Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Trucar trojan?


  • This topic is locked This topic is locked
15 replies to this topic

#1 dlentz

dlentz

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:56 AM

Posted 02 October 2010 - 02:18 PM

This infection frequently hijacks my browser, redirecting to sites that are blocked by my anti-virus software. Also, there are frequent messages that explorer.exe must close. My internet is interrupted frequently.

You will notice that I replaced my hard drive 2 days ago, re-installing the OS and all software. The local disk is now the F drive.

I have had no luck removing this trojan and I would appreciate any help that you could lend. Thank you, and I look forward to hearing from you soon!! :-)


Doug Lentz



DDS (Ver_10-03-17.01) - NTFSx86
Run by Lentz at 13:29:45.48 on Sat 10/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2406 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
svchost.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Common Files\Java\Java Update\jusched.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
F:\Program Files\Pure Networks\Network Magic\nmapp.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\AGRSMMSG.exe
F:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
F:\Program Files\Alwil Software\Avast5\avastUI.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\SearchIndexer.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
F:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
F:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
F:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
F:\WINDOWS\System32\svchost.exe -k HTTPFilter
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Alwil Software\Avast5\AvastSvc.exe
F:\Documents and Settings\Lentz\Desktop\dds.scr
F:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://www.msn.com
BHO: {0407ccf6-b9f0-4f1c-b2c5-6771e6dc9cd9} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: 8056bb9f: {37e14f9f-6942-05ce-5adc-83fc74d40e43} -
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - f:\program files\search toolbar\SearchToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - f:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - f:\program files\search toolbar\SearchToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "f:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE f:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
mRun: [nmctxth] "f:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "f:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [NeroFilterCheck] f:\windows\system32\NeroCheck.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Acrobat Assistant 8.0] "f:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [avast5] "f:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - f:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - f:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - f:\program files\windows desktop search\WindowsSearch.exe
IE: Append to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - f:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.plattformad.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285910187937
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - f:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - f:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - f:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: f025ebca1018 - f:\windows\system32\cmpbk3232.dll
AppInit_DLLs: f:\windows\system32\cmpbk3232.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - f:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;f:\windows\system32\drivers\aswSP.sys [2010-10-1 165584]
R2 aswFsBlk;aswFsBlk;f:\windows\system32\drivers\aswFsBlk.sys [2010-10-1 17744]
R2 avast! Antivirus;avast! Antivirus;f:\program files\alwil software\avast5\AvastSvc.exe [2010-10-1 40384]
R2 vpnagent;Cisco AnyConnect VPN Agent;f:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]
R3 avast! Web Scanner;avast! Web Scanner;f:\program files\alwil software\avast5\AvastSvc.exe [2010-10-1 40384]
S2 gupdate;Google Update Service (gupdate);f:\program files\google\update\GoogleUpdate.exe [2010-10-1 136176]
S3 avast! Mail Scanner;avast! Mail Scanner;f:\program files\alwil software\avast5\AvastSvc.exe [2010-10-1 40384]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]

