Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Combo fix log


  • This topic is locked This topic is locked
15 replies to this topic

#1 JayMc

JayMc

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:19 AM

Posted 30 June 2010 - 03:53 PM

Summary issue

Last night my laptop was infected/attacked by the AV Security Suite virus. The result was pop-ups and disabled core applications. To address the issue I completed the following...

1. Rebooted and entered safe mode.

2. Disabled the false proxy.

3. Downloaded and performed scans with Spybot S&D and Malwarebyte's Anti-Malware.

I was still getting pop-ups and application errors so I proceeded to #4.

4. Downloaded and ran combo fix (thanks to this wonderful forum) today. During the scan a notification appeared that a rootkit was present and combo fix rebooted the PC before completing the scan.

I am now able to use the applications that were previously blocked and have not had further pop-up issues. I would like an expert review to see if I am in the clear or not based on what's available in the scans below. Thanks!

JayMc


Here is the DDS log for your review


DDS (Ver_10-03-17.01) - NTFSx86
Run by James at 15:44:42.70 on Wed 06/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1187 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:Program FilesAVGAVG9avgchsvx.exe
C:Program FilesAVGAVG9avgrsx.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesAVGAVG9avgcsrvx.exe
C:Program FilesGoogleUpdate1.2.183.29GoogleCrashHandler.exe
svchost.exe
C:Program FilesCommon FilesAppleMobile Device SupportAppleMobileDeviceService.exe
C:Program FilesAVGAVG9avgwdsvc.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesCarboniteCarbonite Backupcarboniteservice.exe
C:Program FilesJavajre6binjqs.exe
C:Program FilesAVGAVG9avgnsx.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:WINDOWSsystem32nvsvc32.exe
C:WINDOWSsystem32HPZipm12.exe
C:WINDOWSsystem32svchost.exe -k imgsvc
C:Program FilesAVGAVG9avgemc.exe
C:Program FilesAVGAVG9avgcsrvx.exe
svchost.exe 4
svchost.exe 4
C:WINDOWSsystem32notepad.exe
C:WINDOWSexplorer.exe
C:Documents and SettingsJamesLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and SettingsJamesLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and SettingsJamesLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and SettingsJamesLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:WINDOWSsystem32dllhost.exe
C:Documents and SettingsJamesLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Program FilesInternet ExplorerIEXPLORE.EXE
C:Documents and SettingsJamesMy DocumentsDownloadsdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program filescommon filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:program filesavgavg9avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:progra~1spybot~1SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:program filesgooglegoogletoolbarnotifier5.1.1309.3572swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program filesjavajre6binjp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:program filesjavajre6libdeployjqsiejqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [swg] c:program filesgooglegoogletoolbarnotifierGoogleToolbarNotifier.exe
uRun: [Google Update] "c:documents and settingsjameslocal settingsapplication datagoogleupdateGoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:program filesspybot - search & destroyTeaTimer.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%SigmaTelC-Major AudioWDMstsystra.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:windowssystem32NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:windowssystem32NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:program filescommon filesjavajava updatejusched.exe"
mRun: [Carbonite Backup] c:program filescarbonitecarbonite backupCarboniteUI.exe
mRun: [Apoint] c:program filesapointApoint.exe
mRun: [LVCOMS] c:program filescommon fileslogitechqcdriver3LVCOMS.EXE
mRun: [RoxWatchTray] "c:program filescommon filesroxio shared9.0sharedcomRoxWatchTray9.exe"
mRun: [AVG9_TRAY] c:progra~1avgavg9avgtray.exe
mRun: [AppleSyncNotifier] c:program filescommon filesapplemobile device supportAppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:program filesadobereader 9.0readerReader_sl.exe"
mRun: [Adobe ARM] "c:program filescommon filesadobearm1.0AdobeARM.exe"
mRun: [QuickTime Task] "c:program filesquicktimeQTTask.exe" -atboottime
mRun: [iTunesHelper] "c:program filesitunesiTunesHelper.exe"
IE: E&xport to Microsoft Excel - c:progra~1micros~2office11EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1micros~2office11REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:progra~1spybot~1SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269275953796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:program filesavgavg9avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:windowssystem32driversavgldx86.sys [2009-1-30 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:windowssystem32driversavgmfx86.sys [2009-1-30 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:windowssystem32driversavgtdix.sys [2009-1-30 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:program filesavgavg9avgemc.exe [2010-3-15 916760]
R2 avg9wd;AVG Free WatchDog;c:program filesavgavg9avgwdsvc.exe [2010-3-15 308064]
S0 cerc6;cerc6; [x]
S2 gupdate1c9bd68156a6534;Google Update Service (gupdate1c9bd68156a6534);c:program filesgoogleupdateGoogleUpdate.exe [2009-4-14 133104]
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:windowssystem32driversLV551AV.sys [2009-10-4 220079]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:windowssystem32driverspixmcvc.sys [2009-10-4 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:windowssystem32driverspixmcva.sys [2009-10-4 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:windowssystem32driverspixmcvv.sys [2009-10-4 20953]

