google redirect,


This topic is locked
15 replies to this topic

#1 officertemple

Members, 9 posts

Posted 27 November 2010 - 11:50 PM

I use Firefox; whenever I do a Google search I get redirected. I tried running SUPERAntiSpyware, SpyHunter, AVG, CleanUp 4.0, and ATF Cleaner. Thank you in advance for any help that you give. Here are my logs:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-27 23:44:53
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD1200JB-00GVC0 rev.08.02D08
Running: gmer.exe; Driver: C:\DOCUME~1\ROY&JE~1\LOCALS~1\Temp\awdyrfoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys ZwCreateSection [0xB8614700]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB2DAF6C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB2DAF770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB2DAF810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB2DAF8B0]

Code \??\C:\DOCUME~1\ROY&JE~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text PCIIDEX.SYS!PciIdeXSetBusData + B29 B832945D 4 Bytes [D4, 03, E9, 88]
.text PCIIDEX.SYS!PciIdeXSetBusData + D72 B83296A6 4 Bytes [AC, 1B, F7, 88]
.text PCIIDEX.SYS!PciIdeXDebugPrint + 23 B83296DD 4 Bytes [D4, 03, E9, 88]
.text PCIIDEX.SYS!PciIdeXDebugPrint + 173 B832982D 4 Bytes [AC, 1B, F7, 88]
.text PCIIDEX.SYS!PciIdeXDebugPrint + 1A8 B8329862 4 Bytes [AC, 1B, F7, 88]
PAGE PCIIDEX.SYS!PciIdeXDebugPrint + 7CB B8329E85 4 Bytes [D4, 03, E9, 88]
PAGE PCIIDEX.SYS!PciIdeXDebugPrint + 1065 B832A71F 4 Bytes [D4, 03, E9, 88]
PAGE ...
PAGE PCIIDEX.SYS!PciIdeXInitialize + 288 B832CC64 4 Bytes [D4, 03, E9, 88]
.text atapi.sys!ZwSetSystemPowerState + FFE91DEF B7F0EEC5 4 Bytes [54, 91, B5, 88] {PUSH ESP; XCHG ECX, EAX; MOV CH, 0x88}
.text atapi.sys!ZwSetSystemPowerState + FFE92043 B7F0F119 4 Bytes [54, 91, B5, 88] {PUSH ESP; XCHG ECX, EAX; MOV CH, 0x88}
.text atapi.sys!ZwSetSystemPowerState + FFE924E5 B7F0F5BB 4 Bytes [54, 91, B5, 88] {PUSH ESP; XCHG ECX, EAX; MOV CH, 0x88}
.text atapi.sys!ZwSetSystemPowerState + FFE92696 B7F0F76C 4 Bytes [54, 91, B5, 88] {PUSH ESP; XCHG ECX, EAX; MOV CH, 0x88}
.text atapi.sys!ZwSetSystemPowerState + FFE92765 B7F0F83B 4 Bytes [54, 91, B5, 88] {PUSH ESP; XCHG ECX, EAX; MOV CH, 0x88}
.text ...
.text SCSIPORT.SYS!ScsiPortInitialize + FFFF44D8 B7EF344C 5 Bytes JMP A3EDDA40 \SystemRoot\system32\drivers\klmd.sys
.text SCSIPORT.SYS!ScsiPortInitialize + FFFF473B B7EF36AF 4 Bytes [0C, BD, 27, 89]
.text SCSIPORT.SYS!ScsiPortInitialize + FFFF4AD1 B7EF3A45 4 Bytes [0C, BD, 27, 89]
.text SCSIPORT.SYS!ScsiPortGetUncachedExtension + 852 B7EF4D5A 4 Bytes [6C, 4A, 15, 89]
.text SCSIPORT.SYS!ScsiPortGetUncachedExtension + FB6 B7EF54BE 4 Bytes [74, A4, 90, 88]
.text SCSIPORT.SYS!ScsiPortGetUncachedExtension + FDA B7EF54E2 4 Bytes [0C, BD, 27, 89]
.text SCSIPORT.SYS!ScsiPortGetUncachedExtension + 1710 B7EF5C18 4 Bytes [6C, 4A, 15, 89]
.text SCSIPORT.SYS!ScsiPortGetUncachedExtension + 17F8 B7EF5D00 4 Bytes [6C, 4A, 15, 89]
.text ...
.text SCSIPORT.SYS!ScsiPortCompleteRequest + 10C B7EF8576 4 Bytes [6C, 4A, 15, 89]
.text SCSIPORT.SYS!ScsiPortCompleteRequest + 1A9 B7EF8613 4 Bytes [74, A4, 90, 88]
.text SCSIPORT.SYS!ScsiPortCompleteRequest + 2BA B7EF8724 4 Bytes [14, 41, 14, 89] {ADC AL, 0x41; ADC AL, 0x89}
.text SCSIPORT.SYS!ScsiPortCompleteRequest + 2F6 B7EF8760 4 Bytes [74, A4, 90, 88]
.text SCSIPORT.SYS!ScsiPortCompleteRequest + 3F0 B7EF885A 4 Bytes [74, A4, 90, 88]
.text ...
PAGE SCSIPORT.SYS!ScsiPortInitialize + E91 B7EFFE05 4 Bytes [0C, BD, 27, 89]
PAGE SCSIPORT.SYS!ScsiPortInitialize + FFA B7EFFF6E 4 Bytes [0C, BD, 27, 89]
PAGE SCSIPORT.SYS!ScsiPortInitialize + 20AE B7F01022 4 Bytes [74, A4, 90, 88]
PAGE SCSIPORT.SYS!ScsiPortInitialize + 2125 B7F01099 4 Bytes [0C, BD, 27, 89]
PAGE SCSIPORT.SYS!ScsiPortInitialize + 25CD B7F01541 4 Bytes [0C, BD, 27, 89]
PAGE ...
.text CLASSPNP.SYS!ClassReleaseRemoveLock + 193 B8118553 4 Bytes [1C, F5, A0, 88]
.text CLASSPNP.SYS!ClassCompleteRequest + D B8118BF0 4 Bytes [54, A9, 0D, 89]
.text CLASSPNP.SYS!ClassCompleteRequest + 3F6 B8118FD9 4 Bytes [1C, F5, A0, 88]
.text CLASSPNP.SYS!ClassSendSrbSynchronous + EE B811918C 4 Bytes [1C, F5, A0, 88]
.text CLASSPNP.SYS!ClassDeviceControl + BD B8119591 4 Bytes [54, A9, 0D, 89]
.text CLASSPNP.SYS!ClassReleaseQueue + EA B811A372 4 Bytes [1C, F5, A0, 88]
.text CLASSPNP.SYS!ClassReleaseChildLock + 66 B811A9C6 4 Bytes [1C, F5, A0, 88]
.text CLASSPNP.SYS!ClassSendIrpSynchronous + 3A B811AB90 4 Bytes [1C, F5, A0, 88]
.text CLASSPNP.SYS!ClassGetDriverExtension + 15D B811B131 4 Bytes [1C, F5, A0, 88]
.text CLASSPNP.SYS!ClassFindModePage + 1D3 B811B775 4 Bytes [1C, F5, A0, 88]
.text CLASSPNP.SYS!ClassFindModePage + 77F B811BD21 4 Bytes [1C, F5, A0, 88]
.text CLASSPNP.SYS!ClassFindModePage + 9A6 B811BF48 4 Bytes [DC, F3, EA, 88]
.text CLASSPNP.SYS!ClassFindModePage + ADC B811C07E 4 Bytes [A4, C5, 07, 89]
.text CLASSPNP.SYS!ClassFindModePage + B06 B811C0A8 4 Bytes [1C, F5, A0, 88]
.text ...
.text CLASSPNP.SYS!ClassInternalIoControl + 87 B811CFAF 4 Bytes [1C, F5, A0, 88]
.text CLASSPNP.SYS!ClassGetVpb + 167 B811D1AB 4 Bytes [1C, F5, A0, 88]
.text CLASSPNP.SYS!ClassSendStartUnit + C9 B811D421 4 Bytes [1C, F5, A0, 88]
.text CLASSPNP.SYS!ClassSendSrbAsynchronous + 10D B811D56C 4 Bytes [1C, F5, A0, 88]
.text CLASSPNP.SYS!ClassWmiFireEvent + 3A9 B811DA16 4 Bytes [1C, F5, A0, 88]
.text CLASSPNP.SYS!ClassWmiFireEvent + 843 B811DEB0 4 Bytes [1C, F5, A0, 88]
.text CLASSPNP.SYS!ClassIoCompleteAssociated + 18B B811E4E9 4 Bytes [DC, F3, EA, 88]
PAGE CLASSPNP.SYS!ClassDebugPrint + 59B B811EB33 4 Bytes [1C, F5, A0, 88]
PAGE CLASSPNP.SYS!ClassDebugPrint + 7B5 B811ED4D 4 Bytes [1C, F5, A0, 88]
PAGE CLASSPNP.SYS!ClassInvalidateBusRelations + 203 B811F23A 4 Bytes [1C, F5, A0, 88]
PAGE CLASSPNP.SYS!ClassInitialize + 6C0 B811F9F8 4 Bytes [1C, F5, A0, 88]
PAGE CLASSPNP.SYS!ClassClaimDevice + 7A B8120ECF 4 Bytes [1C, F5, A0, 88]
PAGE CLASSPNP.SYS!ClassModeSense + 57D B8121B68 4 Bytes [1C, F5, A0, 88]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB73C0380, 0x551435, 0xE8000020]
? System32\DRIVERS\dvd43llh.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\ROY&JE~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? system32\drivers\klmd.sys The system cannot find the path specified. !
? C:\DOCUME~1\ROY&JE~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Java\jre6\bin\jqs.exe[384] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0174B634
.text C:\Program Files\Java\jre6\bin\jqs.exe[384] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0174B1D1
.text C:\Program Files\Java\jre6\bin\jqs.exe[384] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0174B4E6
.text C:\Program Files\Java\jre6\bin\jqs.exe[384] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0174B2B2
.text C:\Program Files\Java\jre6\bin\jqs.exe[384] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0174B385
.text C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe[420] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 016AB634
.text C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe[420] WS2_32.dll!send 71AB4C27 5 Bytes JMP 016AB1D1
.text C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe[420] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 016AB4E6
.text C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe[420] WS2_32.dll!recv 71AB676F 5 Bytes JMP 016AB2B2
.text C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe[420] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 016AB385
.text C:\WINDOWS\system32\winlogon.exe[580] Secur32.dll!LsaLogonUser 77FE33F1 5 Bytes JMP 00C72946
.text C:\Program Files\LogMeIn\x86\RaMaint.exe[824] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C8B634
.text C:\Program Files\LogMeIn\x86\RaMaint.exe[824] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C8B1D1
.text C:\Program Files\LogMeIn\x86\RaMaint.exe[824] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C8B4E6
.text C:\Program Files\LogMeIn\x86\RaMaint.exe[824] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C8B2B2
.text C:\Program Files\LogMeIn\x86\RaMaint.exe[824] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C8B385
.text C:\WINDOWS\system32\nvsvc32.exe[940] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0148B634
.text C:\WINDOWS\system32\nvsvc32.exe[940] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0148B1D1
.text C:\WINDOWS\system32\nvsvc32.exe[940] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0148B4E6
.text C:\WINDOWS\system32\nvsvc32.exe[940] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0148B2B2
.text C:\WINDOWS\system32\nvsvc32.exe[940] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0148B385
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[1972] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B0B634
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[1972] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B0B1D1
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[1972] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B0B4E6
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[1972] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B0B2B2
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[1972] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B0B385
.text C:\WINDOWS\system32\RUNDLL32.EXE[2076] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F4B634
.text C:\WINDOWS\system32\RUNDLL32.EXE[2076] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F4B1D1
.text C:\WINDOWS\system32\RUNDLL32.EXE[2076] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F4B4E6
.text C:\WINDOWS\system32\RUNDLL32.EXE[2076] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F4B2B2
.text C:\WINDOWS\system32\RUNDLL32.EXE[2076] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F4B385
.text C:\Program Files\Common Files\AOL\1269952926\ee\AOLSoftware.exe[2092] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 023EB634
.text C:\Program Files\Common Files\AOL\1269952926\ee\AOLSoftware.exe[2092] WS2_32.dll!send 71AB4C27 5 Bytes JMP 023EB1D1
.text C:\Program Files\Common Files\AOL\1269952926\ee\AOLSoftware.exe[2092] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 023EB4E6
.text C:\Program Files\Common Files\AOL\1269952926\ee\AOLSoftware.exe[2092] WS2_32.dll!recv 71AB676F 5 Bytes JMP 023EB2B2
.text C:\Program Files\Common Files\AOL\1269952926\ee\AOLSoftware.exe[2092] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 023EB385
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2368] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 013DB634
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2368] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013DB1D1
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2368] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 013DB4E6
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2368] WS2_32.dll!recv 71AB676F 5 Bytes JMP 013DB2B2
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2368] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 013DB385
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2504] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0122B634
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2504] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0122B1D1
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2504] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0122B4E6
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2504] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0122B2B2
.text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[2504] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0122B385
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[3400] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0229B634
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[3400] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0229B1D1
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[3400] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0229B4E6
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[3400] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0229B2B2
.text C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[3400] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0229B385
.text C:\WINDOWS\System32\alg.exe[3476] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C2B634
.text C:\WINDOWS\System32\alg.exe[3476] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C2B1D1
.text C:\WINDOWS\System32\alg.exe[3476] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C2B4E6
.text C:\WINDOWS\System32\alg.exe[3476] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C2B2B2
.text C:\WINDOWS\System32\alg.exe[3476] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C2B385
.text C:\Program Files\AVG\AVG PC Tuneup 2011\boostspeed.exe[3656] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0396B634
.text C:\Program Files\AVG\AVG PC Tuneup 2011\boostspeed.exe[3656] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0396B1D1
.text C:\Program Files\AVG\AVG PC Tuneup 2011\boostspeed.exe[3656] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0396B4E6
.text C:\Program Files\AVG\AVG PC Tuneup 2011\boostspeed.exe[3656] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0396B2B2
.text C:\Program Files\AVG\AVG PC Tuneup 2011\boostspeed.exe[3656] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0396B385
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3824] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E4B634
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3824] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E4B1D1
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3824] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E4B4E6
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3824] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E4B2B2
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3824] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E4B385
.text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[5756] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FAB634
.text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[5756] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FAB1D1
.text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[5756] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FAB4E6
.text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[5756] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FAB2B2
.text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[5756] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FAB385
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[5804] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 014DB634
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[5804] ws2_32.dll!send 71AB4C27 5 Bytes JMP 014DB1D1
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[5804] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 014DB4E6
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[5804] ws2_32.dll!recv 71AB676F 5 Bytes JMP 014DB2B2
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[5804] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 014DB385
.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[6316] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01D6B634
.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[6316] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01D6B1D1
.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[6316] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01D6B4E6
.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[6316] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01D6B2B2
.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[6316] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01D6B385
.text C:\WINDOWS\explorer.exe[6748] USER32.dll!DisplayExitWindowsWarnings 7E459F91 5 Bytes JMP 00FE2758
.text C:\WINDOWS\explorer.exe[6748] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EFB634
.text C:\WINDOWS\explorer.exe[6748] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EFB1D1
.text C:\WINDOWS\explorer.exe[6748] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EFB4E6
.text C:\WINDOWS\explorer.exe[6748] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EFB2B2
.text C:\WINDOWS\explorer.exe[6748] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EFB385
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[7364] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F4B634
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[7364] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F4B1D1
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[7364] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F4B4E6
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[7364] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F4B2B2
.text C:\Program Files\AVG\AVG10\avgwdsvc.exe[7364] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F4B385
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[7544] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0110B634
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[7544] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0110B1D1
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[7544] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0110B4E6
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[7544] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0110B2B2
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[7544] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0110B385
.text C:\Program Files\AVG\AVG10\avgnsx.exe[7804] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0275B634
.text C:\Program Files\AVG\AVG10\avgnsx.exe[7804] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0275B1D1
.text C:\Program Files\AVG\AVG10\avgnsx.exe[7804] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0275B4E6
.text C:\Program Files\AVG\AVG10\avgnsx.exe[7804] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0275B2B2
.text C:\Program Files\AVG\AVG10\avgnsx.exe[7804] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0275B385
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[7948] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01AEB634
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[7948] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01AEB1D1
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[7948] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01AEB4E6
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[7948] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01AEB2B2
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[7948] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01AEB385
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[8208] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C7B634
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[8208] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C7B1D1
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[8208] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C7B4E6
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[8208] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C7B2B2
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[8208] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C7B385
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[9140] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 021AB634
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[9140] WS2_32.dll!send 71AB4C27 5 Bytes JMP 021AB1D1
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[9140] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 021AB4E6
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[9140] WS2_32.dll!recv 71AB676F 5 Bytes JMP 021AB2B2
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[9140] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 021AB385
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[9140] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10405CF5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[9384] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 023FB634
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[9384] WS2_32.dll!send 71AB4C27 5 Bytes JMP 023FB1D1
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[9384] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 023FB4E6
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[9384] WS2_32.dll!recv 71AB676F 5 Bytes JMP 023FB2B2
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[9384] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 023FB385
.text C:\Program Files\Mozilla Firefox\firefox.exe[9968] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[10236] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01E6B634
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[10236] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01E6B1D1
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[10236] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01E6B4E6
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[10236] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01E6B2B2
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[10236] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01E6B385

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
Device \Driver\klmd25 \Device\KLMD205020 klmd.sys

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device \Driver\SiSRaid \Device\Scsi\SiSRaid1 dvd43llh.sys
Device \Driver\SiSRaid \Device\Scsi\SiSRaid1Port2Path0Target0Lun0 dvd43llh.sys
Device \Driver\SiSRaid \Device\Scsi\SiSRaid1Port2Path0Target2Lun0 dvd43llh.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???I?I??? ???????I???????????=?<????????????????????? ???????J???????????B?>????????N????????9???9????????????????????????8??I??????????????system32\DRIVERS\wdcsam.sys???????2??J???????????????<?H?I?I?I?L????{36FC9E60-C465-11CF-8056-444553540000}\0023?????SpyHunter 4 Helper Service?n?=???? ??1???5???F??{8ECC055D-047F-11D1-A537-0000F8753ED1}?el ????\??K???S??????????8}???????????B???G??system32\DRIVERS\imapi.sys?Con???4?4?4?5?5?6?8?8?8?8?8?8s ????N??K???C????D\RO???I??? ???????5?????J?????1??????????d??? ???????????? ???????3?????J?????>?>??????????Z?????????00??? ???????I???????????=?<????????????????????? ???????I?????????????>????????????????????? ???????5???????????3??????????f?&????????? (ICS)??????? ???????3?????J?????@?>??????????n?????????????? ???????I?????/?????4?>????????N???????1}???????????5?????si\??? ???J???????????????d??? ???????I?????????????>?????????????????f??68.87.73.246 68.87.71.230???LocalSystem?ce??{8??? ???????4?????#?????F?>????????X???????????????{71A27CDD-812A-11D0-BEC7-08002BE209
Reg HKLM\SOFTWARE\Classes\CLSID\{D2563600-5B7C-29E2-3622-E00B16E4521A}\qrdevdpomkrl@ ktpcY_jOmTiWE|OHtF}FfspixOUb
Reg HKLM\SOFTWARE\Classes\CLSID\{D2563600-5B7C-29E2-3622-E00B16E4521A}\qrtkShnqy@ eqAUOzpBDSlFlatD[agyy@

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\Temp\avg-a8834e39-b253-4706-a8a8-30287bc8b161.tmp 0 bytes
File C:\WINDOWS\Temp\avg-bc8aac11-66a7-4f6c-a013-533c0644605d.tmp 0 bytes
File C:\WINDOWS\Temp\avg-68867a4c-df8c-4758-9c9f-156873b69a34.tmp 0 bytes

---- EOF - GMER 1.0.15 ----

DDS (Ver_10-11-27.01) - NTFSx86
Run by Roy & Jess at 22:33:51.48 on Sat 11/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.561 [GMT -5:00]

AV: AVG Anti-Virus 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\1269952926\ee\AOLSoftware.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG PC Tuneup 2011\boostspeed.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Roy & Jess\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [cdloader] "c:\documents and settings\roy & jess\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [Gadwin PrintScreen Pro] c:\program files\gadwin systems\printscreenpro\PrintScreenPro.exe /nosplash
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
mRun: [AmIcoSinglun] c:\program files\amicosinglun\AmIcoSinglun.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HostManager] c:\program files\common files\aol\1269952926\ee\AOLSoftware.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter4.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: intuit.com\ttlc
Trusted Zone: kuaiche.com\software
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1287941348326
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\roy&je~1\applic~1\mozilla\firefox\profiles\esbhlixv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-13 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-10-28 47640]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
R3 esgiguard;esgiguard;c:\program files\enigma software group\spyhunter\esgiguard.sys [2010-1-27 5248]
S2 PhoneMyPC_Helper;PhoneMyPC_Helper;c:\program files\softwareforme inc\phonemypc\PhoneMyPC_Helper.exe [2010-8-22 30208]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2010-9-21 327000]
S3 DrvAgent32;DrvAgent32;\??\c:\windows\system32\drivers\drvagent32.sys --> c:\windows\system32\drivers\DrvAgent32.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-11-28 01:22:19 -------- d-----w- c:\windows\system32\appmgmt
2010-11-28 01:01:50 -------- d-----w- c:\windows\system32\NtmsData
2010-11-27 19:28:04 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-11-27 15:16:13 -------- d-----w- c:\docume~1\roy&je~1\applic~1\AVG
2010-11-27 05:24:48 -------- d--h--w- C:\$AVG
2010-11-27 05:06:12 -------- d-----w- c:\docume~1\roy&je~1\applic~1\AVG10
2010-11-27 05:05:19 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-11-27 05:04:06 -------- d-----w- c:\windows\system32\drivers\AVG
2010-11-27 05:04:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-11-27 05:03:43 -------- d-----w- c:\program files\AVG
2010-11-27 04:59:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-11-26 18:01:20 -------- d-----w- c:\docume~1\roy&je~1\applic~1\butel
2010-11-26 17:52:09 -------- d-----w- c:\windows\Downloaded Installations
2010-11-19 01:14:27 -------- d-----w- C:\ComboFix
2010-11-11 01:21:59 -------- d-----w- c:\docume~1\roy&je~1\applic~1\PokerCreations
2010-11-11 00:04:14 -------- d-----w- c:\docume~1\roy&je~1\applic~1\WWE Poker
2010-11-11 00:04:13 -------- d-----w- c:\program files\WWE Poker
2010-11-10 03:20:58 299984 ----a-w- c:\windows\system32\drivers\avgtdix.sys

==================== Find3M ====================

2010-11-08 06:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-10-05 21:43:33 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-10-05 21:43:33 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2010-10-05 21:43:32 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-10-05 21:43:31 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 22:34:43.94 ===============

Attached Files




#2 officertemple

officertemple
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:31 AM

Posted 28 November 2010 - 06:03 PM

Do I need to attach anything else yet?

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our MRT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone who is not familiar with your issue to assist you and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the MRT Team. The reason we ask this, and do not respond to your requests, is that doing so would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not make multiple posts here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 28 November 2010 - 08:04 PM.


#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:31 AM

Posted 04 December 2010 - 09:48 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#4 officertemple

officertemple
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:31 AM

Posted 06 December 2010 - 09:50 PM

I'm here

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:31 AM

Posted 07 December 2010 - 05:01 PM

Hi, please run TDSSKiller and MBRCheck so that we can check for rootkits

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


And

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#6 officertemple

officertemple
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:31 AM

Posted 07 December 2010 - 07:43 PM

2010/12/07 19:37:38.0546 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01
2010/12/07 19:37:38.0546 ================================================================================
2010/12/07 19:37:38.0546 SystemInfo:
2010/12/07 19:37:38.0546
2010/12/07 19:37:38.0546 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/07 19:37:38.0546 Product type: Workstation
2010/12/07 19:37:38.0546 ComputerName: ROYANDJESS
2010/12/07 19:37:38.0546 UserName: Roy & Jess
2010/12/07 19:37:38.0546 Windows directory: C:\WINDOWS
2010/12/07 19:37:38.0546 System windows directory: C:\WINDOWS
2010/12/07 19:37:38.0562 Processor architecture: Intel x86
2010/12/07 19:37:38.0562 Number of processors: 1
2010/12/07 19:37:38.0562 Page size: 0x1000
2010/12/07 19:37:38.0562 Boot type: Normal boot
2010/12/07 19:37:38.0562 ================================================================================
2010/12/07 19:37:39.0171 Initialize success
2010/12/07 19:38:00.0171 Deinitialize success

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000023d

Kernel Drivers (total 136):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB80B8000 ohci1394.sys
0xB80C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80D8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB85AC000 dmload.sys
0xB7F23000 dmio.sys
0xB8330000 PartMgr.sys
0xB80E8000 VolSnap.sys
0xB7F0B000 atapi.sys
0xB80F8000 SiSRaid.sys
0xB7EF3000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xB8108000 disk.sys
0xB8118000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7ED3000 fltmgr.sys
0xB8128000 PxHelp20.sys
0xB7EBC000 KSecDD.sys
0xB7E2F000 Ntfs.sys
0xB7E02000 NDIS.sys
0xB7DE8000 Mup.sys
0xB8138000 gagp30kx.sys
0xB8338000 avgrkx86.sys
0xB8148000 AVGIDSEH.Sys
0xB6D8C000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB6D78000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB83F0000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB6D64000 \SystemRoot\system32\DRIVERS\parport.sys
0xB8308000 \SystemRoot\system32\DRIVERS\serial.sys
0xB8564000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB8318000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB83F8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB6C1E000 \SystemRoot\system32\drivers\cmuda.sys
0xB6BFA000 \SystemRoot\system32\drivers\portcls.sys
0xB77EA000 \SystemRoot\system32\drivers\drmk.sys
0xB6BB7000 \SystemRoot\system32\drivers\ks.sys
0xB8400000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB6B93000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB8408000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8410000 \SystemRoot\system32\DRIVERS\sisnic.sys
0xB77DA000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB77CA000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB77BA000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8418000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB77AA000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB779A000 \SystemRoot\system32\DRIVERS\processr.sys
0xB8767000 \SystemRoot\system32\DRIVERS\lmimirr.sys
0xB8768000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB778A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB8570000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB6B7C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB777A000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB776A000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8420000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB6B6B000 \SystemRoot\system32\DRIVERS\psched.sys
0xB775A000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB8430000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB8438000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB8440000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xB8178000 \SystemRoot\System32\Drivers\pcouffin.sys
0xB6B3B000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB8188000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB8448000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB85C8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB6AB5000 \SystemRoot\system32\DRIVERS\update.sys
0xB858C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB8198000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB81B8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB85D4000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB8458000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB81D8000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
0xB85E8000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB87CB000 \SystemRoot\System32\Drivers\Null.SYS
0xB85EA000 \SystemRoot\System32\Drivers\Beep.SYS
0xB8468000 \SystemRoot\System32\drivers\vga.sys
0xB85EC000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB85EE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB8470000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB8478000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB8540000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB48BA000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB4861000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB4819000 \SystemRoot\system32\DRIVERS\avgtdix.sys
0xB47F1000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB47CF000 \SystemRoot\System32\drivers\afd.sys
0xB81E8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB47AD000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xB8480000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xB4782000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB46EA000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB81F8000 \SystemRoot\System32\Drivers\Fips.SYS
0xB46C4000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB8208000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB8218000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB4688000 \SystemRoot\system32\DRIVERS\avgldx86.sys
0xB6B27000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB8228000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB8490000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB6B23000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB8498000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xB8278000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB45F8000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB862E000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB467C000 \SystemRoot\System32\drivers\Dxapi.sys
0xB8398000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB87FB000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB4143000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB425B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB3FD6000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB85D8000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB40C3000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
0xB3ECD000 \SystemRoot\System32\Drivers\HTTP.sys
0xB3DFD000 \SystemRoot\system32\DRIVERS\srv.sys
0xB85F4000 \??\C:\Program Files\LogMeIn\x86\RaInfo.sys
0xB435F000 \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
0xB3FB6000 \SystemRoot\system32\drivers\sysaudio.sys
0xB3A7A000 \SystemRoot\system32\drivers\wdmaud.sys
0xB3F56000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
0xB3872000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
0xB8378000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xB375F000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xB85E2000 \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys
0xB219B000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 62):
0 System Idle Process
4 System
500 C:\WINDOWS\system32\smss.exe
540 C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
720 csrss.exe
756 C:\WINDOWS\system32\winlogon.exe
800 C:\WINDOWS\system32\services.exe
812 C:\WINDOWS\system32\lsass.exe
972 C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
988 C:\WINDOWS\system32\nvsvc32.exe
1020 C:\WINDOWS\system32\svchost.exe
1080 svchost.exe
1148 C:\WINDOWS\system32\svchost.exe
1320 svchost.exe
1380 svchost.exe
1496 C:\WINDOWS\system32\spoolsv.exe
1616 svchost.exe
1648 C:\Program Files\AVG\AVG10\avgwdsvc.exe
1704 C:\WINDOWS\system32\svchost.exe
1744 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
1812 C:\Program Files\Java\jre6\bin\jqs.exe
1836 C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
1900 C:\Program Files\LogMeIn\x86\ramaint.exe
1976 C:\Program Files\LogMeIn\x86\LogMeIn.exe
232 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
360 C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
424 C:\Program Files\AVG\AVG10\avgam.exe
440 C:\Program Files\AVG\AVG10\avgnsx.exe
716 C:\Program Files\AVG\AVG10\avgemcx.exe
2164 C:\Program Files\SoftwareForMe Inc\PhoneMyPC\PhoneMyPC_Helper.exe
2200 C:\Program Files\SoftwareForMe Inc\PhoneMyPC\PhoneMyPC.exe
2204 C:\WINDOWS\system32\IoctlSvc.exe
2220 C:\WINDOWS\system32\HPZipm12.exe
2348 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2560 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
2632 wmpnetwk.exe
2788 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
3280 alg.exe
132 C:\Program Files\AVG\AVG10\avgcsrvx.exe
816 C:\PROGRA~1\AVG\AVG10\avgrsx.exe
1136 C:\Program Files\AVG\AVG10\avgcsrvx.exe
1328 C:\WINDOWS\explorer.exe
2908 C:\WINDOWS\system32\wscntfy.exe
3948 C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe
2548 C:\WINDOWS\system32\rundll32.exe
3272 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
3904 C:\WINDOWS\system32\rundll32.exe
3340 C:\Program Files\Common Files\aol\1269952926\ee\aolsoftware.exe
3844 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3048 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
488 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
3980 C:\Program Files\AVG\AVG10\avgtray.exe
2580 C:\Program Files\Freecorder\FLVSrvc.exe
3832 C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe
3332 C:\Program Files\Windows Media Player\wmpnscfg.exe
2576 C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
3748 C:\WINDOWS\system32\ctfmon.exe
4180 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
4196 C:\Program Files\Mozilla Firefox\firefox.exe
5056 C:\Program Files\Common Files\Java\Java Update\jucheck.exe
5336 C:\Program Files\Mozilla Firefox\plugin-container.exe
2988 C:\Documents and Settings\Roy & Jess\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive2 at offset 0x0000006b`5eb38200 (NTFS)

PhysicalDrive0 Model Number: WDCWD1200JB-00GVC0, Rev: 08.02D08
PhysicalDrive1 Model Number: HDT722525DLAT80, Rev: V44OA96A
PhysicalDrive2 Model Number: SAMSUNGHD103SJ, Rev: 1AJ100E4

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
232 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive2 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:31 AM

Posted 07 December 2010 - 07:50 PM

That looks fine.

Please run Combofix and see what it can find

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#8 officertemple

officertemple
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:31 AM

Posted 07 December 2010 - 08:23 PM

ComboFix 10-12-06.04 - Roy & Jess 12/07/2010 20:17:40.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1099 [GMT -5:00]
Running from: c:\documents and settings\Roy & Jess\Desktop\comfix.exe
.

((((((((((((((((((((((((( Files Created from 2010-11-08 to 2010-12-08 )))))))))))))))))))))))))))))))
.

2010-12-04 00:20 . 2010-12-08 01:15 -------- d-----w- c:\documents and settings\Roy & Jess\Application Data\PriceGong
2010-12-04 00:19 . 2010-12-04 00:19 -------- d-----w- c:\program files\Conduit
2010-12-04 00:19 . 2010-12-04 00:19 -------- d-----w- c:\documents and settings\Roy & Jess\Local Settings\Application Data\Conduit
2010-12-04 00:19 . 2010-12-04 00:20 -------- d-----w- c:\documents and settings\Roy & Jess\Local Settings\Application Data\Freecorder
2010-12-04 00:19 . 2010-12-04 00:19 -------- d-----w- c:\documents and settings\Roy & Jess\Local Settings\Application Data\temp
2010-12-04 00:18 . 2010-12-08 00:50 -------- d-----w- c:\documents and settings\Roy & Jess\Local Settings\Application Data\FLVService
2010-12-04 00:17 . 2010-12-04 00:20 -------- d-----w- c:\program files\Freecorder
2010-12-04 00:17 . 2010-12-04 00:17 -------- d-----w- c:\windows\Freecorder
2010-11-28 22:46 . 2010-11-28 22:46 110080 ----a-r- c:\documents and settings\Roy & Jess\Application Data\Microsoft\Installer\{4E97AE47-1293-4669-BBF3-4BDE52501A1A}\IconF7A21AF7.exe
2010-11-28 22:46 . 2010-11-28 22:46 110080 ----a-r- c:\documents and settings\Roy & Jess\Application Data\Microsoft\Installer\{4E97AE47-1293-4669-BBF3-4BDE52501A1A}\IconD7F16134.exe
2010-11-28 22:46 . 2010-11-28 22:46 -------- d-----w- C:\sh4ldr
2010-11-28 22:46 . 2010-11-28 22:46 -------- d-----w- c:\windows\D005F851ED234778B233A3E32CFD6017.TMP
2010-11-28 22:45 . 2010-11-28 22:46 -------- d-----w- c:\windows\4E97AE4712934669BBF34BDE52501A1A.TMP
2010-11-28 01:09 . 2010-11-28 01:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AOL
2010-11-28 01:01 . 2010-11-28 01:03 -------- d-----w- c:\windows\system32\NtmsData
2010-11-27 15:16 . 2010-11-27 16:19 -------- d-----w- c:\documents and settings\Roy & Jess\Application Data\AVG
2010-11-27 05:05 . 2010-11-27 05:05 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-11-27 05:03 . 2010-12-08 01:13 -------- d-----w- c:\program files\AVG
2010-11-27 04:59 . 2010-11-27 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-11-26 18:01 . 2010-11-26 18:01 -------- d-----w- c:\documents and settings\Roy & Jess\Application Data\butel
2010-11-26 17:52 . 2010-11-26 17:52 -------- d-----w- c:\program files\DIFX
2010-11-26 17:52 . 2010-11-26 17:52 -------- dc----w- c:\windows\system32\DRVSTORE
2010-11-26 17:52 . 2010-11-26 17:52 -------- d-----w- c:\windows\Downloaded Installations
2010-11-19 01:14 . 2010-11-19 01:22 -------- d-----w- C:\ComboFix
2010-11-11 01:21 . 2010-11-11 01:21 -------- d-----w- c:\documents and settings\Roy & Jess\Application Data\PokerCreations
2010-11-11 00:04 . 2010-11-11 00:04 -------- d-----w- c:\documents and settings\Roy & Jess\Application Data\WWE Poker
2010-11-11 00:04 . 2010-11-11 00:04 -------- d-----w- c:\program files\WWE Poker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-05 21:43 . 2009-10-28 12:26 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-10-05 21:43 . 2009-10-28 12:26 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-10-05 21:43 . 2009-10-28 12:26 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-10-05 21:43 . 2009-10-28 12:26 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-09-18 16:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2010-10-26_01.50.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 05:02 . 2009-07-12 05:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 05:05 . 2009-07-12 05:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 05:05 . 2009-07-12 05:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-12-08 00:59 . 2010-12-08 00:59 16384 c:\windows\Temp\Perflib_Perfdata_5f8.dat
- 2004-08-04 12:00 . 2010-10-24 18:08 67516 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-11-28 22:38 67516 c:\windows\system32\perfc009.dat
+ 2010-11-26 17:52 . 2009-10-22 15:08 52552 c:\windows\system32\DRVSTORE\ftdiport_2AEF0DA7ACBB32405FF593226F4454A4D684E65B\i386\ftserui2.dll
+ 2010-11-26 17:52 . 2009-10-22 15:09 72520 c:\windows\system32\DRVSTORE\ftdiport_2AEF0DA7ACBB32405FF593226F4454A4D684E65B\i386\ftser2k.sys
+ 2010-11-26 17:52 . 2009-10-22 15:11 54088 c:\windows\system32\DRVSTORE\ftdiport_2AEF0DA7ACBB32405FF593226F4454A4D684E65B\i386\ftcserco.dll
+ 2010-11-26 17:52 . 2009-10-22 15:11 57800 c:\windows\system32\DRVSTORE\ftdibus_153CD6A841FF919A2C6EABB2274572BD90AC0FDB\i386\ftdibus.sys
- 2010-07-13 23:52 . 2010-04-29 19:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2010-07-13 23:52 . 2010-04-29 20:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2010-07-13 23:52 . 2010-04-29 20:39 20952 c:\windows\system32\drivers\mbam.sys
- 2010-07-13 23:52 . 2010-04-29 19:39 20952 c:\windows\system32\drivers\mbam.sys
+ 2010-11-28 22:46 . 2010-11-28 22:46 27499 c:\windows\D005F851ED234778B233A3E32CFD6017.TMP\WiseCustomCall.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 05:05 . 2009-07-12 05:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2004-08-04 12:00 . 2010-11-28 22:38 432686 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-10-24 18:08 432686 c:\windows\system32\perfh009.dat
+ 2010-11-27 05:03 . 2010-11-27 05:03 233936 c:\windows\system32\Macromed\Flash\FlashUtil10l_Plugin.exe
+ 2010-11-05 01:51 . 2010-11-05 01:51 233936 c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
+ 2010-11-05 01:51 . 2010-11-05 01:51 311248 c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.dll
+ 2010-11-26 17:52 . 2009-10-22 15:16 197952 c:\windows\system32\DRVSTORE\ftdibus_153CD6A841FF919A2C6EABB2274572BD90AC0FDB\i386\FTLang.Dll
+ 2010-11-26 17:52 . 2009-10-22 15:17 206144 c:\windows\system32\DRVSTORE\ftdibus_153CD6A841FF919A2C6EABB2274572BD90AC0FDB\i386\ftd2xx.dll
+ 2010-11-26 17:52 . 2009-10-22 15:17 120136 c:\windows\system32\DRVSTORE\ftdibus_153CD6A841FF919A2C6EABB2274572BD90AC0FDB\i386\ftbusui.dll
+ 2004-08-04 12:00 . 2008-04-14 00:11 640000 c:\windows\system32\dllcache\dbghelp.dll
+ 2010-11-27 05:03 . 2010-11-27 05:03 219648 c:\windows\Installer\71fead16.msi
+ 2010-12-04 00:17 . 2010-12-04 00:17 473600 c:\windows\Freecorder\uninstall.exe
- 2010-10-24 18:28 . 2010-10-24 18:28 133564 c:\windows\D005F851ED234778B233A3E32CFD6017.TMP\WiseCustomCalla20.exe
+ 2010-11-28 22:46 . 2010-11-28 22:46 133564 c:\windows\D005F851ED234778B233A3E32CFD6017.TMP\WiseCustomCalla20.exe
+ 2010-11-28 22:46 . 2010-11-28 22:46 130283 c:\windows\D005F851ED234778B233A3E32CFD6017.TMP\WiseCustomCalla2.dll
+ 2010-11-28 22:46 . 2010-11-28 22:46 130254 c:\windows\D005F851ED234778B233A3E32CFD6017.TMP\WiseCustomCalla19.dll
+ 2010-11-28 22:46 . 2010-11-28 22:46 130283 c:\windows\D005F851ED234778B233A3E32CFD6017.TMP\WiseCustomCalla18.dll
+ 2010-11-28 22:46 . 2010-11-28 22:46 133000 c:\windows\D005F851ED234778B233A3E32CFD6017.TMP\WiseCustomCalla17.exe
+ 2010-11-28 22:46 . 2010-11-28 22:46 130808 c:\windows\D005F851ED234778B233A3E32CFD6017.TMP\WiseCustomCalla16.dll
+ 2010-11-28 22:46 . 2010-11-28 22:46 133000 c:\windows\D005F851ED234778B233A3E32CFD6017.TMP\WiseCustomCalla.dll
+ 2010-11-28 22:45 . 2010-11-28 22:45 133564 c:\windows\4E97AE4712934669BBF34BDE52501A1A.TMP\WiseCustomCalla20.exe
+ 2009-07-12 05:02 . 2009-07-12 05:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2010-01-27 01:07 . 2010-11-27 05:03 5971408 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2010-11-28 22:46 . 2010-11-28 22:46 2468864 c:\windows\Installer\ce7a6.msi
+ 2010-11-27 05:05 . 2010-11-27 05:05 3065856 c:\windows\Installer\71fead1e.msi
+ 2010-11-27 05:03 . 2010-11-27 05:03 1548288 c:\windows\Installer\71fead1a.msi
+ 2010-11-11 00:08 . 2010-11-11 00:08 2317312 c:\windows\Installer\1e8ae2f9.msi
+ 2010-11-26 17:52 . 2010-11-26 17:52 35244544 c:\windows\Downloaded Installations\{FD0E76A4-C221-41B5-B5B9-57C66F309BEC}\Software for Scanners.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2010-10-18 17:26 3908192 ----a-w- c:\program files\Freecorder\tbFree.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 17:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2010-10-18 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFree.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Roy & Jess\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"Gadwin PrintScreen Pro"="c:\program files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe" [2009-02-28 516096]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2010-04-29 1652736]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-30 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-26 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AmIcoSinglun"="c:\program files\AmIcoSingLun\AmIcoSinglun.exe" [2009-10-21 237568]
"Cmaudio"="cmicnfg.cpl" [BU]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-10 2221352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-31 13666920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-31 110696]
"HostManager"="c:\program files\Common Files\AOL\1269952926\ee\AOLSoftware.exe" [2010-02-10 41800]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2010-11-05 4098904]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-10-05 21:43 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1269952926\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Roy & Jess\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"7375:TCP"= 7375:TCP:Services
"7376:TCP"= 7376:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3193:TCP"= 3193:TCP:Services
"4886:TCP"= 4886:TCP:Services
"1615:TCP"= 1615:TCP:Services
"1730:TCP"= 1730:TCP:Services

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/13/2010 5:57 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 PhoneMyPC_Helper;PhoneMyPC_Helper;c:\program files\SoftwareForMe Inc\PhoneMyPC\PhoneMyPC_Helper.exe [8/22/2010 9:30 PM 30208]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [1/27/2010 5:10 PM 5248]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [11/5/2010 5:53 PM 327000]
S3 DrvAgent32;DrvAgent32;\??\c:\windows\system32\Drivers\DrvAgent32.sys --> c:\windows\system32\Drivers\DrvAgent32.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
Trusted Zone: kuaiche.com\software
FF - ProfilePath - c:\documents and settings\Roy & Jess\Application Data\Mozilla\Firefox\Profiles\esbhlixv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-07 20:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-1275210071-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{285349E2-C1FF-F69C-1365-7A68A108EE34}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jabnggpkgjckkkmhfpcp"=hex:62,61,6e,68,00,00
"jabnggpkgjckkkmhfpoo"=hex:62,61,67,6b,00,00
"iabobhfjkbmkfolijk"=hex:6b,61,6f,68,62,6b,68,6b,69,61,6f,6f,63,64,6c,6e,6a,63,
6f,6e,62,62,00,00
"haloeiehbncinlkd"=hex:6b,61,6f,68,62,6b,68,6b,69,61,6f,6f,63,64,6c,6e,6b,63,
65,61,69,68,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(944)
c:\windows\system32\WININET.dll
c:\documents and settings\Roy & Jess\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-12-07 20:23:11
ComboFix-quarantined-files.txt 2010-12-08 01:23
ComboFix2.txt 2010-11-19 01:22
ComboFix3.txt 2010-10-26 01:52
ComboFix4.txt 2010-07-14 00:17
ComboFix5.txt 2010-12-08 01:16

Pre-Run: 98,249,809,920 bytes free
Post-Run: 98,249,863,168 bytes free

- - End Of File - - 39BADA87F4AAFC0A9EDF09EA489FCCD7

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:31 AM

Posted 07 December 2010 - 08:44 PM

We need to replace what looks like a patched driver. This is probably the cause of the redirects but at the moment it's difficult to tell.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

FCopy::
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

RegLock::
[HKEY_USERS\S-1-5-21-515967899-1275210071-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
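The "patched driver" reading above rests on the file-comparison lines ComboFix printed earlier in this thread: several copies of tcpip.sys are listed as `[tag] date . MD5 . size . . [version] . . path`, and two copies that claim the same file version and size but carry different MD5 hashes cannot both be the genuine binary, so the copy outside Windows' protected backup folders (dllcache, ServicePackFiles, $hf_mig$, $NtServicePackUninstall$) is the suspect. The following is an added example, not ComboFix's or m0le's code; the function and constant names (`parse_line`, `find_patched`, `BACKUP_MARKERS`) are mine, and the sample input is the four tcpip.sys lines quoted from the log above.

```python
"""Flag a patched system driver from ComboFix-style file comparison lines.

Added example (not ComboFix's own code). ComboFix lists every copy of a
driver it can locate, one per line, as:

    [tag] date . MD5 . size . . [version] . . path

Copies that report the same version and size but a different MD5 cannot
both be genuine; the one outside the protected backup folders is flagged.
"""
import hashlib
import re
from collections import defaultdict

# One regex per ComboFix comparison line; field names are my own.
LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]"
    r"\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

# Folders Windows XP uses as pristine backups of system files (matched
# case-insensitively as path fragments).
BACKUP_MARKERS = (
    "\\dllcache\\",
    "\\servicepackfiles\\",
    "\\$ntservicepackuninstall$\\",
    "\\$hf_mig$\\",
)

# The four tcpip.sys lines from the ComboFix log quoted earlier in the thread.
SAMPLE_LINES = [
    r"[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys",
    r"[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys",
    r"[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys",
    r"[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys",
]


def parse_line(line):
    """Parse one comparison line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    rec["md5"] = rec["md5"].upper()
    return rec


def is_backup_copy(path):
    """True when the path sits in one of the protected backup folders."""
    lowered = path.lower()
    return any(marker in lowered for marker in BACKUP_MARKERS)


def find_patched(lines):
    """Return paths of live copies whose MD5 disagrees with a backup copy
    that reports the same version and size."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["version"], rec["size"])].append(rec)

    suspects = []
    for recs in groups.values():
        backup_hashes = {r["md5"] for r in recs if is_backup_copy(r["path"])}
        if not backup_hashes:
            continue  # nothing trusted to compare against in this group
        for r in recs:
            if not is_backup_copy(r["path"]) and r["md5"] not in backup_hashes:
                suspects.append(r["path"])
    return suspects


def md5_of_file(path):
    """MD5 of a file on disk, to re-check a suspect against the log's value."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for path in find_patched(SAMPLE_LINES):
        print("hash mismatch against backup copy:", path)
```

On the sample lines only the live `c:\windows\system32\drivers\tcpip.sys` is flagged; the ServicePackFiles and uninstall copies have no live counterpart of the same version and so produce no verdict.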

#10 officertemple

officertemple
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:31 AM

Posted 07 December 2010 - 08:52 PM

ComboFix 10-12-06.04 - Roy & Jess 12/07/2010 20:48:03.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1065 [GMT -5:00]
Running from: c:\documents and settings\Roy & Jess\Desktop\comfix.exe
Command switches used :: c:\documents and settings\Roy & Jess\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2010-11-08 to 2010-12-08 )))))))))))))))))))))))))))))))
.

2010-12-04 00:20 . 2010-12-08 01:15 -------- d-----w- c:\documents and settings\Roy & Jess\Application Data\PriceGong
2010-12-04 00:19 . 2010-12-04 00:19 -------- d-----w- c:\program files\Conduit
2010-12-04 00:19 . 2010-12-04 00:19 -------- d-----w- c:\documents and settings\Roy & Jess\Local Settings\Application Data\Conduit
2010-12-04 00:19 . 2010-12-04 00:20 -------- d-----w- c:\documents and settings\Roy & Jess\Local Settings\Application Data\Freecorder
2010-12-04 00:19 . 2010-12-04 00:19 -------- d-----w- c:\documents and settings\Roy & Jess\Local Settings\Application Data\temp
2010-12-04 00:18 . 2010-12-08 01:43 -------- d-----w- c:\documents and settings\Roy & Jess\Local Settings\Application Data\FLVService
2010-12-04 00:17 . 2010-12-04 00:20 -------- d-----w- c:\program files\Freecorder
2010-12-04 00:17 . 2010-12-04 00:17 -------- d-----w- c:\windows\Freecorder
2010-11-28 22:46 . 2010-11-28 22:46 110080 ----a-r- c:\documents and settings\Roy & Jess\Application Data\Microsoft\Installer\{4E97AE47-1293-4669-BBF3-4BDE52501A1A}\IconF7A21AF7.exe
2010-11-28 22:46 . 2010-11-28 22:46 110080 ----a-r- c:\documents and settings\Roy & Jess\Application Data\Microsoft\Installer\{4E97AE47-1293-4669-BBF3-4BDE52501A1A}\IconD7F16134.exe
2010-11-28 22:46 . 2010-11-28 22:46 -------- d-----w- C:\sh4ldr
2010-11-28 22:46 . 2010-11-28 22:46 -------- d-----w- c:\windows\D005F851ED234778B233A3E32CFD6017.TMP
2010-11-28 22:45 . 2010-11-28 22:46 -------- d-----w- c:\windows\4E97AE4712934669BBF34BDE52501A1A.TMP
2010-11-28 01:09 . 2010-11-28 01:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AOL
2010-11-28 01:01 . 2010-11-28 01:03 -------- d-----w- c:\windows\system32\NtmsData
2010-11-27 15:16 . 2010-11-27 16:19 -------- d-----w- c:\documents and settings\Roy & Jess\Application Data\AVG
2010-11-27 05:05 . 2010-11-27 05:05 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-11-27 05:03 . 2010-12-08 01:13 -------- d-----w- c:\program files\AVG
2010-11-27 04:59 . 2010-11-27 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-11-26 18:01 . 2010-11-26 18:01 -------- d-----w- c:\documents and settings\Roy & Jess\Application Data\butel
2010-11-26 17:52 . 2010-11-26 17:52 -------- d-----w- c:\program files\DIFX
2010-11-26 17:52 . 2010-11-26 17:52 -------- dc----w- c:\windows\system32\DRVSTORE
2010-11-26 17:52 . 2010-11-26 17:52 -------- d-----w- c:\windows\Downloaded Installations
2010-11-19 01:14 . 2010-11-19 01:22 -------- d-----w- C:\ComboFix
2010-11-11 01:21 . 2010-11-11 01:21 -------- d-----w- c:\documents and settings\Roy & Jess\Application Data\PokerCreations
2010-11-11 00:04 . 2010-11-11 00:04 -------- d-----w- c:\documents and settings\Roy & Jess\Application Data\WWE Poker
2010-11-11 00:04 . 2010-11-11 00:04 -------- d-----w- c:\program files\WWE Poker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-05 21:43 . 2009-10-28 12:26 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-10-05 21:43 . 2009-10-28 12:26 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-10-05 21:43 . 2009-10-28 12:26 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-10-05 21:43 . 2009-10-28 12:26 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-09-18 16:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
.

((((((((((((((((((((((((((((( SnapShot_2010-12-08_01.21.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00 . 2008-06-20 11:59 361600 c:\windows\system32\dllcache\tcpip.sys
- 2008-06-20 11:51 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2010-10-18 17:26 3908192 ----a-w- c:\program files\Freecorder\tbFree.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 17:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFree.dll" [2010-10-18 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFree.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Roy & Jess\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"Gadwin PrintScreen Pro"="c:\program files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe" [2009-02-28 516096]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2010-04-29 1652736]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-30 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-26 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AmIcoSinglun"="c:\program files\AmIcoSingLun\AmIcoSinglun.exe" [2009-10-21 237568]
"Cmaudio"="cmicnfg.cpl" [BU]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-10 2221352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-31 13666920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-31 110696]
"HostManager"="c:\program files\Common Files\AOL\1269952926\ee\AOLSoftware.exe" [2010-02-10 41800]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2010-11-05 4098904]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-10-05 21:43 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1269952926\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Roy & Jess\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"7375:TCP"= 7375:TCP:Services
"7376:TCP"= 7376:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3193:TCP"= 3193:TCP:Services
"4886:TCP"= 4886:TCP:Services
"1615:TCP"= 1615:TCP:Services
"1730:TCP"= 1730:TCP:Services

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/13/2010 5:57 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 PhoneMyPC_Helper;PhoneMyPC_Helper;c:\program files\SoftwareForMe Inc\PhoneMyPC\PhoneMyPC_Helper.exe [8/22/2010 9:30 PM 30208]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [1/27/2010 5:10 PM 5248]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [11/5/2010 5:53 PM 327000]
S3 DrvAgent32;DrvAgent32;\??\c:\windows\system32\Drivers\DrvAgent32.sys --> c:\windows\system32\Drivers\DrvAgent32.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
Trusted Zone: kuaiche.com\software
FF - ProfilePath - c:\documents and settings\Roy & Jess\Application Data\Mozilla\Firefox\Profiles\esbhlixv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-07 20:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-1275210071-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{285349E2-C1FF-F69C-1365-7A68A108EE34}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jabnggpkgjckkkmhfpcp"=hex:62,61,6e,68,00,00
"jabnggpkgjckkkmhfpoo"=hex:62,61,67,6b,00,00
"iabobhfjkbmkfolijk"=hex:6b,61,6f,68,62,6b,68,6b,69,61,6f,6f,63,64,6c,6e,6a,63,
6f,6e,62,62,00,00
"haloeiehbncinlkd"=hex:6b,61,6f,68,62,6b,68,6b,69,61,6f,6f,63,64,6c,6e,6b,63,
65,61,69,68,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3280)
c:\windows\system32\WININET.dll
c:\documents and settings\Roy & Jess\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-12-07 20:52:21
ComboFix-quarantined-files.txt 2010-12-08 01:52
ComboFix2.txt 2010-12-08 01:23
ComboFix3.txt 2010-11-19 01:22
ComboFix4.txt 2010-10-26 01:52
ComboFix5.txt 2010-12-08 01:47

Pre-Run: 98,247,524,352 bytes free
Post-Run: 98,233,798,656 bytes free

- - End Of File - - CFB2F3B6D793B6ECED9034F76E2551D6
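
Worked example (added here by the editor; it is not part of officertemple's log or of m0le's instructions): the four values under the LOCKED REGISTRY KEYS entry above are printed by ComboFix as `hex:` byte lists, and the longer ones wrap onto a second line. The Python below parses that notation, re-joins the wrapped lines, and treats each REG_BINARY blob as a NUL-terminated ASCII string so the contents can be read at a glance. The sample text is copied from the log above; the parsing and decoding helpers are mine, and nothing here assumes what the strings mean.

```python
import re

# Constructed sample: the value lines of the LOCKED REGISTRY KEYS entry from the
# ComboFix log above, copied verbatim (including the wrapped continuation lines).
SAMPLE_LOG = r'''
[HKEY_USERS\S-1-5-21-515967899-1275210071-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{285349E2-C1FF-F69C-1365-7A68A108EE34}*]
@Allowed: (Read) (RestrictedCode)
"jabnggpkgjckkkmhfpcp"=hex:62,61,6e,68,00,00
"jabnggpkgjckkkmhfpoo"=hex:62,61,67,6b,00,00
"iabobhfjkbmkfolijk"=hex:6b,61,6f,68,62,6b,68,6b,69,61,6f,6f,63,64,6c,6e,6a,63,
6f,6e,62,62,00,00
"haloeiehbncinlkd"=hex:6b,61,6f,68,62,6b,68,6b,69,61,6f,6f,63,64,6c,6e,6b,63,
65,61,69,68,00,00
'''

# "name"=hex:aa,bb,... is how ComboFix (and .reg files) write REG_BINARY values.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<data>[0-9a-fA-F,]*)$')


def parse_hex_values(text):
    """Yield (value_name, bytes) for every hex: value in a ComboFix/.reg dump.

    A byte list that ends in a comma continues on the next line, so wrapped
    values are re-joined before conversion.
    """
    name, chunks = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if name is None:
            m = VALUE_RE.match(line)
            if not m:
                continue  # key header, @Allowed line, blank line, ...
            name, chunks = m.group('name'), [m.group('data')]
        else:
            chunks.append(line)  # continuation of a wrapped byte list
        if not chunks[-1].endswith(','):
            tokens = [t for t in ''.join(chunks).split(',') if t]
            yield name, bytes(int(t, 16) for t in tokens)
            name, chunks = None, []


def decode_string(blob):
    """Treat a REG_BINARY blob as a NUL-terminated byte string and return the
    printable ASCII prefix, or None when it is not plain text."""
    text = blob.split(b'\x00', 1)[0]
    if text and all(0x20 <= b < 0x7f for b in text):
        return text.decode('ascii')
    return None


def decode_log(text):
    """Map each value name to its decoded string (None for non-text blobs)."""
    return {name: decode_string(blob) for name, blob in parse_hex_values(text)}


def alphabet(strings):
    """Distinct characters used across a set of strings, handy for spotting a
    restricted alphabet (such as a..p) in randomly named values."""
    return set(''.join(strings))


if __name__ == '__main__':
    decoded = decode_log(SAMPLE_LOG)
    for name, value in decoded.items():
        print(f'{name:24s} -> {value!r}')
    used = alphabet(list(decoded) + [v for v in decoded.values() if v])
    print('alphabet used:', ''.join(sorted(used)))
```

All four values decode to short lowercase strings, and both the value names and the decoded strings stay inside the sixteen letters a to p; the script only reports that observation and deliberately does not guess at an encoding scheme. The trailing 00,00 is just the string terminator and is stripped before display.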

#11 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:31 AM

Posted 08 December 2010 - 06:03 PM

That's been replaced now.

Please clear your cookies/temp files/cache with ATF

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

NB: If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

This could also be Clear Recent History or similar

Then close Firefox and then reopen it.



Please now run ESET's online scanner

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#12 officertemple

  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:31 AM

Posted 08 December 2010 - 11:30 PM

C:\Documents and Settings\Roy & Jess\Application Data\AVG\Rescue\PC Tuneup 2011\101127102536644.rsc multiple threats deleted - quarantined
C:\Documents and Settings\Roy & Jess\My Documents\Jess oldlaptop\LimeWire\Saved\psp videos.mpe a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\aaaKQXbc.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\aaaKQXbc.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\CeMSYccf.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\CeMSYccf.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\hdtrevqj.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\HNVFNqru.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\HNVFNqru.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ibyotvuy.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\jhgydapu.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\jlnmp.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\jlnmp.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\jpmordfi.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\nwdufjjg.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\sbagqvpm.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\synmpxgc.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ttlvgeij.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\uxeyrvcj.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\wnahgygo.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\wvvwa.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\wvvwa.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
E:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined
E:\Documents and Settings\Owner\Desktop\Jess Music\9-1-09\psp videos.mpe a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
E:\Documents and Settings\Owner\Desktop\Virus Fixer\Shortcuts\WrestlingEncoreSetup-dm.exe a variant of Win32/Adware.Trymedia application cleaned by deleting - quarantined
E:\VundoFix Backups\jmusjhpc.ini.bad Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
E:\VundoFix Backups\wvvwa.ini.bad Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
E:\VundoFix Backups\wvvwa.ini2.bad Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
E:\VundoFix Backups\yikyyqsj.ini.bad Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
F:\Roy\Desktop\Country\earthquake wwe.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
F:\Roy\Desktop\Incomplete\T-5847022-wrestling gillberg.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
F:\Roy\Desktop\Jess Music\9-1-09\psp videos.mpe a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
F:\Roy\Desktop\Virus Fixer\Shortcuts\WrestlingEncoreSetup-dm.exe a variant of Win32/Adware.Trymedia application cleaned by deleting - quarantined
F:\Virus Fixer\Shortcuts\WrestlingEncoreSetup-dm.exe a variant of Win32/Adware.Trymedia application cleaned by deleting - quarantined

#13 m0le

Posted 09 December 2010 - 07:36 PM

How's the PC now?

#14 officertemple


Posted 09 December 2010 - 07:50 PM

Everything seems fine so far, Thank you

#15 m0le

Posted 09 December 2010 - 08:14 PM

Good news, that means...

You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically, make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it officertemple, happy surfing!

Cheers.

m0le