=============== Created Last 30 ================

2010-10-02 18:24:33 0 ----a-w- f:\documents and settings\lentz\defogger_reenable
2010-10-02 02:02:03 56 ---ha-w- f:\windows\system32\ezsidmv.dat
2010-10-02 01:01:35 0 d-----r- f:\program files\Skype
2010-10-01 22:56:26 107888 ----a-w- f:\windows\system32\CmdLineExt.dll
2010-10-01 22:14:03 189520 ----a-w- f:\windows\system32\drivers\tmcomm.sys
2010-10-01 22:00:35 0 d-----w- f:\windows\pss
2010-10-01 21:16:28 38 ----a-w- f:\windows\system32\20a5eccd
2010-10-01 21:05:54 69 ----a-w- f:\windows\NeroDigital.ini
2010-10-01 20:17:18 1901 ----a-w- f:\windows\GnuHashes.ini
2010-10-01 20:16:51 0 ---ha-w- f:\documents and settings\lentz\pienkacgtb.tmp
2010-10-01 20:10:08 149 --sha-w- f:\windows\system32\544586650
2010-10-01 20:10:07 1185 ----a-w- f:\windows\system32\6262966
2010-10-01 20:09:46 0 d-sh--w- f:\windows\system32\SysWoW32
2010-10-01 20:09:30 203776 --sh--w- f:\windows\system32\unrar.exe
2010-10-01 20:09:30 0 d-----w- f:\windows\system32\1108839597
2010-10-01 20:09:14 0 d-sh--w- f:\docume~1\lentz\applic~1\SysWin
2010-10-01 20:09:11 210944 ----a-w- f:\windows\system32\cmpbk3232.dll
2010-10-01 19:41:48 0 d-----w- f:\windows\system32\scripting
2010-10-01 19:41:47 0 d-----w- f:\windows\system32\en
2010-10-01 19:41:47 0 d-----w- f:\windows\system32\bits
2010-10-01 19:41:47 0 d-----w- f:\windows\l2schemas
2010-10-01 19:39:53 0 d-----w- f:\windows\network diagnostic
2010-10-01 18:59:22 0 d-----w- f:\windows\system32\URTTemp
2010-10-01 18:52:44 22328 ----a-w- f:\windows\system32\drivers\PnkBstrK.sys
2010-10-01 18:52:44 22328 ----a-w- f:\docume~1\lentz\applic~1\PnkBstrK.sys
2010-10-01 18:52:29 669184 ----a-w- f:\windows\system32\pbsvc.exe
2010-10-01 18:52:29 66872 ----a-w- f:\windows\system32\PnkBstrA.exe
2010-10-01 18:52:29 103736 ----a-w- f:\windows\system32\PnkBstrB.exe
2010-10-01 18:52:27 444776 ----a-w- f:\windows\system32\d3dx10_35.dll
2010-10-01 18:52:26 443752 ----a-w- f:\windows\system32\d3dx10_34.dll
2010-10-01 18:52:26 3727720 ----a-w- f:\windows\system32\d3dx9_35.dll
2010-10-01 18:52:26 1358192 ----a-w- f:\windows\system32\D3DCompiler_35.dll
2010-10-01 18:52:26 1124720 ----a-w- f:\windows\system32\D3DCompiler_34.dll
2010-10-01 18:52:25 3497832 ----a-w- f:\windows\system32\d3dx9_34.dll
2010-10-01 18:52:24 81768 ----a-w- f:\windows\system32\xinput1_3.dll
2010-10-01 18:33:51 0 d-----w- f:\program files\common files\Control Panels
2010-10-01 18:32:21 0 d-----w- f:\docume~1\alluse~1\applic~1\ALM
2010-10-01 18:24:33 2463976 ----a-w- f:\windows\system32\NPSWF32.dll
2010-10-01 18:24:33 190696 ----a-w- f:\windows\system32\NPSWF32_FlashUtil.exe
2010-10-01 18:19:55 0 d-----w- f:\program files\Bonjour
2010-10-01 18:16:28 0 d-----w- f:\program files\common files\Macrovision Shared
2010-10-01 17:48:22 49857 ------w- f:\windows\UNNMP.cfg
2010-10-01 17:48:21 2977792 ------w- f:\windows\UNNMP.exe
2010-10-01 17:46:37 155648 ----a-w- f:\windows\system32\NeroCheck.exe
2010-10-01 17:42:49 2973696 ------w- f:\windows\UNNeroVision.exe
2010-10-01 17:42:49 24064 ------w- f:\windows\system32\msxml3a.dll
2010-10-01 17:42:49 154568 ------w- f:\windows\UNNeroVision.cfg
2010-10-01 17:42:10 471040 ------w- f:\windows\system32\ImagXRA7.dll
2010-10-01 17:42:10 364544 ------w- f:\windows\system32\TwnLib4.dll
2010-10-01 17:42:09 476320 ------w- f:\windows\system32\ImagXpr7.dll
2010-10-01 17:42:09 262144 ------w- f:\windows\system32\ImagXR7.dll
2010-10-01 17:42:09 1568768 ------w- f:\windows\system32\ImagX7.dll
2010-10-01 17:42:08 38912 ------w- f:\windows\system32\picn20.dll
2010-10-01 17:42:08 106496 ----a-w- f:\windows\system32\TwnLib20.dll
2010-10-01 17:05:55 0 d-----r- f:\docume~1\lentz\applic~1\Brother
2010-10-01 17:05:03 419 ----a-w- f:\windows\BRWMARK.INI
2010-10-01 17:05:03 27 ----a-w- f:\windows\BRPP2KA.INI
2010-10-01 16:30:30 93 ----a-w- f:\windows\brpcfx.ini
2010-10-01 16:30:30 50 ----a-w- f:\windows\system32\bridf07a.dat
2010-10-01 16:30:30 225 ----a-w- f:\windows\Brpfx04a.ini
2010-10-01 16:30:06 54784 ----a-w- f:\windows\system32\brinsstr.dll
2010-10-01 16:30:02 9 ----a-w- f:\windows\Brfaxrx.ini
2010-10-01 16:30:01 73728 ------w- f:\windows\system32\BRCrypt.dll
2010-10-01 16:30:01 61440 ------w- f:\windows\system32\BrMfNt.dll
2010-10-01 16:30:01 163840 ------w- f:\windows\system32\NSSearch.dll
2010-10-01 16:30:01 131072 ----a-w- f:\windows\brunin03.dll
2010-10-01 16:30:01 106496 ------w- f:\windows\system32\BrMuSNMP.dll
2010-10-01 16:30:01 0 d-----w- f:\program files\Brother
2010-10-01 16:29:50 0 d-----w- f:\docume~1\alluse~1\applic~1\Brother
2010-10-01 16:00:14 0 d-----w- f:\docume~1\lentz\applic~1\Windows Desktop Search
2010-10-01 15:58:42 0 d-----w- f:\windows\system32\GroupPolicy
2010-10-01 15:58:42 0 d-----w- f:\program files\Windows Desktop Search
2010-10-01 15:32:19 38848 ----a-w- f:\windows\avastSS.scr
2010-10-01 15:32:16 0 d-----w- f:\docume~1\alluse~1\applic~1\Alwil Software
2010-10-01 14:53:48 0 d-----w- f:\program files\Pure Networks
2010-10-01 14:53:22 0 d-----w- f:\program files\WebEx
2010-10-01 14:52:37 25392 ----a-w- f:\windows\system32\drivers\pnarp.sys
2010-10-01 14:52:36 26672 ----a-w- f:\windows\system32\drivers\purendis.sys
2010-10-01 14:52:34 0 d-----w- f:\program files\common files\Pure Networks Shared
2010-10-01 14:52:24 0 d-----w- f:\docume~1\alluse~1\applic~1\Pure Networks
2010-10-01 14:41:22 274288 ----a-w- f:\windows\system32\mucltui.dll
2010-10-01 14:41:22 16736 ----a-w- f:\windows\system32\mucltui.dll.mui
2010-10-01 14:26:16 3255 ----a-w- f:\windows\system32\wbem\Outlook_01cb61749b99dce6.mof
2010-10-01 13:34:24 0 d-----w- f:\program files\VideoLAN
2010-10-01 12:45:38 423656 ----a-w- f:\windows\system32\deployJava1.dll
2010-10-01 12:35:25 221184 ----a-w- f:\windows\system32\wmpns.dll
2010-10-01 05:42:29 0 d-----w- f:\program files\Marvell
2010-10-01 05:34:30 0 d-----w- f:\program files\Realtek Sound Manager
2010-10-01 05:34:29 0 d-----w- f:\program files\AvRack
2010-10-01 05:33:27 0 d-----w- f:\program files\NVIDIA Corporation
2010-10-01 05:19:39 0 d-sh--w- f:\documents and settings\all users\DRM
2010-10-01 05:19:24 0 d--h--w- f:\program files\WindowsUpdate
2010-10-01 05:18:35 0 d-----w- f:\program files\common files\MSSoap
2010-10-01 05:17:25 0 d-----w- f:\program files\Online Services
2010-10-01 05:17:20 0 d-----w- f:\program files\Messenger
2010-10-01 05:17:17 0 d-----w- f:\program files\MSN Gaming Zone
2010-10-01 05:16:44 0 d-----w- f:\program files\Windows NT
2010-10-01 04:53:17 0 d-----w- f:\program files\LimeWire
2010-10-01 04:29:13 0 d-----w- f:\program files\Cisco
2010-10-01 04:29:11 0 d-----w- f:\docume~1\alluse~1\applic~1\Cisco
2010-10-01 04:06:24 0 d-----w- f:\program files\Web
2010-10-01 04:06:24 0 d-----w- f:\program files\Resources
2010-10-01 04:03:03 0 d-----w- f:\program files\Search Toolbar
2010-10-01 03:45:24 0 d-----w- f:\temp\ext256
2010-09-30 22:08:22 0 d-----w- f:\program files\common files\ODBC
2010-09-30 22:08:20 0 d-----w- f:\program files\common files\SpeechEngines
2010-09-30 22:07:53 0 d-----r- f:\documents and settings\all users\Documents

==================== Find3M ====================

2010-10-01 05:17:45 21640 ----a-w- f:\windows\system32\emptyregdb.dat
2010-10-01 05:16:57 60416 ----a-w- f:\windows\ALCFDRTM.EXE
2010-08-17 13:17:06 58880 ----a-w- f:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- f:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- f:\windows\system32\xpsp4res.dll

============= FINISH: 13:30:15.98 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:10:56 AM

Posted 08 October 2010 - 05:48 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 dlentz

dlentz
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:56 AM

Posted 09 October 2010 - 01:09 PM

Casey Boy, thanks for your response.