=============== Created Last 30 ================

2010-06-30 19:53:59 0 d-sha-r- C:cmdcons
2010-06-30 19:49:22 98816 ----a-w- c:windowssed.exe
2010-06-30 19:49:22 77312 ----a-w- c:windowsMBR.exe
2010-06-30 19:49:22 256512 ----a-w- c:windowsPEV.exe
2010-06-30 19:49:22 161792 ----a-w- c:windowsSWREG.exe
2010-06-30 12:20:36 0 d-----w- c:program filesSpybot - Search & Destroy
2010-06-30 12:20:36 0 d-----w- c:docume~1alluse~1applic~1Spybot - Search & Destroy
2010-06-30 12:15:02 411368 ----a-w- c:windowssystem32deployJava1.dll
2010-06-30 05:03:54 0 d-----w- c:docume~1jamesapplic~1Malwarebytes
2010-06-30 05:03:46 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2010-06-30 05:03:45 20952 ----a-w- c:windowssystem32driversmbam.sys
2010-06-30 05:03:45 0 d-----w- c:program filesMalwarebytes' Anti-Malware
2010-06-30 05:03:45 0 d-----w- c:docume~1alluse~1applic~1Malwarebytes
2010-06-30 04:51:51 767952 ----a-w- c:windowsBDTSupport.dll.old
2010-06-30 04:51:50 1652688 ----a-w- c:windowsPCTBDCore.dll.old
2010-06-30 04:43:17 0 d-----w- c:program filesSpyware Doctor
2010-06-22 01:58:48 0 d-----w- c:program filesiPod
2010-06-22 01:58:41 0 d-----w- c:program filesiTunes
2010-06-22 01:52:52 0 d-----w- c:program filesBonjour
2010-06-10 11:14:50 3250 ----a-w- c:windowssystem32wbemOutlook_01cb088e24aec5ae.mof
2010-06-09 08:17:18 743424 -c----w- c:windowssystem32dllcacheiedvtool.dll
2010-06-08 00:23:51 0 d-----w- c:program filesWindows Media Connect 2
2010-06-08 00:22:09 0 d-----w- c:windowssystem32LogFiles
2010-06-08 00:21:31 0 d-----w- C:38cba56557862e2d64

==================== Find3M ====================

2010-06-26 20:03:26 183003 ----a-w- c:windowssystem32nvModes.dat
2010-06-02 14:04:53 242896 ----a-w- c:windowssystem32driversavgtdix.sys
2010-05-18 21:35:16 91424 ----a-w- c:windowssystem32dnssd.dll
2010-05-18 21:35:16 107808 ----a-w- c:windowssystem32dns-sd.exe
2010-05-06 10:41:53 916480 ----a-w- c:windowssystem32wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:windowssystem32win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:windowssystem32atmfd.dll
2010-04-20 01:47:44 3062048 ----a-w- c:windowssystem32usbaaplrc.dll
2010-04-09 00:05:58 68294 ----a-w- c:windowshpoins05.dat
2002-08-01 00:55:12 154 --sh--w- c:windowsWSYS049.SYS

============= FINISH: 15:44:51.53 ===============


Here is the combo fix log for your review....


ComboFix 10-06-29.04 - James 06/30/2010 14:59:13.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1558 [GMT -5:00]
Running from: c:documents and settingsJamesDesktopComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:docume~1JamesLOCALS~1Tempinstall_flash_player.exe
c:windowssystem32st325602.dll

Infected copy of c:windowssystem32driversatapi.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-30 )))))))))))))))))))))))))))))))
.

