
Redirection of Firefox, and possible Trojan horse


This topic is locked
22 replies to this topic

#1 doctec50


Posted 10 October 2010 - 09:38 AM

Greetings,

Ahh, here I am again, hat in hand, eyes downcast, scratching at BleepingComputer's door.

Sad story short,

Last week I downloaded an update of COMODO, but failed to notice the need to reset the defense level, my bad. While merrily wandering about the web I got a warning about a nasty old Trojan Horse knocking at my door. Shut the browser down and ran AVG 9.0 and Malwarebytes.

AVG kicks out some tracking cookies, but Malwarebytes generates this log.


Attached File  mbam_log_2010_10_06__15_08_16_.txt   1.31KB   8 downloads

Since that time, while on Firefox, I get random pages opening and cannot use Google search; I get redirected to some pay site.

Also my boot seems different. After my desktop loads it resets itself, plus I keep getting a Win32 service error message (may or may not be related).


As a good little gnome I have attempted to retrieve the info needed for this post, but alas, when running the GMER log my machine either just stops or gets kicked out to the blue screen of death with a 000021A error code, bastard!

DDS info as follows

Attached File  DDS.txt   10.65KB   2 downloads



Attached File  Attach.txt   13.68KB   4 downloads


Please keep in mind that I am a practicing member of the great common unwashed of computer users and can't tell a Hot Boot from a rubber boot.

Since the Wizards at BleepingComputer have been so helpful in the past, I hope they can be again; as W. Zevon said in Lawyers, Guns & Money, "Dad, get me outta here".

the old doctor

To prove my point about not knowing squat about computers, it seems I can't even upload my log files properly. Sorry!!

For some reason I can't copy and paste.

EDIT: Posts merged ~BP

Edited by Budapest, 10 October 2010 - 03:48 PM.



#2 Casey_boy

Malware Response Team

Posted 17 October 2010 - 07:23 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.




#3 doctec50


Posted 17 October 2010 - 08:56 AM

Thanks Casey_boy,
The problems have not changed since my first post, but have noticed a boat load of activity on the COMODO icon.
When I open COMODO it shows over 100 connections open. This does not seem right to me.
Still not able to generate a GMER log. It runs for some time, then either locks up or kicks out a BSOD with varying error codes.

DDS logs as follows, hopefully:


DDS (Ver_10-10-05.01) - NTFSx86
Run by the old doctor at 9:26:19.15 on Sun 10/17/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.297 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\the old doctor\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [CARPService] carpserv.exe
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\docume~1\theold~1\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs:
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\theold~1\applic~1\mozilla\firefox\profiles\3ztr8a20.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.erh.noaa.gov/er/iln/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}(2)
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-30 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-30 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-30 243024]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-3-23 239240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-3-3 25240]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-10 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-10 308136]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-3-23 1901056]
S2 SAUSBHW;IntelliFlash Firmware Loader;c:\windows\system32\drivers\saldr.sys --> c:\windows\system32\drivers\saldr.sys [?]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\theold~1\locals~1\temp\asbp2poa.sys --> c:\docume~1\theold~1\locals~1\temp\asbp2poa.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-8-16 431432]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2010-10-09 14:18:47 0 ----a-w- c:\documents and settings\the old doctor\defogger_reenable

==================== Find3M ====================

2010-09-29 09:37:39 285480 ----a-w- c:\windows\system32\guard32.dll
2010-09-29 09:37:38 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-09-29 09:37:38 239240 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-09-29 09:37:38 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2009-03-14 23:48:19 1258638 -c--a-w- c:\program files\DOSBox0.72-win32-installer.exe

============= FINISH: 9:29:04.40 ===============





UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-05.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/1/2004 8:38:05 AM
System Uptime: 10/17/2010 9:24:15 AM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0F4491
Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 56.584 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96E-E325-11CE-BFC1-08002BE10318}
Description: Plug and Play Monitor
Device ID: DISPLAY\SNY2700\5&EF3D094&0&10000080&01&00
Manufacturer: (Standard monitor types)
Name: Plug and Play Monitor
PNP Device ID: DISPLAY\SNY2700\5&EF3D094&0&10000080&01&00
Service:

==== System Restore Points ===================

RP564: 7/18/2010 1:16:10 AM - System Checkpoint
RP565: 7/19/2010 7:42:43 PM - System Checkpoint
RP566: 7/20/2010 4:37:28 PM - Avg Update
RP567: 7/21/2010 5:28:54 PM - System Checkpoint
RP568: 7/23/2010 4:02:05 PM - System Checkpoint
RP569: 7/24/2010 11:32:37 PM - System Checkpoint
RP570: 7/26/2010 8:22:26 AM - System Checkpoint
RP571: 7/31/2010 10:50:06 PM - System Checkpoint
RP572: 8/1/2010 11:40:24 PM - System Checkpoint
RP573: 8/3/2010 2:12:18 AM - System Checkpoint
RP574: 8/4/2010 7:10:37 PM - System Checkpoint
RP575: 8/5/2010 8:55:34 PM - System Checkpoint
RP576: 8/6/2010 11:59:32 PM - System Checkpoint
RP577: 8/8/2010 10:03:19 AM - System Checkpoint
RP578: 8/9/2010 6:23:58 PM - System Checkpoint
RP579: 8/11/2010 5:33:12 AM - Software Distribution Service 3.0
RP580: 8/12/2010 5:22:41 AM - Software Distribution Service 3.0
RP581: 8/14/2010 1:25:50 PM - System Checkpoint
RP582: 8/16/2010 3:47:45 PM - Avg Update
RP583: 8/17/2010 7:45:59 PM - System Checkpoint
RP584: 8/21/2010 10:35:43 AM - System Checkpoint
RP585: 8/22/2010 11:56:16 AM - System Checkpoint
RP586: 8/25/2010 5:54:35 AM - System Checkpoint
RP587: 8/28/2010 5:00:31 AM - System Checkpoint
RP588: 8/29/2010 6:24:24 AM - System Checkpoint
RP589: 8/30/2010 4:12:39 PM - System Checkpoint
RP590: 8/31/2010 9:07:33 PM - System Checkpoint
RP591: 9/1/2010 9:17:00 PM - System Checkpoint
RP592: 9/3/2010 8:07:37 PM - System Checkpoint
RP593: 9/4/2010 11:28:37 AM - Installed Masque IGT Slots Texas Tea
RP594: 9/6/2010 9:57:36 AM - System Checkpoint
RP595: 9/8/2010 6:34:32 PM - System Checkpoint
RP596: 9/9/2010 7:31:51 PM - System Checkpoint
RP597: 9/12/2010 11:16:51 AM - System Checkpoint
RP598: 9/13/2010 5:21:48 PM - System Checkpoint
RP599: 9/15/2010 6:54:02 PM - System Checkpoint
RP600: 9/17/2010 8:29:46 PM - System Checkpoint
RP601: 9/19/2010 8:58:57 AM - System Checkpoint
RP602: 9/20/2010 10:30:51 PM - System Checkpoint
RP603: 9/21/2010 10:34:51 PM - System Checkpoint
RP604: 9/22/2010 5:43:29 AM - Software Distribution Service 3.0
RP605: 9/23/2010 3:50:01 PM - Avg Update
RP606: 9/23/2010 3:50:41 PM - Avg Update
RP607: 9/25/2010 1:21:21 AM - System Checkpoint
RP608: 9/26/2010 10:21:27 AM - System Checkpoint
RP609: 9/27/2010 5:45:11 PM - System Checkpoint
RP610: 9/28/2010 9:01:30 PM - System Checkpoint
RP611: 9/29/2010 3:24:34 PM - Software Distribution Service 3.0
RP612: 10/2/2010 1:19:53 AM - System Checkpoint
RP613: 10/3/2010 8:53:31 AM - System Checkpoint
RP614: 10/4/2010 3:43:25 PM - Avg Update
RP615: 10/7/2010 8:03:58 AM - Software Distribution Service 3.0
RP616: 10/7/2010 4:08:13 PM - Software Distribution Service 3.0
RP617: 10/8/2010 9:19:19 AM - Removed Blackbeard's Revenge
RP618: 10/8/2010 9:20:55 AM - Removed Patch
RP619: 10/8/2010 9:21:25 AM - Removed PatchStats
RP620: 10/14/2010 4:27:18 PM - System Checkpoint
RP621: 10/16/2010 10:12:47 AM - OTL Restore Point

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.2.5
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG Free 9.0
Banctec Service Agreement
COMODO Internet Security
Dell Networking Guide
Dell Solution Center
Dell Support
Destinations
DeviceManagementQFolder
dj_taplugin
Fallout
Fallout2
H&R Block Deluxe + Efile + State 2009
H&R Block Ohio 2009
Help and Support Customization
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet 6900 series
HP Imaging Device Functions 6.0
hpf_ProductContext
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Internet Explorer Default Page
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 17
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
JetShell PRO
Kyodai Mahjongg
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Masque IGT Slots Texas Tea
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Professional Edition 2003
Mozilla Firefox (3.6.10)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero - Burning Rom
NetWaiting
QuickTime
Readme
RealPlayer
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 9 Series (KB969878)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Status
TaxCut Ohio 2007
TaxCut Ohio 2008
TaxCut Premium + State + Efile 2008
TaxCut Premium + State 2007
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2141007)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
V92 PCI Voice Faxmodem
WebFldrs XP
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WordPerfect Office 12
X5 User's Guide

==== Event Viewer Messages From Past Week ========

10/13/2010 9:33:05 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/10/2010 10:57:57 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
10/10/2010 10:57:57 AM, error: Service Control Manager [7000] - The IntelliFlash Firmware Loader service failed to start due to the following error: The system cannot find the file specified.
10/10/2010 1:50:08 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
10/10/2010 1:50:01 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
10/10/2010 1:50:01 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80U.DLL. Reference error message: The operation completed successfully. .
10/10/2010 1:49:48 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
10/10/2010 1:49:48 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
10/10/2010 1:49:48 PM, error: ati2mtag [45062] - CRT invalid display type
10/10/2010 1:28:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX cmdGuard cmdHlp Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
10/10/2010 1:28:23 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
10/10/2010 1:28:23 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/10/2010 1:28:23 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/10/2010 1:28:23 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
10/10/2010 1:27:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/10/2010 1:27:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

==== End Of File ===========================
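As an added triage example (not part of this thread, and not code from DDS or BleepingComputer): a small Python script that reads DDS "SERVICES / DRIVERS" and Pseudo HJT lines and flags the patterns a malware-removal helper checks first, such as a registered driver whose file DDS could no longer find (`--> path [?]`), a driver sitting in a temp directory, or a toolbar/BHO entry left as "No File". The sample lines are copied from the log above; the flag rules and their wording are this example's own assumptions, and a hit means "look closer", not "malicious".

```python
"""Flag DDS log lines that a malware-removal helper would look at first.

Added example, not part of DDS or of this thread. The heuristics below are
this example's own assumptions: a hit means "worth a second look", not "malicious".
"""
import re

# DDS service/driver line: "<R|S><n> <name>;<description>;<path> [<date> <size>]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]*);(?P<desc>[^;]*);(?P<path>.*)$")
# DDS prints "--> <path> [?]" when it cannot read the file's date and size,
# which in practice means the registered file is no longer on disk.
NOT_FOUND_RE = re.compile(r"\[\?\]\s*$")
# Any "\temp\" path component (covers 8.3 short names such as locals~1\temp too).
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Pseudo-HJT toolbar/BHO/explorer-bar/IE entries whose file is gone ("- No File").
NO_FILE_RE = re.compile(r"^(?P<kind>TB|BHO|EB|IE):\s*(?P<body>.*?)\s*-\s*No File\s*$")

# Sample input: lines copied from the DDS log posted in this thread.
SAMPLE_LINES = [
    r"R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-3-23 239240]",
    r"S2 SAUSBHW;IntelliFlash Firmware Loader;c:\windows\system32\drivers\saldr.sys --> c:\windows\system32\drivers\saldr.sys [?]",
    r"S3 asbp2poa;asbp2poa;\??\c:\docume~1\theold~1\locals~1\temp\asbp2poa.sys --> c:\docume~1\theold~1\locals~1\temp\asbp2poa.sys [?]",
    r"TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File",
    r"BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll",
]


def triage_line(line):
    """Return the reasons this line deserves a second look; empty list if none."""
    reasons = []
    svc = SERVICE_RE.match(line)
    if svc:
        path = svc.group("path")
        if NOT_FOUND_RE.search(path):
            reasons.append("service/driver file not found on disk")
        if TEMP_DIR_RE.search(path):
            reasons.append("driver or service loaded from a temp directory")
        if svc.group("name").lower() == svc.group("desc").lower():
            reasons.append("name and description identical (no vendor description)")
        return reasons
    orphan = NO_FILE_RE.match(line)
    if orphan:
        reasons.append(f"{orphan.group('kind')} entry registered but its file is missing")
    return reasons


def triage(lines):
    """Return [{'line': ..., 'reasons': [...]}] for every flagged line, in input order."""
    findings = []
    for line in lines:
        reasons = triage_line(line.rstrip())
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Pipe a saved DDS.txt in via stdin, or run with no input to use the sample lines.
    import sys
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for finding in triage(source):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    ->", reason)
```

Run against the sample lines it reports the SAUSBHW and asbp2poa drivers and the orphaned toolbar GUID and stays quiet on the COMODO driver and the AVG BHO; a whole DDS.txt can be piped through it on stdin. The three rules are deliberately narrow so that the output is a short list to look at, which is how a helper reads these logs: the "[?]" and temp-directory hits point at files to check with the tools the team asks for next, not at anything to delete by hand.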


#4 Casey_boy

Malware Response Team

Posted 17 October 2010 - 10:32 AM

Hi,

My name is Casey and I will be helping you with your malware problems.

As you may have noticed, I am currently in training which means that all of my responses will first be verified by a malware removal coach. As such, there may be a little delay in my responses to you. On the plus side, there will be two sets of eyes looking over your logs.

Whilst I research the problems in your logs, it is very important that you do not make any changes to this PC. Specifically, do not run any further malware removal tools or try to remove anything yourself.

You may wish to "track this topic" so that you are immediately informed of any replies I make. I also ask that you reply to my posts within 5 days else your topic will be closed as stale.

Throughout the removal process, if you have any questions then you should ask them. If you are unsure of my instructions or something does not go as planned - then please tell me. Conversely, it is also important that you answer any questions I have and that you keep me updated on the state of the PC.

Regards,

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#5 doctec50 (Topic Starter)

Posted 17 October 2010 - 10:45 AM

Greetings Casey_boy,
Thanks for the reply. The fact that you are in training still puts you light years ahead of me.
Will gladly follow any instructions you may have, up to and including putting a bullet in this damn thing. (Hopefully not necessary.)

Thanks again,

the old doctor

#6 Casey_boy
Bleeping physicist
Malware Response Team

Posted 17 October 2010 - 12:39 PM

Hi old doctor,

No problems :) Could you please tell me if you are experiencing the redirects in Internet Explorer as well, or just Firefox?

Download and run RKill
Before we can do anything we must first end the processes that belong to any rogue programs so that they do not interfere with the cleaning procedure. To do this, download the following file to your desktop.

rkill.com Download Link

Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with the rogue program(s). Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the rogue program(s) when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue(s). So, please try running Rkill until the malware is no longer running.

If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

Download and run ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are prompted to install the Recovery Console, then please do so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If you have trouble running ComboFix, then please rename ComboFix.exe to Caseyboy.exe and re-run.

Casey

Edited by Casey_boy, 17 October 2010 - 12:40 PM.



#7 doctec50 (Topic Starter)

Posted 17 October 2010 - 02:34 PM

Greetings Casey_boy,

Have done as requested

ComboFix log

ComboFix 10-10-16.04 - the old doctor 10/17/2010 14:47:21.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.371 [GMT -4:00]
Running from: c:\documents and settings\the old doctor\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
ADS - explorer.exe: deleted 88 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSREST.SYS


((((((((((((((((((((((((( Files Created from 2010-09-17 to 2010-10-17 )))))))))))))))))))))))))))))))
.

2010-10-15 23:33 . 2010-10-15 23:33 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-10-08 13:20 . 2010-10-08 13:20 -------- d-----w- c:\documents and settings\the old doctor\Application Data\InstallShield
2010-10-07 01:39 . 2010-10-07 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-23 18:42 . 2010-09-23 18:42 95672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-09-27 2102600]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-09-27 16:32 2102600 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-09-27 2102600]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-09-27 2102600]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"CARPService"="carpserv.exe" [2003-06-11 4608]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-09-29 2500552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 21:05 12536 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [1/30/2009 8:49 PM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [1/30/2009 8:49 PM 243024]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\SYSTEM32\DRIVERS\cmdGuard.sys [3/23/2010 6:40 PM 239240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys [3/3/2010 5:54 PM 25240]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/10/2009 7:00 AM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/10/2009 6:59 AM 308136]
S2 SAUSBHW;IntelliFlash Firmware Loader;c:\windows\system32\Drivers\saldr.sys --> c:\windows\system32\Drivers\saldr.sys [?]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\THEOLD~1\LOCALS~1\Temp\asbp2poa.sys --> c:\docume~1\THEOLD~1\LOCALS~1\Temp\asbp2poa.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [8/16/2010 3:52 PM 431432]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\documents and settings\the old doctor\Application Data\Mozilla\Firefox\Profiles\3ztr8a20.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.erh.noaa.gov/er/iln/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCMService - c:\program files\Dell\Media Experience\PCMService.exe
HKLM-Run-COMODO Firewall Pro - c:\program files\COMODO\Firewall\cfp.exe


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\l3codeca.acm

- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(1916)
c:\windows\system32\guard32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\carpserv.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-10-17 15:12:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-17 19:12

Pre-Run: 60,532,207,616 bytes free
Post-Run: 60,924,538,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 5FBE43D1EBD4EB4A974F67468E5CC084




Have run Rkill, but after a very short time I get this log.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as the old doctor on 10/17/2010 at 15:23:31.


Services Stopped:


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\the old doctor\Desktop\rkill.com


Rkill completed on 10/17/2010 at 15:23:39.




Is this the log we need, or has something stopped the process?


As to your question about redirects on IE, can't say, since I can't remember the last time it was used. Just do not like it.


Thanks, the old doctor

#8 Casey_boy
Bleeping physicist
Malware Response Team

Posted 17 October 2010 - 04:59 PM

Hi,

QUOTE
Is this the log we need, or has something stopped the process?


No, that's fine. It showed that there were no malware processes running on your PC.

Run a CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it (ignoring the word QUOTE):

QUOTE
Driver::
asbp2poa

Collect::
c:\docume~1\THEOLD~1\LOCALS~1\Temp\asbp2poa.sys


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Re-run GMER
Run RKill again and then please now see if you can run GMER. If so, post me the log.

Please now also tell me how your PC is running.

Casey



#9 doctec50 (Topic Starter)

Posted 17 October 2010 - 08:32 PM

Greetings Casey,

Log as requested.

ComboFix 10-10-16.04 - the old doctor 10/17/2010 20:09:59.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.345 [GMT -4:00]
Running from: c:\documents and settings\the old doctor\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\the old doctor\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASBP2POA
-------\Service_asbp2poa


((((((((((((((((((((((((( Files Created from 2010-09-18 to 2010-10-18 )))))))))))))))))))))))))))))))
.

2010-10-15 23:33 . 2010-10-15 23:33 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-10-08 13:20 . 2010-10-08 13:20 -------- d-----w- c:\documents and settings\the old doctor\Application Data\InstallShield
2010-10-07 01:39 . 2010-10-07 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-23 18:42 . 2010-09-23 18:42 95672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-09-27 2102600]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-09-27 16:32 2102600 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-09-27 2102600]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-09-27 2102600]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"CARPService"="carpserv.exe" [2003-06-11 4608]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-09-29 2500552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 21:05 12536 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [1/30/2009 8:49 PM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [1/30/2009 8:49 PM 243024]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\SYSTEM32\DRIVERS\cmdGuard.sys [3/23/2010 6:40 PM 239240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys [3/3/2010 5:54 PM 25240]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/10/2009 7:00 AM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/10/2009 6:59 AM 308136]
S2 SAUSBHW;IntelliFlash Firmware Loader;c:\windows\system32\Drivers\saldr.sys --> c:\windows\system32\Drivers\saldr.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [8/16/2010 3:52 PM 431432]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\documents and settings\the old doctor\Application Data\Mozilla\Firefox\Profiles\3ztr8a20.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.erh.noaa.gov/er/iln/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\l3codeca.acm

- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(3124)
c:\windows\system32\guard32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\carpserv.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-10-17 20:31:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-18 00:31
ComboFix2.txt 2010-10-17 19:13

Pre-Run: 60,927,770,624 bytes free
Post-Run: 60,915,961,856 bytes free

- - End Of File - - A6CAB0AC73E52895B1DEEBBB62B5ED53


Rkill gives same log as posted earlier.

Will run GMER after I close this, did not want to risk losing ComboFix.txt if GMER locked up my computer.
Will edit this post with GMER log if I can get one.

As to performance, redirection problem seems to have stopped. Also no longer have 80+ open connections showing when I open COMODO.
Boot up seems sluggish, and desktop still resets itself about 5 sec. after it loads. Shutdown takes for-friggen-ever, but these may be an entirely different problem.

Thanks again, you're doing great, and I would be happy to tell your trainer just that.
If you can get a dumb ass like me through this, you're on your way, man.

the old doctor

OH, yea, where the hell did this "Restored copy from - Kitty had a snack :P" come from?? (from first ComboFix log)
I don't know squat about all the info in these logs, but this looked odd even to me.

One last unrelated question: On the far left of the Virus, Trojan, etc. etc. main topic page there is a little blue icon that tells about the status of that post.
I noticed that the one for my post is different than the others, in that the bottom right corner is whited out in the shape of a backwards L.
Does this mean anything?? Just curious.


EDIT, EDIT

Still cannot run GMER!! It locked my computer down so hard it stopped my friggen clock!! No joke :blink:

Edited by doctec50, 17 October 2010 - 10:13 PM.


#10 Casey_boy
Bleeping physicist
Malware Response Team

Posted 19 October 2010 - 01:40 PM

QUOTE
As to performance, redirection problem seems to have stopped. Also no longer have 80+ open connections showing when I open COMODO.


OK, that's great. I think that one of the baddies we've gotten rid of was responsible for those.

QUOTE
Boot up seems sluggish, and desktop still resets itself about 5 sec. after it loads. Shutdown takes for-friggen-ever, but these may be an entirely different problem.


This, along with you being unable to run GMER, leads me to believe that you still have an infection on-board.

QUOTE
Thanks again, you're doing great, and I would be happy to tell your trainer just that.
If you can get a dumb ass like me through this, you're on your way, man.


Thank you :)

QUOTE
OH, yea, where the hell did this "Restored copy from - Kitty had a snack :P" come from?? (from first ComboFix log)
I don't know squat about all the info in these logs, but this looked odd even to me.


Nope, that's fine :) It means Combofix was able to remove one of the baddies on your PC.

QUOTE
One last unrelated question: On the far left of the Virus, Trojan, etc. etc. main topic page there is a little blue icon that tells about the status of that post.
I noticed that the one for my post is different than the others, in that the bottom right corner is whited out in the shape of a backwards L.
Does this mean anything?? Just curious.


I asked, because you even made me curious! It means that it was a topic that you'd replied in, so you'd only see it on your topic and no-one else's because you haven't replied to their topics. The forum software has just been upgraded though, so I think the icons have changed now anyway!


***************************

OK, so because GMER won't run, let's try another option.

Scan With RKUnHooker
  • Please download Rootkit Unhooker
  • Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in a reply here.

N.B. You may get the following warning:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Please just ignore it.

Casey



#11 doctec50 (Topic Starter)

Posted 21 October 2010 - 04:38 AM

Greetings Casey,

Double Wow for the new look.
Having trouble posting log, said it's too long. Will try to zip it, and post that.

Well crap, that did not work. You will need to advise me on how to get this log to you.

the old(computer illiterate) doctor

Edited by doctec50, 21 October 2010 - 04:43 AM.


#12 Casey_boy
Bleeping physicist
Malware Response Team

Posted 21 October 2010 - 05:19 AM

Hi,

QUOTE
Double Wow for the new look.


Glad you like it :thumbsup:

Try just attaching the txt file. Click "Choose File", find the report and click Open, then click "Attach This File".

Casey



#13 doctec50 (Topic Starter)

Posted 21 October 2010 - 05:06 PM

Greetings Casey,
Will try this again, a little short on time this morning.

Well, tried to attach said file and got this: Error This file was too big to upload

Will try to zip it and attach that.

That seemed to work, at least something is attached.

OK, work your magic, and let's be rid of this crap.

the old doctor


#14 Casey_boy
Bleeping physicist
Malware Response Team

Posted 22 October 2010 - 08:14 AM

Wow :blink: That was a big log! We need to do some further investigation!

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    /md5start
    ADPU160M.SYS
    sffp_mmc.sys
    hsfdpsp2.sys
    ndisip.sys
    sffp_sd.sys
    slip.sys
    irenum.sys
    wadv08nt.sys
    ati1mdxx.sys
    ACPIEC.SYS
    wadv05nt.sys
    bdasup.sys
    CPQDAP01.SYS
    wadv07nt.sys
    wadv09nt.sys
    sffdisk.sys
    wadv11nt.sys
    pcmcia.sys
    AMSINT.SYS
    NIKEDRV.SYS
    RIO8DRV.SYS
    RIODRV.SYS
    WS2IFSL.SYS
    tdpipe.sys
    ati1pdxx.sys
    wsiintxx.sys
    wadv02nt.sys
    FSVGA.SYS
    usbvideo.sys
    tunmp.sys
    wadv01nt.sys
    NWLNKFLT.SYS
    mtlmnt5.sys
    mutohpen.sys
    AHA154X.SYS
    usb8023.sys
    usb8023x.sys
    slnt7554.sys
    mtlstrm.sys
    slwdmsup.sys
    recagent.sys
    atinmdxx.sys
    atinttxx.sys
    CBIDF2K.SYS
    rdpwd.sys
    diskdump.sys
    wacompen.sys
    asyncmac.sys
    atinpdxx.sys
    fastfat.sys
    hdaudbus.sys
    SMCLIB.SYS
    DAC960NT.SYS
    ASC3550.SYS
    CPQARRAY.SYS
    tape.sys
    HSF_AMOS.sys
    mpe.sys
    streamip.sys
    dmio.sys
    usbintel.sys
    INI910U.SYS
    i81xnt5.sys
    SYMC810.SYS
    s3gnbm.sys
    bthenum.sys
    ccdecode.sys
    MRAID35X.SYS
    DAC2W2K.SYS
    intmtlfax.sys
    i2omp.sys
    bthusb.sys
    wpdusb.sys
    nv4_mini.sys
    SPARROW.SYS
    tdi.sys
    hidir.sys
    wstcodec.sys
    wvchntxx.sys
    watv02nt.sys
    rdpdr.sys
    DPTI2O.SYS
    rmcast.sys
    iqvw32.sys
    flpydisk.sys
    secdrv.sys
    ipinip.sys
    mbam.sys
    ati1ttxx.sys
    TSBVCAP.SYS
    tdtcp.sys
    hsfbs2s2.sys
    watv06nt.sys
    ASC3350P.SYS
    tcpip6.sys
    ABP480N5.SYS
    wch7xxnt.sys
    pciidex.sys
    sonydcam.sys
    watv10nt.sys
    hidbth.sys
    usbcamd.sys
    usbcamd2.sys
    HPN.SYS
    CINEMST2.SYS
    ati1snxx.sys
    usbstor.sys
    ASC.SYS
    bthport.sys
    PERC2.SYS
    SYM_HI.SYS
    atinsnxx.sys
    watv01nt.sys
    ati1xbxx.sys
    rndismp.sys
    rndismpx.sys
    ati1raxx.sys
    SYM_U3.SYS
    ATMEPVC.SYS
    atinxbxx.sys
    NWLNKFWD.SYS
    SYMC8XX.SYS
    ati2mtaa.sys
    IPFLTDRV.SYS
    QL10WNT.SYS
    watv04nt.sys
    RAWWAN.SYS
    ati1xsxx.sys
    ATMUNI.SYS
    ati1tuxx.sys
    bthprint.sys
    ip6fw.sys
    crusoe.sys
    ULTRA.SYS
    amdk6.sys
    amdk7.sys
    bthmodem.sys
    mbamswissarmy.sys
    nmnt.sys
    QL1080.SYS
    QL1240.SYS
    slntamr.sys
    sisagp.sys
    viaagp.sys
    alim1541.sys
    amdagp.sys
    uagp35.sys
    HSF_SOAR.sys
    agpcpq.sys
    mtxparhm.sys
    QL12160.SYS
    gagp30kx.sys
    QL1280.SYS
    stream.sys
    classpnp.sys
    mspqm.sys
    TOSIDE.SYS
    msdv.sys
    TOSDVD.SYS
    ALIIDE.SYS
    mspclock.sys
    viaide.sys
    HSF_MSFT.sys
    intelide.sys
    mstee.sys
    PERC2HIB.SYS
    AIC78U2.SYS
    atmlane.sys
    NWLNKSPX.SYS
    ati1btxx.sys
    AIC78XX.SYS
    HSF_SAMP.sys
    ntfs.sys
    atinbtxx.sys
    VDMINDVD.SYS
    DMLOAD.SYS
    ROOTMDM.SYS
    smbali.sys
    rfcomm.sys
    atmarpc.sys
    arp1394.sys
    nic1394.sys
    NWLNKNB.SYS
    atinxsxx.sys
    ati1rvxx.sys
    mf.sys
    udfs.sys
    CMDIDE.SYS
    EL90XBC5.SYS
    HSF_BSC2.sys
    ialmnt5.sys
    hsfcxts2.sys
    bridge.sys
    atintuxx.sys
    HSF_SPKP.sys
    mskssrv.sys
    CD20XRNT.SYS
    MCD.SYS
    sdbus.sys
    dmboot.sys
    nabtsfec.sys
    asctrm.sys
    nwlnkipx.sys
    slnthal.sys
    /md5stop
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Casey

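The /md5start ... /md5stop block above asks OTL to hash a long list of drivers so that the values can be compared against known-good hashes. The Python below is an added example by the editor, not part of the thread and not OTL's own code: it hashes a list of driver file names in a directory, compares each MD5 with a baseline of trusted values, and separates the four outcomes a responder wants kept apart (matching, mismatching, missing from disk, and not in the baseline). The `demo()` function runs the audit against a temporary directory filled with constructed file contents and a constructed baseline; on a real machine `driver_dir` would be the system32\drivers folder and the baseline would come from a clean install or a vendor catalog, not from values typed into the script.

```python
"""Audit driver files against a trusted hash baseline.

Added example by the editor; not part of the thread and not OTL's code.
All file contents and baseline hashes in demo() are constructed for the
demonstration, and the driver names reuse a few from the OTL list above.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List


def file_digests(path: str) -> Dict[str, str]:
    """MD5 and SHA-256 of one file, read in chunks so large drivers are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def audit_drivers(driver_dir: str, names: Iterable[str],
                  baseline_md5: Dict[str, str]) -> Dict[str, List]:
    """Classify each named driver as ok, mismatch, missing or unknown.

    baseline_md5 maps lower-cased file name -> expected MD5 hex digest.
    A mismatch is recorded as (name, observed, expected) so the report can
    be pasted next to a vendor catalog line without re-hashing.
    """
    result: Dict[str, List] = {"ok": [], "mismatch": [], "missing": [], "unknown": []}
    for name in names:
        path = os.path.join(driver_dir, name)
        if not os.path.isfile(path):
            # A driver that a tool expects but that is absent is itself a finding.
            result["missing"].append(name)
            continue
        observed = file_digests(path)["md5"]
        expected = baseline_md5.get(name.lower())
        if expected is None:
            # Present on disk but nobody vouches for it: needs manual review.
            result["unknown"].append(name)
        elif observed == expected:
            result["ok"].append(name)
        else:
            result["mismatch"].append((name, observed, expected))
    return result


def demo() -> Dict[str, List]:
    """Build a constructed driver folder, audit it, and return the result."""
    with tempfile.TemporaryDirectory() as driver_dir:
        # Constructed contents standing in for real driver images.
        trusted_tcpip = b"trusted tcpip image"
        on_disk = {
            "tcpip.sys": b"patched tcpip image",   # differs from the trusted copy
            "ntfs.sys": b"ntfs image",             # matches the baseline
            "mbam.sys": b"mbam image",             # not in the baseline at all
        }
        for name, content in on_disk.items():
            with open(os.path.join(driver_dir, name), "wb") as fh:
                fh.write(content)
        # Constructed baseline: hashes of the copies we trust.
        baseline = {
            "tcpip.sys": hashlib.md5(trusted_tcpip).hexdigest(),
            "ntfs.sys": hashlib.md5(b"ntfs image").hexdigest(),
            "fastfat.sys": hashlib.md5(b"fastfat image").hexdigest(),  # not on disk
        }
        wanted = ["tcpip.sys", "ntfs.sys", "fastfat.sys", "mbam.sys"]
        return audit_drivers(driver_dir, wanted, baseline)


if __name__ == "__main__":
    for bucket, entries in demo().items():
        print(f"{bucket}:")
        for entry in entries:
            print("   ", entry)
```

Two design choices matter here. MD5 is kept because that is what the tool in the thread reports and what older vendor catalogs list, but SHA-256 is computed in the same pass so the report can be checked against a modern catalog too. And "unknown" is kept separate from "mismatch": a file nobody has a hash for is not yet evidence of tampering, whereas a known file whose hash has changed is exactly the case the tcpip.sys finding earlier in this thread illustrates.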


#15 doctec50 (Topic Starter)

Posted 22 October 2010 - 05:11 PM

Greetings Casey,

As usual I don't seem to be able to fulfill your requests.
Cannot find Extra.txt anywhere but do have the other. It also seems huge, may not upload. We'll see.


By the by all those WARNINGS on the last report freaked me out a bit, maybe I should just shoot this thing <_<

Yea, will need to zip the damn thing. Stand by:

Attached Files

  • Attached File  OTL.zip   38.69KB   1 downloads