I have since run a scan with Malwarebytes, which has alleviated some of the symptoms. However, my computer freezes frequently and requires hard reboots.

Attached are new scan logs for DDS, GMER and my Malwarebytes log, (thought the malwarebytes log would be helpful).

Thank you for taking a look!

Doug




DDS (Ver_10-03-17.01) - NTFSx86
Run by Lentz at 22:17:19.29 on Fri 10/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2442 [GMT -5:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\Program Files\Alwil Software\Avast5\AvastSvc.exe
F:\WINDOWS\system32\spoolsv.exe
svchost.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\system32\SearchIndexer.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Alwil Software\Avast5\avastUI.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
F:\Documents and Settings\Lentz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://www.msn.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: 8056bb9f: {37e14f9f-6942-05ce-5adc-83fc74d40e43} -
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - f:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [Google Update] "f:\documents and settings\lentz\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [avast5] "f:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "f:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE f:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
mRun: [nmctxth] "f:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "f:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [NeroFilterCheck] f:\windows\system32\NeroCheck.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Acrobat Assistant 8.0] "f:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - f:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - f:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - f:\program files\windows desktop search\WindowsSearch.exe
IE: Append to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - f:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.plattformad.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285910187937
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - f:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - f:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - f:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - f:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;f:\windows\system32\drivers\aswSP.sys [2010-10-1 165584]
R2 aswFsBlk;aswFsBlk;f:\windows\system32\drivers\aswFsBlk.sys [2010-10-1 17744]
R2 avast! Antivirus;avast! Antivirus;f:\program files\alwil software\avast5\AvastSvc.exe [2010-10-1 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;f:\program files\alwil software\avast5\AvastSvc.exe [2010-10-1 40384]
R3 avast! Web Scanner;avast! Web Scanner;f:\program files\alwil software\avast5\AvastSvc.exe [2010-10-1 40384]
S2 gupdate;Google Update Service (gupdate);f:\program files\google\update\GoogleUpdate.exe [2010-10-1 136176]
S2 vpnagent;Cisco AnyConnect VPN Agent;f:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]