2010-06-30 19:51 . 2010-06-30 19:51 -------- d-sh--w- c:documents and settingsLocalServiceIETldCache
2010-06-30 19:50 . 2010-06-30 19:50 -------- d-sh--w- c:documents and settingsLocalServicePrivacIE
2010-06-30 12:20 . 2010-06-30 19:41 -------- d-----w- c:program filesSpybot - Search & Destroy
2010-06-30 12:20 . 2010-06-30 19:33 -------- d-----w- c:documents and settingsAll UsersApplication DataSpybot - Search & Destroy
2010-06-30 12:18 . 2010-06-30 12:18 -------- d-----w- c:program filesCommon FilesJava
2010-06-30 12:15 . 2010-06-30 12:15 503808 ----a-w- c:documents and settingsJamesApplication DataSunJavaDeploymentSystemCache6.046f84c6ae-6c55be72-nmsvcp71.dll
2010-06-30 12:15 . 2010-06-30 12:15 499712 ----a-w- c:documents and settingsJamesApplication DataSunJavaDeploymentSystemCache6.046f84c6ae-6c55be72-njmc.dll
2010-06-30 12:15 . 2010-06-30 12:15 348160 ----a-w- c:documents and settingsJamesApplication DataSunJavaDeploymentSystemCache6.046f84c6ae-6c55be72-nmsvcr71.dll
2010-06-30 12:15 . 2010-06-30 12:15 61440 ----a-w- c:documents and settingsJamesApplication DataSunJavaDeploymentSystemCache6.0505535ab32-2f8df486-ndecora-sse.dll
2010-06-30 12:15 . 2010-06-30 12:15 12800 ----a-w- c:documents and settingsJamesApplication DataSunJavaDeploymentSystemCache6.0505535ab32-2f8df486-ndecora-d3d.dll
2010-06-30 12:15 . 2010-04-12 22:29 411368 ----a-w- c:windowssystem32deployJava1.dll
2010-06-30 05:51 . 2010-06-30 05:51 -------- d-----w- c:documents and settingsJamesLocal SettingsApplication DataThreat Expert
2010-06-30 05:03 . 2010-06-30 05:03 -------- d-----w- c:documents and settingsJamesApplication DataMalwarebytes
2010-06-30 05:03 . 2010-04-29 20:39 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2010-06-30 05:03 . 2010-06-30 05:03 -------- d-----w- c:program filesMalwarebytes' Anti-Malware
2010-06-30 05:03 . 2010-06-30 05:03 -------- d-----w- c:documents and settingsAll UsersApplication DataMalwarebytes
2010-06-30 05:03 . 2010-04-29 20:39 20952 ----a-w- c:windowssystem32driversmbam.sys
2010-06-30 04:43 . 2010-06-30 11:33 -------- d-----w- c:program filesSpyware Doctor
2010-06-30 03:28 . 2010-06-30 03:28 -------- d-sh--w- c:windowssystem32configsystemprofilePrivacIE
2010-06-30 03:25 . 2010-06-30 05:45 -------- d-----w- c:documents and settingsNetworkServiceLocal SettingsApplication Datalqxcofasr
2010-06-30 02:09 . 2010-06-30 02:09 -------- d-sh--w- c:windowssystem32configsystemprofileIETldCache
2010-06-30 02:09 . 2010-06-30 02:09 -------- d-sh--w- c:documents and settingsNetworkServicePrivacIE
2010-06-22 01:58 . 2010-06-22 01:58 -------- d-----w- c:program filesiPod
2010-06-22 01:58 . 2010-06-22 01:59 -------- d-----w- c:program filesiTunes
2010-06-22 01:55 . 2010-06-22 01:56 -------- d-----w- c:program filesQuickTime
2010-06-22 01:54 . 2010-06-22 01:54 -------- d-----w- c:program filesApple Software Update
2010-06-22 01:52 . 2010-06-22 01:52 -------- d-----w- c:program filesBonjour
2010-06-16 01:01 . 2010-06-16 01:01 72504 ----a-w- c:documents and settingsAll UsersApplication DataApple ComputerInstaller CacheiTunes 9.2.0.61SetupAdmin.exe
2010-06-11 04:06 . 2008-04-14 12:00 26624 ----a-w- c:documents and settingsLocalServiceApplication DataMicrosoftUPnP Device Hostupnphostudhisapi.dll
2010-06-09 08:17 . 2010-05-06 10:41 743424 -c----w- c:windowssystem32dllcacheiedvtool.dll
2010-06-08 00:23 . 2010-06-08 00:23 -------- d-----w- c:program filesWindows Media Connect 2
2010-06-08 00:22 . 2010-06-08 00:22 -------- d-----w- c:windowssystem32driversUMDF
2010-06-08 00:22 . 2010-06-08 00:22 -------- d-----w- c:windowssystem32LogFiles
2010-06-08 00:21 . 2010-06-08 00:22 -------- d-----w- C:38cba56557862e2d64
2010-06-02 14:05 . 2010-06-02 14:05 242896 ----a-w- c:documents and settingsAll UsersApplication Dataavg9updatebackupavgtdix.sys
2010-06-02 14:05 . 2010-06-02 14:05 29512 ----a-w- c:documents and settingsAll UsersApplication Dataavg9updatebackupavgmfx86.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-30 12:14 . 2009-02-18 21:12 -------- d-----w- c:program filesJava
2010-06-30 11:32 . 2010-02-11 00:54 -------- d---a-w- c:documents and settingsAll UsersApplication DataTemp
2010-06-30 03:17 . 2009-04-15 01:17 -------- d-----w- c:documents and settingsAll UsersApplication DataGoogle Updater
2010-06-26 20:03 . 2009-01-30 21:23 183003 ----a-w- c:windowssystem32nvModes.dat
2010-06-22 01:58 . 2009-07-25 14:53 -------- d-----w- c:program filesCommon FilesApple
2010-06-02 14:04 . 2009-01-30 21:35 242896 ----a-w- c:windowssystem32driversavgtdix.sys
2010-06-02 14:04 . 2009-01-30 21:35 29584 ----a-w- c:windowssystem32driversavgmfx86.sys
2010-05-23 12:49 . 2010-05-23 12:49 503808 ----a-w- c:documents and settingsJamesApplication DataSunJavaDeploymentcache6.046f84c6ae-778bc3b0-nmsvcp71.dll
2010-05-23 12:49 . 2010-05-23 12:49 499712 ----a-w- c:documents and settingsJamesApplication DataSunJavaDeploymentcache6.046f84c6ae-778bc3b0-njmc.dll
2010-05-23 12:49 . 2010-05-23 12:49 348160 ----a-w- c:documents and settingsJamesApplication DataSunJavaDeploymentcache6.046f84c6ae-778bc3b0-nmsvcr71.dll
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:windowssystem32dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:windowssystem32dns-sd.exe
2010-05-14 02:20 . 2010-05-14 02:20 -------- d-----w- c:program filesEaston Shaft Selector 2010
2010-05-11 17:55 . 2009-04-15 01:17 -------- d-----w- c:program filesGoogle
2010-05-06 10:41 . 2008-04-14 12:00 916480 ----a-w- c:windowssystem32wininet.dll
2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:windowssystem32win32k.sys
2010-04-20 05:30 . 2008-04-14 12:00 285696 ----a-w- c:windowssystem32atmfd.dll
2010-04-20 01:47 . 2009-07-25 14:53 3062048 ----a-w- c:windowssystem32usbaaplrc.dll
2010-04-20 01:47 . 2009-07-25 14:53 41984 ----a-w- c:windowssystem32driversusbaapl.sys
2010-04-14 13:28 . 2009-11-12 03:30 79488 ----a-w- c:documents and settingsJamesApplication DataSunJavajre1.6.0_17gtapi.dll
2010-04-13 18:56 . 2010-04-13 18:56 1925088 ----a-w- c:documents and settingsJamesApplication DataMacromediaFlash Playerwww.macromedia.combinfpupdateplfpupdatepl.exe
2010-04-09 00:05 . 2010-04-09 00:03 68294 ----a-w- c:windowshpoins05.dat
2002-08-01 00:55 . 2009-02-05 20:08 154 --sh--w- c:windowsWSYS049.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionexplorershelliconoverlayidentifiersCarbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOTCLSID{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 21:13 583312 ----a-r- c:program filesCarboniteCarbonite BackupCarboniteNSE.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionexplorershelliconoverlayidentifiersCarbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOTCLSID{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 21:13 583312 ----a-r- c:program filesCarboniteCarbonite BackupCarboniteNSE.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionexplorershelliconoverlayidentifiersCarbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOTCLSID{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 21:13 583312 ----a-r- c:program filesCarboniteCarbonite BackupCarboniteNSE.dll

