Malware.win32.classid-60522
36 replies to this topic

#1 PJack

  • Members
  • 35 posts
  • Local time:01:32 PM

Posted 28 August 2010 - 01:57 AM

I am helping a friend who had an infection on her PC. I have been able to resolve most of the issues, such as Task Manager disabled, File/Folder settings and keyboard disabled.

However, I am unable to remove the last bits of infection. I cannot get on the internet and when I run RRT, I see that the following are listed: Malware-win32.classid-60522 (3 times), Malware-win32.classid-61515, Malware-win32.classid-61348.

I have some experience with removing viruses from friends/relatives PCs and I am usually able to remove most viruses by running different tools like Spybot, BitDefender, Malwarebytes, but these programs no longer find any problems on this PC.

I was able to get on the internet at one point by using NETSH commands (netsh winsock reset catalog, netsh int ip reset reset.log). I would actually get an error stating that the following help files were not found: (napmontr.dll and dot3cfg.dll) but a message would indicate that the command had completed successfully. After a reboot and logging in as the same user, I could get on the internet. These commands no longer work.

After running Malwarebytes, etc. I found that the 'trouble' would always be in the user's LocalSettings\Temp\ directory, with 1 file running in C:\Windows. I eventually deleted everything in the Temp directory to try to tame this beast. I have not deleted anything from the C:\Windows directory.

To top it off, the DVD drive does not work. After much frustration, I have finally installed a spare I have on hand so I could run sfc / scannow, which was asking me to put the WinXP Home install CD in so it could repair some system files. I have now successfully completed sfc / scannow.

Some symptoms I am experiencing are: no internet access, and, sometimes when rebooting, I get a message that other users are logged on to this computer, would you like to reboot anyway? I always say yes, because there cannot be anyone else logged onto the PC because there is not even a CAT5 cable plugged into the machine.

If I do plug the CAT5 in to try to get on the internet, I get the icons in the SysTray showing that the PC is trying to connect, but it never does.

Per your guide for requesting help, I disabled CD Emulators, script blockers and ran DDS. Here is the DDS log. GMER is still running. I will upload that log when it has finished. I will not do any more troubleshooting on the PC while I await your instructions. Any help is appreciated.

-------------------------------------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Mark Currier at 20:27:15.85 on Fri 08/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.169 [GMT -7:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: avast! antivirus 4.8.1335 [VPS 100826-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BitDefender\BitDefender 2011\bdagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Mark Currier\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AutorunsDisabled - No File
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\mark currier\desktop\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2011\IEToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KL AntiFunLove] c:\windows\system32\flcss.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2011\ieshow.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2011\bdagent.exe"
mRun: [RRT-Auto] c:\documents and settings\mark currier\desktop\v\RRT.exe auto
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-8-26 114768]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-8-16 3968]
R1 BdRawPr;BdRawPr;c:\windows\system32\drivers\bdrawpr.sys [2010-8-20 12960]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-26 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-8-26 138680]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
R2 KLAntiFL;KLAntiFL;c:\windows\system32\flcss.sys [2010-8-17 12714]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-8-26 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-8-26 352920]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-20 135664]
S3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [2010-4-22 149520]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2006-7-22 18864]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-6-21 30192]
S3 HDDirect;Hard Disk Direct Control;c:\windows\system32\drivers\hddirect.sys [2010-8-17 12552]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-21 822424]
S3 Update Server;BitDefender Update Server v2;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2010-7-23 307544]
S4 avc3;avc3;c:\windows\system32\drivers\avc3.sys [2010-6-28 633424]
S4 avckf;avckf;c:\windows\system32\drivers\avckf.sys [2010-6-28 970320]
S4 Updatesrv;BitDefender Desktop Update Service;c:\program files\bitdefender\bitdefender 2011\updatesrv.exe [2010-8-10 42400]

=============== Created Last 30 ================

2010-08-28 03:01:14 0 ----a-w- c:\documents and settings\mark currier\defogger_reenable
2010-08-28 02:45:58 625466368 ----a-w- C:\Backup.bkf
2010-08-28 02:16:54 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-08-27 03:33:34 68608 ----a-w- c:\windows\system32\dllcache\plugin.ocx
2010-08-26 05:39:11 0 d-----w- C:\SysClean
2010-08-25 03:16:53 0 d-----w- c:\documents and settings\mark currier\DoctorWeb
2010-08-25 02:53:53 0 d-----w- c:\program files\Smart Virus Remover
2010-08-24 01:24:22 82944 ----a-w- c:\windows\sed.exe
2010-08-24 01:24:22 77312 ----a-w- c:\windows\mbr.exe
2010-08-24 01:24:22 278016 ----a-w- c:\windows\swreg.exe
2010-08-24 00:55:07 99422780 ----a-w- C:\MyReg.reg
2010-08-23 05:28:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-23 04:18:21 0 d-----w- c:\docume~1\alluse~1\applic~1\bdch
2010-08-22 18:47:52 0 d-----w- C:\_OTL
2010-08-22 18:40:33 0 d-----w- c:\windows\system32\CatRoot2
2010-08-20 07:37:34 0 ----a-w- c:\windows\system32\imblacklist.dat
2010-08-20 07:29:17 415 ----a-w- c:\windows\system32\user_gensett.xml
2010-08-20 07:24:07 0 d-----w- c:\docume~1\markcu~1\applic~1\BitDefender
2010-08-20 07:23:08 0 d-----w- c:\program files\BitDefender
2010-08-20 07:06:12 0 d-----w- c:\docume~1\markcu~1\applic~1\QuickScan
2010-08-20 07:05:29 0 d-----w- c:\program files\common files\BitDefender
2010-08-20 07:05:29 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-08-20 07:04:46 253072 ----a-w- c:\windows\system32\drivers\Trufos.sys
2010-08-20 07:04:40 327368 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2010-08-20 07:04:40 12960 ----a-w- c:\windows\system32\drivers\bdrawpr.sys
2010-08-20 07:04:37 516348 ----a-w- c:\docume~1\alluse~1\applic~1\bdinstall.bin
2010-08-20 05:39:21 0 d--h--w- c:\windows\PIF
2010-08-18 06:25:34 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-08-18 06:25:30 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-08-18 06:25:27 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-08-18 06:25:23 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-08-18 06:25:19 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-08-18 06:25:14 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2010-08-18 06:25:13 28288 ----a-w- c:\windows\system32\dllcache\xjis.nls
2010-08-18 06:25:10 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-08-18 06:25:09 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-08-18 06:25:07 19328 ----a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-08-18 06:25:06 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-08-18 06:25:05 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-08-18 06:23:56 86073 ----a-w- c:\windows\system32\dllcache\voicesub.dll
2010-08-18 06:22:58 94720 ----a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-08-18 06:21:57 315520 ----a-w- c:\windows\system32\dllcache\trid3d.dll
2010-08-18 06:20:58 172768 ----a-w- c:\windows\system32\dllcache\t2r4disp.dll
2010-08-18 06:19:59 106584 ----a-w- c:\windows\system32\dllcache\spdports.dll
2010-08-18 06:18:58 28160 ----a-w- c:\windows\system32\dllcache\sm91w.dll
2010-08-18 06:17:59 386560 ----a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-08-18 06:16:58 210496 ----a-w- c:\windows\system32\dllcache\s3mvirge.dll
2010-08-18 06:15:55 19584 ----a-w- c:\windows\system32\dllcache\rasirda.sys
2010-08-18 06:11:13 70144 ----a-w- c:\windows\system32\dllcache\pintlphr.exe
2010-08-18 06:11:13 53760 ----a-w- c:\windows\system32\dllcache\pintlcsd.dll
2010-08-18 06:11:13 482304 ----a-w- c:\windows\system32\dllcache\pintlgnt.ime
2010-08-18 06:11:12 175104 ----a-w- c:\windows\system32\dllcache\pintlcsa.dll
2010-08-18 06:11:09 79360 ----a-w- c:\windows\system32\dllcache\phon.ime
2010-08-18 06:11:09 121344 ----a-w- c:\windows\system32\dllcache\phvfwext.dll
2010-08-18 06:11:06 19840 ----a-w- c:\windows\system32\dllcache\philtune.sys
2010-08-18 06:11:03 92416 ----a-w- c:\windows\system32\dllcache\phildec.sys
2010-08-18 06:11:00 173696 ----a-w- c:\windows\system32\dllcache\philcam2.sys
2010-08-18 06:09:59 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys
2010-08-18 06:08:58 39264 ----a-w- c:\windows\system32\dllcache\neo20xx.sys
2010-08-18 06:07:59 49024 ----a-w- c:\windows\system32\dllcache\mstape.sys
2010-08-18 06:06:58 58880 ----a-w- c:\windows\system32\dllcache\m3092dc.dll
2010-08-18 06:05:58 8192 ----a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-08-18 06:04:59 100992 ----a-w- c:\windows\system32\dllcache\icam5usb.sys
2010-08-18 06:03:59 542879 ----a-w- c:\windows\system32\dllcache\hsf_msft.sys
2010-08-18 06:02:59 15104 ----a-w- c:\windows\system32\dllcache\hidir.sys
2010-08-18 06:01:59 7168 ----a-w- c:\windows\system32\dllcache\f3ahvoas.dll
2010-08-18 06:00:59 455199 ----a-w- c:\windows\system32\dllcache\el985n51.sys
2010-08-18 05:59:58 65622 ----a-w- c:\windows\system32\dllcache\digiasyn.dll
2010-08-18 05:58:59 91264 ----a-w- c:\windows\system32\dllcache\cirrus.dll
2010-08-18 05:57:59 18432 ----a-w- c:\windows\system32\dllcache\bdaplgin.ax
2010-08-18 05:56:59 19456 ----a-w- c:\windows\system32\dllcache\agt0404.dll
2010-08-18 05:17:05 0 ----a-w- c:\windows\system32\bride.exe
2010-08-18 05:17:05 0 ----a-w- c:\windows\system32\aavar.pif
2010-08-18 05:17:05 0 ----a-w- c:\windows\marco!.scr
2010-08-18 05:17:05 0 ----a-w- c:\windows\instit.bat
2010-08-18 05:17:05 0 ----a-w- c:\windows\brasil.pif
2010-08-18 05:17:05 0 ----a-w- c:\windows\brasil.exe
2010-08-18 05:17:05 0 ----a-w- c:\windows\alevir.exe
2010-08-18 04:18:29 0 d-----w- c:\docume~1\markcu~1\applic~1\SUPERAntiSpyware.com
2010-08-18 04:18:29 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-18 04:17:36 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-18 04:08:01 12714 ----a-w- c:\windows\system32\flcss.sys
2010-08-18 04:01:21 12552 ----a-w- c:\windows\system32\drivers\hddirect.sys
2010-08-17 06:00:54 78848 ----a-w- c:\windows\system32\msiexec.exe
2010-08-17 06:00:54 78848 ----a-w- c:\windows\system32\dllcache\msiexec.exe
2010-08-17 05:49:32 2890240 ----a-w- c:\windows\system32\msi.dll
2010-08-17 05:49:32 2890240 ----a-w- c:\windows\system32\dllcache\msi.dll
2010-08-17 01:28:13 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-08-16 02:07:37 0 d-----w- C:\Sym_LoadPointDiag
2010-08-15 17:19:08 72192 ----a-w- c:\windows\system32\taskkill.exe
2010-08-15 05:43:09 7302 ----a-w- c:\windows\system32\rrt_vf.wav
2010-08-15 05:43:09 7148 ----a-w- c:\windows\system32\rrt_tv.wav
2010-08-15 05:43:09 6282 ----a-w- c:\windows\system32\rrt_tn.wav
2010-08-15 05:43:09 16244 ----a-w- c:\windows\system32\rrt_is.wav
2010-08-15 02:43:40 0 d-----w- c:\docume~1\markcu~1\applic~1\Malwarebytes
2010-08-13 21:57:05 0 d-----w- c:\docume~1\markcu~1\applic~1\Simply Super Software
2010-08-12 20:26:23 0 d-----w- c:\windows\pss
2010-08-11 22:06:05 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-08-11 22:06:05 14848 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-08-11 22:05:55 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-08-11 22:05:55 24576 ----a-w- c:\windows\system32\dllcache\kbdclass.sys
2010-08-11 21:46:38 0 d-----w- c:\windows\system32\NtmsData
2010-08-11 20:47:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-11 20:47:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-11 20:47:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-11 20:47:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-11 16:53:45 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-08-11 16:53:45 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-08-11 16:53:45 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-08-11 16:53:45 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-08-11 16:53:45 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-08-11 16:53:43 0 d-----w- c:\program files\Trojan Remover
2010-08-11 16:53:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software

==================== Find3M ====================

2010-08-20 07:04:48 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-07-08 17:37:14 101544 ----a-w- c:\program files\common files\LinkInstaller.exe
2009-12-27 17:23:34 56 --sha-r- c:\windows\system32\A2C0EDE4F5.sys

============= FINISH: 20:27:58.50 ===============

GMER log attached.

Edited by PJack, 28 August 2010 - 05:35 AM.

#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:04:32 PM

Posted 03 September 2010 - 12:47 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 PJack

  • Topic Starter

  • Members
  • 35 posts
  • Local time:01:32 PM

Posted 04 September 2010 - 07:08 PM

I am still having the problem. I have not done anything with the PC since I posted my original request:
S3 Update Server;BitDefender Update Server v2;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2010-7-23 307544]
S4 avc3;avc3;c:\windows\system32\drivers\avc3.sys [2010-6-28 633424]
S4 avckf;avckf;c:\windows\system32\drivers\avckf.sys [2010-6-28 970320]
S4 Updatesrv;BitDefender Desktop Update Service;c:\program files\bitdefender\bitdefender 2011\updatesrv.exe [2010-8-10 42400]

=============== Created Last 30 ================

2010-08-28 03:01:14 0 ----a-w- c:\documents and settings\mark currier\defogger_reenable
2010-08-28 02:45:58 625466368 ----a-w- C:\Backup.bkf
2010-08-28 02:16:54 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-08-27 03:33:34 68608 ----a-w- c:\windows\system32\dllcache\plugin.ocx
2010-08-26 05:39:11 0 d-----w- C:\SysClean
2010-08-25 03:16:53 0 d-----w- c:\documents and settings\mark currier\DoctorWeb
2010-08-25 02:53:53 0 d-----w- c:\program files\Smart Virus Remover
2010-08-24 01:24:22 82944 ----a-w- c:\windows\sed.exe
2010-08-24 01:24:22 77312 ----a-w- c:\windows\mbr.exe
2010-08-24 01:24:22 278016 ----a-w- c:\windows\swreg.exe
2010-08-24 00:55:07 99422780 ----a-w- C:\MyReg.reg
2010-08-23 05:28:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-23 04:18:21 0 d-----w- c:\docume~1\alluse~1\applic~1\bdch
2010-08-22 18:47:52 0 d-----w- C:\_OTL
2010-08-22 18:40:33 0 d-----w- c:\windows\system32\CatRoot2
2010-08-20 07:37:34 0 ----a-w- c:\windows\system32\imblacklist.dat
2010-08-20 07:29:17 415 ----a-w- c:\windows\system32\user_gensett.xml
2010-08-20 07:24:07 0 d-----w- c:\docume~1\markcu~1\applic~1\BitDefender
2010-08-20 07:23:08 0 d-----w- c:\program files\BitDefender
2010-08-20 07:06:12 0 d-----w- c:\docume~1\markcu~1\applic~1\QuickScan
2010-08-20 07:05:29 0 d-----w- c:\program files\common files\BitDefender
2010-08-20 07:05:29 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-08-20 07:04:46 253072 ----a-w- c:\windows\system32\drivers\Trufos.sys
2010-08-20 07:04:40 327368 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2010-08-20 07:04:40 12960 ----a-w- c:\windows\system32\drivers\bdrawpr.sys
2010-08-20 07:04:37 516348 ----a-w- c:\docume~1\alluse~1\applic~1\bdinstall.bin
2010-08-20 05:39:21 0 d--h--w- c:\windows\PIF
2010-08-18 06:25:34 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-08-18 06:25:30 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-08-18 06:25:27 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-08-18 06:25:23 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-08-18 06:25:19 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-08-18 06:25:14 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2010-08-18 06:25:13 28288 ----a-w- c:\windows\system32\dllcache\xjis.nls
2010-08-18 06:25:10 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-08-18 06:25:09 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-08-18 06:25:07 19328 ----a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-08-18 06:25:06 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-08-18 06:25:05 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-08-18 06:23:56 86073 ----a-w- c:\windows\system32\dllcache\voicesub.dll
2010-08-18 06:22:58 94720 ----a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-08-18 06:21:57 315520 ----a-w- c:\windows\system32\dllcache\trid3d.dll
2010-08-18 06:20:58 172768 ----a-w- c:\windows\system32\dllcache\t2r4disp.dll
2010-08-18 06:19:59 106584 ----a-w- c:\windows\system32\dllcache\spdports.dll
2010-08-18 06:18:58 28160 ----a-w- c:\windows\system32\dllcache\sm91w.dll
2010-08-18 06:17:59 386560 ----a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-08-18 06:16:58 210496 ----a-w- c:\windows\system32\dllcache\s3mvirge.dll
2010-08-18 06:15:55 19584 ----a-w- c:\windows\system32\dllcache\rasirda.sys
2010-08-18 06:11:13 70144 ----a-w- c:\windows\system32\dllcache\pintlphr.exe
2010-08-18 06:11:13 53760 ----a-w- c:\windows\system32\dllcache\pintlcsd.dll
2010-08-18 06:11:13 482304 ----a-w- c:\windows\system32\dllcache\pintlgnt.ime
2010-08-18 06:11:12 175104 ----a-w- c:\windows\system32\dllcache\pintlcsa.dll
2010-08-18 06:11:09 79360 ----a-w- c:\windows\system32\dllcache\phon.ime
2010-08-18 06:11:09 121344 ----a-w- c:\windows\system32\dllcache\phvfwext.dll
2010-08-18 06:11:06 19840 ----a-w- c:\windows\system32\dllcache\philtune.sys
2010-08-18 06:11:03 92416 ----a-w- c:\windows\system32\dllcache\phildec.sys
2010-08-18 06:11:00 173696 ----a-w- c:\windows\system32\dllcache\philcam2.sys
2010-08-18 06:09:59 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys
2010-08-18 06:08:58 39264 ----a-w- c:\windows\system32\dllcache\neo20xx.sys
2010-08-18 06:07:59 49024 ----a-w- c:\windows\system32\dllcache\mstape.sys
2010-08-18 06:06:58 58880 ----a-w- c:\windows\system32\dllcache\m3092dc.dll
2010-08-18 06:05:58 8192 ----a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-08-18 06:04:59 100992 ----a-w- c:\windows\system32\dllcache\icam5usb.sys
2010-08-18 06:03:59 542879 ----a-w- c:\windows\system32\dllcache\hsf_msft.sys
2010-08-18 06:02:59 15104 ----a-w- c:\windows\system32\dllcache\hidir.sys
2010-08-18 06:01:59 7168 ----a-w- c:\windows\system32\dllcache\f3ahvoas.dll
2010-08-18 06:00:59 455199 ----a-w- c:\windows\system32\dllcache\el985n51.sys
2010-08-18 05:59:58 65622 ----a-w- c:\windows\system32\dllcache\digiasyn.dll
2010-08-18 05:58:59 91264 ----a-w- c:\windows\system32\dllcache\cirrus.dll
2010-08-18 05:57:59 18432 ----a-w- c:\windows\system32\dllcache\bdaplgin.ax
2010-08-18 05:56:59 19456 ----a-w- c:\windows\system32\dllcache\agt0404.dll
2010-08-18 05:17:05 0 ----a-w- c:\windows\system32\bride.exe
2010-08-18 05:17:05 0 ----a-w- c:\windows\system32\aavar.pif
2010-08-18 05:17:05 0 ----a-w- c:\windows\marco!.scr
2010-08-18 05:17:05 0 ----a-w- c:\windows\instit.bat
2010-08-18 05:17:05 0 ----a-w- c:\windows\brasil.pif
2010-08-18 05:17:05 0 ----a-w- c:\windows\brasil.exe
2010-08-18 05:17:05 0 ----a-w- c:\windows\alevir.exe
2010-08-18 04:18:29 0 d-----w- c:\docume~1\markcu~1\applic~1\SUPERAntiSpyware.com
2010-08-18 04:18:29 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-18 04:17:36 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-18 04:08:01 12714 ----a-w- c:\windows\system32\flcss.sys
2010-08-18 04:01:21 12552 ----a-w- c:\windows\system32\drivers\hddirect.sys
2010-08-17 06:00:54 78848 ----a-w- c:\windows\system32\msiexec.exe
2010-08-17 06:00:54 78848 ----a-w- c:\windows\system32\dllcache\msiexec.exe
2010-08-17 05:49:32 2890240 ----a-w- c:\windows\system32\msi.dll
2010-08-17 05:49:32 2890240 ----a-w- c:\windows\system32\dllcache\msi.dll
2010-08-17 01:28:13 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-08-16 02:07:37 0 d-----w- C:\Sym_LoadPointDiag
2010-08-15 17:19:08 72192 ----a-w- c:\windows\system32\taskkill.exe
2010-08-15 05:43:09 7302 ----a-w- c:\windows\system32\rrt_vf.wav
2010-08-15 05:43:09 7148 ----a-w- c:\windows\system32\rrt_tv.wav
2010-08-15 05:43:09 6282 ----a-w- c:\windows\system32\rrt_tn.wav
2010-08-15 05:43:09 16244 ----a-w- c:\windows\system32\rrt_is.wav
2010-08-15 02:43:40 0 d-----w- c:\docume~1\markcu~1\applic~1\Malwarebytes
2010-08-13 21:57:05 0 d-----w- c:\docume~1\markcu~1\applic~1\Simply Super Software
2010-08-12 20:26:23 0 d-----w- c:\windows\pss
2010-08-11 22:06:05 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-08-11 22:06:05 14848 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-08-11 22:05:55 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-08-11 22:05:55 24576 ----a-w- c:\windows\system32\dllcache\kbdclass.sys
2010-08-11 21:46:38 0 d-----w- c:\windows\system32\NtmsData
2010-08-11 20:47:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-11 20:47:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-11 20:47:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-11 20:47:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-11 16:53:45 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-08-11 16:53:45 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-08-11 16:53:45 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-08-11 16:53:45 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-08-11 16:53:45 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-08-11 16:53:43 0 d-----w- c:\program files\Trojan Remover
2010-08-11 16:53:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software

==================== Find3M ====================

2010-08-20 07:04:48 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-07-08 17:37:14 101544 ----a-w- c:\program files\common files\LinkInstaller.exe
2009-12-27 17:23:34 56 --sha-r- c:\windows\system32\A2C0EDE4F5.sys

============= FINISH: 20:27:58.50 ===============

GMER log attached.

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:04:32 PM

Posted 06 September 2010 - 10:33 AM

Hello, PJack.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!


Registry Cleaner Warning


I also see that you have a registry cleaner installed (in your case RegCure). Here at BC, we do not recommend using registry cleaners. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit won't help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/ind...p;#entry1326578


Two Antiviruses Warning


I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either BitDefender Antivirus Pro 2011 or Avast! Antivirus.

This is infected with a worm, but I want to look deeper before we start.

Step 1

Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"




Step 2

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


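Both steps above hand back a listing of loaded kernel drivers with their load addresses (RKUnhooker's >Drivers report and MBRCheck's Kernel Drivers section). The Python below is an added example, not part of this thread and not code from either tool: it parses constructed sample lines in both formats and cross-checks them by address, the cross-view comparison an analyst uses to spot a module that one tool reports and the other omits. The sample lines, the name hypothetical.sys and the address 0xDEAD0000 are constructed for the example.

```python
"""Cross-view check of two kernel-driver listings (RKUnhooker vs. MBRCheck).

Added example; not code from either tool.  Both scanners print every loaded
kernel module with its load address, so comparing the two views by address
is a simple way to notice a module that one view shows and the other does not.
All sample lines below are constructed.
"""
import re
from typing import Dict, List, NamedTuple


class Module(NamedTuple):
    base: int      # load address
    name: str      # lower-cased file name, directory stripped
    size: int      # image size in bytes (0 where the listing has no size column)
    vendor: str    # "(vendor, description)" text, "" when the listing has none


# RKUnhooker ">Drivers" line: "<base> <path> <size> bytes (<vendor, description>)"
RKU_LINE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(.+?)\s+(\d+)\s+bytes(?:\s+\((.*)\))?\s*$")
# MBRCheck "Kernel Drivers" line: "<base> <path>"
MBR_LINE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(\S.*?)\s*$")

# Constructed sample in RKUnhooker format.  The scanner lists its own driver
# (Normandy.SYS) and kernel aliases such as PnpManager at the ntkrnlpa.exe base.
RKU_SAMPLE = r"""
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2142208 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2142208 bytes
0xF8979000 avgarkt.sys 8192 bytes (GRISOFT, s.r.o., AVG Anti-Rootkit Driver)
0xA9648000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xAA3A6000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xAA096000 C:\WINDOWS\system32\flcss.sys 16384 bytes (Kaspersky Lab., Lock list of files)
"""

# Constructed sample in MBRCheck format; hypothetical.sys at 0xDEAD0000 is a
# made-up entry so the report has something only the second view shows.
MBR_SAMPLE = r"""
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0xF8979000 avgarkt.sys
0xAA3A6000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xDEAD0000 \SystemRoot\system32\DRIVERS\hypothetical.sys
"""


def _basename(path: str) -> str:
    """File name only, lower-cased; handles \\??\\C:\\... and \\SystemRoot\\... forms."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_rku(text: str) -> Dict[int, Module]:
    """Parse RKUnhooker driver lines into {base: Module}, keeping the first entry per base."""
    mods: Dict[int, Module] = {}
    for line in text.splitlines():
        m = RKU_LINE.match(line.strip())
        if not m:
            continue  # headers, "====" rulers and blank lines
        base = int(m.group(1), 16)
        mods.setdefault(base, Module(base, _basename(m.group(2)), int(m.group(3)), m.group(4) or ""))
    return mods


def parse_mbrcheck(text: str) -> Dict[int, Module]:
    """Parse MBRCheck 'Kernel Drivers' lines into {base: Module} (no size or vendor column)."""
    mods: Dict[int, Module] = {}
    for line in text.splitlines():
        m = MBR_LINE.match(line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        mods.setdefault(base, Module(base, _basename(m.group(2)), 0, ""))
    return mods


def fmt(base: int) -> str:
    return f"0x{base:08X}"


def cross_view(rku: Dict[int, Module], mbr: Dict[int, Module]) -> Dict[str, List[str]]:
    """Compare the two views by load address.

    only_in_rku / only_in_mbrcheck: a module one tool lists and the other omits.
    Expected causes are the scanner's own driver (Normandy.SYS for RKUnhooker)
    and drivers loaded or unloaded between the two runs; anything else is worth
    checking on disk.  name_mismatch: same address, different file name.
    no_vendor: RKUnhooker found no version resource (dump_* crash-dump copies
    of storage drivers are a normal case).
    """
    both = rku.keys() & mbr.keys()
    return {
        "only_in_rku": [fmt(b) for b in sorted(rku.keys() - mbr.keys())],
        "only_in_mbrcheck": [fmt(b) for b in sorted(mbr.keys() - rku.keys())],
        "name_mismatch": [fmt(b) for b in sorted(both) if rku[b].name != mbr[b].name],
        "no_vendor": [fmt(b) for b in sorted(rku) if not rku[b].vendor],
    }


if __name__ == "__main__":
    rku_mods = parse_rku(RKU_SAMPLE)
    mbr_mods = parse_mbrcheck(MBR_SAMPLE)
    for key, addrs in cross_view(rku_mods, mbr_mods).items():
        names = [(rku_mods.get(int(a, 16)) or mbr_mods[int(a, 16)]).name for a in addrs]
        print(f"{key}: {list(zip(addrs, names))}")
```

On a real pair of logs, paste each tool's full report into the parser; the non-matching header lines are skipped automatically.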
#5 PJack

PJack
  • Topic Starter

  • Members
  • 35 posts
  • Local time:01:32 PM

Posted 06 September 2010 - 02:07 PM

Thank you for the reply. I have followed your instructions and removed AVG.
Here is the log for RKUnhooker, followed by the MBR log:

RKUnhooker:
=========================
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2142208 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2142208 bytes
0x804D7000 RAW 2142208 bytes
0x804D7000 WMIxWDM 2142208 bytes
0xBF800000 Win32k 1847296 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF77E8000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1306624 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xAA6C8000 C:\WINDOWS\system32\drivers\sthda.sys 1015808 bytes (SigmaTel, Inc., NDRC)
0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 929792 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xF81BF000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xAA3E6000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF76C1000 C:\WINDOWS\system32\DRIVERS\update.sys 364544 bytes (Microsoft Corporation, Update Driver)
0xAA57B000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA9CD3000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xF828F000 bdfsfltr.sys 323584 bytes (BitDefender, BitDefender AntiVirus FS filter driver)
0xAA21E000 C:\WINDOWS\system32\DRIVERS\Trufos.sys 294912 bytes (BitDefender S.R.L., Trufos Kernel Module)
0xA95E7000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
0xF8346000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA9E3D000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF8192000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAA455000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAA514000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF7765000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 155648 bytes (Intel Corporation, Intel® PRO/100 Adapter NDIS 5.1 driver)
0xF77AE000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 155648 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0)
0xA9111000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 143360 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF7742000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF778B000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xAA4F2000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xAA6A6000 C:\WINDOWS\system32\drivers\portcls.sys 139264 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xAA480000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0xAA53C000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
0x806E2000 ACPI_HAL 134272 bytes
0x806E2000 C:\WINDOWS\system32\hal.dll 134272 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF82DE000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF8316000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xAA55D000 C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys 122880 bytes (BitDefender LLC, BitDefender Firewall TDI Filter Driver)
0xF8177000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF82FE000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xAA1C8000 C:\WINDOWS\System32\DLA\DLAUDFAM.SYS 98304 bytes (Sonic Solutions, Drive Letter Access Component)
0xAA3A6000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF824C000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF772B000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xAA208000 C:\WINDOWS\System32\DLA\DLAIFS_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xAA1B2000 C:\WINDOWS\System32\DLA\DLAUDF_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xF8279000 DRVMCDB.SYS 90112 bytes (Sonic Solutions, Device Driver)
0xF8263000 SymSnap.sys 90112 bytes (StorageCraft, StorageCraft Volume Snap-Shot)
0xA98D6000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF77D4000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAA5D3000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF8335000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF771A000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF8585000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF84E5000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF8665000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA9F92000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF86E5000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF8655000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF84B5000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF8675000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF8495000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF8695000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF8645000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF8485000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF8685000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xAA656000 C:\WINDOWS\System32\Drivers\DRVNDDM.SYS 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF86C5000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF86B5000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF8535000 C:\WINDOWS\System32\Drivers\V2IMount.SYS 40960 bytes (Symantec Corporation, V2iMount.sys - Image Mounting Device Driver)
0xF84A5000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF8545000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF8555000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF8635000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF8475000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF86A5000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF8515000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA9648000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF84C5000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF8505000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF87FD000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF8815000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF883D000 C:\WINDOWS\System32\DLA\DLABOIOM.SYS 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xF880D000 C:\WINDOWS\System32\Drivers\GearAspiWDM.SYS 28672 bytes (GEAR Software Inc., CDRom Class Filter Driver)
0xF87E5000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF86F5000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF879D000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF887D000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF87DD000 C:\WINDOWS\System32\Drivers\DLARTL_N.SYS 24576 bytes (Sonic Solutions, Shared Driver Component)
0xF87BD000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF87C5000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF8805000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xF885D000 C:\WINDOWS\system32\drivers\symlcbrd.sys 24576 bytes (Symantec Corporation, Symantec Core Component)
0xF87ED000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF87F5000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF86FD000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF87AD000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF87B5000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF87A5000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF8795000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 20480 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF882D000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xAA2DA000 C:\WINDOWS\System32\DLA\DLAOPIOM.SYS 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xAA096000 C:\WINDOWS\system32\flcss.sys 16384 bytes (Kaspersky Lab., Lock list of files to prevent infection of some viruses like FuneLove.)
0xF76A9000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF812E000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xAA286000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF8885000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xAA4E6000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF76B1000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF76AD000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF813A000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF893D000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF8979000 avgarkt.sys 8192 bytes (GRISOFT, s.r.o., AVG Anti-Rootkit Driver)
0xF89AD000 C:\WINDOWS\system32\DRIVERS\bdrawpr.sys 8192 bytes (BITDEFENDER LLC, BitDefender Raw Protect)
0xF89B3000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF89AF000 C:\WINDOWS\System32\Drivers\DLACDBHM.SYS 8192 bytes (Sonic Solutions, Shared Driver Component)
0xF89C3000 C:\WINDOWS\System32\DLA\DLAPoolM.SYS 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF8A03000 C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys 8192 bytes (Gteko Ltd., Process Trigger Driver)
0xF89DD000 C:\WINDOWS\system32\DRIVERS\dsunidrv.sys 8192 bytes (Gteko Ltd., GUniDriver)
0xF89B9000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF89B1000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF89AB000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 8192 bytes (Microsoft Corporation, I2O Utility Filter)
0xF897B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF8975000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF89B5000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF89B7000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF89A3000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF89A5000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8977000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8B23000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8B25000 C:\WINDOWS\System32\DRIVERS\AvgArCln.sys 4096 bytes (GRISOFT, s.r.o., AVG7 Clean Driver)
0xF8BCA000 C:\WINDOWS\System32\DLA\DLADResN.SYS 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xF8B97000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8B24000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF8A3D000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================


MBR Log:
======================================
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 132):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E2000 \WINDOWS\system32\hal.dll
0xF8975000 \WINDOWS\system32\KDCOM.DLL
0xF8885000 \WINDOWS\system32\BOOTVID.dll
0xF8346000 ACPI.sys
0xF8977000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF8335000 pci.sys
0xF8475000 isapnp.sys
0xF8979000 avgarkt.sys
0xF8A3D000 pciide.sys
0xF86F5000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF897B000 intelide.sys
0xF8485000 MountMgr.sys
0xF8316000 ftdisk.sys
0xF86FD000 PartMgr.sys
0xF8495000 VolSnap.sys
0xF82FE000 atapi.sys
0xF84A5000 disk.sys
0xF84B5000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF82DE000 fltmgr.sys
0xF828F000 bdfsfltr.sys
0xF8279000 DRVMCDB.SYS
0xF84C5000 PxHelp20.sys
0xF8263000 SymSnap.sys
0xF824C000 KSecDD.sys
0xF81BF000 Ntfs.sys
0xF8192000 NDIS.sys
0xF8177000 Mup.sys
0xF8635000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF77E8000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF77D4000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF77AE000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF8795000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF778B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF879D000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7765000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF8645000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF8655000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF8665000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7742000 \SystemRoot\system32\DRIVERS\ks.sys
0xF8B23000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF8675000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF813A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF772B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF8685000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF8695000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF87A5000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF771A000 \SystemRoot\system32\DRIVERS\psched.sys
0xF86A5000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF87AD000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF87B5000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF86B5000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF87BD000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF87C5000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF89A3000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF76C1000 \SystemRoot\system32\DRIVERS\update.sys
0xF812E000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF86C5000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF86E5000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF89A5000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAA6C8000 \SystemRoot\system32\drivers\sthda.sys
0xAA6A6000 \SystemRoot\system32\drivers\portcls.sys
0xF84E5000 \SystemRoot\system32\drivers\drmk.sys
0xF89AB000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF89AD000 \SystemRoot\system32\DRIVERS\bdrawpr.sys
0xF89AF000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xF89B1000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8B24000 \SystemRoot\System32\Drivers\Null.SYS
0xF89B3000 \SystemRoot\System32\Drivers\Beep.SYS
0xF87DD000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
0xF8B25000 \SystemRoot\System32\DRIVERS\AvgArCln.sys
0xF87E5000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF87ED000 \SystemRoot\System32\drivers\vga.sys
0xF89B5000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF89B7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF87F5000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF87FD000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF893D000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA5D3000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA57B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAA55D000 \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys
0xF8505000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAA53C000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAA514000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAA4F2000 \SystemRoot\System32\drivers\afd.sys
0xF8515000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF8535000 \SystemRoot\System32\Drivers\V2IMount.SYS
0xAA480000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xF8805000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xAA455000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAA3E6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF880D000 \SystemRoot\System32\Drivers\GearAspiWDM.SYS
0xF8545000 \SystemRoot\System32\Drivers\Fips.SYS
0xF76B1000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF8555000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF8815000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF76AD000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF76A9000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF8585000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAA3A6000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF89B9000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAA4E6000 \SystemRoot\System32\drivers\Dxapi.sys
0xF882D000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8B97000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF077000 \SystemRoot\System32\ialmdd5.DLL
0xAA21E000 \SystemRoot\system32\DRIVERS\Trufos.sys
0xAA656000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xF8BCA000 \SystemRoot\System32\DLA\DLADResN.SYS
0xAA208000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xAA2DA000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xF89C3000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0xF883D000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0xAA1C8000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0xAA1B2000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0xAA286000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9E3D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAA096000 \??\C:\WINDOWS\system32\flcss.sys
0xF89DD000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0xA9CD3000 \SystemRoot\system32\DRIVERS\srv.sys
0xF885D000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
0xA98D6000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9F92000 \SystemRoot\system32\drivers\sysaudio.sys
0xA95E7000 \SystemRoot\System32\Drivers\HTTP.sys
0xF8A03000 \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
0xF887D000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA9111000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 36):
0 System Idle Process
4 System
684 C:\WINDOWS\system32\smss.exe
736 csrss.exe
760 C:\WINDOWS\system32\winlogon.exe
804 C:\WINDOWS\system32\services.exe
816 C:\WINDOWS\system32\lsass.exe
1004 C:\WINDOWS\system32\svchost.exe
1092 svchost.exe
1132 C:\WINDOWS\system32\svchost.exe
1244 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1296 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1508 C:\WINDOWS\system32\spoolsv.exe
1592 svchost.exe
1640 C:\WINDOWS\system32\gearsec.exe
1688 C:\Program Files\Norton Ghost\Agent\VProSvc.exe
1764 C:\Program Files\Google\Update\GoogleUpdate.exe
1880 C:\WINDOWS\system32\svchost.exe
1960 wdfmgr.exe
1036 alg.exe
2056 C:\WINDOWS\explorer.exe
2224 svchost.exe
2272 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
2288 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
2316 C:\WINDOWS\system32\igfxpers.exe
2332 C:\WINDOWS\system32\hkcmd.exe
2340 C:\Program Files\Dell\Media Experience\DMXLauncher.exe
2348 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
2392 C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
2404 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2448 C:\Program Files\BitDefender\BitDefender 2011\bdagent.exe
2500 C:\Documents and Settings\Mark Currier\Desktop\V\RRT.exe
2532 C:\WINDOWS\system32\ctfmon.exe
2552 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2560 C:\Program Files\DellSupport\DSAgnt.exe
3876 C:\Documents and Settings\Mark Currier\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001b`27f4c800 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600JS-75NCB2, Rev: 10.02E03

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Dell MBR code detected
SHA1: 57BDF501CE769EF2720C705B6C71C893DA31574E


Done!



Thanks again. I await your next instructions.

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:32 PM

Posted 06 September 2010 - 02:42 PM

Hello, PJack.
Good...two clean scans. Looks like we're dealing only with the worm.



Viewpoint (foistware) Warning

Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/clickz/news/1714488/viewpoint-plunge-into-adware

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.


Step 1

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#7 PJack

PJack
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:32 PM

Posted 06 September 2010 - 04:04 PM

I am unable to install the Microsoft Recovery Console because I cannot get onto the internet.

Here is the log from ComboFix:
=========================
ComboFix 10-09-06.02 - Mark Currier 09/06/2010 13:44:42.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.240 [GMT -7:00]
Running from: c:\documents and settings\Mark Currier\Desktop\etavaresCF.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\alevir.exe
c:\windows\brasil.exe
c:\windows\system32\bride.exe
c:\windows\system32\bszip.dll

.
((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))
.

2010-08-28 02:16 . 2010-08-28 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-08-28 02:16 . 2010-08-28 02:19 -------- d-----w- c:\program files\RegCure
2010-08-27 04:12 . 2010-08-27 04:12 -------- d-----w- c:\program files\Alwil Software
2010-08-27 04:10 . 2010-07-27 02:13 3683248 ----a-w- c:\documents and settings\Mark Currier\Application Data\Simply Super Software\Trojan Remover\xvjF0A.exe
2010-08-26 05:39 . 2010-08-28 02:14 -------- d-----w- C:\SysClean
2010-08-25 03:16 . 2010-08-25 03:16 -------- d-----w- c:\documents and settings\Mark Currier\DoctorWeb
2010-08-25 02:53 . 2010-08-25 16:04 -------- d-----w- c:\program files\Smart Virus Remover
2010-08-24 00:55 . 2010-08-24 00:55 99422780 ----a-w- C:\MyReg.reg
2010-08-23 05:36 . 2010-08-23 05:36 -------- d-----w- c:\documents and settings\NetworkService\Application Data\QuickScan
2010-08-23 05:28 . 2010-08-23 05:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-23 04:18 . 2010-08-23 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\bdch
2010-08-22 18:47 . 2010-08-22 18:47 -------- d-----w- C:\_OTL
2010-08-22 18:40 . 2010-09-06 20:44 -------- d-----w- c:\windows\system32\CatRoot2
2010-08-22 03:33 . 2010-08-22 03:33 -------- d-----w- c:\documents and settings\Mark Currier\Local Settings\Application Data\Threat Expert
2010-08-20 07:37 . 2010-08-20 07:37 0 ----a-w- c:\windows\system32\imblacklist.dat
2010-08-20 07:32 . 2010-08-20 07:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\QuickScan
2010-08-20 07:23 . 2010-08-20 07:23 -------- d-----w- c:\program files\BitDefender
2010-08-20 07:06 . 2010-08-20 07:06 -------- d-----w- c:\documents and settings\Mark Currier\Application Data\QuickScan
2010-08-20 07:05 . 2010-09-06 20:21 -------- d-----w- c:\program files\Common Files\BitDefender
2010-08-20 07:05 . 2010-09-06 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-08-20 07:04 . 2010-07-09 22:08 327368 ------w- c:\windows\system32\drivers\bdfsfltr.sys
2010-08-20 05:39 . 2010-08-20 05:39 -------- d--h--w- c:\windows\PIF
2010-08-19 07:35 . 2010-08-19 07:35 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-08-19 07:35 . 2010-08-19 07:35 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-08-18 06:25 . 2004-08-04 07:56 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-08-18 06:25 . 2001-08-18 05:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-08-18 06:25 . 2001-08-18 05:36 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-08-18 06:25 . 2001-08-18 05:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-08-18 06:25 . 2001-08-18 05:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-08-18 06:25 . 2001-08-18 05:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2010-08-18 06:25 . 2001-08-17 19:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-08-18 06:25 . 2004-08-04 05:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-08-18 06:25 . 2004-08-04 06:10 19328 ----a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-08-18 06:25 . 2004-08-04 05:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-08-18 06:25 . 2004-08-04 07:56 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-08-18 06:23 . 2004-08-04 10:00 86073 ----a-w- c:\windows\system32\dllcache\voicesub.dll
2010-08-18 06:22 . 2001-08-18 05:36 94720 ----a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-08-18 06:21 . 2001-08-17 21:56 315520 ----a-w- c:\windows\system32\dllcache\trid3d.dll
2010-08-18 06:20 . 2001-08-17 21:56 172768 ----a-w- c:\windows\system32\dllcache\t2r4disp.dll
2010-08-18 06:19 . 2001-08-18 05:36 106584 ----a-w- c:\windows\system32\dllcache\spdports.dll
2010-08-18 06:18 . 2004-08-04 10:00 26112 ----a-w- c:\windows\system32\dllcache\sm90w.dll
2010-08-18 06:17 . 2001-08-18 05:36 386560 ----a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-08-18 06:16 . 2001-08-17 21:56 210496 ----a-w- c:\windows\system32\dllcache\s3mvirge.dll
2010-08-18 06:15 . 2001-08-17 20:51 19584 ----a-w- c:\windows\system32\dllcache\rasirda.sys
2010-08-18 06:11 . 2004-08-04 10:00 70144 ----a-w- c:\windows\system32\dllcache\pintlphr.exe
2010-08-18 06:11 . 2004-08-04 10:00 53760 ----a-w- c:\windows\system32\dllcache\pintlcsd.dll
2010-08-18 06:11 . 2004-08-04 10:00 175104 ----a-w- c:\windows\system32\dllcache\pintlcsa.dll
2010-08-18 06:11 . 2001-08-18 05:36 121344 ----a-w- c:\windows\system32\dllcache\phvfwext.dll
2010-08-18 06:11 . 2001-08-17 21:07 19840 ----a-w- c:\windows\system32\dllcache\philtune.sys
2010-08-18 06:11 . 2001-08-17 21:04 92416 ----a-w- c:\windows\system32\dllcache\phildec.sys
2010-08-18 06:11 . 2001-08-17 21:04 173696 ----a-w- c:\windows\system32\dllcache\philcam2.sys
2010-08-18 06:09 . 2001-08-17 21:05 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys
2010-08-18 06:08 . 2001-08-17 19:50 39264 ----a-w- c:\windows\system32\dllcache\neo20xx.sys
2010-08-18 06:07 . 2004-08-04 06:10 49024 ----a-w- c:\windows\system32\dllcache\mstape.sys
2010-08-18 06:06 . 2001-08-18 05:36 58880 ----a-w- c:\windows\system32\dllcache\m3092dc.dll
2010-08-18 06:05 . 2001-08-18 05:36 8192 ----a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-08-18 06:04 . 2001-08-17 21:06 100992 ----a-w- c:\windows\system32\dllcache\icam5usb.sys
2010-08-18 06:03 . 2001-08-17 20:28 542879 ----a-w- c:\windows\system32\dllcache\hsf_msft.sys
2010-08-18 06:02 . 2004-08-04 06:08 15104 ----a-w- c:\windows\system32\dllcache\hidir.sys
2010-08-18 06:01 . 2004-08-04 10:00 7168 ----a-w- c:\windows\system32\dllcache\f3ahvoas.dll
2010-08-18 06:00 . 2001-08-17 19:11 455199 ----a-w- c:\windows\system32\dllcache\el985n51.sys
2010-08-18 05:59 . 2001-08-18 05:36 65622 ----a-w- c:\windows\system32\dllcache\digiasyn.dll
2010-08-18 05:58 . 2001-08-17 21:56 91264 ----a-w- c:\windows\system32\dllcache\cirrus.dll
2010-08-18 05:57 . 2004-08-04 06:10 11776 ----a-w- c:\windows\system32\dllcache\bdasup.sys
2010-08-18 05:56 . 2004-08-04 10:00 19456 ----a-w- c:\windows\system32\dllcache\agt0404.dll
2010-08-18 05:17 . 2010-08-20 05:06 0 ----a-w- c:\windows\system32\aavar.pif
2010-08-18 05:17 . 2010-08-20 05:06 0 ----a-w- c:\windows\marco!.scr
2010-08-18 05:17 . 2010-08-20 05:06 0 ----a-w- c:\windows\instit.bat
2010-08-18 05:17 . 2010-08-20 05:06 0 ----a-w- c:\windows\brasil.pif
2010-08-18 04:18 . 2010-08-19 03:50 63488 ----a-w- c:\documents and settings\Mark Currier\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-18 04:18 . 2010-08-18 04:18 52224 ----a-w- c:\documents and settings\Mark Currier\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-18 04:18 . 2010-08-19 03:50 117760 ----a-w- c:\documents and settings\Mark Currier\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-18 04:18 . 2010-08-18 04:18 -------- d-----w- c:\documents and settings\Mark Currier\Application Data\SUPERAntiSpyware.com
2010-08-18 04:18 . 2010-08-18 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-18 04:17 . 2010-08-18 04:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-18 04:08 . 2010-08-18 04:08 12714 ----a-w- c:\windows\system32\flcss.sys
2010-08-18 04:01 . 2010-08-18 04:01 12552 ----a-w- c:\windows\system32\drivers\hddirect.sys
2010-08-17 06:00 . 2005-05-04 17:45 78848 ----a-w- c:\windows\system32\msiexec.exe
2010-08-17 06:00 . 2005-05-04 17:45 78848 ----a-w- c:\windows\system32\dllcache\msiexec.exe
2010-08-17 05:49 . 2005-05-04 17:45 2890240 ----a-w- c:\windows\system32\msi.dll
2010-08-17 05:49 . 2005-05-04 17:45 2890240 ----a-w- c:\windows\system32\dllcache\msi.dll
2010-08-17 05:14 . 2010-08-17 05:14 -------- d-----w- c:\program files\ERUNT
2010-08-17 01:28 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-08-16 02:07 . 2010-08-26 03:20 -------- d-----w- C:\Sym_LoadPointDiag
2010-08-15 17:19 . 2003-03-31 12:00 72192 ----a-w- c:\windows\system32\taskkill.exe
2010-08-15 02:43 . 2010-08-15 02:43 -------- d-----w- c:\documents and settings\Mark Currier\Application Data\Malwarebytes
2010-08-13 21:57 . 2010-08-13 21:57 -------- d-----w- c:\documents and settings\Mark Currier\Application Data\Simply Super Software
2010-08-12 22:55 . 2010-07-27 02:13 3683248 ----a-w- c:\documents and settings\Administrator\Application Data\Simply Super Software\Trojan Remover\glp1.exe
2010-08-12 21:59 . 2010-07-27 02:13 3683248 ------w- c:\documents and settings\Margaret Currier\Application Data\Simply Super Software\Trojan Remover\siaD.exe
2010-08-11 22:06 . 2010-08-17 06:27 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-08-11 22:06 . 2010-08-17 06:27 14848 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-08-11 22:05 . 2004-08-04 03:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-08-11 22:05 . 2004-08-04 03:58 24576 ----a-w- c:\windows\system32\dllcache\kbdclass.sys
2010-08-11 21:50 . 2010-08-11 21:50 -------- d-----w- c:\documents and settings\Margaret Currier\Application Data\Simply Super Software
2010-08-11 21:47 . 2010-08-11 21:47 -------- d-sh--w- c:\documents and settings\Margaret Currier\IECompatCache
2010-08-11 21:46 . 2010-09-06 20:20 -------- d-----w- c:\windows\system32\NtmsData
2010-08-11 21:44 . 2010-08-11 21:44 -------- d-----w- c:\documents and settings\Margaret Currier\Application Data\Malwarebytes
2010-08-11 20:47 . 2010-08-11 20:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-11 20:47 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-11 20:47 . 2010-08-11 20:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-11 20:47 . 2010-08-11 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-11 20:47 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-11 20:39 . 2010-08-11 20:39 46392 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-11 20:38 . 2010-08-11 20:38 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-08-11 16:54 . 2010-08-27 04:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-11 16:53 . 2006-06-19 19:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-08-11 16:53 . 2006-05-25 21:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-08-11 16:53 . 2005-08-26 07:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-08-11 16:53 . 2003-02-03 02:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-08-11 16:53 . 2002-03-06 07:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-08-11 16:53 . 2010-08-12 16:29 -------- d-----w- c:\program files\Trojan Remover
2010-08-11 16:53 . 2010-08-11 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-08-11 16:53 . 2010-08-11 16:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-06 20:19 . 2010-08-20 07:04 525234 ----a-w- c:\documents and settings\All Users\Application Data\bdinstall.bin
2010-09-06 20:03 . 2006-06-22 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-08-22 03:52 . 2006-06-22 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2010-08-20 07:04 . 2006-08-01 14:38 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-08-20 07:04 . 2006-08-01 14:38 88 --sha-r- c:\windows\system32\F5E4EDC0A2.sys
2010-08-16 01:19 . 2006-07-04 17:40 46392 ----a-w- c:\documents and settings\Mark Currier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-15 17:01 . 2006-07-19 21:29 46392 ------w- c:\documents and settings\Margaret Currier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-12 23:50 . 2007-12-09 17:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-12 23:48 . 2007-12-09 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-20 21:14 . 2007-09-16 22:41 -------- d-----w- c:\program files\The Weather Channel FW
2010-07-20 20:56 . 2006-06-22 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-07-20 20:56 . 2006-06-22 01:02 -------- d-----w- c:\program files\Common Files\AOL
2010-07-08 17:37 . 2010-07-08 17:37 101544 ----a-w- c:\program files\Common Files\LinkInstaller.exe
2010-06-27 14:04 . 2010-06-27 14:04 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb2B.tmp.exe
2009-12-20 01:37 . 2008-11-27 07:16 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-12-27 17:23 . 2006-10-11 01:35 56 --sha-r- c:\windows\system32\A2C0EDE4F5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-05 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-08-11 1167808]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-09-02 185632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-30 98304]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"RRT-Auto"="c:\documents and settings\Mark Currier\Desktop\V\RRT.exe" [2010-07-30 4837376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDDirect.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 KLAntiFL;KLAntiFL;c:\windows\system32\flcss.sys [8/17/2010 9:08 PM 12714]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/20/2010 2:08 PM 135664]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [7/22/2006 9:33 AM 18864]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/21/2006 6:14 PM 30192]
S3 HDDirect;Hard Disk Direct Control;c:\windows\system32\drivers\hddirect.sys [8/17/2010 9:01 PM 12552]
S4 Updatesrv;BitDefender Desktop Update Service;c:\program files\BitDefender\BitDefender 2011\updatesrv.exe /service --> c:\program files\BitDefender\BitDefender 2011\updatesrv.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 21:08]

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 21:08]

2010-08-28 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-09-06 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-08-28 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-09-06 c:\windows\Tasks\User_Feed_Synchronization-{4D8730D1-4672-4A27-80DB-F73EE5AC7F38}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

2010-09-06 c:\windows\Tasks\User_Feed_Synchronization-{7003342C-2AF9-48DB-B158-8BD66FE54532}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

2010-09-06 c:\windows\Tasks\User_Feed_Synchronization-{D2723D4C-CAD4-489D-83B6-7F6380484FE4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-KL AntiFunLove - c:\windows\system32\flcss.exe
SafeBoot-HDDirect
SafeBoot-klmdb.sys
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-06 13:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2512)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\System32\GEARSec.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-09-06 13:55:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-06 20:55

Pre-Run: 104,913,879,040 bytes free
Post-Run: 104,785,092,608 bytes free

- - End Of File - - F73582D0F99E879BDBFD19B00152FE3D

Thanks. I await your next instructions.

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:32 PM

Posted 06 September 2010 - 05:08 PM

Hello, PJack.
We can install the recovery console manually...please use a flash drive to get it onto the sick computer.



Step 1

Please click on the following link to go to Microsoft's website.
http://support.microsoft.com/kb/310994

At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop. If you are using Windows XP Service Pack 3 (SP3), then select the Service Pack 2 download. If you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download. If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information.
  1. Click on the Start button.
  2. Click on the Run option.
  3. Type sysdm.cpl and then hit OK
  4. A screen will appear showing information about your Windows installation. Under the System category you should see your Windows version and the installed service pack. Write this down and proceed to download the correct version as above.
Once the Microsoft file has finished downloading, you should drag it on top of the ComboFix icon and let your mouse button go. This is shown in the following image.


ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Windows Recovery Console has finished installing, ComboFix will open a prompt stating that it was installed and asking if you would like to proceed with scanning your computer; please select No to cancel the scan.





Step 2

Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
http://www.bleepingcomputer.com/forums/topic343425.html

Collect::
c:\windows\system32\flcss.exe
c:\windows\system32\aavar.pif
c:\windows\marco!.scr
c:\windows\system32\A2C0EDE4F5.sys
c:\windows\instit.bat
c:\windows\brasil.pif
c:\windows\system32\flcss.sys
Folder::
c:\documents and settings\All Users\Application Data\bdch


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
Since you're not connected, you can cancel out and we can get that file manually.

etavares

Edited by etavares, 06 September 2010 - 05:08 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#9 PJack

PJack
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:32 PM

Posted 06 September 2010 - 05:55 PM

I did not receive any messages indicating that ComboFix wanted to connect to the internet.
Here is the log:
=====================
ComboFix 10-09-06.02 - Mark Currier 09/06/2010 15:39:48.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.228 [GMT -7:00]
Running from: c:\documents and settings\Mark Currier\Desktop\etavaresCF.exe
Command switches used :: c:\documents and settings\Mark Currier\Desktop\CFScript.txt

file zipped: c:\windows\brasil.pif
file zipped: c:\windows\instit.bat
file zipped: c:\windows\marco!.scr
file zipped: c:\windows\system32\A2C0EDE4F5.sys
file zipped: c:\windows\system32\aavar.pif
file zipped: c:\windows\system32\flcss.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\bdch
c:\documents and settings\All Users\Application Data\bdch\bdch_stats.xml
c:\windows\brasil.pif
c:\windows\instit.bat
c:\windows\marco!.scr
c:\windows\system32\A2C0EDE4F5.sys
c:\windows\system32\aavar.pif
c:\windows\system32\flcss.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KLAntiFL
-------\Service_KLAntiFL


((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))
.

2010-08-28 02:16 . 2010-08-28 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-08-28 02:16 . 2010-08-28 02:19 -------- d-----w- c:\program files\RegCure
2010-08-27 04:12 . 2010-08-27 04:12 -------- d-----w- c:\program files\Alwil Software
2010-08-27 04:10 . 2010-07-27 02:13 3683248 ----a-w- c:\documents and settings\Mark Currier\Application Data\Simply Super Software\Trojan Remover\xvjF0A.exe
2010-08-26 05:39 . 2010-08-28 02:14 -------- d-----w- C:\SysClean
2010-08-25 03:16 . 2010-08-25 03:16 -------- d-----w- c:\documents and settings\Mark Currier\DoctorWeb
2010-08-25 02:53 . 2010-08-25 16:04 -------- d-----w- c:\program files\Smart Virus Remover
2010-08-24 00:55 . 2010-08-24 00:55 99422780 ----a-w- C:\MyReg.reg
2010-08-23 05:36 . 2010-08-23 05:36 -------- d-----w- c:\documents and settings\NetworkService\Application Data\QuickScan
2010-08-23 05:28 . 2010-08-23 05:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-22 18:47 . 2010-08-22 18:47 -------- d-----w- C:\_OTL
2010-08-22 18:40 . 2010-09-06 22:37 -------- d-----w- c:\windows\system32\CatRoot2
2010-08-22 03:33 . 2010-08-22 03:33 -------- d-----w- c:\documents and settings\Mark Currier\Local Settings\Application Data\Threat Expert
2010-08-20 07:37 . 2010-08-20 07:37 0 ----a-w- c:\windows\system32\imblacklist.dat
2010-08-20 07:32 . 2010-08-20 07:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\QuickScan
2010-08-20 07:23 . 2010-08-20 07:23 -------- d-----w- c:\program files\BitDefender
2010-08-20 07:06 . 2010-08-20 07:06 -------- d-----w- c:\documents and settings\Mark Currier\Application Data\QuickScan
2010-08-20 07:05 . 2010-09-06 20:21 -------- d-----w- c:\program files\Common Files\BitDefender
2010-08-20 07:05 . 2010-09-06 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-08-20 07:04 . 2010-07-09 22:08 327368 ------w- c:\windows\system32\drivers\bdfsfltr.sys
2010-08-20 05:39 . 2010-08-20 05:39 -------- d--h--w- c:\windows\PIF
2010-08-19 07:35 . 2010-08-19 07:35 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-08-19 07:35 . 2010-08-19 07:35 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-08-18 06:25 . 2004-08-04 07:56 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-08-18 06:25 . 2001-08-18 05:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-08-18 06:25 . 2001-08-18 05:36 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-08-18 06:25 . 2001-08-18 05:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-08-18 06:25 . 2001-08-18 05:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-08-18 06:25 . 2001-08-18 05:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2010-08-18 06:25 . 2001-08-17 19:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-08-18 06:25 . 2004-08-04 05:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-08-18 06:25 . 2004-08-04 06:10 19328 ----a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-08-18 06:25 . 2004-08-04 05:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-08-18 06:25 . 2004-08-04 07:56 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-08-18 06:23 . 2004-08-04 10:00 86073 ----a-w- c:\windows\system32\dllcache\voicesub.dll
2010-08-18 06:22 . 2001-08-18 05:36 94720 ----a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-08-18 06:21 . 2001-08-17 21:56 315520 ----a-w- c:\windows\system32\dllcache\trid3d.dll
2010-08-18 06:20 . 2001-08-17 21:56 172768 ----a-w- c:\windows\system32\dllcache\t2r4disp.dll
2010-08-18 06:19 . 2001-08-18 05:36 106584 ----a-w- c:\windows\system32\dllcache\spdports.dll
2010-08-18 06:18 . 2004-08-04 10:00 26112 ----a-w- c:\windows\system32\dllcache\sm90w.dll
2010-08-18 06:17 . 2001-08-18 05:36 386560 ----a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-08-18 06:16 . 2001-08-17 21:56 210496 ----a-w- c:\windows\system32\dllcache\s3mvirge.dll
2010-08-18 06:15 . 2001-08-17 20:51 19584 ----a-w- c:\windows\system32\dllcache\rasirda.sys
2010-08-18 06:11 . 2004-08-04 10:00 70144 ----a-w- c:\windows\system32\dllcache\pintlphr.exe
2010-08-18 06:11 . 2004-08-04 10:00 53760 ----a-w- c:\windows\system32\dllcache\pintlcsd.dll
2010-08-18 06:11 . 2004-08-04 10:00 175104 ----a-w- c:\windows\system32\dllcache\pintlcsa.dll
2010-08-18 06:11 . 2001-08-18 05:36 121344 ----a-w- c:\windows\system32\dllcache\phvfwext.dll
2010-08-18 06:11 . 2001-08-17 21:07 19840 ----a-w- c:\windows\system32\dllcache\philtune.sys
2010-08-18 06:11 . 2001-08-17 21:04 92416 ----a-w- c:\windows\system32\dllcache\phildec.sys
2010-08-18 06:11 . 2001-08-17 21:04 173696 ----a-w- c:\windows\system32\dllcache\philcam2.sys
2010-08-18 06:09 . 2001-08-17 21:05 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys
2010-08-18 06:08 . 2001-08-17 19:50 39264 ----a-w- c:\windows\system32\dllcache\neo20xx.sys
2010-08-18 06:07 . 2004-08-04 06:10 49024 ----a-w- c:\windows\system32\dllcache\mstape.sys
2010-08-18 06:06 . 2001-08-18 05:36 58880 ----a-w- c:\windows\system32\dllcache\m3092dc.dll
2010-08-18 06:05 . 2001-08-18 05:36 8192 ----a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-08-18 06:04 . 2001-08-17 21:06 100992 ----a-w- c:\windows\system32\dllcache\icam5usb.sys
2010-08-18 06:03 . 2001-08-17 20:28 542879 ----a-w- c:\windows\system32\dllcache\hsf_msft.sys
2010-08-18 06:02 . 2004-08-04 06:08 15104 ----a-w- c:\windows\system32\dllcache\hidir.sys
2010-08-18 06:01 . 2004-08-04 10:00 7168 ----a-w- c:\windows\system32\dllcache\f3ahvoas.dll
2010-08-18 06:00 . 2001-08-17 19:11 455199 ----a-w- c:\windows\system32\dllcache\el985n51.sys
2010-08-18 05:59 . 2001-08-18 05:36 65622 ----a-w- c:\windows\system32\dllcache\digiasyn.dll
2010-08-18 05:58 . 2001-08-17 21:56 91264 ----a-w- c:\windows\system32\dllcache\cirrus.dll
2010-08-18 05:57 . 2004-08-04 06:10 11776 ----a-w- c:\windows\system32\dllcache\bdasup.sys
2010-08-18 05:56 . 2004-08-04 10:00 19456 ----a-w- c:\windows\system32\dllcache\agt0404.dll
2010-08-18 04:18 . 2010-08-19 03:50 63488 ----a-w- c:\documents and settings\Mark Currier\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-18 04:18 . 2010-08-18 04:18 52224 ----a-w- c:\documents and settings\Mark Currier\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-18 04:18 . 2010-08-19 03:50 117760 ----a-w- c:\documents and settings\Mark Currier\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-18 04:18 . 2010-08-18 04:18 -------- d-----w- c:\documents and settings\Mark Currier\Application Data\SUPERAntiSpyware.com
2010-08-18 04:18 . 2010-08-18 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-18 04:17 . 2010-08-18 04:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-18 04:01 . 2010-08-18 04:01 12552 ----a-w- c:\windows\system32\drivers\hddirect.sys
2010-08-17 06:00 . 2005-05-04 17:45 78848 ----a-w- c:\windows\system32\msiexec.exe
2010-08-17 06:00 . 2005-05-04 17:45 78848 ----a-w- c:\windows\system32\dllcache\msiexec.exe
2010-08-17 05:49 . 2005-05-04 17:45 2890240 ----a-w- c:\windows\system32\msi.dll
2010-08-17 05:49 . 2005-05-04 17:45 2890240 ----a-w- c:\windows\system32\dllcache\msi.dll
2010-08-17 05:14 . 2010-08-17 05:14 -------- d-----w- c:\program files\ERUNT
2010-08-17 01:28 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-08-16 02:07 . 2010-08-26 03:20 -------- d-----w- C:\Sym_LoadPointDiag
2010-08-15 17:19 . 2003-03-31 12:00 72192 ----a-w- c:\windows\system32\taskkill.exe
2010-08-15 02:43 . 2010-08-15 02:43 -------- d-----w- c:\documents and settings\Mark Currier\Application Data\Malwarebytes
2010-08-13 21:57 . 2010-08-13 21:57 -------- d-----w- c:\documents and settings\Mark Currier\Application Data\Simply Super Software
2010-08-12 22:55 . 2010-07-27 02:13 3683248 ----a-w- c:\documents and settings\Administrator\Application Data\Simply Super Software\Trojan Remover\glp1.exe
2010-08-12 21:59 . 2010-07-27 02:13 3683248 ------w- c:\documents and settings\Margaret Currier\Application Data\Simply Super Software\Trojan Remover\siaD.exe
2010-08-11 22:06 . 2010-08-17 06:27 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-08-11 22:06 . 2010-08-17 06:27 14848 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-08-11 22:05 . 2004-08-04 03:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-08-11 22:05 . 2004-08-04 03:58 24576 ----a-w- c:\windows\system32\dllcache\kbdclass.sys
2010-08-11 21:50 . 2010-08-11 21:50 -------- d-----w- c:\documents and settings\Margaret Currier\Application Data\Simply Super Software
2010-08-11 21:47 . 2010-08-11 21:47 -------- d-sh--w- c:\documents and settings\Margaret Currier\IECompatCache
2010-08-11 21:46 . 2010-09-06 20:20 -------- d-----w- c:\windows\system32\NtmsData
2010-08-11 21:44 . 2010-08-11 21:44 -------- d-----w- c:\documents and settings\Margaret Currier\Application Data\Malwarebytes
2010-08-11 20:47 . 2010-08-11 20:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-11 20:47 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-11 20:47 . 2010-08-11 20:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-11 20:47 . 2010-08-11 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-11 20:47 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-11 20:39 . 2010-08-11 20:39 46392 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-11 20:38 . 2010-08-11 20:38 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-08-11 16:54 . 2010-08-27 04:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-11 16:53 . 2006-06-19 19:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-08-11 16:53 . 2006-05-25 21:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-08-11 16:53 . 2005-08-26 07:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-08-11 16:53 . 2003-02-03 02:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-08-11 16:53 . 2002-03-06 07:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-08-11 16:53 . 2010-08-12 16:29 -------- d-----w- c:\program files\Trojan Remover
2010-08-11 16:53 . 2010-08-11 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-08-11 16:53 . 2010-08-11 16:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-06 20:19 . 2010-08-20 07:04 525234 ----a-w- c:\documents and settings\All Users\Application Data\bdinstall.bin
2010-09-06 20:03 . 2006-06-22 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-08-22 03:52 . 2006-06-22 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2010-08-20 07:04 . 2006-08-01 14:38 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-08-20 07:04 . 2006-08-01 14:38 88 --sha-r- c:\windows\system32\F5E4EDC0A2.sys
2010-08-16 01:19 . 2006-07-04 17:40 46392 ----a-w- c:\documents and settings\Mark Currier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-15 17:01 . 2006-07-19 21:29 46392 ------w- c:\documents and settings\Margaret Currier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-12 23:50 . 2007-12-09 17:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-12 23:48 . 2007-12-09 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-20 21:14 . 2007-09-16 22:41 -------- d-----w- c:\program files\The Weather Channel FW
2010-07-20 20:56 . 2006-06-22 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-07-20 20:56 . 2006-06-22 01:02 -------- d-----w- c:\program files\Common Files\AOL
2010-07-08 17:37 . 2010-07-08 17:37 101544 ----a-w- c:\program files\Common Files\LinkInstaller.exe
2010-06-27 14:04 . 2010-06-27 14:04 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb2B.tmp.exe
2009-12-20 01:37 . 2008-11-27 07:16 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-09-06_20.51.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-06 22:46 . 2010-09-06 22:46 16384 c:\windows\Temp\Perflib_Perfdata_678.dat
- 2010-09-06 20:51 . 2010-09-06 20:51 16384 c:\windows\Temp\Perflib_Perfdata_678.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-05 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-08-11 1167808]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-09-02 185632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-30 98304]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"RRT-Auto"="c:\documents and settings\Mark Currier\Desktop\V\RRT.exe" [2010-07-30 4837376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDDirect.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/20/2010 2:08 PM 135664]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [7/22/2006 9:33 AM 18864]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/21/2006 6:14 PM 30192]
S3 HDDirect;Hard Disk Direct Control;c:\windows\system32\drivers\hddirect.sys [8/17/2010 9:01 PM 12552]
S4 Updatesrv;BitDefender Desktop Update Service;c:\program files\BitDefender\BitDefender 2011\updatesrv.exe /service --> c:\program files\BitDefender\BitDefender 2011\updatesrv.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 21:08]

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 21:08]

2010-08-28 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-09-06 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-08-28 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-09-06 c:\windows\Tasks\User_Feed_Synchronization-{4D8730D1-4672-4A27-80DB-F73EE5AC7F38}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

2010-09-06 c:\windows\Tasks\User_Feed_Synchronization-{7003342C-2AF9-48DB-B158-8BD66FE54532}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

2010-09-06 c:\windows\Tasks\User_Feed_Synchronization-{D2723D4C-CAD4-489D-83B6-7F6380484FE4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-06 15:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3848)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\System32\GEARSec.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-09-06 15:50:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-06 22:50
ComboFix2.txt 2010-09-06 20:55

Pre-Run: 104,776,019,968 bytes free
Post-Run: 104,764,588,032 bytes free

- - End Of File - - DE6B83703F8BF47197BFB7FA4D467242

Thanks. I await your next instructions.

I have attached a file that I think may be the one you spoke of earlier.

Edited by PJack, 06 September 2010 - 06:01 PM.
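A ComboFix log like the one above is read by hand, but the file-listing and Run-key sections have a regular shape, so a small parser can pull them into records and rank which entries a reviewer should look at first. The following is an added example, not part of the thread and not ComboFix's own code: it parses "Files Created" / "Find3M"-style lines (created time, modified time, size, attribute flags, path) and REGEDIT4-style Run entries, then applies a few review cues that mirror what the helper acted on in this thread (executable-type files sitting directly in c:\windows, drivers with random-looking hex names, autostart entries launching from user-writable folders) plus a hidden/system-attribute cue. The sample lines are taken from the log above, except the last two file lines, whose dates and sizes are constructed; the exact meaning of each attribute column is not documented on the page, so the code only checks for the letters.

```python
"""Triage helper for ComboFix-style log sections (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "Files Created" / "Find3M" line: created . modified size attrs path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$"
)
# Reg Loading Points entry: "name"="path" [date size]
RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)

# Sample lines from the log above; the last two are constructed (dates/sizes made up)
# to show how the removed files would have looked in this format.
FILE_SAMPLE = r"""
2010-08-28 02:16 . 2010-08-28 02:19 -------- d-----w- c:\program files\RegCure
2010-08-20 07:04 . 2006-08-01 14:38 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-08-20 07:04 . 2006-08-01 14:38 88 --sha-r- c:\windows\system32\F5E4EDC0A2.sys
2010-08-20 05:39 . 2010-08-20 05:39 -------- d--h--w- c:\windows\PIF
2010-08-17 06:00 . 2005-05-04 17:45 78848 ----a-w- c:\windows\system32\msiexec.exe
2010-08-18 04:01 . 2010-08-18 04:01 12552 ----a-w- c:\windows\system32\drivers\hddirect.sys
2010-08-10 00:00 . 2010-08-10 00:00 12288 ----a-w- c:\windows\marco!.scr
2010-08-10 00:00 . 2010-08-10 00:00 9001 ----a-w- c:\windows\system32\A2C0EDE4F5.sys
"""
RUN_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-08-11 1167808]
"RRT-Auto"="c:\documents and settings\Mark Currier\Desktop\V\RRT.exe" [2010-07-30 4837376]
"%windir%\\system32\\sessmgr.exe"=
"""


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]   # None for directories ("--------")
    attrs: str            # e.g. "d-sh--w-"; letters checked by membership only
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_or_system(self) -> bool:
        return "h" in self.attrs or "s" in self.attrs


@dataclass
class RunEntry:
    name: str
    path: str
    date: str
    size: int


@dataclass
class Finding:
    path: str
    reason: str


def parse_file_entries(text: str) -> List[FileEntry]:
    """Return one FileEntry per line that matches the file-listing format; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            out.append(FileEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return out


def parse_run_entries(text: str) -> List[RunEntry]:
    """Return RunEntry records for "name"="path" [date size] lines; bare "x"= lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            out.append(RunEntry(m["name"], m["path"], m["date"], int(m["size"])))
    return out


EXEC_EXT = (".exe", ".scr", ".pif", ".bat", ".com", ".sys", ".dll")
HEX_SYS = re.compile(r"^[0-9a-f]{8,}\.sys$", re.IGNORECASE)
USER_WRITABLE = ("\\desktop\\", "\\temp\\", "\\application data\\", "\\local settings\\")


def triage_files(entries: List[FileEntry]) -> List[Finding]:
    """Review cues only: a finding means 'look at this first', not 'this is malicious'."""
    findings = []
    for e in entries:
        lower = e.path.lower()
        parent, _, name = lower.rpartition("\\")
        if e.hidden_or_system:
            findings.append(Finding(e.path, f"hidden/system attributes ({e.attrs}); confirm it is a known OS or licensing file"))
        if not e.is_dir and name.endswith(EXEC_EXT) and parent == "c:\\windows":
            findings.append(Finding(e.path, "executable-type file directly in c:\\windows"))
        if HEX_SYS.match(name):
            findings.append(Finding(e.path, "driver with a random-looking hex name"))
    return findings


def triage_run(entries: List[RunEntry]) -> List[Finding]:
    """Flag autostart entries whose target lives in a user-writable location."""
    return [Finding(e.path, f"Run entry '{e.name}' launches from a user-writable folder")
            for e in entries if any(marker in e.path.lower() for marker in USER_WRITABLE)]


if __name__ == "__main__":
    for f in triage_files(parse_file_entries(FILE_SAMPLE)) + triage_run(parse_run_entries(RUN_SAMPLE)):
        print(f"{f.path}\n    -> {f.reason}")
```

The hidden/system cue is deliberately the weakest one: in the log above the two `--sha-` files in system32 were left alone by the helper, so a hit there is a prompt to identify the file, not a verdict. The cues that did correspond to removals in this thread are the c:\windows root executables and the hex-named driver.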


#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:32 PM

Posted 06 September 2010 - 06:06 PM

Hello, PJack.

OK, let's tempt fate and plug it into the internet. Thanks for the zip file, I'll pass that along.



Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 21 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.



Step 2

You are using an outdated version of Adobe Reader. Adobe Reader has since been updated, and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.

Please download the latest version from:
http://get.adobe.com/reader/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.


You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Step 3

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

Please download TFC by OldTimer and save it to your desktop.
alternate download link

  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista or Windows 7, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.




Step 4

Please go to the Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Note: Kaspersky online scan may take time to complete, please be patient.



Step 5

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 6

Please post a fresh DDS log after all the above.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#11 PJack

PJack
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:32 PM

Posted 06 September 2010 - 08:38 PM

Hi. I am still unable to get on the internet.
I had run a Java removal tool in the past (before posting) so I think all versions had been removed. There is one entry in the Add/Remove Programs with Java in the title. When I try to remove it, I get a message saying 'fatal error during installation'. I thought maybe that entry was just a leftover registry entry, so I tried to install jre-6u21-windows-i586.exe. After double-clicking on the file, it says it is installing, but I don't get a 'successfully completed installation' message or anything like that. I do not see Java listed in Add/Remove Programs after rebooting.

I successfully uninstalled all Adobe Reader programs and installed the latest version of the reader. I ran TFC to delete temp files and rebooted.
Since I could not get on the internet, I could not perform the online scan.

I was able to install Malwarebytes and ran the manual update. Here are the logs for Malwarebytes and DDS:

MalWareBytes:
============
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4526

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/6/2010 6:10:28 PM
mbam-log-2010-09-06 (18-10-28).txt

Scan type: Quick scan
Objects scanned: 152116
Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS log:
=============

DDS (Ver_10-03-17.01) - NTFSx86
Run by Mark Currier at 18:27:51.51 on Mon 09/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.203 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Mark Currier\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AutorunsDisabled - No File
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\mark currier\desktop\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-9-6 38224]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-20 135664]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2006-7-22 18864]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-6-21 30192]
S3 HDDirect;Hard Disk Direct Control;c:\windows\system32\drivers\hddirect.sys [2010-8-17 12552]
S4 Updatesrv;BitDefender Desktop Update Service;c:\program files\bitdefender\bitdefender 2011\updatesrv.exe /service --> c:\program files\bitdefender\bitdefender 2011\updatesrv.exe [?]

=============== Created Last 30 ================

2010-09-07 00:51:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-07 00:50:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-07 00:50:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-06 22:36:36 0 d-sha-r- C:\cmdcons
2010-09-06 20:17:47 256512 ----a-w- c:\windows\PEV.exe
2010-09-06 20:17:29 0 ----a-w- c:\documents and settings\mark currier\?????
2010-08-28 03:01:14 0 ----a-w- c:\documents and settings\mark currier\defogger_reenable
2010-08-28 02:45:58 625466368 ----a-w- C:\Backup.bkf
2010-08-28 02:16:54 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-08-27 03:33:34 68608 ----a-w- c:\windows\system32\dllcache\plugin.ocx
2010-08-26 05:39:11 0 d-----w- C:\SysClean
2010-08-25 03:16:53 0 d-----w- c:\documents and settings\mark currier\DoctorWeb
2010-08-25 02:53:53 0 d-----w- c:\program files\Smart Virus Remover
2010-08-24 01:24:22 98816 ----a-w- c:\windows\sed.exe
2010-08-24 01:24:22 77312 ----a-w- c:\windows\mbr.exe
2010-08-24 01:24:22 161792 ----a-w- c:\windows\swreg.exe
2010-08-24 00:55:07 99422780 ----a-w- C:\MyReg.reg
2010-08-23 05:28:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-22 18:47:52 0 d-----w- C:\_OTL
2010-08-22 18:40:33 0 d-----w- c:\windows\system32\CatRoot2
2010-08-20 07:37:34 0 ----a-w- c:\windows\system32\imblacklist.dat
2010-08-20 07:29:17 415 ----a-w- c:\windows\system32\user_gensett.xml
2010-08-20 07:23:08 0 d-----w- c:\program files\BitDefender
2010-08-20 07:06:12 0 d-----w- c:\docume~1\markcu~1\applic~1\QuickScan
2010-08-20 07:05:29 0 d-----w- c:\program files\common files\BitDefender
2010-08-20 07:05:29 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-08-20 07:04:40 327368 ------w- c:\windows\system32\drivers\bdfsfltr.sys
2010-08-20 07:04:37 525234 ----a-w- c:\docume~1\alluse~1\applic~1\bdinstall.bin
2010-08-20 05:39:21 0 d--h--w- c:\windows\PIF
2010-08-18 06:25:34 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-08-18 06:25:30 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-08-18 06:25:27 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-08-18 06:25:23 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-08-18 06:25:19 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-08-18 06:25:14 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2010-08-18 06:25:13 28288 ----a-w- c:\windows\system32\dllcache\xjis.nls
2010-08-18 06:25:10 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-08-18 06:25:09 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-08-18 06:25:07 19328 ----a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-08-18 06:25:06 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-08-18 06:25:05 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-08-18 06:23:56 86073 ----a-w- c:\windows\system32\dllcache\voicesub.dll
2010-08-18 06:22:58 94720 ----a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-08-18 06:21:57 315520 ----a-w- c:\windows\system32\dllcache\trid3d.dll
2010-08-18 06:20:58 172768 ----a-w- c:\windows\system32\dllcache\t2r4disp.dll
2010-08-18 06:19:59 106584 ----a-w- c:\windows\system32\dllcache\spdports.dll
2010-08-18 06:18:58 28160 ----a-w- c:\windows\system32\dllcache\sm91w.dll
2010-08-18 06:17:59 386560 ----a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-08-18 06:16:58 210496 ----a-w- c:\windows\system32\dllcache\s3mvirge.dll
2010-08-18 06:15:55 19584 ----a-w- c:\windows\system32\dllcache\rasirda.sys
2010-08-18 06:11:13 70144 ----a-w- c:\windows\system32\dllcache\pintlphr.exe
2010-08-18 06:11:13 53760 ----a-w- c:\windows\system32\dllcache\pintlcsd.dll
2010-08-18 06:11:13 482304 ----a-w- c:\windows\system32\dllcache\pintlgnt.ime
2010-08-18 06:11:12 175104 ----a-w- c:\windows\system32\dllcache\pintlcsa.dll
2010-08-18 06:11:09 79360 ----a-w- c:\windows\system32\dllcache\phon.ime
2010-08-18 06:11:09 121344 ----a-w- c:\windows\system32\dllcache\phvfwext.dll
2010-08-18 06:11:06 19840 ----a-w- c:\windows\system32\dllcache\philtune.sys
2010-08-18 06:11:03 92416 ----a-w- c:\windows\system32\dllcache\phildec.sys
2010-08-18 06:11:00 173696 ----a-w- c:\windows\system32\dllcache\philcam2.sys
2010-08-18 06:09:59 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys
2010-08-18 06:08:58 39264 ----a-w- c:\windows\system32\dllcache\neo20xx.sys
2010-08-18 06:07:59 49024 ----a-w- c:\windows\system32\dllcache\mstape.sys
2010-08-18 06:06:58 58880 ----a-w- c:\windows\system32\dllcache\m3092dc.dll
2010-08-18 06:05:58 8192 ----a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-08-18 06:04:59 100992 ----a-w- c:\windows\system32\dllcache\icam5usb.sys
2010-08-18 06:03:59 542879 ----a-w- c:\windows\system32\dllcache\hsf_msft.sys
2010-08-18 06:02:59 15104 ----a-w- c:\windows\system32\dllcache\hidir.sys
2010-08-18 06:01:59 7168 ----a-w- c:\windows\system32\dllcache\f3ahvoas.dll
2010-08-18 06:00:59 455199 ----a-w- c:\windows\system32\dllcache\el985n51.sys
2010-08-18 05:59:58 65622 ----a-w- c:\windows\system32\dllcache\digiasyn.dll
2010-08-18 05:58:59 91264 ----a-w- c:\windows\system32\dllcache\cirrus.dll
2010-08-18 05:57:59 18432 ----a-w- c:\windows\system32\dllcache\bdaplgin.ax
2010-08-18 05:56:59 19456 ----a-w- c:\windows\system32\dllcache\agt0404.dll
2010-08-18 04:18:29 0 d-----w- c:\docume~1\markcu~1\applic~1\SUPERAntiSpyware.com
2010-08-18 04:18:29 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-18 04:01:21 12552 ----a-w- c:\windows\system32\drivers\hddirect.sys
2010-08-17 06:00:54 78848 ----a-w- c:\windows\system32\msiexec.exe
2010-08-17 06:00:54 78848 ----a-w- c:\windows\system32\dllcache\msiexec.exe
2010-08-17 05:49:32 2890240 ----a-w- c:\windows\system32\msi.dll
2010-08-17 05:49:32 2890240 ----a-w- c:\windows\system32\dllcache\msi.dll
2010-08-16 02:07:37 0 d-----w- C:\Sym_LoadPointDiag
2010-08-15 17:19:08 72192 ----a-w- c:\windows\system32\taskkill.exe
2010-08-15 05:43:09 7302 ----a-w- c:\windows\system32\rrt_vf.wav
2010-08-15 05:43:09 7148 ----a-w- c:\windows\system32\rrt_tv.wav
2010-08-15 05:43:09 6282 ----a-w- c:\windows\system32\rrt_tn.wav
2010-08-15 05:43:09 16244 ----a-w- c:\windows\system32\rrt_is.wav
2010-08-15 02:43:40 0 d-----w- c:\docume~1\markcu~1\applic~1\Malwarebytes
2010-08-13 21:57:05 0 d-----w- c:\docume~1\markcu~1\applic~1\Simply Super Software
2010-08-12 20:26:23 0 d-----w- c:\windows\pss
2010-08-11 22:06:05 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-08-11 22:06:05 14848 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-08-11 22:05:55 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-08-11 22:05:55 24576 ----a-w- c:\windows\system32\dllcache\kbdclass.sys
2010-08-11 21:46:38 0 d-----w- c:\windows\system32\NtmsData
2010-08-11 20:47:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-11 16:53:43 0 d-----w- c:\program files\Trojan Remover
2010-08-11 16:53:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software

==================== Find3M ====================

2010-08-20 07:04:48 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-07-08 17:37:14 101544 ----a-w- c:\program files\common files\LinkInstaller.exe

============= FINISH: 18:28:20.93 ===============


Thanks for all your help so far. I await your next instructions.

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:32 PM

Posted 08 September 2010 - 04:51 PM

Sorry for the delay. Let's work on the internet connection first; then we can deal with Java.

Some questions:
  1. Can you connect to the internet from another computer hooked to your network? (I assume that's how you are replying, but you could be using a cell phone connection or going offsite).
  2. Are you using a router? Try plugging your computer directly into the cable/DSL modem and reboot the sick computer. Can you access the internet then?
  3. Click Start --> Control Panel --> Network and Internet Connections --> Internet Settings. You should see at least one icon there saying "Local Internet Connection". Is it "enabled", "disabled", "not connected" or "internet cable unplugged"?


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#13 PJack

PJack
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:32 PM

Posted 08 September 2010 - 10:57 PM

Hi. Thanks for the reply.
1. Yes. I can connect with another computer from my network.
2. No, I'm not using a router. The Cat5 is coming right from the modem to the back of the PC. I just switch the Cat5 cable between the 2 PCs for testing. When I do ipconfig /all I can see that the PC gets an IP address. But when I try any URL in the address bar, I get a "the address is not valid" message and the URL in the address bar shows as http;/// (3 slashes)

I can ping the sick PC by IP and another address on the network by IP, but I cannot ping yahoo.com

3. The Local Network Connection shows as 'Connected, Firewalled' when I have the Cat5 plugged into the sick machine. If I turn off the Firewall (only for a second!) and try to get to yahoo or google, I get the 'Internet Explorer cannot display the webpage' error.

In the past, I was able to get onto the internet briefly by using the 'netsh winsock reset catalog' command, rebooting and logging on as the same user. That command doesn't work anymore.

Also, during the netsh command, I get a message that says that I am missing help file napmontr.dll and dot3cfg.dll. I get this message now and back when the netsh command used to work for me.

I'm wondering if I need to go to Add/Remove Programs, then Add/Remove Windows Components and remove and then reinstall the 'Networking Services'. It currently shows as checkmarked, but with the shaded checkbox. This is how it appears on the working PC as well.

I have checked my Services and they look okay as follows:
Computer Browser Started, Automatic
DHCP Client Started, Automatic
DNS Client Started, Automatic
Network Connections Started, Automatic
Network Location Awareness Started, Automatic
Remote Procedure Call Started, Automatic
Server Started, Automatic
TCP/IP Netbios Helper Started, Automatic
Workstation Started, Automatic


#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:32 PM

Posted 09 September 2010 - 06:09 PM

OK, first things first. You may have already tried this, but let's reset IE8. Launch Internet Explorer. Press Alt-T to load the tools menu and select Internet Options. Click the Advanced Tab and select Reset. I'll leave it up to you if you check the box to clear all users settings or not...then press OK. Note if it reset everything OK, or if you got an "X" for anything. Once it's done, close and re-launch IE. Any luck there?

Also, what's your DNS server you're using? I can give instructions if you're not sure where to look.

Edited by etavares, 09 September 2010 - 06:10 PM.


 


#15 PJack

PJack
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:32 PM

Posted 09 September 2010 - 09:30 PM

Hi. I have done Reset on IE in the past. I just did it again, though, and I chose to not delete the personal settings. The reset completed successfully and I get the 'cannot display the page' error in IE after relaunching and trying to get to Google.
I have attached 2 pics to show my DNS settings. Hope that's what you're looking for.

Also, I checked to make sure that it was not using a proxy in IE. That's what it was doing before I got rid of (most of) the virus.
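The checks traded back and forth in posts #12 to #15 (does the adapter get an address, does name resolution work when ping-by-IP works, what does the Winsock catalog look like after the reset, is IE pointed at a proxy, are the core networking services running) can be gathered in one pass so the sick PC and the working PC can be compared line by line. The script below is an added example for that purpose; it is not from this thread and not part of any tool the posters used. It assumes Windows XP with reg.exe, sc.exe and netsh.exe available (all ship with XP) and is run from an account in the Administrators group; the report path and the hostname used for the resolution test are placeholders.

```batch
@echo off
REM netcheck.cmd - added example (not from the thread above): collect the
REM network state discussed in posts #12-#15 into one text report.
REM Assumptions: Windows XP, run from an Administrator command prompt,
REM report path below is a placeholder you can change.
setlocal
set REPORT=%USERPROFILE%\Desktop\netcheck.txt

echo ==== ipconfig /all (address, gateway, DNS servers) ==== > "%REPORT%"
ipconfig /all >> "%REPORT%" 2>&1

echo. >> "%REPORT%"
echo ==== Name resolution test (placeholder hostname) ==== >> "%REPORT%"
REM Ping by IP working while ping by name fails points at resolution,
REM not at the link; nslookup shows which server answered or timed out.
nslookup www.example.com >> "%REPORT%" 2>&1

echo. >> "%REPORT%"
echo ==== Winsock catalog (expect only Microsoft providers) ==== >> "%REPORT%"
REM Any provider DLL that is not a standard Microsoft one is worth
REM identifying before another "netsh winsock reset" is attempted.
netsh winsock show catalog >> "%REPORT%" 2>&1

echo. >> "%REPORT%"
echo ==== IE proxy settings for the current user ==== >> "%REPORT%"
set IESET=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
reg query "%IESET%" /v ProxyEnable   >> "%REPORT%" 2>&1
reg query "%IESET%" /v ProxyServer   >> "%REPORT%" 2>&1
reg query "%IESET%" /v AutoConfigURL >> "%REPORT%" 2>&1

echo. >> "%REPORT%"
echo ==== hosts file (only localhost entries are expected) ==== >> "%REPORT%"
type "%SystemRoot%\system32\drivers\etc\hosts" >> "%REPORT%" 2>&1

echo. >> "%REPORT%"
echo ==== Core networking services (name / state) ==== >> "%REPORT%"
REM Short service names for the services listed in post #13:
REM Browser=Computer Browser, Dhcp=DHCP Client, Dnscache=DNS Client,
REM Netman=Network Connections, Nla=Network Location Awareness,
REM RpcSs=Remote Procedure Call, lanmanserver=Server,
REM LmHosts=TCP/IP NetBIOS Helper, lanmanworkstation=Workstation
for %%S in (Browser Dhcp Dnscache Netman Nla RpcSs lanmanserver LmHosts lanmanworkstation) do (
    sc query %%S | findstr /C:"SERVICE_NAME" /C:"STATE" >> "%REPORT%" 2>&1
)

echo Report written to "%REPORT%"
endlocal
```

Run it on both machines and diff the two reports: a proxy value, an AutoConfigURL, a non-Microsoft entry in the Winsock catalog, or a hosts-file line beyond localhost that exists only on the sick PC narrows the search considerably, and each of those is something the thread's posts have already been probing by hand.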