=============== Created Last 30 ================

2010-10-07 03:33:16 5632 ----a-w- f:\windows\system32\ptpusb.dll
2010-10-07 03:33:16 15104 -c--a-w- f:\windows\system32\dllcache\usbscan.sys
2010-10-07 03:33:16 15104 ----a-w- f:\windows\system32\drivers\usbscan.sys
2010-10-07 03:33:15 159232 ----a-w- f:\windows\system32\ptpusd.dll
2010-10-03 21:37:17 0 d-----w- f:\docume~1\lentz\applic~1\Malwarebytes
2010-10-03 21:37:11 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2010-10-03 21:37:10 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
2010-10-03 21:37:10 0 d-----w- f:\program files\Malwarebytes' Anti-Malware
2010-10-03 21:37:10 0 d-----w- f:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-02 18:24:33 0 ----a-w- f:\documents and settings\lentz\defogger_reenable
2010-10-02 02:02:03 56 ---ha-w- f:\windows\system32\ezsidmv.dat
2010-10-02 01:01:35 0 d-----r- f:\program files\Skype
2010-10-01 22:56:26 107888 ----a-w- f:\windows\system32\CmdLineExt.dll
2010-10-01 22:14:03 189520 ----a-w- f:\windows\system32\drivers\tmcomm.sys
2010-10-01 22:00:35 0 d-----w- f:\windows\pss
2010-10-01 21:16:28 38 ----a-w- f:\windows\system32\20a5eccd
2010-10-01 21:05:54 69 ----a-w- f:\windows\NeroDigital.ini
2010-10-01 20:16:51 0 ---ha-w- f:\documents and settings\lentz\pienkacgtb.tmp
2010-10-01 20:10:08 149 --sha-w- f:\windows\system32\544586650
2010-10-01 20:10:07 1185 ----a-w- f:\windows\system32\6262966
2010-10-01 20:09:30 203776 --sh--w- f:\windows\system32\unrar.exe
2010-10-01 20:09:30 0 d-----w- f:\windows\system32\1108839597
2010-10-01 19:41:48 0 d-----w- f:\windows\system32\scripting
2010-10-01 19:41:47 0 d-----w- f:\windows\system32\en
2010-10-01 19:41:47 0 d-----w- f:\windows\system32\bits
2010-10-01 19:41:47 0 d-----w- f:\windows\l2schemas
2010-10-01 19:39:53 0 d-----w- f:\windows\network diagnostic
2010-10-01 18:59:22 0 d-----w- f:\windows\system32\URTTemp
2010-10-01 18:52:44 22328 ----a-w- f:\windows\system32\drivers\PnkBstrK.sys
2010-10-01 18:52:44 22328 ----a-w- f:\docume~1\lentz\applic~1\PnkBstrK.sys
2010-10-01 18:52:29 669184 ----a-w- f:\windows\system32\pbsvc.exe
2010-10-01 18:52:29 66872 ----a-w- f:\windows\system32\PnkBstrA.exe
2010-10-01 18:52:29 103736 ----a-w- f:\windows\system32\PnkBstrB.exe
2010-10-01 18:52:27 444776 ----a-w- f:\windows\system32\d3dx10_35.dll
2010-10-01 18:52:26 443752 ----a-w- f:\windows\system32\d3dx10_34.dll
2010-10-01 18:52:26 3727720 ----a-w- f:\windows\system32\d3dx9_35.dll
2010-10-01 18:52:26 1358192 ----a-w- f:\windows\system32\D3DCompiler_35.dll
2010-10-01 18:52:26 1124720 ----a-w- f:\windows\system32\D3DCompiler_34.dll
2010-10-01 18:52:25 3497832 ----a-w- f:\windows\system32\d3dx9_34.dll
2010-10-01 18:52:24 81768 ----a-w- f:\windows\system32\xinput1_3.dll
2010-10-01 18:33:51 0 d-----w- f:\program files\common files\Control Panels
2010-10-01 18:32:21 0 d-----w- f:\docume~1\alluse~1\applic~1\ALM
2010-10-01 18:24:33 2463976 ----a-w- f:\windows\system32\NPSWF32.dll
2010-10-01 18:24:33 190696 ----a-w- f:\windows\system32\NPSWF32_FlashUtil.exe
2010-10-01 18:19:55 0 d-----w- f:\program files\Bonjour
2010-10-01 18:16:28 0 d-----w- f:\program files\common files\Macrovision Shared
2010-10-01 17:48:22 49857 ------w- f:\windows\UNNMP.cfg
2010-10-01 17:48:21 2977792 ------w- f:\windows\UNNMP.exe
2010-10-01 17:46:37 155648 ----a-w- f:\windows\system32\NeroCheck.exe
2010-10-01 17:42:49 2973696 ------w- f:\windows\UNNeroVision.exe
2010-10-01 17:42:49 24064 ------w- f:\windows\system32\msxml3a.dll
2010-10-01 17:42:49 154568 ------w- f:\windows\UNNeroVision.cfg
2010-10-01 17:42:10 471040 ------w- f:\windows\system32\ImagXRA7.dll
2010-10-01 17:42:10 364544 ------w- f:\windows\system32\TwnLib4.dll
2010-10-01 17:42:09 476320 ------w- f:\windows\system32\ImagXpr7.dll
2010-10-01 17:42:09 262144 ------w- f:\windows\system32\ImagXR7.dll
2010-10-01 17:42:09 1568768 ------w- f:\windows\system32\ImagX7.dll
2010-10-01 17:42:08 38912 ------w- f:\windows\system32\picn20.dll
2010-10-01 17:42:08 106496 ----a-w- f:\windows\system32\TwnLib20.dll
2010-10-01 17:05:55 0 d-----r- f:\docume~1\lentz\applic~1\Brother
2010-10-01 17:05:03 419 ----a-w- f:\windows\BRWMARK.INI
2010-10-01 17:05:03 27 ----a-w- f:\windows\BRPP2KA.INI
2010-10-01 16:30:30 93 ----a-w- f:\windows\brpcfx.ini
2010-10-01 16:30:30 50 ----a-w- f:\windows\system32\bridf07a.dat
2010-10-01 16:30:30 225 ----a-w- f:\windows\Brpfx04a.ini
2010-10-01 16:30:06 54784 ----a-w- f:\windows\system32\brinsstr.dll
2010-10-01 16:30:02 9 ----a-w- f:\windows\Brfaxrx.ini
2010-10-01 16:30:01 73728 ------w- f:\windows\system32\BRCrypt.dll
2010-10-01 16:30:01 61440 ------w- f:\windows\system32\BrMfNt.dll
2010-10-01 16:30:01 163840 ------w- f:\windows\system32\NSSearch.dll
2010-10-01 16:30:01 131072 ----a-w- f:\windows\brunin03.dll
2010-10-01 16:30:01 106496 ------w- f:\windows\system32\BrMuSNMP.dll
2010-10-01 16:30:01 0 d-----w- f:\program files\Brother
2010-10-01 16:29:50 0 d-----w- f:\docume~1\alluse~1\applic~1\Brother
2010-10-01 16:00:14 0 d-----w- f:\docume~1\lentz\applic~1\Windows Desktop Search
2010-10-01 15:58:42 0 d-----w- f:\windows\system32\GroupPolicy
2010-10-01 15:58:42 0 d-----w- f:\program files\Windows Desktop Search
2010-10-01 15:32:19 38848 ----a-w- f:\windows\avastSS.scr
2010-10-01 15:32:16 0 d-----w- f:\docume~1\alluse~1\applic~1\Alwil Software
2010-10-01 14:53:48 0 d-----w- f:\program files\Pure Networks
2010-10-01 14:53:22 0 d-----w- f:\program files\WebEx
2010-10-01 14:52:37 25392 ----a-w- f:\windows\system32\drivers\pnarp.sys
2010-10-01 14:52:36 26672 ----a-w- f:\windows\system32\drivers\purendis.sys
2010-10-01 14:52:34 0 d-----w- f:\program files\common files\Pure Networks Shared
2010-10-01 14:52:24 0 d-----w- f:\docume~1\alluse~1\applic~1\Pure Networks
2010-10-01 14:41:22 274288 ----a-w- f:\windows\system32\mucltui.dll
2010-10-01 14:41:22 16736 ----a-w- f:\windows\system32\mucltui.dll.mui
2010-10-01 14:26:16 3255 ----a-w- f:\windows\system32\wbem\Outlook_01cb61749b99dce6.mof
2010-10-01 13:34:24 0 d-----w- f:\program files\VideoLAN
2010-10-01 12:45:38 423656 ----a-w- f:\windows\system32\deployJava1.dll
2010-10-01 12:35:25 221184 ----a-w- f:\windows\system32\wmpns.dll
2010-10-01 05:42:29 0 d-----w- f:\program files\Marvell
2010-10-01 05:34:30 0 d-----w- f:\program files\Realtek Sound Manager
2010-10-01 05:34:29 0 d-----w- f:\program files\AvRack
2010-10-01 05:33:27 0 d-----w- f:\program files\NVIDIA Corporation
2010-10-01 05:19:39 0 d-sh--w- f:\documents and settings\all users\DRM
2010-10-01 05:19:24 0 d--h--w- f:\program files\WindowsUpdate
2010-10-01 05:18:35 0 d-----w- f:\program files\common files\MSSoap
2010-10-01 05:17:25 0 d-----w- f:\program files\Online Services
2010-10-01 05:17:20 0 d-----w- f:\program files\Messenger
2010-10-01 05:17:17 0 d-----w- f:\program files\MSN Gaming Zone
2010-10-01 05:16:44 0 d-----w- f:\program files\Windows NT
2010-10-01 04:53:17 0 d-----w- f:\program files\LimeWire
2010-10-01 04:29:13 0 d-----w- f:\program files\Cisco
2010-10-01 04:29:11 0 d-----w- f:\docume~1\alluse~1\applic~1\Cisco
2010-10-01 04:06:24 0 d-----w- f:\program files\Web
2010-10-01 04:06:24 0 d-----w- f:\program files\Resources
2010-10-01 04:03:03 0 d-----w- f:\program files\Search Toolbar
2010-10-01 03:45:24 0 d-----w- f:\temp\ext256
2010-09-30 22:08:22 0 d-----w- f:\program files\common files\ODBC
2010-09-30 22:08:20 0 d-----w- f:\program files\common files\SpeechEngines
2010-09-30 22:07:53 0 d-----r- f:\documents and settings\all users\Documents