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"swg"="c:program filesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe" [2009-04-15 39408]
"Google Update"="c:documents and settingsJamesLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe" [2010-02-26 135664]
"SpybotSD TeaTimer"="c:program filesSpybot - Search & DestroyTeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"SigmatelSysTrayApp"="c:program filesSigmaTelC-Major AudioWDMstsystra.exe" [2007-05-10 405504]
"NvCplDaemon"="c:windowssystem32NvCpl.dll" [2008-02-22 13508608]
"nwiz"="nwiz.exe" [2008-02-22 1626112]
"NVHotkey"="nvHotkey.dll" [2008-02-22 86016]
"NvMediaCenter"="c:windowssystem32NvMcTray.dll" [2008-02-22 86016]
"SunJavaUpdateSched"="c:program filesCommon FilesJavaJava Updatejusched.exe" [2010-02-18 248040]
"Carbonite Backup"="c:program filesCarboniteCarbonite BackupCarboniteUI.exe" [2009-01-09 669840]
"Apoint"="c:program filesApointApoint.exe" [2005-10-07 176128]
"LVCOMS"="c:program filesCommon FilesLogitechQCDriver3LVCOMS.EXE" [2002-12-10 127022]
"RoxWatchTray"="c:program filesCommon FilesRoxio Shared9.0SharedCOMRoxWatchTray9.exe" [2008-06-08 236016]
"AVG9_TRAY"="c:progra~1AVGAVG9avgtray.exe" [2010-06-02 2065248]
"AppleSyncNotifier"="c:program filesCommon FilesAppleMobile Device SupportAppleSyncNotifier.exe" [2010-03-17 47392]
"Adobe Reader Speed Launcher"="c:program filesAdobeReader 9.0ReaderReader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:program filesCommon FilesAdobeARM1.0AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:program filesQuickTimeQTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:program filesiTunesiTunesHelper.exe" [2010-06-15 141624]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwinlogonnotifyavgrsstarter]
2010-03-15 13:05 12464 ----a-w- c:windowssystem32avgrsstx.dll

