
Browser Redirect Trojan (related to Security Suite)


  • This topic is locked
8 replies to this topic

#1 arndeee

arndeee

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 12 September 2010 - 04:01 PM

Hi there everybody. I've been so impressed with the speed with which you guys have replied to other people; I really hope you can help me with this one. Thanks in advance.

Originally I was infected with Security Suite; I booted into safe mode, ran rkill, then MBAM and AVG and managed to weed out the vast majority of infected files. Now AVG finds nothing and MBAM finds the same couple of infected reg keys (I'll post log if required). The remaining problem is Google redirecting to junk sites (gomeo.co.uk; info.co.uk; other crap), with occasional pop-ups. This seems to have affected IE and Firefox, but not Chrome. I've uninstalled Firefox and associated toolbars and have run AVG Rootkit remover and TDSSKiller, with no luck (the problem persists).

I appreciate this is a common problem and that there are many others looking for help.

Thanks for your time guys.

-Andy

[DDS and GMER logs attached]

...Here's the DDS copy & pasted & the Attach.txt too...

Thanks!

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 17:06:18.04 on 12/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.588 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BandwidthMeter\BandwidthMeter.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Cobian Backup 10\Cobian.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [newsecureapp70700.exe] c:\documents and settings\owner\application data\8bfc02adf7415d833a6bb95cbe17a077\newsecureapp70700.exe
uRun: [{E7A2FD4B-56CA-796C-D5D7-957D8B497479}] "c:\documents and settings\owner\application data\icqu\cego.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [F5D7050v3] c:\program files\belkin\f5d7050v3\Belkinwcui.exe
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [WUG0902AP] CNYHKey.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\bandwi~1.lnk - c:\program files\bandwidthmeter\BandwidthMeter.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\wamasuwu.dll

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-9-11 3968]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-28 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-28 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-28 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-28 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2010-9-12 67584]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 grpd;grpd;c:\windows\system32\drivers\ckloy.sys --> c:\windows\system32\drivers\ckloy.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-20 136176]
S3 DCamUSB20;Hi-Speed USB DVD Creator;c:\windows\system32\drivers\CsMini20.sys [2010-7-9 46248]
S3 iadusb;Voyager 205 ADSL Router;c:\windows\system32\drivers\glauiad.sys [2007-12-15 30371]
S3 MapMem;MapMem;\??\d:\mapmem.sys --> d:\mapmem.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-4-21 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-4-21 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-4-21 40832]
S3 ulusba;NEC 616 Command Port Driver;c:\windows\system32\drivers\ulusba.sys [2005-12-23 25856]
S3 ulusbc;NEC 616 CONTROL Driver;c:\windows\system32\drivers\ulusbc.sys [2005-12-23 43264]
S3 ulusbe;NEC 616 ENUMERATION Driver;c:\windows\system32\drivers\ulusbe.sys [2005-12-23 12928]
S3 ulusbm;NEC 616 Modem Driver;c:\windows\system32\drivers\ulusbm.sys [2005-12-23 36352]
S3 ulusbo;NEC 616 OBEX Port Driver;c:\windows\system32\drivers\ulusbo.sys [2005-12-23 33920]

=============== Created Last 30 ================

2010-09-12 16:03:44 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-09-12 15:45:49 0 d-----w- c:\program files\Cobian Backup 10
2010-09-11 09:53:15 0 d-----w- C:\TDSSKiller_Quarantine
2010-09-11 01:32:01 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-09-11 01:04:33 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-09-10 19:44:32 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-09-10 19:44:17 0 d-----w- c:\program files\SUPERAntiSpyware
2010-09-10 15:43:16 26112 ----a-w- c:\windows\system32\stu2.exe
2010-09-10 15:33:53 1485 ----a-w- c:\windows\lsrslt.ini
2010-09-10 15:31:16 2838 ----a-w- c:\windows\igulowunika.dll
2010-08-19 12:49:38 0 d-----w- c:\docume~1\owner\applic~1\fltk.org
2010-08-18 02:48:16 2838 ----a-w- c:\windows\Ilamalanunevifoh.dat
2010-08-18 02:48:16 0 ----a-w- c:\windows\Dweditaqunuhogaj.bin
2010-08-18 02:47:22 2838 ----a-w- C:\zrpt.xml

==================== Find3M ====================

2010-09-11 10:56:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-09-10 17:53:04 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-09-10 15:43:13 31744 ----a-w- c:\windows\system32\userinit.exe
2010-08-18 18:44:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-17 07:04:53 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-17 07:04:49 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2007-06-26 17:31:04 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-29 19:02:08 32768 --sha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2010-02-19 13:42:54 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-09-23 17:55:47 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092320080924\index.dat
2010-02-19 13:42:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010012520100201\index.dat
2010-02-19 13:42:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010021920100220\index.dat

============= FINISH: 17:08:44.25 ===============

Merged posts removing redundant attachment. ~ OB

Edited by Orange Blossom, 12 September 2010 - 04:56 PM.
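The DDS report above carries several entries that a responder would pull out before anything else: a browser proxy set to 127.0.0.1:6092 (consistent with the search redirects the poster describes), an LSA Notification Packages value that lists a DLL beyond the stock scecli, two HKCU Run entries launching executables out of the user's Application Data (one of them from a 32-hex-character folder), and a boot-start driver (grpd / ckloy.sys) whose image DDS could not read. The following triage script is an added example written for this page; it is not code from the poster, from BleepingComputer, or from the DDS/HijackThis tools. It parses log lines in the DDS "Pseudo HJT" and HijackThis formats and flags those four indicator types. The sample lines are constructed from entries in this thread, the assumption that scecli is the only default LSA notification package applies to a stock Windows XP install, and every hit is a heuristic to review, not a verdict.

```python
"""Triage of DDS / HijackThis-style log lines (added example, not from the thread's tools).

Flags four indicator types seen in the logs posted in this thread:
  * a ProxyServer value pointing at loopback (search/redirect hijack pattern),
  * LSA Notification Packages beyond the assumed XP default "scecli",
  * HKCU Run entries launching binaries from the user's Application Data,
  * boot-start (start type 0) drivers whose image DDS marks as unreadable "[?]".
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: on a stock Windows XP install the only LSA notification package is scecli.
DEFAULT_LSA_PACKAGES = {"scecli"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)", re.I)
LSA_RE = re.compile(r"LSA:\s*Notification Packages\s*=\s*(.+)$", re.I)
# DDS "uRun:" and HijackThis "O4 - HKCU\..\Run:" both describe HKCU Run entries.
USER_RUN_RE = re.compile(r"^(?:uRun:|O4 - HKCU\\\.\.\\Run:)\s*\[[^\]]*\]\s*(.+)$", re.I)
# DDS service line: <R|S><start type> <name>;<display>;<path> [date size]  or  ... [?]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);[^;]*;(.+)$")
HEX_DIR_RE = re.compile(r"\\[0-9a-f]{32}\\", re.I)

# Constructed sample: a handful of lines copied in form from the DDS and HijackThis
# reports posted in this thread, including benign entries that must not be flagged.
SAMPLE_LOG = r"""
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [newsecureapp70700.exe] c:\documents and settings\owner\application data\8bfc02adf7415d833a6bb95cbe17a077\newsecureapp70700.exe
uRun: [{E7A2FD4B-56CA-796C-D5D7-957D8B497479}] "c:\documents and settings\owner\application data\icqu\cego.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
LSA: Notification Packages = scecli c:\windows\system32\wamasuwu.dll
R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
S0 grpd;grpd;c:\windows\system32\drivers\ckloy.sys --> c:\windows\system32\drivers\ckloy.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
"""


@dataclass
class Finding:
    kind: str
    detail: str
    line: str


def loopback_proxies(value: str) -> List[str]:
    """Return the host:port entries of a ProxyServer value that point at loopback."""
    hits = []
    for entry in value.split(";"):
        # entries look like "http=127.0.0.1:6092" or just "host:port"
        hostport = entry.split("=", 1)[-1].strip()
        if not hostport:
            continue
        host, _, port = hostport.rpartition(":") if ":" in hostport else (hostport, "", "?")
        if host.strip("[]").lower() in LOOPBACK_HOSTS:
            hits.append(f"{host}:{port}")
    return hits


def triage(log_text: str) -> List[Finding]:
    """Scan log lines and return the indicator hits; order follows the input."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := PROXY_RE.search(line):
            for hp in loopback_proxies(m.group(1)):
                findings.append(Finding("loopback-proxy", f"browser traffic forced through {hp}", line))
            continue
        if m := LSA_RE.search(line):
            # DDS joins the REG_MULTI_SZ with spaces; anything beyond the default is suspect.
            for pkg in (p for p in m.group(1).split() if p.lower() not in DEFAULT_LSA_PACKAGES):
                findings.append(Finding("lsa-notification-package", f"non-default package {pkg}", line))
            continue
        if m := USER_RUN_RE.match(line):
            target = m.group(1).strip().strip('"').lower()
            if "\\application data\\" in target:
                detail = "HKCU autostart from the user's Application Data"
                if HEX_DIR_RE.search(target):
                    detail += " in a 32-hex-character folder"
                findings.append(Finding("user-profile-autostart", detail, line))
            continue
        if m := SERVICE_RE.match(line):
            start_type, name, rest = m.group(2), m.group(3), m.group(4)
            if start_type == "0" and rest.rstrip().endswith("[?]"):
                findings.append(Finding("unreadable-boot-driver", f"boot-start driver {name} with unreadable image", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per indicator kind."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

Run against the constructed sample, the script reports the loopback proxy twice (once from the DDS line, once from the HijackThis line), the wamasuwu.dll notification package, the two Application Data autostarts, and the grpd driver, while leaving the ctfmon, AVG and SUPERAntiSpyware entries alone. A proxy entry is only one possible redirect mechanism; a clean ProxyServer value does not rule out a DNS or LSP-level hijack, so the hits here narrow the hunt rather than close it.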




#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:38 AM

Posted 18 September 2010 - 04:30 AM

Hello arndeee ,



Sorry for the delay. If you still need help, please post a new DDS/HijackThis log and I'll be happy to look at it.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 arndeee

arndeee
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 18 September 2010 - 05:59 AM

Hey Tea - thanks for your help! ^_^

Here's the DDS and HijackThis:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 11:31:16.68 on 18/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.844 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BandwidthMeter\BandwidthMeter.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [newsecureapp70700.exe] c:\documents and settings\owner\application data\8bfc02adf7415d833a6bb95cbe17a077\newsecureapp70700.exe
uRun: [{E7A2FD4B-56CA-796C-D5D7-957D8B497479}] "c:\documents and settings\owner\application data\icqu\cego.exe"
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [F5D7050v3] c:\program files\belkin\f5d7050v3\Belkinwcui.exe
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [WUG0902AP] CNYHKey.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\bandwi~1.lnk - c:\program files\bandwidthmeter\BandwidthMeter.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
LSA: Notification Packages = scecli c:\windows\system32\wamasuwu.dll

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-9-11 3968]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-28 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-28 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-28 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-28 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2010-9-12 67584]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
S0 grpd;grpd;c:\windows\system32\drivers\ckloy.sys --> c:\windows\system32\drivers\ckloy.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-20 136176]
S3 DCamUSB20;Hi-Speed USB DVD Creator;c:\windows\system32\drivers\CsMini20.sys [2010-7-9 46248]
S3 iadusb;Voyager 205 ADSL Router;c:\windows\system32\drivers\glauiad.sys [2007-12-15 30371]
S3 MapMem;MapMem;\??\d:\mapmem.sys --> d:\mapmem.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-4-21 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-4-21 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-4-21 40832]
S3 ulusba;NEC 616 Command Port Driver;c:\windows\system32\drivers\ulusba.sys [2005-12-23 25856]
S3 ulusbc;NEC 616 CONTROL Driver;c:\windows\system32\drivers\ulusbc.sys [2005-12-23 43264]
S3 ulusbe;NEC 616 ENUMERATION Driver;c:\windows\system32\drivers\ulusbe.sys [2005-12-23 12928]
S3 ulusbm;NEC 616 Modem Driver;c:\windows\system32\drivers\ulusbm.sys [2005-12-23 36352]
S3 ulusbo;NEC 616 OBEX Port Driver;c:\windows\system32\drivers\ulusbo.sys [2005-12-23 33920]

=============== Created Last 30 ================


==================== Find3M ====================

2010-09-11 10:56:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-09-10 17:53:04 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-09-10 15:43:13 31744 ----a-w- c:\windows\system32\userinit.exe
2010-09-10 13:45:11 2838 ----a-w- c:\windows\Ilamalanunevifoh.dat
2010-08-18 18:44:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 07:04:49 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2007-06-26 17:31:04 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-29 19:02:08 32768 --sha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2010-02-19 13:42:54 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-09-23 17:55:47 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092320080924\index.dat
2010-02-19 13:42:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010012520100201\index.dat
2010-02-19 13:42:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010021920100220\index.dat

============= FINISH: 11:32:45.01 ===============


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:56:46, on 18/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BandwidthMeter\BandwidthMeter.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [F5D7050v3] C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [WUG0902AP] CNYHKey.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [newsecureapp70700.exe] C:\Documents and Settings\Owner\Application Data\8BFC02ADF7415D833A6BB95CBE17A077\newsecureapp70700.exe
O4 - HKCU\..\Run: [{E7A2FD4B-56CA-796C-D5D7-957D8B497479}] "C:\Documents and Settings\Owner\Application Data\Icqu\cego.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Bandwidth Meter.lnk = C:\Program Files\BandwidthMeter\BandwidthMeter.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Cobian Backup 10 Volume Shadow Copy service (cbVSCService) - CobianSoft, Luis Cobian - C:\Program Files\Cobian Backup 10\cbVSCService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 8772 bytes


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 September 2010 - 07:28 AM

Hello,
You're welcome. :)

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to arndeee.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 arndeee

arndeee
  • Topic Starter

  • Members
  • 5 posts

Posted 18 September 2010 - 09:34 AM



Hey Tea - here's the ComboFix:

-Andy


ComboFix 10-09-17.04 - Owner 18/09/2010 15:12:12.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.884 [GMT 1:00]
Running from: C:\Documents and Settings\Owner\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate
C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\Flags.dtd
C:\Documents and Settings\All Users\Documents\Server\admin.txt
C:\Documents and Settings\All Users\Documents\Server\server.dat
C:\Documents and Settings\John\Local Settings\Application Data\{6FA297DF-B284-46A7-857B-CA5E7D8E1BB6}
C:\Documents and Settings\John\Local Settings\Application Data\{6FA297DF-B284-46A7-857B-CA5E7D8E1BB6}\chrome.manifest
C:\Documents and Settings\John\Local Settings\Application Data\{6FA297DF-B284-46A7-857B-CA5E7D8E1BB6}\chrome\content\_cfg.js
C:\Documents and Settings\John\Local Settings\Application Data\{6FA297DF-B284-46A7-857B-CA5E7D8E1BB6}\chrome\content\overlay.xul
C:\Documents and Settings\John\Local Settings\Application Data\{6FA297DF-B284-46A7-857B-CA5E7D8E1BB6}\install.rdf
C:\Documents and Settings\Owner\Application Data\Icqu\cego.exe
C:\Documents and Settings\Owner\Application Data\Microsoft\~DFKa270f40.tmp
C:\Documents and Settings\Owner\Application Data\Microsoft\1eaadjc.dll
C:\Documents and Settings\Owner\Application Data\Microsoft\bass.dll
C:\Documents and Settings\Owner\Application Data\Microsoft\kfgresk.dll
C:\Documents and Settings\Owner\Application Data\Microsoft\mjcriu.dll
C:\Documents and Settings\Owner\Application Data\Microsoft\peaadje.dll
C:\Documents and Settings\Owner\Application Data\Microsoft\qwadjb.dll
C:\Documents and Settings\Owner\Application Data\Microsoft\rsaadjd.dll
C:\Documents and Settings\Owner\Local Settings\Application Data\{53911F35-555F-4052-91D2-CD9CA013FC5D}
C:\Documents and Settings\Owner\Local Settings\Application Data\{53911F35-555F-4052-91D2-CD9CA013FC5D}\chrome.manifest
C:\Documents and Settings\Owner\Local Settings\Application Data\{53911F35-555F-4052-91D2-CD9CA013FC5D}\chrome\content\_cfg.js
C:\Documents and Settings\Owner\Local Settings\Application Data\{53911F35-555F-4052-91D2-CD9CA013FC5D}\chrome\content\overlay.xul
C:\Documents and Settings\Owner\Local Settings\Application Data\{53911F35-555F-4052-91D2-CD9CA013FC5D}\install.rdf
C:\Documents and Settings\Owner\Local Settings\Application Data\Windows Server
C:\Documents and Settings\Owner\Local Settings\Application Data\Windows Server\server.dat
C:\Documents and Settings\Owner\Start Menu\Programs\Antimalware Doctor
C:\Documents and Settings\Owner\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
C:\Program Files\WinPCap
C:\Program Files\WinPCap\rpcapd.exe
C:\WINDOWS\igulowunika.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\edapabus.ini
C:\WINDOWS\system32\esonibaz.ini
C:\WINDOWS\system32\ipipovab.ini
C:\WINDOWS\system32\load.exe
C:\WINDOWS\system32\omiruzum.ini
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\skinboxer43.dll
C:\WINDOWS\system32\uhumipow.ini
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
E:\Autorun.inf
G:\autorun.inf
G:\install.exe

Infected copy of C:\WINDOWS\system32\userinit.exe was found and disinfected
Restored copy from - C:\WINDOWS\ServicePackFiles\i386\userinit.exe

Infected copy of C:\WINDOWS\system32\winlogon.exe was found and disinfected
Restored copy from - C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

Infected copy of C:\WINDOWS\explorer.exe was found and disinfected
Restored copy from - C:\WINDOWS\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_PPTP64
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2010-08-18 to 2010-09-18 )))))))))))))))))))))))))))))))
.

2010-09-18 10:35:13 . 2010-09-18 10:35:13 -------- d-----w- C:\Program Files\Trend Micro
2010-09-15 12:55:07 . 2010-09-15 12:55:07 -------- d-----w- C:\temp\2A000000319C8EC00002DCD4E2D88EC0
2010-09-15 12:49:23 . 2010-09-15 12:49:34 -------- d-----w- C:\Documents and Settings\Owner\Local Settings\Application Data\Philips-Songbird
2010-09-15 12:49:23 . 2010-09-15 12:49:23 -------- d-----w- C:\Documents and Settings\Owner\Application Data\Philips-Songbird
2010-09-15 12:48:09 . 2010-09-15 14:09:27 -------- d-----w- C:\Program Files\Philips
2010-09-12 15:46:43 . 2010-09-12 15:46:43 -------- d-----w- C:\Documents and Settings\Owner\Local Settings\Application Data\Safe mirror
2010-09-12 15:45:49 . 2010-09-12 15:46:30 -------- d-----w- C:\Program Files\Cobian Backup 10
2010-09-11 11:40:57 . 2010-09-11 19:40:24 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Lavasoft
2010-09-11 09:53:15 . 2010-09-11 09:53:15 -------- d-----w- C:\TDSSKiller_Quarantine
2010-09-11 01:32:01 . 2010-05-21 13:14:28 221568 ------w- C:\WINDOWS\system32\MpSigStub.exe
2010-09-11 01:04:33 . 2007-01-18 12:00:28 3968 ----a-w- C:\WINDOWS\system32\drivers\AvgArCln.sys
2010-09-10 19:44:32 . 2010-09-10 19:44:32 -------- d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-10 19:44:17 . 2010-09-10 19:44:50 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-09-10 15:43:16 . 2008-04-14 00:12:38 26112 ----a-w- C:\WINDOWS\system32\stu2.exe
2010-09-10 13:30:00 . 2010-09-10 17:12:54 -------- d-----w- C:\Documents and Settings\Owner\Local Settings\Application Data\xonihxtoh
2010-08-31 17:49:56 . 2010-08-31 17:49:56 -------- d-----w- C:\Documents and Settings\Owner\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 10:55:26 . 2010-09-18 10:55:26 388096 ----a-r- C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-18 10:10:58 . 2010-02-03 04:15:54 0 ----a-w- C:\Documents and Settings\Owner\Local Settings\Application Data\prvlcl.dat
2010-09-11 19:47:13 . 2005-10-20 20:26:22 -------- d-----w- C:\Program Files\Google
2010-09-11 19:29:25 . 2007-06-30 06:03:08 -------- d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
2010-09-11 18:41:17 . 2007-10-25 02:37:59 -------- d-----w- C:\Documents and Settings\Owner\Application Data\Icqu
2010-09-11 15:10:34 . 2009-05-24 16:12:20 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-09-11 15:03:56 . 2008-04-16 17:29:27 -------- d-----w- C:\Documents and Settings\Owner\Application Data\Nowae
2010-09-11 15:03:44 . 2010-01-30 05:01:08 1324 ----a-w- C:\WINDOWS\system32\d3d9caps.dat
2010-09-11 10:56:54 . 2004-08-04 12:00:00 138496 ----a-w- C:\WINDOWS\system32\drivers\afd.sys
2010-09-10 17:53:04 . 2004-08-04 12:00:00 162816 ----a-w- C:\WINDOWS\system32\drivers\netbt.sys
2010-09-10 17:12:54 . 2006-04-11 14:06:00 -------- d-----w- C:\Documents and Settings\Owner\Application Data\Uppe
2010-09-10 15:43:24 . 2003-06-22 22:45:28 -------- d-----w- C:\Documents and Settings\Owner\Application Data\Myul
2010-09-10 13:45:11 . 2010-08-18 02:48:16 2838 ----a-w- C:\WINDOWS\Ilamalanunevifoh.dat
2010-09-10 13:34:15 . 2007-06-09 06:41:22 -------- d-----w- C:\Documents and Settings\Owner\Application Data\BitTorrent
2010-09-10 02:10:26 . 2010-08-18 02:48:16 0 ----a-w- C:\WINDOWS\Dweditaqunuhogaj.bin
2010-09-08 22:09:17 . 2009-08-02 16:21:28 -------- d-----w- C:\Documents and Settings\Owner\Application Data\Spotify
2010-08-26 03:03:20 . 2010-08-26 03:03:20 503808 ----a-w- C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-66681caf-n\msvcp71.dll
2010-08-26 03:03:20 . 2010-08-26 03:03:20 499712 ----a-w- C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-66681caf-n\jmc.dll
2010-08-26 03:03:20 . 2010-08-26 03:03:20 348160 ----a-w- C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-66681caf-n\msvcr71.dll
2010-08-26 03:03:14 . 2010-08-26 03:03:14 61440 ----a-w- C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1fe08e9d-n\decora-sse.dll
2010-08-26 03:03:14 . 2010-08-26 03:03:14 12800 ----a-w- C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1fe08e9d-n\decora-d3d.dll
2010-08-25 23:45:51 . 2010-02-01 16:30:27 37904 ----a-w- C:\Documents and Settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-25 04:01:38 . 2005-12-08 21:07:10 -------- d-----w- C:\Program Files\Lx_cats
2010-08-19 14:37:50 . 2010-03-29 13:01:32 -------- d-----w- C:\Documents and Settings\Owner\Application Data\Ytkyod
2010-08-19 12:49:38 . 2010-08-19 12:49:38 -------- d-----w- C:\Documents and Settings\Owner\Application Data\fltk.org
2010-08-18 22:02:49 . 2010-02-09 02:54:00 -------- d-----w- C:\Documents and Settings\Owner\Application Data\Ohriu
2010-08-18 18:44:37 . 2010-04-27 23:53:13 216400 ----a-w- C:\WINDOWS\system32\drivers\avgldx86.sys
2010-08-18 13:27:46 . 2010-02-02 13:52:53 -------- d-----w- C:\Documents and Settings\All Users\Application Data\avg9
2010-08-17 13:17:06 . 2004-08-04 12:00:00 58880 ----a-w- C:\WINDOWS\system32\spoolsv.exe
2010-08-12 18:06:51 . 2005-11-07 23:02:44 -------- d-----w- C:\Documents and Settings\Owner\Application Data\Apple Computer
2010-08-11 22:02:15 . 2010-08-11 22:02:15 503808 ----a-w- C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-229df620-n\msvcp71.dll
2010-08-11 22:02:15 . 2010-08-11 22:02:15 499712 ----a-w- C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-229df620-n\jmc.dll
2010-08-11 22:02:15 . 2010-08-11 22:02:15 348160 ----a-w- C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-229df620-n\msvcr71.dll
2010-08-11 22:02:07 . 2010-08-11 22:02:07 61440 ----a-w- C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-16e60ec7-n\decora-sse.dll
2010-08-11 22:02:07 . 2010-08-11 22:02:07 12800 ----a-w- C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-16e60ec7-n\decora-d3d.dll
2010-08-04 14:39:21 . 2010-08-04 14:39:21 -------- d-----w- C:\Program Files\iZotope
2010-08-04 14:39:21 . 2010-08-04 14:39:21 -------- d-----w- C:\Program Files\Common Files\iZotope
2010-07-31 19:46:52 . 2010-07-25 17:13:35 -------- d-----w- C:\Program Files\McAfee Security Scan
2010-07-26 14:54:21 . 2003-01-01 08:33:18 -------- d--h--w- C:\Program Files\InstallShield Installation Information
2010-07-25 17:13:49 . 2010-07-25 17:13:49 -------- d-----w- C:\Documents and Settings\All Users\Application Data\McAfee Security Scan
2010-07-22 15:49:15 . 2004-08-04 12:00:00 590848 ----a-w- C:\WINDOWS\system32\rpcrt4.dll
2010-07-22 05:57:20 . 2009-09-15 00:52:14 5120 ----a-w- C:\WINDOWS\system32\xpsp4res.dll
2010-07-17 07:04:53 . 2010-04-27 23:53:21 243024 ----a-w- C:\WINDOWS\system32\drivers\avgtdix.sys
2010-07-17 07:04:49 . 2010-07-17 07:04:49 12536 ----a-w- C:\WINDOWS\system32\avgrsstx.dll
2010-07-10 09:16:46 . 2005-10-16 16:57:36 37904 ----a-w- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-30 12:31:35 . 2004-08-04 12:00:00 149504 ----a-w- C:\WINDOWS\system32\schannel.dll
2010-06-29 08:12:11 . 2010-06-29 08:12:11 72504 ----a-w- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-24 12:22:03 . 2004-08-04 12:00:00 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
2010-06-23 13:44:04 . 2004-08-04 12:00:00 1851904 ----a-w- C:\WINDOWS\system32\win32k.sys
2010-06-21 15:27:11 . 2004-08-04 12:00:00 354304 ----a-w- C:\WINDOWS\system32\drivers\srv.sys
2009-04-15 20:24:54 . 2009-04-15 20:24:54 1044480 ----a-w- C:\Program Files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24:54 . 2009-04-15 20:24:54 200704 ----a-w- C:\Program Files\mozilla firefox\plugins\ssldivx.dll
2007-06-26 17:31:04 . 2006-05-31 18:27:57 848 --sha-w- C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-15 04:39:22 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 19:43:02 7630848]
"F5D7050v3"="C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-30 21:37:22 1654784]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 11:47:32 73728]
"nwiz"="nwiz.exe" [2006-08-11 19:43:00 1519616]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 19:43:04 86016]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 09:09:44 77824]
"C-Media Mixer"="Mixer.exe" [2002-07-12 16:33:12 1581056]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06:38 88363]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 11:43:18 248040]
"AVG9_TRAY"="C:\PROGRA~1\AVG\AVG9\avgtray.exe" [2010-07-17 07:04:56 2065760]
"WUG0902AP"="CNYHKey.exe" [2009-08-14 10:10:44 5575168]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2010-03-21 11:24:38 202256]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Bandwidth Meter.lnk - C:\Program Files\BandwidthMeter\BandwidthMeter.exe [2009-10-13 285184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 07:04:49 12536 ----a-w- C:\WINDOWS\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HallsLogon_All.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HallsLogon_All.exe
backup=C:\WINDOWS\pss\HallsLogon_All.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=C:\WINDOWS\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 17:58:30 856064 ----a-w- C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2008-09-06 14:35:53 342848 ----a-w- C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2002-07-12 16:33:12 1581056 ----a-w- C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12:16 15360 ----a-w- C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 15:33:44 141624 ----a-w- C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-01-18 17:07:54 196608 ----a-w- C:\Program Files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-08-11 19:43:02 7630848 ----a-w- C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-08-11 19:43:04 86016 ----a-w- C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-08-11 19:43:00 1519616 ----a-w- C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 21:16:10 421888 ----a-w- C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-03-25 03:28:02 144784 ----a-w- C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-05-18 13:18:34 68856 ----a-w- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-21 11:24:38 202256 ----a-w- C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 15:45:08 313472 ----a-r- C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"lxcf_device"=3 (0x3)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"C-DillaCdaC11BA"=2 (0x2)
"Bonjour Service"=2 (0x2)
"AVGEMS"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe Version Cue CS2"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcfPSWX.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Spotify\\spotify.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\drivers\avgldx86.sys [28/04/2010 00:53:13 216400]
R1 AvgTdiX;AVG Free Network Redirector;C:\WINDOWS\system32\drivers\avgtdix.sys [28/04/2010 00:53:21 243024]
R2 avg9emc;AVG Free E-mail Scanner;C:\Program Files\AVG\AVG9\avgemc.exe [28/04/2010 00:52:45 921952]
R2 avg9wd;AVG Free WatchDog;C:\Program Files\AVG\AVG9\avgwdsvc.exe [17/07/2010 08:04:45 308136]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;C:\Program Files\Cobian Backup 10\cbVSCService.exe [12/09/2010 16:46:27 67584]
S0 grpd;grpd;C:\WINDOWS\system32\drivers\ckloy.sys --> C:\WINDOWS\system32\drivers\ckloy.sys [?]
S1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS --> C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS --> C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [20/03/2010 16:34:35 136176]
S3 DCamUSB20;Hi-Speed USB DVD Creator;C:\WINDOWS\system32\drivers\CsMini20.sys [09/07/2010 21:58:28 46248]
S3 iadusb;Voyager 205 ADSL Router;C:\WINDOWS\system32\drivers\glauiad.sys [15/12/2007 19:29:34 30371]
S3 MapMem;MapMem;\??\D:\mapmem.sys --> D:\mapmem.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49:20 227232]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\drivers\motccgp.sys [21/04/2009 15:03:36 17920]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\drivers\motccgpfl.sys [21/04/2009 15:03:36 7680]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\drivers\motodrv.sys [21/04/2009 15:03:26 40832]
S3 ulusba;NEC 616 Command Port Driver;C:\WINDOWS\system32\drivers\ulusba.sys [23/12/2005 18:26:44 25856]
S3 ulusbc;NEC 616 CONTROL Driver;C:\WINDOWS\system32\drivers\ulusbc.sys [23/12/2005 18:21:58 43264]
S3 ulusbe;NEC 616 ENUMERATION Driver;C:\WINDOWS\system32\drivers\ulusbe.sys [23/12/2005 18:21:58 12928]
S3 ulusbm;NEC 616 Modem Driver;C:\WINDOWS\system32\drivers\ulusbm.sys [23/12/2005 18:22:27 36352]
S3 ulusbo;NEC 616 OBEX Port Driver;C:\WINDOWS\system32\drivers\ulusbo.sys [23/12/2005 18:26:24 33920]

--- Other Services/Drivers In Memory ---

*Deregistered* - DiskFilter
*Deregistered* - VolumeFilter
.
Contents of the 'Scheduled Tasks' folder

2010-09-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34:12 . 2008-07-30 12:34:12]

2010-09-18 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-03-20 15:34:35 . 2010-03-20 15:34:02]

2010-09-18 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-03-20 15:34:35 . 2010-03-20 15:34:02]

2010-09-17 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1401476835-2064584203-1526776667-1003Core.job
- C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-12 16:34:00 . 2010-06-15 04:39:22]

2010-09-18 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1401476835-2064584203-1526776667-1003UA.job
- C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-12 16:34:00 . 2010-06-15 04:39:22]

2010-09-18 C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1401476835-2064584203-1526776667-1003.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09:42 . 2010-02-24 22:09:42]

2010-09-17 C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1401476835-2064584203-1526776667-1003.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09:42 . 2010-02-24 22:09:42]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
SafeBoot-klmdb.sys
MSConfigStartUp-4oD - C:\Program Files\Kontiki\KHost.exe
MSConfigStartUp-AlarmWiz - C:\Program Files\AlarmWiz\alarmwiz.exe
MSConfigStartUp-AVG7_CC - C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-AVG8_TRAY - C:\PROGRA~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-kdx - C:\Program Files\Kontiki\KHost.exe
MSConfigStartUp-Qfudan - C:\WINDOWS\lonvud.dll
MSConfigStartUp-SpyHunter - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
AddRemove-Korg Legacy Collection v1.0.0.2 - C:\PROGRA~1\KORG\KORGLE~1\UNWISE.EXE
AddRemove-Steinberg Cubase SX v2.01 - C:\PROGRA~1\STEINB~1\CUBASE~1\UNWISE.EXE
AddRemove-{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA} - C:\Program Files\SUPERAntiSpyware\Uninstall.exe
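
The HijackThis O4 entries earlier in the thread and the ComboFix "Reg Loading Points" and "Supplementary Scan" sections above are what the helper reads by eye: which autoruns belong to installed software, which run from odd places, and what the browser's proxy setting points at. As an added example (not part of this thread, and not code from HijackThis, ComboFix or the Malware Response Team), the Python script below applies three review heuristics to a constructed excerpt of those log lines: a Run entry whose program lives inside a user profile data directory, a parent directory or Run value named with a bare hex string or GUID, and a per-user proxy setting that points back at the machine itself. The log lines are taken from this thread; the heuristics, their wording and the scoring are assumptions of mine, so the output is a review list for a human, not a verdict.

```python
import re
from typing import Dict, List

# Constructed excerpt: lines copied from the HijackThis and ComboFix logs in
# this thread, mixed with known-good entries, so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [newsecureapp70700.exe] C:\Documents and Settings\Owner\Application Data\8BFC02ADF7415D833A6BB95CBE17A077\newsecureapp70700.exe
O4 - HKCU\..\Run: [{E7A2FD4B-56CA-796C-D5D7-957D8B497479}] "C:\Documents and Settings\Owner\Application Data\Icqu\cego.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:6092
"""

# HijackThis "O4" Run-key entry: hive, value name in brackets, command line.
RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
# ComboFix "Supplementary Scan" line for the per-user IE proxy setting.
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer = (.*)$')
HEX_DIR_RE = re.compile(r'^[0-9A-Fa-f]{32}$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
LOOPBACK_RE = re.compile(r'(?:^|[=/])(?:127\.0\.0\.1|localhost)(?::\d+)?', re.IGNORECASE)
# Directory markers that place a program inside a user profile rather than
# Program Files or the Windows directory (XP and Vista+ layouts).
PROFILE_MARKERS = ('\\application data\\', '\\local settings\\', '\\appdata\\')


def program_path(cmd: str) -> str:
    """Pull the program path out of a Run-key command line: a quoted path is
    taken whole, a rundll32 host is skipped to its DLL, and an unquoted line
    is cut before the first " /" or " -" switch (heuristic, not a full parser)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return cmd[1:close] if close > 0 else cmd[1:]
    if cmd.lower().startswith('rundll32'):
        rest = cmd.split(None, 1)[1] if ' ' in cmd else ''
        return rest.split(',', 1)[0]
    return re.split(r'\s[-/]', cmd, maxsplit=1)[0]


def assess_run_entry(hive: str, name: str, cmd: str) -> List[str]:
    """Return the review reasons for one O4 entry (empty list = nothing odd).
    hive is unused by the heuristics; it is kept so RUN_RE's groups map 1:1."""
    reasons = []
    path = program_path(cmd)
    lowered = path.lower()
    dirs = [d for d in re.split(r'[\\/]', path)[:-1] if d]
    if any(marker in lowered for marker in PROFILE_MARKERS):
        reasons.append('program lives under a user profile data directory')
    if any(HEX_DIR_RE.match(d) or GUID_RE.match(d) for d in dirs):
        reasons.append('a parent directory is a bare hex string or GUID')
    if GUID_RE.match(name):
        reasons.append('Run value is named with a bare GUID')
    return reasons


def assess_proxy(proxy: str) -> List[str]:
    """A per-user proxy aimed at the local machine means some local process
    sits between the browser and the network; worth checking what listens there."""
    if LOOPBACK_RE.search(proxy):
        return ['browser traffic is routed through a proxy on this machine']
    return []


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; unflagged lines are omitted."""
    findings: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            reasons = assess_run_entry(*m.groups())
        else:
            m = PROXY_RE.match(line)
            reasons = assess_proxy(m.group(1)) if m else []
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == '__main__':
    # Entries with the most reasons first; a single reason is a weak signal
    # (per-user updaters such as Google Update legitimately live in the profile).
    for line, reasons in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -len(kv[1])):
        print(f'[{len(reasons)}] {line}')
        for reason in reasons:
            print(f'      - {reason}')
```

Run it as-is and the two entries ComboFix later deleted (the hex-named directory and the GUID-named Run value under Application Data) score two reasons each, Google Update scores one because per-user updaters genuinely install there, and the loopback proxy line is listed so someone can check what was listening on that port.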



#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 September 2010 - 03:20 PM

Hello,

How is it running now please? That should have taken care of a lot of it, but still some to do........

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Those old versions also take up a ton of space! Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please make sure MBAM is updated and have a run with it. Post the report in your reply also.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
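The Java clean-up above is done by hand through Add/Remove Programs. As an added check that is not part of the thread, the PowerShell snippet below reads the same Uninstall registry entries and flags any Java runtime still present that is older than the 6u21 build the post asks for. It assumes the JRE installer records DisplayVersion as "6.0.210" for 6u21 (an assumption; adjust the constant if your entries use a different form) and should be run from an elevated prompt.

```powershell
# Added example, not the thread's own instructions: enumerate Java entries
# from Add/Remove Programs and report which ones predate JRE 6 Update 21.
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the JRE 6u21 uninstall entry stores DisplayVersion as 6.0.210
# (major.minor.update followed by a trailing zero). Change if yours differs.
$CurrentJre = [version]'6.0.210'

$javaEntries = Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -match 'Java|J2SE' -and $_.DisplayName -notmatch 'Toolbar'
    }

if (-not $javaEntries) {
    Write-Output 'No Java entries found in Add/Remove Programs.'
    return
}

foreach ($entry in $javaEntries) {
    $parsedVersion = $null
    $ok = [version]::TryParse([string]$entry.DisplayVersion, [ref]$parsedVersion)

    # Unparseable versions are reported rather than silently treated as current.
    $status = if (-not $ok) {
        'UNKNOWN - check manually'
    } elseif ($parsedVersion -lt $CurrentJre) {
        'OLD - remove via Add/Remove Programs'
    } else {
        'current'
    }

    [pscustomobject]@{
        Name            = $entry.DisplayName
        DisplayVersion  = $entry.DisplayVersion
        Status          = $status
        UninstallString = $entry.UninstallString
    }
}
```

Re-run it after the reboot in the steps above; every row should then read "current" and nothing marked OLD should remain.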

#7 arndeee

arndeee
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:38 AM

Posted 20 September 2010 - 05:32 PM

Hey Tea - sorry it took a while to get back.

It seems to be fixed! The Google redirect is no more!

I got rid of the old versions of Java and installed the update.
Here's the MBAM log (it did, however, find 1 infection, which
it supposedly got rid of):

Thanks a lot,
-Andy


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/09/2010 23:20:07
mbam-log-2010-09-20 (23-20-07).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|)
Objects scanned: 376029
Time elapsed: 3 hour(s), 33 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir (Malware.Packer.Gen) -> No action taken.


#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:38 AM

Posted 23 September 2010 - 01:03 PM

Hi Andy,

Well I'm guilty too it seems, so no need to be sorry at all. Glad it's better. The file MBAM found is actually all right. Qoobox is created by ComboFix, and some of the bad files are renamed and stored there.

Since it's been a few days I'd like to have another run with ComboFix, but we'll have to update it. So delete the old one first, and don't forget to delete Qoobox as well. Reboot your computer, then download a fresh copy and have a run with it, please. Post the report in your reply and we'll then get rid of any remaining files/folders that need to go.

Thanks,
tea

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:38 AM

Posted 29 September 2010 - 02:13 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