==================== Find3M ====================

2010-10-01 05:17:45 21640 ----a-w- f:\windows\system32\emptyregdb.dat
2010-10-01 05:16:57 60416 ----a-w- f:\windows\ALCFDRTM.EXE
2010-08-17 13:17:06 58880 ----a-w- f:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- f:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- f:\windows\system32\xpsp4res.dll

============= FINISH: 22:17:38.46 ===============

Attached Files



#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:56 PM

Posted 09 October 2010 - 11:51 PM

Hello and welcome to Bleeping Computer. smile.gif

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


=====================================================


Did you install NVIDIA ForceWare Network Access Manager? Did you know that it's a firewall and it's known to create issues. Please check the links below:

http://forums.nvidia.com/index.php?showtopic=21455
http://www.techsupportalert.com/freeware-f...ss-manager.html


====================================================


1. Please go to Control Panel > Add Remove Program > and Uninstall the following programs:
  1. NVIDIA ForceWare Network Access Manager
  2. Search Toolbar



2. Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouseclick combofix's window while its running because it may call it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.



~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 dlentz

dlentz
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:56 AM

Posted 10 October 2010 - 12:54 AM

I have removed the software that you asked me to, search toolbar and the Network Tools. This is probably something that was installed along with the N Vidia drivers, but I cannot be sure.

The Combofix log file is below.


Thanks for you help!

Doug






ComboFix 10-10-09.04 - Lentz 10/10/2010 0:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2515 [GMT -5:00]
Running from: f:\documents and settings\Lentz\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Autorun.inf
f:\documents and settings\Administrator\Application Data\02000000d870f3721018C.manifest
f:\documents and settings\Administrator\Application Data\02000000d870f3721018O.manifest
f:\documents and settings\Administrator\Application Data\02000000d870f3721018P.manifest
f:\documents and settings\Administrator\Application Data\02000000d870f3721018S.manifest
f:\documents and settings\Lentz\Application Data\02000000d870f3721018C.manifest
f:\documents and settings\Lentz\Application Data\02000000d870f3721018O.manifest
f:\documents and settings\Lentz\Application Data\02000000d870f3721018P.manifest
f:\documents and settings\Lentz\Application Data\02000000d870f3721018S.manifest
f:\windows\system32\1108839597
f:\windows\system32\unrar.exe

.
((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
.

2010-10-01 04:33 . 2010-10-01 04:33 -------- d-----r- F:\MSOCache
2010-10-01 03:45 . 2010-10-01 03:45 -------- d-----w- F:\temp
2010-09-30 22:08 . 2010-10-10 05:39 -------- d-----r- F:\Program Files
2010-09-30 22:01 . 2010-10-01 21:59 -------- d-----w- F:\Documents and Settings

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="f:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2010-10-01 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="f:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "f:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=f:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=f:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=f:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2006-10-23 04:24 620152 ----a-w- f:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 14:06 88363 ----a-w- f:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- f:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- f:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
2009-07-08 07:53 472112 ----a-w- f:\program files\Pure Networks\Network Magic\nmapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2009-07-07 19:48 647216 ----a-w- f:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-02-20 06:19 7405568 ----a-w- f:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-02-20 06:19 86016 ----a-w- f:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-02-20 06:19 1519616 ----a-w- f:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-04-15 03:01 77824 ----a-w- f:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- f:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vpnagent"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"nSvcLog"=2 (0x2)
"nmservice"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"gupdate"=2 (0x2)
"ForcewareWebInterface"=2 (0x2)
"ForceWare Intelligent Application Manager (IAM)"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"f:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"f:\\WINDOWS\\system32\\PnkBstrA.exe"=
"f:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"f:\\Documents and Settings\\Lentz\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;aswSP;f:\windows\system32\drivers\aswSP.sys [10/1/2010 10:32 AM 165584]
R2 aswFsBlk;aswFsBlk;f:\windows\system32\drivers\aswFsBlk.sys [10/1/2010 10:32 AM 17744]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S4 gupdate;Google Update Service (gupdate);f:\program files\Google\Update\GoogleUpdate.exe [10/1/2010 10:32 AM 136176]
S4 vpnagent;Cisco AnyConnect VPN Agent;f:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/17/2009 5:32 PM 497856]
.
Contents of the 'Scheduled Tasks' folder

2010-10-09 f:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- f:\program files\Google\Update\GoogleUpdate.exe [2010-10-01 15:32]

2010-10-10 f:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- f:\program files\Google\Update\GoogleUpdate.exe [2010-10-01 15:32]

2010-10-10 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-484061587-839522115-1003Core.job
- f:\documents and settings\Lentz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-05 15:32]

2010-10-10 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-484061587-839522115-1003UA.job
- f:\documents and settings\Lentz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-05 15:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
IE: Append to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.plattformad.com/CACHE/stc/1/binaries/vpnweb.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{37E14F9F-6942-05CE-5ADC-83FC74D40E43} - (no file)


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(816)
f:\windows\system32\nvappfilter.dll
.
Completion time: 2010-10-10 00:49:38
ComboFix-quarantined-files.txt 2010-10-10 05:49

Pre-Run: 972,121,866,240 bytes free
Post-Run: 972,494,704,640 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F08D8182728DDB319DA39B0D4A30F3ED


#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:56 PM

Posted 10 October 2010 - 01:12 AM

We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
http://www.bleepingcomputer.com/forums/topic351158.html

Collect::
f:\documents and settings\lentz\pienkacgtb.tmp
f:\windows\system32\544586650
f:\windows\system32\6262966

Folder::
f:\program files\Search Toolbar

DirLook::
f:\program files\Web
f:\program files\Resources

DDS::
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Refering to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by sempai, 10 October 2010 - 01:12 AM.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 dlentz

dlentz
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:56 AM

Posted 10 October 2010 - 10:39 AM

Here is the Combo log:





ComboFix 10-10-09.06 - Lentz 10/10/2010 9:29.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2482 [GMT -5:00]
Running from: f:\documents and settings\Lentz\Desktop\ComboFix.exe
Command switches used :: f:\documents and settings\Lentz\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: f:\documents and settings\lentz\pienkacgtb.tmp
file zipped: f:\windows\system32\544586650
file zipped: f:\windows\system32\6262966
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\documents and settings\lentz\pienkacgtb.tmp
f:\windows\system32\544586650
f:\windows\system32\6262966

.
((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
.