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"%windir%Network Diagnosticxpnetdiag.exe"=
"%windir%system32sessmgr.exe"=
"c:WINDOWSsystem32dpvsetup.exe"=
"c:Program FilesAVGAVG9avgemc.exe"=
"c:Program FilesAVGAVG9avgupd.exe"=
"c:Program FilesAVGAVG9avgnsx.exe"=
"c:Program FilesBonjourmDNSResponder.exe"=
"c:Program FilesiTunesiTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:windowssystem32driversavgldx86.sys [1/30/2009 4:35 PM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:windowssystem32driversavgtdix.sys [1/30/2009 4:35 PM 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:program filesAVGAVG9avgemc.exe [3/15/2010 8:05 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:program filesAVGAVG9avgwdsvc.exe [3/15/2010 8:05 AM 308064]
S0 cerc6;cerc6; [x]
S2 gupdate1c9bd68156a6534;Google Update Service (gupdate1c9bd68156a6534);c:program filesGoogleUpdateGoogleUpdate.exe [4/14/2009 8:18 PM 133104]
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:windowssystem32driversLV551AV.sys [10/4/2009 9:29 AM 220079]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:windowssystem32driverspixmcvc.sys [10/4/2009 6:39 PM 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:windowssystem32driverspixmcva.sys [10/4/2009 6:41 PM 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:windowssystem32driverspixmcvv.sys [10/4/2009 6:40 PM 20953]
.
Contents of the 'Scheduled Tasks' folder

2010-06-30 c:windowsTasksAppleSoftwareUpdate.job
- c:program filesApple Software UpdateSoftwareUpdate.exe [2009-10-22 16:50]

2010-06-30 c:windowsTasksGoogle Software Updater.job
- c:program filesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe [2009-04-15 01:17]

2010-06-30 c:windowsTasksGoogleUpdateTaskMachineCore.job
- c:program filesGoogleUpdateGoogleUpdate.exe [2009-04-15 01:18]

2010-06-30 c:windowsTasksGoogleUpdateTaskMachineUA.job
- c:program filesGoogleUpdateGoogleUpdate.exe [2009-04-15 01:18]

2010-06-30 c:windowsTasksGoogleUpdateTaskUserS-1-5-21-515967899-412668190-1417001333-1003Core.job
- c:documents and settingsJamesLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe [2010-02-28 07:42]

2010-06-30 c:windowsTasksGoogleUpdateTaskUserS-1-5-21-515967899-412668190-1417001333-1003UA.job
- c:documents and settingsJamesLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe [2010-02-28 07:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
IE: E&xport to Microsoft Excel - c:progra~1MICROS~2OFFICE11EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WebCamRT.exe - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-30 15:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINESystemControlSet001Servicesecvbdritvspqjxk]
"imagepath"="??c:windowsTEMP1B4.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS.DefaultSoftwareMicrosoftInternet ExplorerUser Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,ec,b7,1b,a8,66,d4,48,90,02,80,
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,ec,b7,1b,a8,66,d4,48,90,02,80,
.
Completion time: 2010-06-30 15:10:20
ComboFix-quarantined-files.txt 2010-06-30 20:10

Pre-Run: 40,123,396,096 bytes free
Post-Run: 41,305,661,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
c:cmdconsBOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 081BBFBAB0EEDC5AB10D0AB3A5FEA536

I've also had four or five pop-ups this evening. They have all been in google chrome and have all been for local businesses.

The wave volume on the laptop keeps resetting itself to zero. I adjust it to max and randomly it resets to zero. Probably related to the continued popups?

Merged posts. ~ OB

Edited by hamluis, 01 July 2010 - 03:35 PM.


BC AdBot (Login to Remove)

 


#2 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:01:19 AM

Posted 04 July 2010 - 11:43 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

PW

#3 JayMc

JayMc
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:19 AM

Posted 07 July 2010 - 08:07 AM

My issues have not been resolved; however, I am traveling for a couple days and will not be able to follow up until the weekend. I will complete steps as instructed at that time. Thanks.

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:19 AM

Posted 07 July 2010 - 04:18 PM

Hello.

I'll be ready to help you when you get back.

With Regards,
The Panda

#5 JayMc

JayMc
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:19 AM

Posted 09 July 2010 - 11:10 PM

I tried to run a GMER log, but it keeps shutting down my computer.

I ran a definitions update for malwarebytes and spybot. Neither found the black internet virus thing.

DDS Log....



DDS (Ver_10-03-17.01) - NTFSx86
Run by James at 23:09:00.66 on Fri 07/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.966 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

svchost.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe 4
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Documents and Settings\James\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\James\My Documents\Downloads\dds (1).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Google Update] "c:\documents and settings\james\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269275953796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-30 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-30 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-30 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-15 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]
S0 cerc6;cerc6; [x]
S2 gupdate1c9bd68156a6534;Google Update Service (gupdate1c9bd68156a6534);c:\program files\google\update\GoogleUpdate.exe [2009-4-14 133104]
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [2009-10-4 220079]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2009-10-4 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [2009-10-4 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2009-10-4 20953]

