
Browser Hijack!


  • This topic is locked
22 replies to this topic

#1 archtx

  • Members
  • 13 posts
  • OFFLINE

Posted 10 July 2010 - 11:40 PM

Hope someone here can help, I've been trying to get rid of this for two days.
GMER.exe won't complete its scan, and I am not able to post from the infected computer. Maybe the malware is blocking it?

Here's the DDS log and attach file, thanks for looking at them.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owen Graham at 21:10:55.65 on Sat 07/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1241 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgcmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owen Graham\Local Settings\Temporary Internet Files\Content.IE5\F1W9E7B0\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1278706433375
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1278725793312
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-13 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-13 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-13 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\micro innovations\wireless keyboard & mouse driver\KMWDSrv.exe [2007-4-5 208896]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]

=============== Created Last 30 ================

2010-07-11 02:09:58 0 ----a-w- c:\documents and settings\owen graham\defogger_reenable
2010-07-11 00:19:30 0 d-sh--w- c:\documents and settings\owen graham\PrivacIE
2010-07-11 00:11:45 0 d-sh--w- c:\documents and settings\owen graham\IETldCache
2010-07-11 00:06:32 0 dc-h--w- c:\windows\ie8
2010-07-10 22:30:50 0 d-----w- c:\windows\ServicePackFiles
2010-07-10 22:27:29 19569 ----a-w- c:\windows\002963_.tmp
2010-07-10 22:25:16 0 d-----w- c:\windows\EHome
2010-07-10 20:57:38 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-07-10 20:57:38 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-07-10 20:57:38 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-07-10 20:57:38 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-07-10 20:57:38 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-07-10 20:57:38 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-07-10 20:57:38 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-07-10 20:57:38 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-07-10 20:57:38 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-07-10 20:57:36 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-07-10 20:57:36 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-07-10 19:35:48 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-10 19:22:33 0 d-----w- c:\docume~1\owengr~1\applic~1\Malwarebytes
2010-07-10 19:22:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 19:22:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 19:22:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-10 19:22:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-10 17:50:28 16384 ---ha-w- C:\SZKGFS.dat
2010-07-10 17:49:21 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-07-10 17:48:44 0 d-----w- c:\program files\common files\iS3
2010-07-10 17:48:44 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-07-09 20:14:59 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-07-08 21:38:47 0 d-----w- c:\program files\Trend Micro
2010-07-08 00:45:02 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-06-02 13:38:47 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-05 21:47:03 10261 ----a-w- c:\program files\unins000.dat
2010-03-05 21:45:45 694668 ----a-w- c:\program files\unins000.exe
2009-11-03 23:56:21 61 --sh--w- c:\windows\cnerolf.bin

============= FINISH: 21:11:48.90 ===============

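Added example, not part of the thread and not code from the DDS tool or its author: a small Python triage script for logs in the DDS format shown in post #1. It splits the log on the ==== section headers and flags the items a malware-response helper typically looks at first: toolbar (TB:) entries whose CLSID has no file behind it, a ProxyOverride/ProxyServer value under Internet Settings, uRun/mRun autostarts that point into a user profile, drivers whose image path DDS could not resolve ([?]), and hidden or system files created directly in C:\ or C:\WINDOWS. The flagging rules are my own heuristics, and the sample log is a constructed excerpt copied from the log posted above; a flag is a reason to check the entry, not a finding that it is malicious.

```python
"""Triage helper for DDS logs of the kind posted in this thread.

Heuristics only: each flag is a reason for a human to look at the line,
not a verdict that the entry is malicious.
"""
import re

# "============== Pseudo HJT Report ===============" -> "Pseudo HJT Report"
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "2010-07-10 17:50:28 16384 ---ha-w- C:\SZKGFS.dat"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
# "S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]"
DRIVER_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+)$")
# A file sitting directly in C:\ or C:\WINDOWS (not in a subdirectory).
ROOT_OR_WINDOWS_RE = re.compile(r"^c:\\(windows\\)?[^\\]+$", re.I)
# Path fragments (lower-case) meaning an autostart entry points into a user profile.
USER_PROFILE_HINTS = ("\\docume~1\\", "\\documents and settings\\",
                      "\\temp\\", "\\application data\\")

# Constructed sample: excerpts copied from the first DDS log in this thread.
SAMPLE_LOG = r"""
DDS (Ver_10-03-17.01) - NTFSx86

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/
uInternet Settings,ProxyOverride = 127.0.0.1
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

============= SERVICES / DRIVERS ===============

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]

=============== Created Last 30 ================

2010-07-11 00:19:30 0 d-sh--w- c:\documents and settings\owen graham\PrivacIE
2010-07-10 20:57:38 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-07-10 17:50:28 16384 ---ha-w- C:\SZKGFS.dat

==================== Find3M ====================

2010-06-02 13:38:47 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-03 23:56:21 61 --sh--w- c:\windows\cnerolf.bin

============= FINISH: 21:11:48.90 ===============
"""


def parse_sections(text):
    """Split a DDS log into {section name: [non-blank lines]} by its ==== headers."""
    sections, current = {"HEADER": []}, "HEADER"
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m and m.group(1):
            current = m.group(1)
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return [(kind, line)] for entries worth a closer look, in log order."""
    s = parse_sections(text)
    findings = []

    for line in s.get("Pseudo HJT Report", []):
        if line.startswith("TB:") and line.endswith("No File"):
            findings.append(("orphan-toolbar", line))          # CLSID with no DLL behind it
        elif "ProxyOverride" in line or "ProxyServer" in line:
            findings.append(("proxy-setting", line))           # browser traffic may be redirected
        elif re.match(r"^[um]Run:", line) and any(h in line.lower() for h in USER_PROFILE_HINTS):
            findings.append(("run-key-in-user-profile", line))

    for line in s.get("SERVICES / DRIVERS", []):
        m = DRIVER_RE.match(line)
        if m and m.group(4).endswith("[?]"):                   # DDS could not stat the image
            findings.append(("driver-unresolved-path", line))

    for section in ("Created Last 30", "Find3M"):
        for line in s.get(section, []):
            m = FILE_RE.match(line)
            if not m:
                continue
            attrs, path = m.group(4), m.group(5)
            # Attribute string layout as DDS prints it: d c s h a r w ...
            is_dir, is_system, is_hidden = attrs[0] == "d", attrs[2] == "s", attrs[3] == "h"
            if not is_dir and (is_hidden or is_system) and ROOT_OR_WINDOWS_RE.match(path):
                findings.append(("hidden-file-in-root-or-windows", line))
    return findings


if __name__ == "__main__":
    for kind, line in triage(SAMPLE_LOG):
        print(f"{kind:32} {line}")
```

Run it against a full log by reading the file into `triage()` instead of `SAMPLE_LOG`; the output is a short list to hand-check, which is how the helpers in this forum work through a DDS log before asking for more scans.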

#2 km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California

Posted 14 July 2010 - 01:22 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please do the following:


1. Rerun DDS. Post the fresh DDS and Attach.txt logs in your next post/reply. No need to attach Attach.txt, just post it normally.

2. Go ahead and retry GMER. If you can get it to complete its scan, try running it from Safe Mode. You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Post the GMER log in your next post/reply if you can.

MalWare Removal University Master

Member of ASAP


#3 archtx (Topic Starter)

  • Members
  • 13 posts
  • OFFLINE

Posted 14 July 2010 - 07:07 PM

Thank you very much for the help!
Incidentally, somehow this virus is able to prevent me from posting to this site from the infected computer!!

I WAS able to run GMER in safe mode after several attempts. Here are the log files requested:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owen Graham at 14:37:45.64 on Wed 07/14/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1509 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owen Graham\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1278706433375
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1278725793312
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owengr~1\applic~1\mozilla\firefox\profiles\3hasldfa.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-13 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-13 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-13 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\micro innovations\wireless keyboard & mouse driver\KMWDSrv.exe [2007-4-5 208896]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]

=============== Created Last 30 ================

2010-07-12 16:51:27 0 d-sh--w- c:\documents and settings\owen graham\IECompatCache
2010-07-12 16:20:29 0 d-----w- c:\docume~1\owengr~1\applic~1\SUPERAntiSpyware.com
2010-07-12 16:20:29 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-12 16:20:21 0 d-----w- c:\program files\SUPERAntiSpyware
2010-07-12 15:37:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 15:37:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-12 15:37:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-11 02:09:58 0 ----a-w- c:\documents and settings\owen graham\defogger_reenable
2010-07-11 00:19:30 0 d-sh--w- c:\documents and settings\owen graham\PrivacIE
2010-07-11 00:11:45 0 d-sh--w- c:\documents and settings\owen graham\IETldCache
2010-07-11 00:06:32 0 dc-h--w- c:\windows\ie8
2010-07-10 22:30:50 0 d-----w- c:\windows\ServicePackFiles
2010-07-10 22:27:29 19569 ----a-w- c:\windows\002963_.tmp
2010-07-10 22:25:16 0 d-----w- c:\windows\EHome
2010-07-10 20:57:38 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-07-10 20:57:38 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-07-10 20:57:38 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-07-10 20:57:38 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-07-10 20:57:38 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-07-10 20:57:38 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-07-10 20:57:38 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-07-10 20:57:38 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-07-10 20:57:38 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-07-10 20:57:36 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-07-10 20:57:36 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-07-10 19:35:48 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-10 19:22:33 0 d-----w- c:\docume~1\owengr~1\applic~1\Malwarebytes
2010-07-10 19:22:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-10 17:50:28 16384 ---ha-w- C:\SZKGFS.dat
2010-07-10 17:49:21 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-07-10 17:48:44 0 d-----w- c:\program files\common files\iS3
2010-07-10 17:48:44 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-07-09 20:14:59 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-07-08 21:38:47 0 d-----w- c:\program files\Trend Micro
2010-07-08 00:45:02 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-06-02 13:38:47 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-05 21:47:03 10261 ----a-w- c:\program files\unins000.dat
2010-03-05 21:45:45 694668 ----a-w- c:\program files\unins000.exe
2009-11-03 23:56:21 61 --sh--w- c:\windows\cnerolf.bin

============= FINISH: 14:39:01.65 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/2/2008 5:21:33 PM
System Uptime: 7/14/2010 2:36:10 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | Maximus Formula
Processor: Intel® Core™2 Duo CPU E6750 @ 2.66GHz | LGA775 | 2671/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 298 GiB total, 237.971 GiB free.
D: is FIXED (NTFS) - 75 GiB total, 29.771 GiB free.
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&B6AFFD&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&B6AFFD&0
Service: i8042prt

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_82771043&REV_02\3&11583659&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_82771043&REV_02\3&11583659&0&FB
Service:

==== System Restore Points ===================

RP122: 4/15/2010 5:32:56 PM - System Checkpoint
RP123: 4/16/2010 8:19:09 PM - System Checkpoint
RP124: 4/18/2010 2:59:15 PM - System Checkpoint
RP125: 4/19/2010 3:29:17 PM - System Checkpoint
RP126: 4/20/2010 10:34:42 AM - Avg Update
RP127: 4/20/2010 10:35:37 AM - Avg Update
RP128: 4/21/2010 1:14:21 PM - System Checkpoint
RP129: 4/21/2010 3:01:38 PM - Installed Image Resizer Powertoy for Windows XP
RP130: 4/22/2010 3:15:02 PM - System Checkpoint
RP131: 4/23/2010 4:16:28 PM - System Checkpoint
RP132: 4/24/2010 5:15:26 PM - System Checkpoint
RP133: 4/25/2010 5:59:24 PM - System Checkpoint
RP134: 4/26/2010 8:30:30 PM - System Checkpoint
RP135: 4/28/2010 11:45:17 AM - System Checkpoint
RP136: 4/29/2010 12:18:48 PM - System Checkpoint
RP137: 4/30/2010 12:47:46 PM - System Checkpoint
RP138: 5/1/2010 8:14:29 PM - System Checkpoint
RP139: 5/3/2010 12:10:21 PM - System Checkpoint
RP140: 5/4/2010 12:10:49 PM - System Checkpoint
RP141: 5/5/2010 9:32:23 AM - Avg Update
RP142: 5/6/2010 12:28:09 PM - System Checkpoint
RP143: 5/7/2010 12:29:52 PM - System Checkpoint
RP144: 5/9/2010 8:11:48 PM - System Checkpoint
RP145: 5/10/2010 9:08:56 PM - System Checkpoint
RP146: 5/12/2010 8:59:16 AM - System Checkpoint
RP147: 5/13/2010 9:59:57 AM - System Checkpoint
RP148: 5/16/2010 9:30:31 PM - System Checkpoint
RP149: 5/18/2010 12:35:04 PM - System Checkpoint
RP150: 5/19/2010 2:30:35 PM - System Checkpoint
RP151: 5/20/2010 4:54:11 PM - System Checkpoint
RP152: 5/22/2010 11:04:07 AM - System Checkpoint
RP153: 5/23/2010 11:37:49 AM - System Checkpoint
RP154: 5/24/2010 4:50:45 PM - System Checkpoint
RP155: 5/25/2010 8:12:16 PM - System Checkpoint
RP156: 5/27/2010 10:58:21 AM - System Checkpoint
RP157: 5/28/2010 11:42:29 AM - System Checkpoint
RP158: 5/29/2010 11:53:58 AM - System Checkpoint
RP159: 5/30/2010 2:46:36 PM - System Checkpoint
RP160: 5/31/2010 3:02:44 PM - System Checkpoint
RP161: 6/1/2010 3:29:05 PM - System Checkpoint
RP162: 6/2/2010 8:38:51 AM - Avg Update
RP163: 6/3/2010 10:10:36 AM - System Checkpoint
RP164: 6/4/2010 10:54:44 AM - System Checkpoint
RP165: 6/5/2010 11:56:21 AM - System Checkpoint
RP166: 6/6/2010 4:13:48 PM - System Checkpoint
RP167: 6/7/2010 4:43:38 PM - System Checkpoint
RP168: 6/8/2010 8:08:02 PM - System Checkpoint
RP169: 6/10/2010 11:31:39 AM - System Checkpoint
RP170: 6/11/2010 11:42:47 AM - System Checkpoint
RP171: 6/12/2010 12:58:11 PM - System Checkpoint
RP172: 6/13/2010 1:26:18 PM - System Checkpoint
RP173: 6/14/2010 2:06:06 PM - System Checkpoint
RP174: 6/15/2010 4:44:39 PM - System Checkpoint
RP175: 6/16/2010 6:18:15 PM - System Checkpoint
RP176: 6/17/2010 6:32:29 PM - System Checkpoint
RP177: 6/19/2010 12:19:36 PM - System Checkpoint
RP178: 6/20/2010 12:35:42 PM - System Checkpoint
RP179: 6/21/2010 12:51:05 PM - System Checkpoint
RP180: 6/22/2010 2:03:22 PM - System Checkpoint
RP181: 6/23/2010 2:56:27 PM - System Checkpoint
RP182: 6/24/2010 9:10:31 AM - Avg Update
RP183: 6/25/2010 9:45:14 AM - System Checkpoint
RP184: 6/26/2010 1:23:07 PM - System Checkpoint
RP185: 6/27/2010 2:18:31 PM - System Checkpoint
RP186: 6/28/2010 4:15:54 PM - System Checkpoint
RP187: 6/29/2010 6:14:00 PM - System Checkpoint
RP188: 6/30/2010 6:41:31 PM - System Checkpoint
RP189: 7/1/2010 7:40:06 PM - System Checkpoint
RP190: 7/3/2010 10:21:23 AM - System Checkpoint
RP191: 7/4/2010 11:45:52 AM - System Checkpoint
RP192: 7/5/2010 3:10:02 PM - System Checkpoint
RP193: 7/6/2010 6:02:58 PM - System Checkpoint
RP194: 7/7/2010 6:22:59 PM - System Checkpoint
RP195: 7/7/2010 7:44:11 PM - Restore Operation
RP196: 7/8/2010 4:38:46 PM - Installed HiJackThis
RP197: 7/10/2010 12:06:26 PM - System Checkpoint
RP198: 7/10/2010 12:48:39 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP199: 7/10/2010 5:27:34 PM - Installed Windows XP Service Pack 3.
RP200: 7/10/2010 5:35:17 PM - Installed Windows XP KB938464.
RP201: 7/10/2010 5:35:50 PM - Installed Windows XP KB946648.
RP202: 7/10/2010 5:36:24 PM - Installed Windows XP KB950762.
RP203: 7/10/2010 5:37:00 PM - Installed Windows XP KB950974.
RP204: 7/10/2010 5:37:30 PM - Installed Windows XP KB951066.
RP205: 7/10/2010 5:38:00 PM - Installed Windows XP KB951376-v2.
RP206: 7/10/2010 5:38:31 PM - Installed Windows XP KB951698.
RP207: 7/10/2010 5:39:02 PM - Installed Windows XP KB952287.
RP208: 7/10/2010 5:39:32 PM - Installed Windows XP KB952954.
RP209: 7/10/2010 5:40:04 PM - Installed Windows XP KB954211.
RP210: 7/10/2010 5:40:34 PM - Installed Windows XP KB955069.
RP211: 7/10/2010 5:41:07 PM - Installed Windows XP KB956803.
RP212: 7/10/2010 5:41:40 PM - Installed Windows XP KB956841.
RP213: 7/10/2010 5:42:13 PM - Installed Windows XP KB957095.
RP214: 7/10/2010 5:43:04 PM - Installed Windows XP KB957097.
RP215: 7/10/2010 5:43:35 PM - Installed Windows XP KB958644.
RP216: 7/10/2010 7:07:44 PM - Installed Windows Internet Explorer 8.
RP217: 7/10/2010 11:21:07 PM - Software Distribution Service 3.0
RP218: 7/12/2010 12:16:46 PM - System Checkpoint
RP219: 7/13/2010 11:43:56 AM - Removed Adobe Reader 8.2.3
RP220: 7/13/2010 11:44:32 AM - Installed Adobe Reader 9.3.

==== Installed Programs ======================

AAC Decoder
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Photoshop 5.0 Limited Edition
Adobe Reader 9.3
Adobe Shockwave Player 11.5
aerosoft's - Mission Lear 1 - FSX
AI Swapper V1.42
Air France and CIDNA Fokker FVIIb_3m for FSX or FS2004
Airport Design Editor 9x Version 1.45.6.0
Amelia Earhart's L10E Electra
Antonov An-24RV
Ares 2.1.2
Audacity 1.2.6
AutoUpdate
AVG Free 9.0
Avro 504N for FSX or FS2004
Avro 618 Ten for FSX or FS2004
Balloon Rescue
Bejeweled 2 Deluxe
Bristol Britannia for FSX
CCleaner
CDex extraction audio
Chief Architect 9.0 Full Version
Chief Architect 9.5 Full Version
Chief Architect 9.5 Premium Content
Critical Update for Windows Media Player 11 (KB959772)
CutePDF Writer 2.7
DC-3-NH-FSX Version2 Aircraft and Panels
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
DivX Version Checker
Douglas DC-4 for FSX or FS2004
Douglas DC-6 for FS2004
Douglas DC-6 for FSX
EditVoicepack X
Explorer Suite II
FanVista Audio Converter Version 2.5
Fokker C.V-M26 for FSX and FS2004
Fokker FVII-3m Southern Cross for FSX or FS2004
FS Panel Studio FSPS Demo
FSX Mission Editor
FWTools 2.2.8
Golden Age Simulations New Standard D 25A For FSX
Google Earth
Google Update Helper
Google Updater
H.264 Decoder
Hairy Landing at PAKP
Handley Page Hastings for FSX
HASP Device Drivers
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
hp deskjet 5600 series
Iditarod Supply Run
Image Resizer Powertoy for Windows XP
InfraRecorder
LAME v3.98.2 for Audacity
Lockheed L188A Package
Malwarebytes' Anti-Malware
Marvell Miniport Driver
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft Flight Simulator X
Microsoft Flight Simulator X SDK
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Standard for Students and Teachers
Microsoft Text-To-Speech Voices
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mision Radio Control Beta 002
MKV Splitter
Mountain Fire
Mozilla Firefox (3.6.6)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Netflix Movie Viewer
NVIDIA Drivers
Polar Express
Pratt & Whitney JT3D-7 Sound Package Installer
SAAB Scandia for FSX
SBuilderX
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
SOCAL Approach - ATC Flight
Socal Approach IFR Adventure
SoundMAX
SUPERAntiSpyware
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.0.3
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinZip 11.1
Wireless Keyboard & Mouse Driver
WordBiz version 1.8
XML Notepad 2007
ZD Soft Screen Recorder 4.1.2.0

==== Event Viewer Messages From Past Week ========

7/7/2010 7:44:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/7/2010 7:43:28 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips i8042prt intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
7/7/2010 7:43:28 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
7/7/2010 7:43:28 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/7/2010 7:43:28 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/7/2010 7:43:28 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
7/7/2010 7:42:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
7/14/2010 2:34:50 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg9wd service.
7/10/2010 5:06:16 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
7/10/2010 5:06:16 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
7/10/2010 5:04:14 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
7/10/2010 5:03:44 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the szserver service.
7/10/2010 2:34:35 PM, error: Service Control Manager [7000] - The hpdj service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.

==== End Of File ===========================

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-14 18:45:03
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\OWENGR~1\LOCALS~1\Temp\pxtdapog.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\aksusb \Device\0000007f AKSCLASS.SYS (Aladdin Class Driver/Aladdin Knowledge Systems Ltd.)

---- EOF - GMER 1.0.15 ----


Thanks again for any help you can offer!!

Edited by archtx, 14 July 2010 - 07:21 PM.


#4 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 14 July 2010 - 09:04 PM

Thanks for the logs.

The GMER log is very small on details, let's try another rootkit scanner to see if we can get a more detailed log.


IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Ares 2.1.2

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).



Step # 1 Download and run SysProt

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items only:
      Process
      Kernel Modes
      SSDT
      Kernel Hooks
      Hidden Files
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

MalWare Removal University Master

Member of ASAP


#5 archtx

archtx
  • Topic Starter

  • Members
  • 13 posts

Posted 14 July 2010 - 10:36 PM

Thanks again for the help.
I uninstalled Ares per your advice.

Here is the new log requested:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 784
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 836
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 860
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 908
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 920
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1096
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1168
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1316
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1460
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1540
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1652
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgchsvx.exe
PID: 1696
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgrsx.exe
PID: 1704
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgcsrvx.exe
PID: 1864
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 464
Hidden: No
Window Visible: No

Name: C:\Program Files\Analog Devices\Core\smax4pnp.exe
PID: 720
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG9\avgtray.exe
PID: 400
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 980
Hidden: No
Window Visible: No

Name: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PID: 924
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1364
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgwdsvc.exe
PID: 1724
Hidden: No
Window Visible: No

Name: C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
PID: 828
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\nvsvc32.exe
PID: 1212
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1368
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgnsx.exe
PID: 2336
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 3160
Hidden: No
Window Visible: No

Name: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 3744
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Owen Graham\Desktop\SysProt\SysProt.exe
PID: 3288
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Owen Graham\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B6BC9000
Module End: B6BD4000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: BADA8000
Module End: BADAA000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: BACB8000
Module End: BACBB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: BA779000
Module End: BA7A7000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: BADAA000
Module End: BADAC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: BA768000
Module End: BA779000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: BA8A8000
Module End: BA8B2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: BA8B8000
Module End: BA8C8000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: BA8C8000
Module End: BA8D6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: BAE70000
Module End: BAE71000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: BAB28000
Module End: BAB2F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: BA8D8000
Module End: BA8E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: BA749000
Module End: BA768000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: BAB30000
Module End: BAB35000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: BA8E8000
Module End: BA8F5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: BA731000
Module End: BA749000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: BA8F8000
Module End: BA901000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: BA908000
Module End: BA915000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: BA711000
Module End: BA731000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: BA6FF000
Module End: BA711000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: BA918000
Module End: BA921000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: BA6E8000
Module End: BA6FF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: BA65B000
Module End: BA6E8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: BA62E000
Module End: BA65B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: BA614000
Module End: BA62E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: BA988000
Module End: BA998000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: BA2B2000
Module End: BA2BB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Service Name: nv
Module Base: B98E3000
Module End: B9FFB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: B98CF000
Module End: B98E3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: BAC58000
Module End: BAC5E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: B98AB000
Module End: B98CF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: BAC60000
Module End: BAC68000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: B9883000
Module End: B98AB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\yk51x86.sys
Service Name: yukonwxp
Module Base: B9842000
Module End: B9883000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: BA2A2000
Module End: BA2AD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: BA292000
Module End: BA2A2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: BA282000
Module End: BA291000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: B981F000
Module End: B9842000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ASACPI.sys
Service Name: MTsensor
Module Base: BADD0000
Module End: BADD2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: BAC70000
Module End: BAC76000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: BAF40000
Module End: BAF41000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: BA9A8000
Module End: BA9B5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: BAD88000
Module End: BAD8B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: B9808000
Module End: B981F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: BA9B8000
Module End: BA9C3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: BA9C8000
Module End: BA9D4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: BAC78000
Module End: BAC7D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: B97F7000
Module End: B9808000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: BA9D8000
Module End: BA9E1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: BAC80000
Module End: BAC85000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: BAC88000
Module End: BAC8D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: BA9E8000
Module End: BA9F2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: BAC90000
Module End: BAC96000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: BADD2000
Module End: BADD4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: B9799000
Module End: B97F7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: BAD94000
Module End: BAD98000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: BA9F8000
Module End: BAA02000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: BAA08000
Module End: BAA17000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: BADD4000
Module End: BADD6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ADIHdAud.sys
Service Name: ADIHdAudAddService
Module Base: B762E000
Module End: B767A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: B760A000
Module End: B762E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: BAA18000
Module End: BAA27000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\AEAudio.sys
Service Name: AEAudio
Module Base: B75F3000
Module End: B760A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Senfilt.sys
Service Name: SenFiltService
Module Base: B7593000
Module End: B75F3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Service Name: Flpydisk
Module Base: BACB0000
Module End: BACB5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: BADFE000
Module End: BAE00000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: BAECB000
Module End: BAECC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: BAE00000
Module End: BAE02000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: BAA88000
Module End: BAA95000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: BAB80000
Module End: BAB87000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: BAB88000
Module End: BAB8E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: BAE02000
Module End: BAE04000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: BAE04000
Module End: BAE06000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: BAB90000
Module End: BAB95000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: BAB98000
Module End: BABA0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: BAD40000
Module End: BAD43000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: B7538000
Module End: B754B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: B74DF000
Module End: B7538000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdix.sys
Service Name: AvgTdiX
Module Base: B74A5000
Module End: B74DF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: B747F000
Module End: B74A5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: BAA98000
Module End: BAAA1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: BAAA8000
Module End: BAAB7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: B73B7000
Module End: B73DF000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: B7395000
Module End: B73B7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: BAAB8000
Module End: BAAC1000
Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
Service Name: SASKUTIL
Module Base: B7373000
Module End: B7395000
Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Service Name: SASDIFSV
Module Base: BABA0000
Module End: BABA6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: B7348000
Module End: B7373000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: B72D8000
Module End: B7348000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: BAAC8000
Module End: BAAD3000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: BABA8000
Module End: BABAE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: B72A4000
Module End: B72D8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Service Name: usbprint
Module Base: BABB0000
Module End: BABB7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: hidusb
Module Base: BAD68000
Module End: BAD6B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: BAAF8000
Module End: BAB01000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\aksusb.sys
Service Name: aksusb
Module Base: B7263000
Module End: B727C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AKSCLASS.SYS
Service Name: ---
Module Base: B7249000
Module End: B7263000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: BABF0000
Module End: BABF8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: B7298000
Module End: B729B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\akshasp.sys
Service Name: akshasp
Module Base: B71F9000
Module End: B7249000
Hidden: No

Module Name: \??\C:\WINDOWS\System32\Drivers\KMWDFilter.SYS
Service Name: KMWDFilter
Module Base: BAC00000
Module End: BAC05000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Service Name: kbdhid
Module Base: B7290000
Module End: B7294000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: BA2C2000
Module End: BA2D2000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: BAD60000
Module End: BAD63000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: BAC08000
Module End: BAC0D000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: BAFDD000
Module End: BAFDE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: B6EC1000
Module End: B6EC5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: B69F4000
Module End: B6A09000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: B6B69000
Module End: B6B78000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: B6640000
Module End: B666D000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\Haspnt.sys
Service Name: Haspnt
Module Base: B6DB1000
Module End: B6DBD000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\hardlock.sys
Service Name: hardlock
Module Base: B64A6000
Module End: B6550000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: B6482000
Module End: B64A6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: B63E0000
Module End: B6432000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Service Name: Secdrv
Module Base: B6550000
Module End: B655A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: B5F8F000
Module End: B5FD0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: B5EC4000
Module End: B5EEF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: BAC68000
Module End: BAC6F000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwTerminateProcess
Address: B737D620
Driver Base: B7373000
Driver End: B7395000
Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

******************************************************************************************
******************************************************************************************
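As an added example (not code from this thread, from SysProt or from its author), the following Python script parses a SysProt log in the format posted above into records and lists what a responder reads first: hidden processes or modules, kernel modules loaded from outside \WINDOWS\system32 (in the posted log these are SysProt's own driver and SUPERAntiSpyware's, both expected), each SSDT hook together with the driver that owns it, and module address ranges that overlap, which should never occur in a consistent listing. The sample input is a constructed excerpt modelled on the posted log; section names and field labels follow the log's own format, and the items it reports are pointers for a human reviewer, not verdicts.

```python
"""Triage helper for SysProt AntiRootkit text logs (added example, not part of SysProt)."""
import re

# Constructed sample: a short excerpt modelled on the SysProt log posted above.
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0
by swatkat

****************************************
Process:
Name: C:\WINDOWS\system32\smss.exe
PID: 784
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Owen Graham\Desktop\SysProt\SysProt.exe
PID: 3288
Hidden: No
Window Visible: Yes

****************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Owen Graham\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B6BC9000
Module End: B6BD4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: B74DF000
Module End: B7538000
Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
Service Name: SASKUTIL
Module Base: B7373000
Module End: B7395000
Hidden: No

****************************************
SSDT:
Function Name: ZwTerminateProcess
Address: B737D620
Driver Base: B7373000
Driver End: B7395000
Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

****************************************
"""

SECTION_RE = re.compile(r"^(Process|Kernel Modules|SSDT|Kernel Hooks|Hidden Files):\s*$")
SYSTEM32 = "\\WINDOWS\\SYSTEM32\\"


def parse_sysprot(text):
    """Return {section: [record, ...]}; a record is one 'key: value' block ended by a blank or ***** line."""
    sections, current, record = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:  # banner lines before the first section header
            continue
        if not line or line.startswith("*"):  # record separator
            if record:
                sections[current].append(record)
                record = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    if record and current:
        sections[current].append(record)
    return sections


def _nt_to_path(path):
    """Drop the NT '\\??\\' prefix and drive letter so all paths compare the same way (upper-cased)."""
    path = path.upper()
    if path.startswith("\\??\\"):
        path = path[4:]
    if len(path) > 1 and path[1] == ":":
        path = path[2:]
    return path


def triage(sections):
    """Return (category, detail) review items for a human to look at; not verdicts."""
    items = []
    for proc in sections.get("Process", []):
        if proc.get("Hidden") == "Yes":
            items.append(("hidden_process", f"{proc.get('Name')} (PID {proc.get('PID')})"))
    modules = sections.get("Kernel Modules", [])
    for mod in modules:
        name = mod.get("Module Name", "")
        if mod.get("Hidden") == "Yes":
            items.append(("hidden_module", name))
        if not _nt_to_path(name).startswith(SYSTEM32):
            items.append(("module_outside_system32", name))
    # Sort by base address; a range that starts before the previous one ends overlaps it.
    ranges = sorted((int(m["Module Base"], 16), int(m["Module End"], 16), m["Module Name"])
                    for m in modules if "Module Base" in m and "Module End" in m)
    for (_, end_a, name_a), (base_b, _, name_b) in zip(ranges, ranges[1:]):
        if base_b < end_a:
            items.append(("overlapping_modules", f"{name_a} / {name_b}"))
    for hook in sections.get("SSDT", []):
        items.append(("ssdt_hook", f"{hook.get('Function Name')} -> {hook.get('Driver Name')}"))
    return items


if __name__ == "__main__":
    for category, detail in triage(parse_sysprot(SAMPLE_LOG)):
        print(f"{category:24} {detail}")
```

Run against the full posted log, the script reports no hidden processes or modules, the single ZwTerminateProcess hook owned by SASKUTIL.SYS, and the two drivers loaded from user and Program Files paths; the point of the script is to make those items visible at a glance rather than buried in several hundred lines of module listings.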

#6 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 15 July 2010 - 01:17 PM

Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.

MalWare Removal University Master

Member of ASAP


#7 archtx

archtx
  • Topic Starter

  • Members
  • 13 posts

Posted 15 July 2010 - 03:13 PM

I did not see an option to save combofix to my desktop, so it saved to My Documents instead; please let me know if I need to rerun it.
All of the Chief Architect stuff is my CAD software, so I was a little nervous about it being deleted...but it also seems to only be the start menu, so hopefully doesn't really alter anything.

Another thing, new today (before running Combofix) I keep getting a Windows Security Alert that my AVG is turned off. I don't seem to be able to turn it back on, so I'm going to uninstall it and install a new one.

Thanks for your help, here is the Combofix.txt:



ComboFix 10-07-15.01 - Owen Graham 07/15/2010 14:42:21.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1673 [GMT -5:00]
Running from: c:\documents and settings\Owen Graham\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Chief Architect
c:\documents and settings\All Users\Start Menu\Programs\Chief Architect \ Chief Architect 9.0 Full Version.lnk
c:\documents and settings\All Users\Start Menu\Programs\Chief Architect \ Chief Architect 9.5 Full Version.lnk
c:\documents and settings\All Users\Start Menu\Programs\Chief Architect \ View Getting Started Guide.lnk
c:\documents and settings\All Users\Start Menu\Programs\Chief Architect \ View Reference Manual.lnk
c:\documents and settings\All Users\Start Menu\Programs\Chief Architect \ Uninstall Chief Architect 9.0 Full Version.lnk
c:\documents and settings\All Users\Start Menu\Programs\Chief Architect \ Uninstall Chief Architect 9.5 Full Version.lnk
c:\documents and settings\All Users\Start Menu\Programs\Chief Architect \ View IRC Checklist.lnk
c:\program files\driver
c:\windows\system32\UNWISE.EXE

.
((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
.

2010-07-15 19:20 . 2010-07-15 19:20 -------- d-----w- c:\windows\LastGood
2010-07-15 15:39 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-07-15 15:39 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-07-15 13:47 . 2010-07-15 13:47 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-15 13:47 . 2010-07-15 13:47 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-15 13:46 . 2010-07-15 13:46 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-15 13:46 . 2010-07-15 13:46 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-15 13:46 . 2010-07-15 13:46 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-15 13:46 . 2010-07-15 13:46 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-15 03:23 . 2010-07-15 03:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-07-15 00:49 . 2010-07-15 00:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-07-13 16:32 . 2010-07-13 16:32 0 ----a-w- c:\windows\nsreg.dat
2010-07-13 16:32 . 2010-07-13 16:32 -------- d-----w- c:\documents and settings\Owen Graham\Local Settings\Application Data\Mozilla
2010-07-12 16:51 . 2010-07-12 16:51 -------- d-sh--w- c:\documents and settings\Owen Graham\IECompatCache
2010-07-12 16:20 . 2010-07-12 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-12 15:37 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 15:37 . 2010-07-12 15:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-12 15:37 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-11 20:25 . 2010-07-11 20:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-11 20:24 . 2010-07-11 20:24 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-11 20:05 . 2010-07-11 20:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-11 00:21 . 2010-07-11 00:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-11 00:19 . 2010-07-11 00:19 -------- d-sh--w- c:\documents and settings\Owen Graham\PrivacIE
2010-07-11 00:11 . 2010-07-11 00:11 -------- d-sh--w- c:\documents and settings\Owen Graham\IETldCache
2010-07-11 00:06 . 2010-07-11 00:07 -------- dc-h--w- c:\windows\ie8
2010-07-10 22:30 . 2010-07-10 22:30 -------- d-----w- c:\windows\ServicePackFiles
2010-07-10 22:25 . 2010-07-10 22:25 -------- d-----w- c:\windows\EHome
2010-07-10 20:57 . 2008-04-14 10:39 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-07-10 20:57 . 2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-07-10 20:57 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-07-10 20:57 . 2001-08-18 03:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-07-10 20:57 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-07-10 20:57 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-07-10 20:57 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-07-10 20:57 . 2001-08-17 19:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-07-10 20:57 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-07-10 20:57 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-07-10 20:57 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-07-10 19:22 . 2010-07-10 19:22 -------- d-----w- c:\documents and settings\Owen Graham\Application Data\Malwarebytes
2010-07-10 19:22 . 2010-07-10 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-10 17:50 . 2010-07-10 17:50 16384 ---ha-w- C:\SZKGFS.dat
2010-07-10 17:49 . 2010-07-10 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-07-10 17:48 . 2010-07-10 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-07-10 17:48 . 2010-07-10 17:48 -------- d-----w- c:\program files\Common Files\iS3
2010-07-08 21:38 . 2010-07-08 21:38 388096 ----a-r- c:\documents and settings\Owen Graham\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-08 21:38 . 2010-07-08 21:38 -------- d-----w- c:\program files\Trend Micro
2010-07-08 00:45 . 2010-07-08 00:45 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 16:09 . 2008-03-03 01:04 21480 ----a-w- c:\documents and settings\Owen Graham\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-15 13:47 . 2009-10-13 18:31 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-14 23:52 . 2008-03-23 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-07-13 16:44 . 2008-03-30 20:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-10 22:34 . 2008-03-02 23:19 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-07-10 19:36 . 2010-07-10 19:35 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-29 20:38 . 2009-12-09 17:40 -------- d-----w- c:\documents and settings\Owen Graham\Application Data\vlc
2010-06-07 04:15 . 2009-09-12 21:23 757336 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-06 16:39 . 2010-01-18 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\EditVoicepackX
2010-06-02 13:38 . 2009-10-13 18:31 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-28 01:15 . 2009-05-26 19:53 16 ----a-w- c:\windows\popcinfo.dat
2010-05-17 03:47 . 2008-03-16 15:39 -------- d-----w- c:\program files\Google
2010-03-05 21:47 . 2010-03-05 21:47 10261 ----a-w- c:\program files\unins000.dat
2010-03-05 21:45 . 2010-03-05 21:47 694668 ----a-w- c:\program files\unins000.exe
2009-11-03 23:56 . 2009-11-03 23:56 61 --sh--w- c:\windows\cnerolf.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-02 2065248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-17 14:50 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\FSX\\fsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/13/2009 1:31 PM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/17/2010 9:49 AM 308064]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe [4/5/2007 10:29 AM 208896]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/3/2010 12:30 PM 135664]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-23 18:46]

2010-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 17:30]

2010-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-03 17:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uInternet Settings,ProxyOverride = 127.0.0.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Owen Graham\Application Data\Mozilla\Firefox\Profiles\3hasldfa.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
AddRemove-Amelia Earhart's L10E Electra - c:\ae temp\Earhart_L10E_Uninstal.exe
AddRemove-Antonov An-24RV - c:\fsx dummy\Uninstal An-24RV.exe
AddRemove-HASP Device Drivers - c:\windows\system32\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-15 14:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-15 14:59:40
ComboFix-quarantined-files.txt 2010-07-15 19:59

Pre-Run: 254,870,568,960 bytes free
Post-Run: 255,885,664,256 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D79ACCADAB4FBC6A77CE807D42E12E23


#8 archtx

  • Topic Starter

Posted 15 July 2010 - 06:00 PM

WOW!!!!
Can it be?
Everything seems back to normal!!!

#9 km2357

  • Malware Response Team

Posted 15 July 2010 - 06:48 PM

Great to hear that things appear to be back to normal.


QUOTE
I did not see an option to save combofix to my desktop, so it saved to My Documents instead; please let me know if I need to rerun it.


If you go to the link I gave you earlier ( http://www.bleepingcomputer.com/combofix/how-to-use-combofix ) and scroll down to the Downloading ComboFix to the Desktop graphic, you can see a Desktop button on the left side of the Save As box. Clicking that and then Save will save ComboFix to your Desktop.

Go ahead and delete ComboFix.exe from your computer and download the latest version of one of the two links below:

Link 1
Link 2

Be sure to save ComboFix.exe to your Desktop.


QUOTE
All of the Chief Architect stuff is my CAD software, so I was a little nervous about it being deleted...but it also seems to only be the start menu, so hopefully doesn't really alter anything.


Don't know why that happened, but in this post I'll have ComboFix restore the Chief Architect stuff it deleted back to its proper place.


QUOTE
Another thing, new today (before running Combofix) I keep getting a Windows Security Alert that my AVG is turned off. I don't seem to be able to turn it back on, so I'm going to uninstall it and install a new one.


Ok, let me know when you've done this.



Step # 1 Upload Files

Go to Jotti
Copy the following line into the white textbox:
c:\windows\cnerolf.bin
Click Submit.
Please post the results of this scan to this thread.

If Jotti is busy, Go to VirusTotal and scan the file(s) there.



Step # 2: Run CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    CODE
    KILLALL::

    DeQuarantine::

    C:\QooBox\Quarantine\c\documents and settings\All Users\Start Menu\Programs\Chief Architect

    Quit::



  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Note: This CFScript is for use on archtx's computer only! Do not use it on your computer.


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



In your next post/reply, I need to see the following:

1. The Jotti/Virustotal Results
2. The DeQuarantine_log.txt Log that appears after Step 2 has been completed.
3. A fresh DDS Log taken after Step 2 has been completed.

MalWare Removal University Master

Member of ASAP


#10 archtx

  • Topic Starter

Posted 15 July 2010 - 08:14 PM

AVG was reinstalled and seems to be functioning normally. However, when it is deactivated, there seems to be a problem reactivating it.


Result of VirusTotal scan:

a-squared 5.0.0.31 2010.07.15 -
AhnLab-V3 2010.07.16.00 2010.07.15 -
AntiVir 8.2.4.12 2010.07.15 -
Antiy-AVL 2.0.3.7 2010.07.15 -
Authentium 5.2.0.5 2010.07.15 -
Avast 4.8.1351.0 2010.07.15 -
Avast5 5.0.332.0 2010.07.15 -
AVG 9.0.0.836 2010.07.15 -
BitDefender 7.2 2010.07.16 -
CAT-QuickHeal 11.00 2010.07.15 -
ClamAV 0.96.0.3-git 2010.07.15 -
Comodo 5441 2010.07.16 -
DrWeb 5.0.2.03300 2010.07.16 -
eSafe 7.0.17.0 2010.07.15 -
eTrust-Vet 36.1.7710 2010.07.15 -
F-Prot 4.6.1.107 2010.07.15 -
F-Secure 9.0.15370.0 2010.07.15 -
Fortinet 4.1.143.0 2010.07.15 -
GData 21 2010.07.16 -
Ikarus T3.1.1.84.0 2010.07.15 -
Jiangmin 13.0.900 2010.07.15 -
Kaspersky 7.0.0.125 2010.07.16 -
McAfee 5.400.0.1158 2010.07.16 -
McAfee-GW-Edition 2010.1 2010.07.15 -
Microsoft 1.5902 2010.07.15 -
NOD32 5282 2010.07.15 -
Norman 6.05.11 2010.07.15 -
nProtect 2010-07-15.02 2010.07.15 -
Panda 10.0.2.7 2010.07.15 -
PCTools 7.0.3.5 2010.07.16 -
Prevx 3.0 2010.07.16 -
Rising 22.56.03.04 2010.07.15 -
Sophos 4.55.0 2010.07.16 -
Sunbelt 6590 2010.07.16 -
Symantec 20101.1.1.7 2010.07.15 -
TheHacker 6.5.2.1.316 2010.07.15 -
TrendMicro 9.120.0.1004 2010.07.15 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.16 -
VBA32 3.12.12.6 2010.07.15 -
ViRobot 2010.7.12.3932 2010.07.15 -
VirusBuster 5.0.27.0 2010.07.15 -
Additional information
File size: 61 bytes
MD5 : 18f100aa5ef65fe3c82973e9ed39d5e4
SHA1 : 69e4985d0a0b4c7e37aeded387c48a8675156812
SHA256: c2644ad1915137319b9f2dba75ff0697afaadba5fc5e1944bbe8a08e9e9be33b
TrID : File type identification
Generic INI configuration (100.0%)
ssdeep: 3:1ExySmZcxbEDlRh8r:1qyVZcqY
sigcheck: publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEiD : -
RDS : NSRL Reference Data Set
-


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
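
Post #9 asks for c:\windows\cnerolf.bin to be submitted to Jotti or VirusTotal, and post #10 pastes the VirusTotal result. The block below is an added example, not code from the thread, VirusTotal or Jotti. It parses the plain-text report layout shown above (one "engine version date result" line per engine, "-" meaning no detection, then an "Additional information" section), counts detections, checks that the printed digests have the right length, and compares them against a file you hold locally so you do not read a verdict for a different copy of the file. REPORT_CNEROLF is a trimmed subset of the report above; REPORT_CONSTRUCTED, its engine names and its detection names are made up to exercise the detection path, and its MD5 is simply that of the bytes "abc".

```python
"""Parse the plain-text VirusTotal report format quoted in post #10 and cross-check its hashes.
Added example for this thread; the layout is the one pasted above, not an official VT format spec."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# "<engine> <version> <YYYY.MM.DD> <result>"; a result of "-" means "not detected".
ENGINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\s*:\s*([0-9a-fA-F]+)\s*$")
SIZE_RE = re.compile(r"^File size:\s*(\d+)\s*bytes", re.IGNORECASE)
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}


@dataclass
class VtReport:
    engines: Dict[str, Optional[str]] = field(default_factory=dict)  # engine -> detection name or None
    hashes: Dict[str, str] = field(default_factory=dict)             # "MD5" -> lowercase hex digest
    size: Optional[int] = None

    @property
    def detections(self) -> Dict[str, str]:
        return {e: d for e, d in self.engines.items() if d is not None}

    @property
    def ratio(self) -> str:
        return f"{len(self.detections)}/{len(self.engines)}"

    def hashes_well_formed(self) -> bool:
        return all(len(h) == DIGEST_LEN[k] for k, h in self.hashes.items())


def parse_vt_report(text: str) -> VtReport:
    rep = VtReport()
    in_engines = True
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("additional information"):
            in_engines = False          # everything after this is metadata, not engine rows
            continue
        if in_engines:
            m = ENGINE_RE.match(line)
            if m:
                engine, _version, _sigdate, result = m.groups()
                rep.engines[engine] = None if result == "-" else result
            continue
        m = HASH_RE.match(line)
        if m:
            rep.hashes[m.group(1)] = m.group(2).lower()
            continue
        m = SIZE_RE.match(line)
        if m:
            rep.size = int(m.group(1))
    return rep


def local_digests(data: bytes) -> Dict[str, str]:
    """Digests of the copy you hold, keyed the way VirusTotal prints them."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest()}


def matches_local(rep: VtReport, data: bytes) -> bool:
    """True only if every digest in the report equals the local file's, and the size agrees."""
    local = local_digests(data)
    return (bool(rep.hashes)
            and all(local[k] == v for k, v in rep.hashes.items())
            and (rep.size is None or rep.size == len(data)))


# Subset of the report posted above for c:\windows\cnerolf.bin (engine rows trimmed to five).
REPORT_CNEROLF = """\
AVG 9.0.0.836 2010.07.15 -
Kaspersky 7.0.0.125 2010.07.16 -
McAfee-GW-Edition 2010.1 2010.07.15 -
nProtect 2010-07-15.02 2010.07.15 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.16 -
Additional information
File size: 61 bytes
MD5 : 18f100aa5ef65fe3c82973e9ed39d5e4
SHA1 : 69e4985d0a0b4c7e37aeded387c48a8675156812
SHA256: c2644ad1915137319b9f2dba75ff0697afaadba5fc5e1944bbe8a08e9e9be33b
"""

# Constructed report (engines, names and verdicts made up) so the detection path is exercised.
REPORT_CONSTRUCTED = """\
ExampleAV 1.0 2010.07.15 Trojan.Generic.Example
OtherAV 2.2 2010.07.16 -
ThirdAV 3.0 2010.07.16 Adware/Example.A
Additional information
File size: 3 bytes
MD5 : 900150983cd24fb0d6963f7d28e17f72
"""

if __name__ == "__main__":
    for label, text in (("cnerolf.bin", REPORT_CNEROLF), ("constructed", REPORT_CONSTRUCTED)):
        r = parse_vt_report(text)
        print(f"{label}: {r.ratio}, hashes well formed: {r.hashes_well_formed()}, size: {r.size}")
```

Run with the real bytes of the submitted file to make matches_local meaningful; a report for a different copy tells you nothing. Treat a 0/41 on a 61-byte file that TrID calls a generic INI as weak evidence either way: engines key on code, and a plain configuration file has none, so what reads that file matters more than the verdict on it.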


#11 archtx

  • Topic Starter

Posted 15 July 2010 - 08:40 PM

Results of running dequarantine on Combofix:

"0 File(s) copied"

Results of DDS.exe:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owen Graham at 20:40:50.71 on Thu 07/15/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1541 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owen Graham\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1278706433375
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1278725793312
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owengr~1\applic~1\mozilla\firefox\profiles\3hasldfa.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-15 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-15 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-7-15 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\micro innovations\wireless keyboard & mouse driver\KMWDSrv.exe [2007-4-5 208896]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]

=============== Created Last 30 ================


==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-05 21:47:03 10261 ----a-w- c:\program files\unins000.dat
2010-03-05 21:45:45 694668 ----a-w- c:\program files\unins000.exe
2009-11-03 23:56:21 61 --sh--w- c:\windows\cnerolf.bin

============= FINISH: 20:42:02.96 ===============


Thanks a million for your continued attention! I have been in a real funk for the past week because of this, and I feel a weight lifted off of my shoulders!

Edited by archtx, 15 July 2010 - 08:45 PM.
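
The ComboFix log earlier in the thread and the DDS log in post #11 both print services and drivers as "R1 Name;Display Name;path [date size]", with "--> path [?]" when the file could not be found, plus "TB:"/"BHO:" lines for Internet Explorer objects and "uInternet Settings,..." lines for the proxy configuration. The block below is an added example, not part of DDS, ComboFix or the thread, that parses those line shapes and flags what a helper scans for by eye: a driver whose file is gone, a driver registered from a drive other than C:, an orphaned toolbar ("No File"), and an explicit IE proxy server. LOG_COMBOFIX and LOG_DDS are lines copied from the two logs above; CONSTRUCTED_PROXY is a made-up line showing what a real proxy hijack entry would look like, and the start-type meanings in the comments are the standard Windows service start values.

```python
"""Triage helpers for the DDS / ComboFix log lines quoted in this thread (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$")
TRAILER_RE = re.compile(r"^(.*?)\s*\[(.*?)\]\s*$")        # "path [date size]" or "path [?]"
IEOBJ_RE = re.compile(r"^(TB|BHO):\s*(.*?)\s+-\s+(.*)$")   # "TB: {GUID} - No File"
PROXY_RE = re.compile(r"^[um]Internet Settings,(Proxy\w+)\s*=\s*(.*)$")


@dataclass
class Service:
    name: str
    display: str
    running: bool      # R = running, S = stopped in the DDS/ComboFix listing
    start_type: int    # Windows start type: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
    path: str
    present: bool      # False when the tool printed "[?]": the file was not found at that path

    @property
    def outside_system_drive(self) -> bool:
        # A driver loading from d:\ (or a USB/CD letter) deserves a look, whether or not it is present.
        return not self.path.lower().startswith("c:\\")


def parse_service(line: str) -> Optional[Service]:
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, rest = m.groups()
    present = not rest.rstrip().endswith("[?]")
    if "-->" in rest:                       # "\??\d:\x.sys --> d:\X.sys [?]": keep the resolved path
        rest = rest.split("-->", 1)[1]
    t = TRAILER_RE.match(rest.strip())
    path = (t.group(1) if t else rest).strip()
    return Service(name, display, state == "R", int(start), path, present)


def triage(log: str) -> List[str]:
    """Return one finding per suspicious line, in log order."""
    findings: List[str] = []
    for raw in log.splitlines():
        line = raw.strip()
        svc = parse_service(line)
        if svc:
            if not svc.present:
                findings.append(f"service {svc.name}: file missing at {svc.path}")
            elif svc.outside_system_drive:
                findings.append(f"service {svc.name}: loads from {svc.path}")
            continue
        m = IEOBJ_RE.match(line)
        if m and m.group(3).strip().lower() == "no file":
            findings.append(f"{m.group(1)} {m.group(2)}: orphaned entry (No File)")
            continue
        m = PROXY_RE.match(line)
        if m and m.group(1) == "ProxyServer":   # ProxyOverride=127.0.0.1 alone is only a bypass list
            findings.append(f"IE proxy set to {m.group(2)}")
    return findings


# Service lines copied from the ComboFix log above (AVG was broken at that point).
LOG_COMBOFIX = r"""
uInternet Settings,ProxyOverride = 127.0.0.1
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/13/2009 1:31 PM 243024]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/3/2010 12:30 PM 135664]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
"""

# Lines copied from the DDS log in post #11, after AVG was reinstalled.
LOG_DDS = r"""
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
uInternet Settings,ProxyOverride = 127.0.0.1
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-15 216400]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
"""

# Constructed line, not from the posted logs: what an actual proxy hijack looks like in DDS output.
CONSTRUCTED_PROXY = "uInternet Settings,ProxyServer = http=127.0.0.1:5555"

if __name__ == "__main__":
    for label, log in (("combofix", LOG_COMBOFIX), ("dds", LOG_DDS), ("constructed", CONSTRUCTED_PROXY)):
        print(label, triage(log))
```

Read "[?]" as "not found at that path when the tool ran", nothing more. In the ComboFix log the AvgLdx86 driver is registered but its file is absent, which fits the "AVG is turned off" alert the poster reported; in the post #11 log, after the reinstall, the same driver is present and running, and only the FXDrv32 entry pointing at d:\ is left to explain.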


#12 km2357

  • Malware Response Team

Posted 16 July 2010 - 01:42 PM

QUOTE
AVG was reinstalled and seems to be functioning normally. However, when it is deactivated, there seems to be a problem reactivating it.


Ok. For the foreseeable future, I don't see the need to deactivate/disable AVG again, so you can keep it enabled for now. If we do run into any more problems with it during the duration of the fix, we can always replace it with another AntiVirus.


QUOTE
Results of running dequarantine on Combofix:

"0 File(s) copied"


Ok, not sure why ComboFix didn't dequarantine anything. Is your Chief Architect still working properly? If not, you can uninstall/reinstall it.


QUOTE
Thanks a million for your continued attention! I have been in a real funk for the past week because of this, and I feel a weight lifted off of my shoulders!


No problem. Thanks for sticking with me.



Step # 1 Run CCleaner

CCleaner will remove everything from the temp/temporary folders, but please note that it will not make backups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 24 hours
  • Then select the items you wish to clean up.
  • In the Windows Tab:
  • Clean all entries in the Internet Explorer section except Cookies
  • Clean all the entries in the Windows Explorer section
  • Clean all entries in the System section
  • Clean all entries in the Advanced section
  • Clean any others that you choose
  • In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it
  • Clean all in the Opera section if you use it
  • Clean Sun Java in the Internet Section
  • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO



Step # 2 Run Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.


Post the MalwareBytes' Log in your next post/reply.



#13 archtx

  • Topic Starter

Posted 16 July 2010 - 02:05 PM

Malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4320

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/16/2010 2:03:06 PM
mbam-log-2010-07-16 (14-03-06).txt

Scan type: Quick scan
Objects scanned: 131091
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks for the continued help!

#14 km2357 (Malware Response Team; 1,784 posts; Male; California)

Posted 16 July 2010 - 07:03 PM

Your version of Adobe Acrobat Reader is out of date. Open Adobe Reader, click Help, then click Check for Updates. Once Adobe is done checking for updates, have it download and install the update for Adobe Reader 9.3.3.


Downloading and Installing Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u21.
  • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • From your desktop double-click on the download to install the newest version.




Step # 1: Run Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. A fresh DDS Log
3. How is your computer doing, any problems?

MalWare Removal University Master

Member of ASAP


#15 archtx (Topic Starter; Members; 13 posts)

Posted 16 July 2010 - 11:19 PM

Result of Kaspersky scan:

The computer has been fine, operating better than it has in some time. I'm surprised this scan turned up something; I wonder why my AVG didn't catch it.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, July 16, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, July 16, 2010 22:12:23
Records in database: 4226373
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 306394
Threats found: 2
Infected objects found: 1
Suspicious objects found: 2
Scan duration: 03:12:39


File name / Threat / Threats count
C:\Documents and Settings\Owen Graham\Local Settings\Application Data\Microsoft\Outlook\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\System Volume Information\_restore{12298E1A-0584-419E-84BC-DBAE35A43E41}\RP223\A0029368.old Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.




DDS (Ver_10-03-17.01) - NTFSx86
Run by Owen Graham at 23:21:41.56 on Fri 07/16/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1375 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owen Graham\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1278706433375
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1278725793312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owengr~1\applic~1\mozilla\firefox\profiles\3hasldfa.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-15 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-15 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-7-15 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\micro innovations\wireless keyboard & mouse driver\KMWDSrv.exe [2007-4-5 208896]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]

=============== Created Last 30 ================

2010-07-17 00:14:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-17 00:14:15 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-16 18:21:00 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-07-16 01:19:51 0 d-s---w- C:\ComboFix
2010-07-15 21:38:03 0 d--h--w- C:\$AVG
2010-07-15 20:47:18 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 20:47:17 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 20:47:13 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-15 20:47:07 0 d-----w- c:\windows\system32\drivers\Avg
2010-07-15 20:45:09 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-07-15 20:22:39 0 d-----w- c:\windows\ie8updates
2010-07-15 19:34:25 0 d-sha-r- C:\cmdcons
2010-07-15 19:29:33 98816 ----a-w- c:\windows\sed.exe
2010-07-15 19:29:33 77312 ----a-w- c:\windows\MBR.exe
2010-07-15 19:29:33 256512 ----a-w- c:\windows\PEV.exe
2010-07-15 19:29:33 161792 ----a-w- c:\windows\SWREG.exe
2010-07-15 19:21:28 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-07-15 19:21:18 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-15 19:21:07 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-07-15 19:21:01 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-07-15 19:21:01 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-07-15 19:20:43 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-07-15 19:20:42 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-07-15 19:17:02 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-07-15 19:17:01 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-15 19:17:01 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-15 15:39:53 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-07-15 15:39:41 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-07-15 15:39:41 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-07-15 15:39:41 1206508 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2010-07-15 13:47:35 12536 ----a-w- c:\windows\system32\avgrsstx.dll.prepare
2010-07-12 16:51:27 0 d-sh--w- c:\documents and settings\owen graham\IECompatCache
2010-07-12 16:20:29 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-12 15:37:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 15:37:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-12 15:37:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-11 02:09:58 0 ----a-w- c:\documents and settings\owen graham\defogger_reenable
2010-07-11 00:19:30 0 d-sh--w- c:\documents and settings\owen graham\PrivacIE
2010-07-11 00:11:45 0 d-sh--w- c:\documents and settings\owen graham\IETldCache
2010-07-11 00:06:32 0 dc-h--w- c:\windows\ie8
2010-07-10 22:30:50 0 d-----w- c:\windows\ServicePackFiles
2010-07-10 22:27:29 19569 ----a-w- c:\windows\002963_.tmp
2010-07-10 22:25:16 0 d-----w- c:\windows\EHome
2010-07-10 20:57:38 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-07-10 20:57:38 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-07-10 20:57:38 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-07-10 20:57:38 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-07-10 20:57:38 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-07-10 20:57:38 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-07-10 20:57:38 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-07-10 20:57:38 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-07-10 20:57:38 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-07-10 20:57:36 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-07-10 20:57:36 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-07-10 19:35:48 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-10 19:22:33 0 d-----w- c:\docume~1\owengr~1\applic~1\Malwarebytes
2010-07-10 19:22:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-10 17:50:28 16384 ---ha-w- C:\SZKGFS.dat
2010-07-10 17:49:21 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-07-10 17:48:44 0 d-----w- c:\program files\common files\iS3
2010-07-10 17:48:44 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-07-09 20:14:59 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-07-08 21:38:47 0 d-----w- c:\program files\Trend Micro
2010-07-08 00:45:02 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-06-09 23:01:10 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-06-09 23:01:10 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-06-09 23:01:10 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-06-09 23:01:10 133616 ------w- c:\windows\system32\pxafs.dll
2010-06-09 23:01:10 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-06-09 23:01:10 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-05 21:47:03 10261 ----a-w- c:\program files\unins000.dat
2010-03-05 21:45:45 694668 ----a-w- c:\program files\unins000.exe
2009-11-03 23:56:21 61 --sh--w- c:\windows\cnerolf.bin

============= FINISH: 23:22:30.14 ===============

Edited by archtx, 16 July 2010 - 11:25 PM.
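The DDS "Pseudo HJT Report" and the Kaspersky report in the post above are read by eye in this thread. As an added example (not code from the thread, from DDS, or from Kaspersky), here is a small Python triage script that applies the checks a responder makes when reading such logs: toolbar and BHO entries registered with "No File" (orphaned CLSID registrations), autostart entries that launch from a user-writable path, drivers whose image DDS could not locate or that live off the system drive, and Kaspersky detections that sit inside a System Restore point or a mail store rather than on a live file. The sample input is excerpted from the two logs above, plus one constructed uRun line that is not in the log and exists only to exercise the user-writable-path rule; the rule set, category names and severity labels are this example's own.

```python
"""Triage helper for DDS "Pseudo HJT Report" lines and Kaspersky Online Scanner result lines.

Added example for this thread; not code from DDS, Kaspersky, or the forum. The rule set,
category names and severity labels are this example's own, not a published standard.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high", "review" or "info"
    category: str
    line: str
    note: str


# Constructed sample input. The lines are excerpted from the DDS and Kaspersky reports posted
# above, except the "example-constructed" uRun line, which is NOT in the log and exists only to
# exercise the user-writable-path rule.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.foxnews.com/
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
uRun: [example-constructed] c:\docume~1\owengr~1\locals~1\temp\example.exe
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-7-15 243024]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
"""

SAMPLE_KASPERSKY = r"""
C:\Documents and Settings\Owen Graham\Local Settings\Application Data\Microsoft\Outlook\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\System Volume Information\_restore{12298E1A-0584-419E-84BC-DBAE35A43E41}\RP223\A0029368.old Infected: Rootkit.Win32.TDSS.ap 1
"""

# Path fragments that mean "a non-admin user could have written this file" on XP.
USER_WRITABLE = ("\\docume~1\\", "\\documents and settings\\", "\\temp\\",
                 "\\applic~1\\", "\\application data\\")
AUTOSTART = re.compile(r"^(?:[um]Run|StartupFolder):\s*(?:\[[^\]]*\]\s*)?(.*)$", re.I)
SERVICE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
KASP = re.compile(r"^(?P<path>.+?)\s+(?P<state>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$")


def triage_dds(text):
    """Apply the DDS rules line by line and return the list of Findings."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        low = line.lower()
        if line.startswith(("TB:", "BHO:")) and low.endswith(" - no file"):
            out.append(Finding("review", "orphaned-clsid", line,
                               "toolbar/BHO registration whose DLL is gone; leftover, safe to delete"))
        elif low.startswith("uinternet settings,proxyserver"):
            out.append(Finding("high", "proxy", line,
                               "IE traffic routed through a proxy; confirm it is intentional"))
        elif low.startswith("uinternet settings,proxyoverride"):
            out.append(Finding("info", "proxy", line,
                               "bypass list only, not a proxy setting; no action by itself"))
        elif (m := AUTOSTART.match(line)):
            target = m.group(1).lower()
            if any(tok in target for tok in USER_WRITABLE):
                out.append(Finding("high", "autostart-user-path", line,
                                   "autostart launches from a user-writable location; typical malware placement"))
        elif (m := SERVICE.match(line)):
            image = m.group("image")
            # "[?]" is DDS's marker for an image it could not stat; also flag non-C: images.
            if image.endswith("[?]") or not image.lower().lstrip("\\?").startswith("c:\\"):
                out.append(Finding("review", "driver-unverified", line,
                                   "driver image not found or not on the system drive; identify before removal"))
    return out


def triage_kaspersky(text):
    """Classify each Kaspersky 'path State: Threat count' line by where the hit lives."""
    out = []
    for line in text.splitlines():
        m = KASP.match(line.strip())
        if not m:
            continue
        path = m.group("path").lower()
        if "\\system volume information\\_restore{" in path:
            sev, cat, note = "review", "restore-point-copy", \
                "copy inside a System Restore point, not a live file; clear it by purging restore points"
        elif path.endswith((".pst", ".ost", ".dbx")):
            sev, cat, note = "review", "mail-store", \
                "hit inside a mail database; the scanner flags the whole store, delete the message in the mail client"
        else:
            sev, cat, note = "high", "live-file", "detection on a live file; remove it"
        out.append(Finding(sev, cat, f"{m.group('state')}: {m.group('threat')} -> {m.group('path')}", note))
    return out


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS) + triage_kaspersky(SAMPLE_KASPERSKY):
        print(f"[{f.severity:6}] {f.category:22} {f.line}\n         {f.note}")
```

Run as-is it prints the findings for the sample; for a real log, paste the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections into SAMPLE_DDS and the Kaspersky result lines into SAMPLE_KASPERSKY. It is a first pass only: an entry it does not flag is not thereby clean, and nothing here inspects the "Created Last 30" section.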