2010-10-01 04:33 . 2010-10-01 04:33 -------- d-----r- F:\MSOCache
2010-10-01 03:45 . 2010-10-01 03:45 -------- d-----w- F:\temp
2010-09-30 22:08 . 2010-10-10 05:39 -------- d-----r- F:\Program Files
2010-09-30 22:01 . 2010-10-01 21:59 -------- d-----w- F:\Documents and Settings

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of f:\program files\Resources ----

2004-06-30 00:04 . 2004-06-30 00:04 5690 ----a-w- f:\program files\Resources\Themes\Royale.Theme
2004-06-17 07:32 . 2004-06-17 07:32 1347728 ----a-w- f:\program files\Resources\Themes\Royale\Royale.msstyles
2004-06-17 07:32 . 2004-06-17 07:32 372736 ----a-w- f:\program files\Resources\Themes\Royale\Shell\NormalColor\ShellStyle.dll

---- Directory of f:\program files\Web ----

2004-06-29 23:31 . 2004-06-29 23:31 387105 ----a-w- f:\program files\Web\Wallpaper\New Bliss.jpg


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="f:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2010-10-01 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="f:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "f:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=f:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=f:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=f:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=f:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2006-10-23 04:24 620152 ----a-w- f:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 14:06 88363 ----a-w- f:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- f:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- f:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
2009-07-08 07:53 472112 ----a-w- f:\program files\Pure Networks\Network Magic\nmapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2009-07-07 19:48 647216 ----a-w- f:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-02-20 06:19 7405568 ----a-w- f:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-02-20 06:19 86016 ----a-w- f:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-02-20 06:19 1519616 ----a-w- f:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-04-15 03:01 77824 ----a-w- f:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- f:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vpnagent"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"nSvcLog"=2 (0x2)
"nmservice"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"gupdate"=2 (0x2)
"ForcewareWebInterface"=2 (0x2)
"ForceWare Intelligent Application Manager (IAM)"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"f:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"f:\\WINDOWS\\system32\\PnkBstrA.exe"=
"f:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"f:\\Documents and Settings\\Lentz\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;aswSP;f:\windows\system32\drivers\aswSP.sys [10/1/2010 10:32 AM 165584]
R2 aswFsBlk;aswFsBlk;f:\windows\system32\drivers\aswFsBlk.sys [10/1/2010 10:32 AM 17744]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S4 gupdate;Google Update Service (gupdate);f:\program files\Google\Update\GoogleUpdate.exe [10/1/2010 10:32 AM 136176]
S4 vpnagent;Cisco AnyConnect VPN Agent;f:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/17/2009 5:32 PM 497856]
.
Contents of the 'Scheduled Tasks' folder

2010-10-10 f:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- f:\program files\Google\Update\GoogleUpdate.exe [2010-10-01 15:32]

2010-10-10 f:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- f:\program files\Google\Update\GoogleUpdate.exe [2010-10-01 15:32]

2010-10-10 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-484061587-839522115-1003Core.job
- f:\documents and settings\Lentz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-05 15:32]

2010-10-10 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-484061587-839522115-1003UA.job
- f:\documents and settings\Lentz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-05 15:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
IE: Append to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.plattformad.com/CACHE/stc/1/binaries/vpnweb.cab
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(816)
f:\windows\system32\nvappfilter.dll
.
Completion time: 2010-10-10 09:33:00
ComboFix-quarantined-files.txt 2010-10-10 14:33
ComboFix2.txt 2010-10-10 05:49

Pre-Run: 972,409,704,448 bytes free
Post-Run: 972,393,787,392 bytes free

- - End Of File - - 0C3D11FE33E43EF49F953FB08D58B6FE
Upload was successful


#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:56 PM

Posted 11 October 2010 - 07:54 AM

Hi,

How's the computer running now?


Please run Malwarebytes Anti-Malware. Go to update tab and download all updates and then perform a full scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 dlentz

dlentz
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:56 AM

Posted 11 October 2010 - 09:32 AM

It has been running well; hope that you were able to eradicate the problem!

MBAM log:



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4793

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/11/2010 9:28:23 AM
mbam-log-2010-10-11 (09-28-23).txt

Scan type: Full scan (E:\|F:\|)
Objects scanned: 400013
Time elapsed: 1 hour(s), 0 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:56 PM

Posted 11 October 2010 - 10:10 AM

Let's make sure that there's no more remnants.


I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 dlentz

dlentz
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:56 AM

Posted 11 October 2010 - 11:32 AM

The ESET scan found nothing, so there was not a text file to send to you.

#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:56 PM

Posted 11 October 2010 - 11:49 AM

That's great! Please run another DDS scan and post the new report for my final review. thumbup2.gif



~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#13 dlentz

dlentz
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:56 AM

Posted 11 October 2010 - 12:16 PM

Here it is; what do you think?



DDS (Ver_10-03-17.01) - NTFSx86
Run by Lentz at 12:08:55.76 on Mon 10/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2415 [GMT -5:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\Program Files\Alwil Software\Avast5\AvastSvc.exe
F:\WINDOWS\system32\spoolsv.exe
svchost.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\system32\SearchIndexer.exe
F:\Program Files\Google\Update\GoogleUpdate.exe
F:\Program Files\Alwil Software\Avast5\avastUI.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Pure Networks\Network Magic\nmapp.exe
F:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
F:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnui.exe
F:\WINDOWS\system32\mstsc.exe
F:\WINDOWS\System32\svchost.exe -k HTTPFilter
F:\Program Files\VideoLAN\VLC\vlc.exe
F:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
F:\WINDOWS\system32\SearchProtocolHost.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\system32\SearchProtocolHost.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Documents and Settings\Lentz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - f:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [AdobeUpdater] "f:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [avast5] "f:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: f:\docume~1\lentz\startm~1\programs\startup\limewi~1.lnk - f:\program files\limewire\LimeWire.exe
IE: Append to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - f:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.plattformad.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285910187937
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {EEF97DFD-A477-4851-A42D-D3A2C76C0C7B} = 10.75.33.6,10.75.33.7
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - f:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - f:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - f:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - f:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;f:\windows\system32\drivers\aswSP.sys [2010-10-1 165584]
R2 aswFsBlk;aswFsBlk;f:\windows\system32\drivers\aswFsBlk.sys [2010-10-1 17744]
R2 avast! Antivirus;avast! Antivirus;f:\program files\alwil software\avast5\AvastSvc.exe [2010-10-1 40384]
R2 vpnagent;Cisco AnyConnect VPN Agent;f:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]
S3 avast! Mail Scanner;avast! Mail Scanner;f:\program files\alwil software\avast5\AvastSvc.exe [2010-10-1 40384]
S3 avast! Web Scanner;avast! Web Scanner;f:\program files\alwil software\avast5\AvastSvc.exe [2010-10-1 40384]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S4 gupdate;Google Update Service (gupdate);f:\program files\google\update\GoogleUpdate.exe [2010-10-1 136176]