=============== Created Last 30 ================

2010-07-03 01:06:07 0 d-s---w- C:\ComboFix
2010-06-30 19:53:59 0 d-sha-r- C:\cmdcons
2010-06-30 19:49:22 98816 ----a-w- c:\windows\sed.exe
2010-06-30 19:49:22 77312 ----a-w- c:\windows\MBR.exe
2010-06-30 19:49:22 256512 ----a-w- c:\windows\PEV.exe
2010-06-30 12:20:36 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-30 12:20:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-30 12:15:02 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 05:03:54 0 d-----w- c:\docume~1\james\applic~1\Malwarebytes
2010-06-30 05:03:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 05:03:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 05:03:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 05:03:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-30 04:51:51 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-06-30 04:51:50 1652688 ----a-w- c:\windows\PCTBDCore.dll.old
2010-06-30 04:43:17 0 d-----w- c:\program files\Spyware Doctor
2010-06-22 01:58:48 0 d-----w- c:\program files\iPod
2010-06-22 01:58:41 0 d-----w- c:\program files\iTunes
2010-06-22 01:52:52 0 d-----w- c:\program files\Bonjour
2010-06-10 11:14:50 3250 ----a-w- c:\windows\system32\wbem\Outlook_01cb088e24aec5ae.mof

==================== Find3M ====================

2010-06-26 20:03:26 183003 ----a-w- c:\windows\system32\nvModes.dat
2010-06-02 14:04:53 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-18 21:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 01:47:44 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2002-08-01 00:55:12 154 --sh--w- c:\windows\WSYS049.SYS

============= FINISH: 23:09:22.46 ===============

Edited by JayMc, 10 July 2010 - 09:12 AM.


#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:19 AM

Posted 10 July 2010 - 10:35 AM

Hello.

Looks like you may have a bootloader rootkit. We'll need to access the recovery console that ComboFix installed to disable it.

Using Recovery Console
You may want to print out these instructions.

Shutdown your computer. Start it again.
After hearing the beep, tap the F8 key repeatitively until you see the boot selection screen.
Use the arrow keys to select "Microsoft Windows Recovery Console" and hit Enter.
You will be asked which installation you want to log into. This is usually 1 - C:\WINDOWS. Type 1 followed by Enter.

Type each of the following lines one at a time followed by Enter:
CODE
fixmbr
exit


Allow your computer to restart normally. If everything goes well, please run ComboFix and try running GMER again.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.


  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

With Regards,
The Panda

#7 JayMc

JayMc
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:19 AM

Posted 10 July 2010 - 11:49 AM

I performed those steps.

One item to note is that ComboFix also performed an app upgrade in the process. May or may not be useful info...

GMER is running right now.

Here is the combofix log for your review. Thanks!


ComboFix 10-07-09.02 - James 07/10/2010 11:39:07.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1417 [GMT -5:00]
Running from: c:\documents and settings\James\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-06-10 to 2010-07-10 )))))))))))))))))))))))))))))))
.

2010-07-10 03:11 . 2010-07-10 03:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-06-30 19:51 . 2010-06-30 19:51 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-30 19:50 . 2010-06-30 19:50 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-06-30 12:20 . 2010-06-30 19:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-30 12:20 . 2010-06-30 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-30 12:18 . 2010-06-30 12:18 -------- d-----w- c:\program files\Common Files\Java
2010-06-30 12:15 . 2010-06-30 12:15 503808 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c55be72-n\msvcp71.dll
2010-06-30 12:15 . 2010-06-30 12:15 499712 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c55be72-n\jmc.dll
2010-06-30 12:15 . 2010-06-30 12:15 348160 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c55be72-n\msvcr71.dll
2010-06-30 12:15 . 2010-06-30 12:15 61440 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2f8df486-n\decora-sse.dll
2010-06-30 12:15 . 2010-06-30 12:15 12800 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2f8df486-n\decora-d3d.dll
2010-06-30 12:15 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 05:51 . 2010-06-30 05:51 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\Threat Expert
2010-06-30 05:03 . 2010-06-30 05:03 -------- d-----w- c:\documents and settings\James\Application Data\Malwarebytes
2010-06-30 05:03 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 05:03 . 2010-06-30 05:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 05:03 . 2010-06-30 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-30 05:03 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 04:43 . 2010-06-30 11:33 -------- d-----w- c:\program files\Spyware Doctor
2010-06-30 03:28 . 2010-06-30 03:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-06-30 03:25 . 2010-06-30 05:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\lqxcofasr
2010-06-30 02:09 . 2010-06-30 02:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-30 02:09 . 2010-06-30 02:09 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-06-22 01:58 . 2010-06-22 01:58 -------- d-----w- c:\program files\iPod
2010-06-22 01:58 . 2010-06-22 01:59 -------- d-----w- c:\program files\iTunes
2010-06-22 01:55 . 2010-06-22 01:56 -------- d-----w- c:\program files\QuickTime
2010-06-22 01:54 . 2010-06-22 01:54 -------- d-----w- c:\program files\Apple Software Update
2010-06-22 01:52 . 2010-06-22 01:52 -------- d-----w- c:\program files\Bonjour
2010-06-16 01:01 . 2010-06-16 01:01 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-11 04:06 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-10 03:00 . 2009-04-15 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-30 12:14 . 2009-02-18 21:12 -------- d-----w- c:\program files\Java
2010-06-30 11:32 . 2010-02-11 00:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-06-26 20:03 . 2009-01-30 21:23 183003 ----a-w- c:\windows\system32\nvModes.dat
2010-06-22 01:58 . 2009-07-25 14:53 -------- d-----w- c:\program files\Common Files\Apple
2010-06-08 00:23 . 2010-06-08 00:23 -------- d-----w- c:\program files\Windows Media Connect 2
2010-06-02 14:04 . 2009-01-30 21:35 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-02 14:04 . 2009-01-30 21:35 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-23 12:49 . 2010-05-23 12:49 503808 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-778bc3b0-n\msvcp71.dll
2010-05-23 12:49 . 2010-05-23 12:49 499712 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-778bc3b0-n\jmc.dll
2010-05-23 12:49 . 2010-05-23 12:49 348160 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-778bc3b0-n\msvcr71.dll
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-14 02:20 . 2010-05-14 02:20 -------- d-----w- c:\program files\Easton Shaft Selector 2010
2010-05-11 17:55 . 2009-04-15 01:17 -------- d-----w- c:\program files\Google
2010-05-06 10:41 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2008-04-14 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 01:47 . 2009-07-25 14:53 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-20 01:47 . 2009-07-25 14:53 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-14 13:28 . 2009-11-12 03:30 79488 ----a-w- c:\documents and settings\James\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-13 18:56 . 2010-04-13 18:56 1925088 ----a-w- c:\documents and settings\James\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2002-08-01 00:55 . 2009-02-05 20:08 154 --sh--w- c:\windows\WSYS049.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-15 39408]
"Google Update"="c:\documents and settings\James\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-26 135664]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]
"nwiz"="nwiz.exe" [2008-02-22 1626112]
"NVHotkey"="nvHotkey.dll" [2008-02-22 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-22 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-08 236016]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-02 2065248]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-10-28 257440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 13:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/30/2009 4:35 PM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/30/2009 4:35 PM 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/15/2010 8:05 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 8:05 AM 308064]
S0 cerc6;cerc6; [x]
S2 gupdate1c9bd68156a6534;Google Update Service (gupdate1c9bd68156a6534);c:\program files\Google\Update\GoogleUpdate.exe [4/14/2009 8:18 PM 133104]
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [10/4/2009 9:29 AM 220079]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [10/4/2009 6:39 PM 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [10/4/2009 6:41 PM 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [10/4/2009 6:40 PM 20953]
.
Contents of the 'Scheduled Tasks' folder

