2010-06-24 2.57 -



VirSCAN.org Scanned Report :
Scanned time : 2010/06/24 21:44:17 (CST)
Scanner results: Scanners did not find malware!
File Name : Launchpad Removal.exe
File Size : 3493888 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 0c3deb8c545a2c4d8f84278234cec3a2
SHA1 : 50d2987dad04cb9fd256b7d1a02ce0ce268a9410
Online report : http://virscan.org/report/3d34055aaf3ad66d...f642a81714.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.11 20100624063430 2010-06-24 40.10 -
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 40.09 -
AntiVir 8.2.4.2 7.10.8.182 2010-06-24 0.49 -
Antiy 2.0.18 20100620.4774407 2010-06-20 0.02 -
Arcavir 2009 201006231702 2010-06-23 0.11 -
Authentium 5.1.1 201006241030 2010-06-24 5.94 -
AVAST! 4.7.4 100624-0 2010-06-24 0.21 -
AVG 8.5.793 271.1.1/2960 2010-06-24 0.38 -
BitDefender 7.90123.6274875 7.32386 2010-06-24 4.25 -
ClamAV 0.96.1 11254 2010-06-24 1.00 -
Comodo 3.13.579 5199 2010-06-24 28.39 -
CP Secure 1.3.0.5 2010.06.24 2010-06-24 1.02 -
Dr.Web 5.0.2.3300 2010.06.24 2010-06-24 17.45 -
F-Prot 4.4.4.56 20100623 2010-06-23 4.71 -
F-Secure 7.02.73807 2010.06.24.01 2010-06-24 0.27 -
Fortinet 4.1.133 12.80 2010-06-23 40.11 -
GData 21.402/21.144 20100624 2010-06-24 40.14 -
ViRobot 20100623 2010.06.23 2010-06-23 40.09 -
Ikarus T3.1.01.84 2010.06.24.76131 2010-06-24 8.45 -
JiangMin 13.0.900 2010.06.23 2010-06-23 40.09 -
Kaspersky 5.5.10 2010.06.24 2010-06-24 0.20 -
KingSoft 2009.2.5.15 2010.6.24.18 2010-06-24 40.09 -
McAfee 5400.1158 6022 2010-06-23 16.47 -
Microsoft 1.5902 2010.06.24 2010-06-24 40.09 -
Norman 6.05.10 6.05.00 2010-06-23 6.01 -
Panda 9.05.01 2010.06.23 2010-06-23 40.09 -
Trend Micro 9.120-1004 7.264.10 2010-06-24 0.04 -
Quick Heal 10.00 2010.06.24 2010-06-24 40.09 -
Rising 20.0 22.53.03.03 2010-06-24 40.09 -
Sophos 3.07.1 4.54 2010-06-24 3.67 -
Sunbelt 3.9.2426.2 6498 2010-06-23 40.09 -
Symantec 1.3.0.24 20100615.005 2010-06-15 1.89 -
nProtect 20100622.01 8754154 2010-06-22 40.11 -
The Hacker 6.5.2.0 v00303 2010-06-23 40.09 -
VBA32 3.12.12.5 20100624.0925 2010-06-24 4.74 -
VirusBuster 4.5.11.10 10.126.100/2022635 2010-06-24 3.98 -


#10 Eddie_H (Topic Starter)

Posted 24 June 2010 - 09:38 AM

I just ran ESET, and no viruses were found.

#11 sempai (Malware Response Team)

Posted 24 June 2010 - 09:47 AM

How's the computer running now?



1. Please run Malwarebytes Anti-Malware. Go to update tab and download all updates and then perform a full scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




2. Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Unchecked the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.

~Semp



#12 Eddie_H (Topic Starter)

Posted 25 June 2010 - 09:45 AM

Hi Sempai,

I ran Malwarebytes yesterday and below is the log. I also ran GMER last night (log below and attached) but was not sure if it actually finished. When I tried running GMER again this morning, after about 80 minutes or so I got a blue screen with the error message PFN_LIST_CORRUPT. I still seem to be having the same problems as before, where IE opens a Google window when I click on links or I get redirected (especially from search sites like Yahoo or Google).

In case I do not hear from you later today, have a great weekend!!!!


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4233

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/24/2010 11:34:09 AM
mbam-log-2010-06-24 (11-34-09).txt

Scan type: Full scan (C:\|)
Objects scanned: 179489
Time elapsed: 41 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-25 09:19:07
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\STACEY~1\LOCALS~1\Temp\uxtdypog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#13 sempai (Malware Response Team)

Posted 25 June 2010 - 10:21 AM

Hi,

Are you using a router? Can you tell me the brand/model please?

Do you have the redirection issue on any browser?


=======================


Please do this:

1. Click Start > Run > type cmd and hit the Enter key; a command prompt will open. Copy/paste or type exactly the text below, then hit the Enter key.
ipconfig /flushdns
You will see the message "Windows IP Configuration Successfully flushed the DNS Resolver Cache" if done properly.



2. Enter your control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
  • Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties.
  • Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
  • Press OK twice to get out of the properties screen and reboot if it asks.



3. Download and Run Sysprot Antirootkit
Link 1, Link 2, Link 3
  1. Unzip it into a folder on your desktop.
  2. Double click Sysprot.exe to run the program.  (For Vista, right click and run as administrator)
  3. Go to Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Select Scan all drives and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Post the log when you reply.




~Semp

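The checks in sempai's post above (flush the resolver cache, confirm the adapter obtains DNS automatically, ask about the router and whether other browsers redirect too) all target one failure mode: when MBAM, ESET and GMER come back clean but every browser still redirects, the resolver path is the usual culprit, whether a rogue DNS server handed out by the router's DHCP, one set directly on the adapter, or a modified hosts file. The Python script below is an added example written for this page, not a tool from the thread or from BleepingComputer; it parses an `ipconfig /all` dump and a hosts file and flags those signs. The sample dump, the sample hosts file, the 203.0.113.77 address and the PROTECTED_SUFFIXES list are constructed for the example, and the script file name in the usage comment is hypothetical.

```python
"""Added example (not from the thread): offline triage for DNS-level redirects.

Parses a constructed `ipconfig /all` dump and a constructed hosts file and flags
the usual causes of "AV says clean, but the browser is redirected":
  - a DNS server that is neither the LAN gateway nor a LAN/loopback address
    (handed out by a tampered router, or set by malware on the adapter);
  - hosts-file lines that pin a domain to a non-loopback address, or that pin
    a security/update domain at all (used to block AV updates).
All sample data below is constructed for this example.
"""
import ipaddress
import re
import sys
from typing import Dict, List, Tuple

# Constructed `ipconfig /all` output in the Windows XP layout.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : office-pc

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.77
"""

# Constructed hosts file; 203.0.113.0/24 is a documentation range standing in
# for an attacker-controlled resolver/web server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.77    www.google.com search.yahoo.com
127.0.0.1       www.malwarebytes.org   # black-holing the AV vendor is a common tell
"""

# Explicit LAN ranges: ipaddress's is_private also counts documentation ranges
# such as 203.0.113.0/24 as private, which would hide the rogue resolver above.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
# Illustrative (assumed) suffixes of domains malware likes to pin in hosts.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com",
                      "malwarebytes.org", "avg.com", "eset.com")

ADAPTER_RE = re.compile(r"^(\S.*?):\s*$")                       # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*)$")  # "  Name . . : value"
CONT_RE = re.compile(r"^\s+(\S+)\s*$")                          # bare continuation value


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter: {'dns': [...], 'gateway': [...]}} from `ipconfig /all` text."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current = None
    last_field = None  # which list a bare continuation line extends
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {"dns": [], "gateway": []}
            last_field = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            name, value = m.group(1).strip().lower(), m.group(2).strip()
            last_field = {"dns servers": "dns", "default gateway": "gateway"}.get(name)
            if last_field and value:
                adapters[current][last_field].append(value)
            continue
        m = CONT_RE.match(line)
        if m and last_field:
            adapters[current][last_field].append(m.group(1))
    return adapters


def _addr(s: str):
    """Parse an IP string, dropping an IPv6 zone suffix; None if unparseable."""
    try:
        return ipaddress.ip_address(s.split("%", 1)[0])
    except ValueError:
        return None


def is_lan(addr) -> bool:
    return any(addr in net for net in LAN_NETS)  # version mismatch yields False


def suspicious_dns_servers(adapters) -> List[Tuple[str, str, str]]:
    """(adapter, server, reason) for resolvers that are neither the gateway nor LAN."""
    findings = []
    for adapter, info in adapters.items():
        gateways = {a for a in map(_addr, info["gateway"]) if a is not None}
        for server in info["dns"]:
            addr = _addr(server)
            if addr is None:
                findings.append((adapter, server, "unparseable DNS server entry"))
            elif addr not in gateways and not is_lan(addr):
                findings.append((adapter, server,
                                 "resolver outside the LAN; compare with what the router hands out"))
    return findings


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """(ip, hostname) pairs from a hosts file, comments stripped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            entries.extend((parts[0], name.lower()) for name in parts[1:])
    return entries


def suspicious_hosts_entries(entries) -> List[Tuple[str, str, str]]:
    """(ip, name, reason) for lines a stock Windows hosts file never contains."""
    findings = []
    for ip, name in entries:
        addr = _addr(ip)
        if addr is None or name == "localhost":
            continue
        if name.endswith(PROTECTED_SUFFIXES):
            findings.append((ip, name, "security/update domain pinned in hosts"))
        elif not addr.is_loopback and not addr.is_unspecified:
            findings.append((ip, name, "domain pinned to a non-loopback address"))
    return findings


def triage(ipconfig_text: str, hosts_text: str) -> Dict[str, list]:
    return {"dns": suspicious_dns_servers(parse_ipconfig(ipconfig_text)),
            "hosts": suspicious_hosts_entries(parse_hosts(hosts_text))}


if __name__ == "__main__":
    # Usage (hypothetical file name): python dns_triage.py ipconfig.txt hosts
    # With no arguments the constructed samples are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            ipc = f.read()
        with open(sys.argv[2], encoding="utf-8", errors="replace") as f:
            hosts = f.read()
    else:
        ipc, hosts = SAMPLE_IPCONFIG, SAMPLE_HOSTS
    for kind, items in triage(ipc, hosts).items():
        for item in items:
            print(kind, *item)
```

On the affected machine, `ipconfig /all > ipconfig.txt` plus a copy of `C:\WINDOWS\system32\drivers\etc\hosts` is all the input needed. A resolver outside the LAN is a lead, not proof: some users set public resolvers on purpose, and a tampered router hands its rogue servers out over DHCP so "obtain DNS servers automatically" on the adapter does not rule it out, which is why the finding says to compare against what the router itself is configured to hand out.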


#14 Eddie_H (Topic Starter)

Posted 25 June 2010 - 11:33 AM

Hi,

Using a Linksys router and a Linksys 24-port, model SR224. I have not tried other browsers, but will download one and let you know in my next post.

I ran the DNS flush; not sure if it worked or not, a screen flashed too quickly to read. My TCP/IP connection was already set to obtain DNS servers automatically.

Attached is the Sysprot log.


#15 Eddie_H (Topic Starter)

Posted 25 June 2010 - 11:42 AM

I tried Google Chrome; sometimes it allows me to click through, other times I get redirected. Most times it opens a new page (at either the correct or incorrect address).