=============== Created Last 30 ================

2010-10-11 15:17:55 0 d-----w- f:\program files\ESET
2010-10-10 05:44:40 0 d-sha-r- F:\cmdcons
2010-10-10 05:43:33 98816 ----a-w- f:\windows\sed.exe
2010-10-10 05:43:33 77312 ----a-w- f:\windows\MBR.exe
2010-10-10 05:43:33 256512 ----a-w- f:\windows\PEV.exe
2010-10-10 05:43:33 161792 ----a-w- f:\windows\SWREG.exe
2010-10-09 12:40:27 0 d--h--w- f:\windows\PIF
2010-10-07 03:33:16 5632 ----a-w- f:\windows\system32\ptpusb.dll
2010-10-07 03:33:16 15104 -c--a-w- f:\windows\system32\dllcache\usbscan.sys
2010-10-07 03:33:16 15104 ----a-w- f:\windows\system32\drivers\usbscan.sys
2010-10-07 03:33:15 159232 ----a-w- f:\windows\system32\ptpusd.dll
2010-10-03 21:37:17 0 d-----w- f:\docume~1\lentz\applic~1\Malwarebytes
2010-10-03 21:37:11 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2010-10-03 21:37:10 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
2010-10-03 21:37:10 0 d-----w- f:\program files\Malwarebytes' Anti-Malware
2010-10-03 21:37:10 0 d-----w- f:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-02 18:24:33 0 ----a-w- f:\documents and settings\lentz\defogger_reenable
2010-10-02 02:02:03 56 ---ha-w- f:\windows\system32\ezsidmv.dat
2010-10-02 01:01:35 0 d-----r- f:\program files\Skype
2010-10-01 22:56:26 107888 ----a-w- f:\windows\system32\CmdLineExt.dll
2010-10-01 22:14:03 189520 ----a-w- f:\windows\system32\drivers\tmcomm.sys
2010-10-01 22:00:35 0 d-----w- f:\windows\pss
2010-10-01 21:16:28 38 ----a-w- f:\windows\system32\20a5eccd
2010-10-01 21:05:54 69 ----a-w- f:\windows\NeroDigital.ini
2010-10-01 19:41:48 0 d-----w- f:\windows\system32\scripting
2010-10-01 19:41:47 0 d-----w- f:\windows\system32\en
2010-10-01 19:41:47 0 d-----w- f:\windows\system32\bits
2010-10-01 19:41:47 0 d-----w- f:\windows\l2schemas
2010-10-01 19:39:53 0 d-----w- f:\windows\network diagnostic
2010-10-01 18:59:22 0 d-----w- f:\windows\system32\URTTemp
2010-10-01 18:52:44 22328 ----a-w- f:\windows\system32\drivers\PnkBstrK.sys
2010-10-01 18:52:44 22328 ----a-w- f:\docume~1\lentz\applic~1\PnkBstrK.sys
2010-10-01 18:52:29 669184 ----a-w- f:\windows\system32\pbsvc.exe
2010-10-01 18:52:29 66872 ----a-w- f:\windows\system32\PnkBstrA.exe
2010-10-01 18:52:29 103736 ----a-w- f:\windows\system32\PnkBstrB.exe
2010-10-01 18:52:27 444776 ----a-w- f:\windows\system32\d3dx10_35.dll
2010-10-01 18:52:26 443752 ----a-w- f:\windows\system32\d3dx10_34.dll
2010-10-01 18:52:26 3727720 ----a-w- f:\windows\system32\d3dx9_35.dll
2010-10-01 18:52:26 1358192 ----a-w- f:\windows\system32\D3DCompiler_35.dll
2010-10-01 18:52:26 1124720 ----a-w- f:\windows\system32\D3DCompiler_34.dll
2010-10-01 18:52:25 3497832 ----a-w- f:\windows\system32\d3dx9_34.dll
2010-10-01 18:52:24 81768 ----a-w- f:\windows\system32\xinput1_3.dll
2010-10-01 18:33:51 0 d-----w- f:\program files\common files\Control Panels
2010-10-01 18:32:21 0 d-----w- f:\docume~1\alluse~1\applic~1\ALM
2010-10-01 18:24:33 2463976 ----a-w- f:\windows\system32\NPSWF32.dll
2010-10-01 18:24:33 190696 ----a-w- f:\windows\system32\NPSWF32_FlashUtil.exe
2010-10-01 18:19:55 0 d-----w- f:\program files\Bonjour
2010-10-01 18:16:28 0 d-----w- f:\program files\common files\Macrovision Shared
2010-10-01 17:48:22 49857 ------w- f:\windows\UNNMP.cfg
2010-10-01 17:48:21 2977792 ------w- f:\windows\UNNMP.exe
2010-10-01 17:46:37 155648 ----a-w- f:\windows\system32\NeroCheck.exe
2010-10-01 17:42:49 2973696 ------w- f:\windows\UNNeroVision.exe
2010-10-01 17:42:49 24064 ------w- f:\windows\system32\msxml3a.dll
2010-10-01 17:42:49 154568 ------w- f:\windows\UNNeroVision.cfg
2010-10-01 17:42:10 471040 ------w- f:\windows\system32\ImagXRA7.dll
2010-10-01 17:42:10 364544 ------w- f:\windows\system32\TwnLib4.dll
2010-10-01 17:42:09 476320 ------w- f:\windows\system32\ImagXpr7.dll
2010-10-01 17:42:09 262144 ------w- f:\windows\system32\ImagXR7.dll
2010-10-01 17:42:09 1568768 ------w- f:\windows\system32\ImagX7.dll
2010-10-01 17:42:08 38912 ------w- f:\windows\system32\picn20.dll
2010-10-01 17:42:08 106496 ----a-w- f:\windows\system32\TwnLib20.dll
2010-10-01 17:05:55 0 d-----r- f:\docume~1\lentz\applic~1\Brother
2010-10-01 17:05:03 419 ----a-w- f:\windows\BRWMARK.INI
2010-10-01 17:05:03 27 ----a-w- f:\windows\BRPP2KA.INI
2010-10-01 16:30:30 93 ----a-w- f:\windows\brpcfx.ini
2010-10-01 16:30:30 50 ----a-w- f:\windows\system32\bridf07a.dat
2010-10-01 16:30:30 225 ----a-w- f:\windows\Brpfx04a.ini
2010-10-01 16:30:06 54784 ----a-w- f:\windows\system32\brinsstr.dll
2010-10-01 16:30:02 9 ----a-w- f:\windows\Brfaxrx.ini
2010-10-01 16:30:01 73728 ------w- f:\windows\system32\BRCrypt.dll
2010-10-01 16:30:01 61440 ------w- f:\windows\system32\BrMfNt.dll
2010-10-01 16:30:01 163840 ------w- f:\windows\system32\NSSearch.dll
2010-10-01 16:30:01 131072 ----a-w- f:\windows\brunin03.dll
2010-10-01 16:30:01 106496 ------w- f:\windows\system32\BrMuSNMP.dll
2010-10-01 16:30:01 0 d-----w- f:\program files\Brother
2010-10-01 16:29:50 0 d-----w- f:\docume~1\alluse~1\applic~1\Brother
2010-10-01 16:00:14 0 d-----w- f:\docume~1\lentz\applic~1\Windows Desktop Search
2010-10-01 15:58:42 0 d-----w- f:\windows\system32\GroupPolicy
2010-10-01 15:58:42 0 d-----w- f:\program files\Windows Desktop Search
2010-10-01 15:32:19 38848 ----a-w- f:\windows\avastSS.scr
2010-10-01 15:32:16 0 d-----w- f:\docume~1\alluse~1\applic~1\Alwil Software
2010-10-01 14:53:48 0 d-----w- f:\program files\Pure Networks
2010-10-01 14:53:22 0 d-----w- f:\program files\WebEx
2010-10-01 14:52:37 25392 ----a-w- f:\windows\system32\drivers\pnarp.sys
2010-10-01 14:52:36 26672 ----a-w- f:\windows\system32\drivers\purendis.sys
2010-10-01 14:52:34 0 d-----w- f:\program files\common files\Pure Networks Shared
2010-10-01 14:52:24 0 d-----w- f:\docume~1\alluse~1\applic~1\Pure Networks
2010-10-01 14:41:22 274288 ----a-w- f:\windows\system32\mucltui.dll
2010-10-01 14:41:22 16736 ----a-w- f:\windows\system32\mucltui.dll.mui
2010-10-01 14:26:16 3255 ----a-w- f:\windows\system32\wbem\Outlook_01cb61749b99dce6.mof
2010-10-01 13:34:24 0 d-----w- f:\program files\VideoLAN
2010-10-01 12:45:38 423656 ----a-w- f:\windows\system32\deployJava1.dll
2010-10-01 12:35:25 221184 ----a-w- f:\windows\system32\wmpns.dll
2010-10-01 05:42:29 0 d-----w- f:\program files\Marvell
2010-10-01 05:34:30 0 d-----w- f:\program files\Realtek Sound Manager
2010-10-01 05:34:29 0 d-----w- f:\program files\AvRack
2010-10-01 05:19:39 0 d-sh--w- f:\documents and settings\all users\DRM
2010-10-01 05:19:24 0 d--h--w- f:\program files\WindowsUpdate
2010-10-01 05:18:35 0 d-----w- f:\program files\common files\MSSoap
2010-10-01 05:17:25 0 d-----w- f:\program files\Online Services
2010-10-01 05:17:20 0 d-----w- f:\program files\Messenger
2010-10-01 05:17:17 0 d-----w- f:\program files\MSN Gaming Zone
2010-10-01 05:16:44 0 d-----w- f:\program files\Windows NT
2010-10-01 04:53:17 0 d-----w- f:\program files\LimeWire
2010-10-01 04:29:13 0 d-----w- f:\program files\Cisco
2010-10-01 04:29:11 0 d-----w- f:\docume~1\alluse~1\applic~1\Cisco
2010-10-01 04:06:24 0 d-----w- f:\program files\Web
2010-10-01 04:06:24 0 d-----w- f:\program files\Resources
2010-10-01 03:45:24 0 d-----w- f:\temp\ext256
2010-09-30 22:08:22 0 d-----w- f:\program files\common files\ODBC
2010-09-30 22:08:20 0 d-----w- f:\program files\common files\SpeechEngines
2010-09-30 22:07:53 0 d-----r- f:\documents and settings\all users\Documents