2010-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2010-07-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-15 01:17]

2010-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 01:18]

2010-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 01:18]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-412668190-1417001333-1003Core.job
- c:\documents and settings\James\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-28 07:42]

2010-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-412668190-1417001333-1003UA.job
- c:\documents and settings\James\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-28 07:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-10 11:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ecvbdritvspqjxk]
"imagepath"="\??\c:\windows\TEMP\1B4.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,ec,b7,1b,a8,66,d4,48,90,02,80,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,ec,b7,1b,a8,66,d4,48,90,02,80,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3188)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-10 11:45:14
ComboFix-quarantined-files.txt 2010-07-10 16:44
ComboFix2.txt 2010-07-03 01:03

Pre-Run: 44,681,854,976 bytes free
Post-Run: 44,816,060,416 bytes free

- - End Of File - - F10927A9E81B82C96DA4CAD320FC66FC

Edited by JayMc, 10 July 2010 - 11:52 AM.


#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:19 AM

Posted 10 July 2010 - 12:12 PM

Hello JayMc.

Please also throw in a new DDS scan smile.gif .

The Panda

#9 JayMc

JayMc
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:19 AM

Posted 10 July 2010 - 12:16 PM

Will do. GMER is still running...I'm posting from another laptop.

#10 JayMc

JayMc
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:19 AM

Posted 10 July 2010 - 04:19 PM

Here's the GMER file...


And the DDS log...



DDS (Ver_10-03-17.01) - NTFSx86
Run by James at 16:27:56.81 on Sat 07/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1290 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\James\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\James\My Documents\Downloads\dds (2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Google Update] "c:\documents and settings\james\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269275953796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-30 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-30 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-30 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-15 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]
S0 cerc6;cerc6; [x]
S2 gupdate1c9bd68156a6534;Google Update Service (gupdate1c9bd68156a6534);c:\program files\google\update\GoogleUpdate.exe [2009-4-14 133104]
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [2009-10-4 220079]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2009-10-4 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [2009-10-4 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2009-10-4 20953]

=============== Created Last 30 ================

2010-07-10 16:36:30 161792 ----a-w- c:\windows\SWREG.exe
2010-06-30 19:53:59 0 d-sha-r- C:\cmdcons
2010-06-30 19:49:22 98816 ----a-w- c:\windows\sed.exe
2010-06-30 19:49:22 77312 ----a-w- c:\windows\MBR.exe
2010-06-30 19:49:22 256512 ----a-w- c:\windows\PEV.exe
2010-06-30 12:20:36 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-30 12:20:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-30 12:15:02 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 05:03:54 0 d-----w- c:\docume~1\james\applic~1\Malwarebytes
2010-06-30 05:03:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 05:03:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 05:03:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 05:03:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-30 04:51:51 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-06-30 04:51:50 1652688 ----a-w- c:\windows\PCTBDCore.dll.old
2010-06-30 04:43:17 0 d-----w- c:\program files\Spyware Doctor
2010-06-22 01:58:48 0 d-----w- c:\program files\iPod
2010-06-22 01:58:41 0 d-----w- c:\program files\iTunes
2010-06-22 01:52:52 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-06-26 20:03:26 183003 ----a-w- c:\windows\system32\nvModes.dat
2010-06-02 14:04:53 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-18 21:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 01:47:44 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2002-08-01 00:55:12 154 --sh--w- c:\windows\WSYS049.SYS

============= FINISH: 16:29:00.96 ===============

Attached Files

  • Attached File  ark.txt   1.4KB   4 downloads

Edited by JayMc, 10 July 2010 - 04:30 PM.


#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:19 AM

Posted 10 July 2010 - 09:56 PM

Hello.

That looks much better. Let's do a final online scan.

Apply Registry Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    CODE
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg
  • Hit OK.
When done properly, the icon should look like .

Double click fix.reg and answer Yes to the prompts. You should recieve the message that the entries have been successfully merged. If not, post back with the error message.

Delete fix.reg after use.


Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Please also include a fresh DDS log and give a description of any problems you are still having.

With Regards,
The Panda

#12 JayMc

JayMc
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:19 AM

Posted 10 July 2010 - 11:17 PM

No problems this evening. Kapersky is running now - report now attached.

Here is the updated DDS report....


DDS (Ver_10-03-17.01) - NTFSx86
Run by James at 23:13:46.87 on Sat 07/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.190 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\James\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\James\My Documents\Downloads\dds (3).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Google Update] "c:\documents and settings\james\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269275953796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-30 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-30 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-30 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-15 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]
S0 cerc6;cerc6; [x]
S2 gupdate1c9bd68156a6534;Google Update Service (gupdate1c9bd68156a6534);c:\program files\google\update\GoogleUpdate.exe [2009-4-14 133104]
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [2009-10-4 220079]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2009-10-4 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [2009-10-4 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2009-10-4 20953]

=============== Created Last 30 ================

2010-07-10 16:36:30 161792 ----a-w- c:\windows\SWREG.exe
2010-06-30 19:53:59 0 d-sha-r- C:\cmdcons
2010-06-30 19:49:22 98816 ----a-w- c:\windows\sed.exe
2010-06-30 19:49:22 77312 ----a-w- c:\windows\MBR.exe
2010-06-30 19:49:22 256512 ----a-w- c:\windows\PEV.exe
2010-06-30 12:20:36 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-30 12:20:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-30 12:15:02 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 05:03:54 0 d-----w- c:\docume~1\james\applic~1\Malwarebytes
2010-06-30 05:03:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 05:03:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 05:03:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 05:03:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-30 04:51:51 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-06-30 04:51:50 1652688 ----a-w- c:\windows\PCTBDCore.dll.old
2010-06-30 04:43:17 0 d-----w- c:\program files\Spyware Doctor
2010-06-22 01:58:48 0 d-----w- c:\program files\iPod
2010-06-22 01:58:41 0 d-----w- c:\program files\iTunes
2010-06-22 01:52:52 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-06-26 20:03:26 183003 ----a-w- c:\windows\system32\nvModes.dat
2010-06-02 14:04:53 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-18 21:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 01:47:44 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2002-08-01 00:55:12 154 --sh--w- c:\windows\WSYS049.SYS

============= FINISH: 23:16:45.14 ===============

Attached Files


Edited by JayMc, 11 July 2010 - 06:45 AM.


#13 JayMc

JayMc
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:19 AM

Posted 11 July 2010 - 07:12 AM

Panda - thank you for the help. I haven't had any problems. Unless you see something "bad" in the logs I would say you've fixed it. I really appreciate you taking the time to help. You're a lifesaver.

Can you explain what we did in layman's terms please? Obviously I understand the virus scans, but what about the other steps? I ran them quite blindly :D

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:19 AM

Posted 11 July 2010 - 10:56 AM

Glad I could help smile.gif .

The logs look good.

QUOTE
Can you explain what we did in layman's terms please? Obviously I understand the virus scans, but what about the other steps? I ran them quite blindly :D
Sure. You had a couple different infections on your machine. An infected system file was repaired the first time you ran ComboFix. We then had to remove an infection that loaded from the bootsector. This had to be done from the recovery console where Windows itself doesn't load and the infection is inactive. A registry edit was needed to remove a malicious proxy server setting.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    CODE
    ComboFix /uninstall



    Set New System Restore Point
    Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:[list]
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    CODE
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Please re-enable any antimalware programs that were disabled during the fix.

Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable uneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#15 JayMc

JayMc
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:19 AM

Posted 11 July 2010 - 12:19 PM

Thanks Panda! I think I'm good to go now. I appreciate all your help.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users