==================== Find3M ====================

2010-10-01 05:17:45 21640 ----a-w- f:\windows\system32\emptyregdb.dat
2010-10-01 05:16:57 60416 ----a-w- f:\windows\ALCFDRTM.EXE
2010-08-17 13:17:06 58880 ----a-w- f:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- f:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- f:\windows\system32\xpsp4res.dll

============= FINISH: 12:09:18.39 ===============

Attached Files



#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:56 PM

Posted 12 October 2010 - 04:39 AM

Hi,

That's a clean log. You're good to go.


=====================================================


Uninstall:
1. ComboFix
  • Click Start > Run > copy/paste the following bolded text into the Run box and click OK:
    ComboFix /Uninstall

2. ESET online scanner
  • Go to Control Panel > Add Remove Programs > locate and remove ESET Online Scanner.



Delete:
1. DDS
2. Gmer



Others:
  1. Please run defogger and click Enable button to enable your CD Emulation drivers. Reboot if ask.
  2. You can now delete defogger.



Clean-up with OTC:
  • Download OTC and save it to your desktop -> HERE
  • Double click the icon to start the program (Run as Administrator for Vista).
  • Click the clean-up button.
  • Select yes when "Being Cleanup Process" prompted.
  • Restart the computer when ask.



=====================================================



Your Log is Clean, please change all your offline and online passwords.

Take the time to read below to secure your machine and take the necessary steps to keep it Clean smile.gif


How to prevent malware

How to increase PC speed


Practice Safe Internet
One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:
  1. If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  2. If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  3. If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  4. If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  5. Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  6. Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  7. When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  8. Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  9. Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  10. DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.



Thanks,
Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#15 dlentz

dlentz
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:56 AM

Posted 12 October 2010 - 08:12 AM

Semp,

Thank you very much for everything; it is nice to have my computer back, running at normal speeds and with normal reliability.

You're awesome!!


Doug Lentz




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users