
Whitesmoke Translator Automatically downloaded


This topic is locked
13 replies to this topic

#1 luvmyludwig

luvmyludwig

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:31 PM

Posted 28 November 2010 - 06:02 PM

Yesterday something infected my computer while my son was playing a game. The blue bar on my Windows XP desktop turned white immediately. Then I noticed links being redirected and Google being redirected. Then WhiteSmoke Translator automatically downloaded.

I ran Malwarebytes and it found 4 or 5 trojans. They have been removed.
I ran SUPERAntiSpyware and it found 3 more trojans among other things. They have been removed.
I ran DeFogger.
I ran TDSSKiller (before finding that I shouldn't without being directed; I was following another thread). It found 1 item, and it was cured. (I didn't know I needed the log then either, I am pretty new to this.)
I ran DDS (log below).
I ran GMER (log below).

As of now, the only problems I notice are: (1) I can't remove the WhiteSmoke Translator program using Add/Remove Programs.
It says "one or more of the Whitesmoke files are locked by the 'WSTrayDictMode.exe' process." when I try to remove it.

(2) I also can not remove AVG Free 9 so I can get the latest version. It says "failed for registry key HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows: Access is denied." I also can not disable it.

The white bar is back to blue, no more redirects either.


Worth mentioning: I can not back up the computer, my Windows no longer updates, I don't have Windows disks, and I also can not access the part of the Control Panel where I manage accounts for Windows. (These are problems that have been present for a while, and I am hoping to purchase a new computer soon. I just wanted to make sure my system limits were on here.)

I couldn't enable the firewall either.

Thank you in advance for helping me. I really appreciate any help you can give.

LOGS


DDS (Ver_10-11-27.01) - NTFSx86
Run by Owner at 11:57:08.95 on Sun 11/28/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2031.1220 [GMT -5:00]

FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WhiteSmoke Translator\WSTrayDictMode.exe
C:\Program Files\WhiteSmoke Translator\WhiteSmokeDictRegistration.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds(3).scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1C3C4699-B285-475F-BE47-0B26088CE876} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A} - No File
BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: {F06E2ABE-3A50-4079-BE25-FC100D9EAA25} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {E19E589B-749F-4641-9ED3-032DEB7A8D92} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SunKistEM] "c:\program files\digital media reader\shwiconem.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Vqevoruk] rundll32.exe "c:\windows\ufugaxey.dll",Startup
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9e.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\whitesmoke translator\WSTrayDictMode.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
Trusted Zone: gistweb.com
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125182411468
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289687996828
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2103525&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.sparkpeople.com/myspark/web_search.asp|http://www.squidoo.com/lensmaster/comments
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\8t938ia3.default\extensions\{32be036a-4d7a-44e7-827d-4cb5b3da428f}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\8t938ia3.default\extensions\{32be036a-4d7a-44e7-827d-4cb5b3da428f}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\8t938ia3.default\extensions\{875a8012-d292-45be-a1c6-4d39e358414f}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\8t938ia3.default\extensions\{875a8012-d292-45be-a1c6-4d39e358414f}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\8t938ia3.default\extensions\{d4a0aade-baf5-4f72-b3d8-166ccb4dab29}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\8t938ia3.default\extensions\{d4a0aade-baf5-4f72-b3d8-166ccb4dab29}\components\RadioWMPCore.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\worldwinner.com, inc\worldwinner games\npwwload.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {8C4A0B36-54DF-4B5D-A3C4-38D9A1B6A31F} - c:\documents and settings\owner\local settings\application data\{8C4A0B36-54DF-4B5D-A3C4-38D9A1B6A31F}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Squidoo: {5d67eb1e-2b10-4538-8321-74a5ec8ccf96} - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\{5d67eb1e-2b10-4538-8321-74a5ec8ccf96}
FF - Extension: tagfoot: sidefoot: tagfootsidefoot@tagfoot.com - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\tagfootsidefoot@tagfoot.com
FF - Extension: SquidUtils Community Toolbar: {32be036a-4d7a-44e7-827d-4cb5b3da428f} - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\{32be036a-4d7a-44e7-827d-4cb5b3da428f}
FF - Extension: Clipmarks: {e1170235-2845-420c-acc3-42261a29dd46} - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\{e1170235-2845-420c-acc3-42261a29dd46}
FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Extension: WelcomeToSquidoo Toolbar: {d4a0aade-baf5-4f72-b3d8-166ccb4dab29} - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\{d4a0aade-baf5-4f72-b3d8-166ccb4dab29}
FF - Extension: FLYLADY 1024: bnftclt668@benefitbar.com - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\bnftclt668@benefitbar.com
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Extension: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Extension: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Extension: Zotero: zotero@chnm.gmu.edu - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\zotero@chnm.gmu.edu
FF - Extension: Submit It Community Toolbar: {875a8012-d292-45be-a1c6-4d39e358414f} - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\{875a8012-d292-45be-a1c6-4d39e358414f}
FF - Extension: TextFormatting Toolbar: format.bar@codefisher.org - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\format.bar@codefisher.org
FF - Extension: vShare Plugin: vshare@toolbar - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8t938ia3.default\extensions\vshare@toolbar
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox
FF - Extension: AVG Security Toolbar em:version=6.010.006.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg9\toolbar\firefox\avg@igeared
FF - Extension: XULRunner: {8C4A0B36-54DF-4B5D-A3C4-38D9A1B6A31F} - c:\documents and settings\owner\local settings\application data\{8C4A0B36-54DF-4B5D-A3C4-38D9A1B6A31F}
FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\owner\application data\Move Networks

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-16 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-16 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-16 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-8-4 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-1-25 149864]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-1-25 149864]
S2 CWMonitor;Symantec Crimeware Protection Driver;\??\c:\program files\common files\symantec shared\coshared\cw\1.5\co_mon.sys --> c:\program files\common files\symantec shared\coshared\cw\1.5\CO_Mon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-31 136176]
S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\spysweeper.exe --> c:\program files\webroot\spy sweeper\SpySweeper.exe [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]

=============== Created Last 30 ================

2010-11-28 14:36:05 -------- d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-11-28 14:36:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-11-28 14:35:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-27 14:59:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-11-27 14:25:55 -------- d-----w- c:\documents and settings\owner\MustBeRandomlyNamed
2010-11-27 12:59:51 -------- d-----w- c:\docume~1\owner\applic~1\whitesmoketoolbar
2010-11-27 01:26:56 -------- d-----w- c:\program files\whitesmoketoolbar
2010-11-27 01:26:34 -------- d-----w- c:\program files\WhiteSmoke Translator
2010-11-27 01:26:08 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-26 23:14:32 0 ----a-w- c:\windows\Imaviqejivuluyet.bin
2010-11-26 23:14:30 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\{8C4A0B36-54DF-4B5D-A3C4-38D9A1B6A31F}
2010-11-26 23:12:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\WSTB
2010-11-26 20:57:23 0 ----a-w- c:\windows\system32\lsp5AE.tmp
2010-11-17 04:41:00 323624 ----a-w- c:\windows\system32\wiaaut.dll
2010-11-13 23:06:26 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-13 23:06:26 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-11-13 22:47:34 -------- d-----w- c:\windows\system32\NtmsData
2010-11-13 15:37:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-13 15:36:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 15:36:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 11:42:52 191 ----a-w- c:\docume~1\owner\applic~1\sdfsdfgdsfgh.bat
2010-11-04 23:19:47 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2010-11-03 15:16:26 -------- d-----w- c:\docume~1\owner\applic~1\Spacejock Software
2010-11-03 15:15:41 -------- d-----w- c:\program files\yWriter5
2010-10-31 17:05:12 -------- d-----w- c:\program files\Veetle

==================== Find3M ====================

2010-09-18 16:23:26 974848 ------w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-15 04:05:39 398744 ----a-r- c:\windows\system32\cpnprt2.cid
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ------w- c:\windows\system32\win32k.sys

============= FINISH: 11:59:33.81 ===============


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-28 17:11:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3100011A rev.3.02
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxwyrfod.sys


---- System - GMER 1.0.15 ----

SSDT 8A7A2420 ZwAllocateVirtualMemory
SSDT 8A7CE1C8 ZwCreateKey
SSDT 8A79E3D8 ZwCreateProcess
SSDT 8A7FC0D0 ZwCreateProcessEx
SSDT 8A78FB80 ZwCreateThread
SSDT 8A7CE150 ZwDeleteKey
SSDT 8A7B21E8 ZwDeleteValueKey
SSDT 8A7A2498 ZwQueueApcThread
SSDT 8A7A2330 ZwReadVirtualMemory
SSDT 8A7C6830 ZwRenameKey
SSDT 8A7A2588 ZwSetContextThread
SSDT 8A78FF80 ZwSetInformationKey
SSDT 8A78F230 ZwSetInformationProcess
SSDT 8A78E168 ZwSetInformationThread
SSDT 8A7FBFA8 ZwSetValueKey
SSDT 8A78FBF8 ZwSuspendProcess
SSDT 8A7A2510 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB7D78620]
SSDT 8A78E1E0 ZwTerminateThread
SSDT 8A7A23A8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 150 804E27BC 4 Bytes CALL 2AD8A2E2
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xBA530300]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SSFS0BB9.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 8A6B8818
Device \Driver\Tcpip \Device\Ip 8A3A2A88

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Tcp 8A6B8818
Device \Driver\Tcpip \Device\Tcp 8A3A2A88

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Udp 8A6B8818
Device \Driver\Tcpip \Device\Udp 8A3A2A88

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\RawIp 8A6B8818
Device \Driver\Tcpip \Device\RawIp 8A3A2A88

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\IPMULTICAST 8A6B8818
Device \Driver\Tcpip \Device\IPMULTICAST 8A3A2A88
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat SSFS0BB9.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----

Edited by luvmyludwig, 28 November 2010 - 06:04 PM.
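The DDS, Firefox-policy and GMER registry sections above contain several of the classic warning signs a helper scans for by eye: an autorun entry handing a random-named DLL in the Windows root to rundll32.exe, toolbar and BHO registrations whose file is gone ("No File"), a forced keyword.URL search redirector, leftover TDSSserv service keys, LoadAppInit_DLLs switched on, and a directory literally named %APPDATA%. The script below is an added example written for this thread, not a tool from BleepingComputer or from the log utilities involved; it runs a small set of regex heuristics over DDS-style lines so the same triage can be repeated consistently. The sample lines are constructed here and modelled on the posted logs, and the rule names and patterns are the author's own assumptions about what is worth flagging, not signatures from any product.

```python
import re

# Constructed sample lines, modelled on the DDS "Pseudo HJT Report", Firefox
# policy and GMER registry sections posted in this thread (not copied from it).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Vqevoruk] rundll32.exe "c:\windows\ufugaxey.dll",Startup
BHO: {1C3C4699-B285-475F-BE47-0B26088CE876} - No File
TB: {F06E2ABE-3A50-4079-BE25-FC100D9EAA25} - No File
FF - user.js: keyword.URL - hxxp://search.example.invalid/?sid=1&s=
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
2010-11-27 01:26:08 -------- d-----w- c:\windows\system32\%APPDATA%
"""

# Heuristic rules (hypothetical names chosen for this example). Each one is a
# (rule_name, compiled_regex) pair applied to a single stripped log line.
RULES = [
    # uRun/mRun/dRunOnce entry that passes a DLL sitting directly in the
    # Windows root (not system32) to rundll32.exe.
    ("rundll32_dll_in_windows_root",
     re.compile(r'^[umd]Run\w*:.*rundll32\.exe\s+"?c:\\windows\\[^\\"]+\.dll"?', re.I)),
    # Browser helper object / toolbar / explorer bar whose file no longer exists.
    ("orphaned_browser_extension",
     re.compile(r'^(BHO|TB|EB):.*-\s*No File$', re.I)),
    # Firefox user.js policy forcing keyword.URL to an external search redirector.
    ("firefox_keyword_url_override",
     re.compile(r'^FF - user\.js: keyword\.URL - ', re.I)),
    # Leftover TDSS/TDL rootkit service registration in any control set.
    ("tdss_service_key",
     re.compile(r'\\Services\\TDSSserv@', re.I)),
    # AppInit_DLLs loading enabled: every process that imports user32 loads the listed DLLs.
    ("appinit_dlls_enabled",
     re.compile(r'@LoadAppInit_DLLs\s+1$', re.I)),
    # A directory literally named after an unexpanded environment variable.
    ("literal_env_var_dir",
     re.compile(r'\\%[A-Z]+%\s*$', re.I)),
]


def triage(log_text):
    """Return (rule_name, line) pairs for every non-empty line that matches a rule."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((name, line))
    return hits


def rule_names(log_text):
    """Sorted, de-duplicated list of rule names that fired on the log."""
    return sorted({name for name, _ in triage(log_text)})


if __name__ == "__main__":
    for name, line in triage(SAMPLE_LOG):
        print(f"{name:30} {line}")
```

Feed it the text of a pasted DDS or GMER log and review every hit by hand; the rules are deliberately narrow so that legitimate entries such as the ctfmon.exe and HP updater autoruns in the sample produce no output.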




#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:31 PM

Posted 30 November 2010 - 03:12 PM

Hello luvmyludwig ,


Let's deal with the bigger infection first, then we'll get rid of WhiteSmoke.


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to luvmyludwig.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 luvmyludwig

luvmyludwig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:31 PM

Posted 30 November 2010 - 06:09 PM

Thanks so much for helping me :)

Ok, I still can not remove AVG Free, so I can't run ComboFix.
I am getting the error: "Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Access is denied.
"


Thanks in advance :)

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:31 PM

Posted 30 November 2010 - 06:17 PM

You're most welcome :)


Grrr.....all right. See if it will run without uninstalling it. If not, then run ComboFix in Safe Mode. I know it's a pain, but we have to run this to get at the bad stuff.

Thanks,
tea

#5 luvmyludwig

luvmyludwig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:31 PM

Posted 30 November 2010 - 06:25 PM

It won't run, but I'll run it in Safe Mode. I'll post as soon as I can.

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:31 PM

Posted 30 November 2010 - 06:31 PM

I'll be here when you're ready.

#7 luvmyludwig

luvmyludwig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:31 PM

Posted 30 November 2010 - 06:51 PM

Tried to go into Safe Mode and got THE BLUE SCREEN. Ahhhhhhhhh!

I am able to go in normal mode only.

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:31 PM

Posted 30 November 2010 - 06:56 PM

Did you try AVG's uninstaller on their page? Try renaming ComboFix.exe to ludwig.exe and see if it will run that way. :)

#9 luvmyludwig

luvmyludwig
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:31 PM

Posted 30 November 2010 - 07:46 PM

After I replied last time I googled like a mad woman and got the AVG removed. I was able to run ComboFix as is, log below. Whoo hoo!

ComboFix 10-11-30.02 - Owner 11/30/2010 19:22:49.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2031.1507 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Application Data\.#
c:\documents and settings\Owner\Application Data\install
c:\documents and settings\Owner\err.log
c:\documents and settings\Owner\Local Settings\Application Data\{8C4A0B36-54DF-4B5D-A3C4-38D9A1B6A31F}
c:\documents and settings\Owner\Local Settings\Application Data\{8C4A0B36-54DF-4B5D-A3C4-38D9A1B6A31F}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{8C4A0B36-54DF-4B5D-A3C4-38D9A1B6A31F}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{8C4A0B36-54DF-4B5D-A3C4-38D9A1B6A31F}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{8C4A0B36-54DF-4B5D-A3C4-38D9A1B6A31F}\install.rdf
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\cookies.sqlite
c:\program files\Internet Explorer\msimg32.dll
c:\program files\whitesmoketoolbar\whITesmoketoolbarx.dll
c:\windows\system32\err.log
c:\windows\system32\Thumbs.db
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\ufugaxey.dll
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://download.yimg.com
.
((((((((((((((((((((((((( Files Created from 2010-11-01 to 2010-12-01 )))))))))))))))))))))))))))))))
.

2010-11-28 14:36 . 2010-11-28 14:36 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-11-28 14:36 . 2010-11-28 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-28 14:35 . 2010-11-28 14:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-27 14:59 . 2010-11-27 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-11-27 14:25 . 2010-11-27 14:25 -------- d-----w- c:\documents and settings\Owner\MustBeRandomlyNamed
2010-11-27 14:14 . 2010-11-27 14:14 -------- d-----w- c:\program files\7-Zip
2010-11-27 12:59 . 2010-11-27 12:59 -------- d-----w- c:\documents and settings\Owner\Application Data\whitesmoketoolbar
2010-11-27 01:32 . 2010-11-27 01:32 -------- d-----w- c:\documents and settings\NetworkService\Application Data\WhiteSmokeTranslator
2010-11-27 01:27 . 2010-11-27 01:27 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-11-27 01:27 . 2010-11-27 01:27 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-11-27 01:27 . 2010-11-27 01:27 -------- d-----w- c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
2010-11-27 01:26 . 2010-12-01 00:27 -------- d-----w- c:\program files\whitesmoketoolbar
2010-11-27 01:26 . 2010-11-27 01:26 -------- d-----w- c:\program files\WhiteSmoke Translator
2010-11-27 01:26 . 2010-11-27 01:26 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-26 23:14 . 2010-11-30 22:48 0 ----a-w- c:\windows\Imaviqejivuluyet.bin
2010-11-26 23:12 . 2010-11-28 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2010-11-26 21:05 . 2010-11-26 21:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-11-26 20:57 . 2010-11-26 20:57 0 ----a-w- c:\windows\system32\lsp5AE.tmp
2010-11-17 04:41 . 2010-11-17 04:41 323624 ----a-w- c:\windows\system32\wiaaut.dll
2010-11-13 23:06 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-13 22:47 . 2010-11-13 22:47 -------- d-----w- c:\windows\system32\NtmsData
2010-11-13 15:37 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-13 15:36 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 15:36 . 2010-11-13 15:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 11:42 . 2010-11-13 11:42 191 ----a-w- c:\documents and settings\Owner\Application Data\sdfsdfgdsfgh.bat
2010-11-04 23:19 . 2010-11-04 23:19 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2010-11-03 15:16 . 2010-11-03 15:16 -------- d-----w- c:\documents and settings\Owner\Application Data\Spacejock Software
2010-11-03 15:15 . 2010-11-03 15:15 -------- d-----w- c:\program files\yWriter5
2010-11-01 20:20 . 2010-11-01 20:20 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2005-03-23 16:52 974848 ------w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2005-03-23 16:52 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2005-03-23 16:52 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2005-03-23 16:52 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-15 04:05 . 2010-05-05 22:51 398744 ----a-r- c:\windows\system32\cpnprt2.cid
2010-09-10 05:58 . 2005-03-23 16:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2005-03-23 16:52 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2005-03-23 16:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-05 68856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-26 51048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-02 149280]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Launch Whitesmoke Translator.lnk - c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe [2010-11-26 671744]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IBP 9\\IBP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S2 CWMonitor;Symantec Crimeware Protection Driver;\??\c:\program files\Common Files\Symantec Shared\coShared\CW\1.5\CO_Mon.sys --> c:\program files\Common Files\Symantec Shared\coShared\CW\1.5\CO_Mon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/31/2010 12:06 PM 136176]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-12-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-05 19:19]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 17:05]

2010-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 17:05]

2005-08-27 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-23 00:12]

2010-12-01 c:\windows\Tasks\User_Feed_Synchronization-{002B2A0E-694E-46E7-A0F8-8779E4FBAB52}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: gistweb.com
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2103525&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.sparkpeople.com/myspark/web_search.asp|http://www.squidoo.com/lensmaster/comments
FF - prefs.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{32be036a-4d7a-44e7-827d-4cb5b3da428f}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{32be036a-4d7a-44e7-827d-4cb5b3da428f}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{875a8012-d292-45be-a1c6-4d39e358414f}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{875a8012-d292-45be-a1c6-4d39e358414f}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{d4a0aade-baf5-4f72-b3d8-166ccb4dab29}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{d4a0aade-baf5-4f72-b3d8-166ccb4dab29}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\WorldWinner.com, Inc\WorldWinner Games\npwwload.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Squidoo: {5d67eb1e-2b10-4538-8321-74a5ec8ccf96} - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{5d67eb1e-2b10-4538-8321-74a5ec8ccf96}
FF - Extension: tagfoot: sidefoot: tagfootsidefoot@tagfoot.com - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\tagfootsidefoot@tagfoot.com
FF - Extension: SquidUtils Community Toolbar: {32be036a-4d7a-44e7-827d-4cb5b3da428f} - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{32be036a-4d7a-44e7-827d-4cb5b3da428f}
FF - Extension: Clipmarks: {e1170235-2845-420c-acc3-42261a29dd46} - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{e1170235-2845-420c-acc3-42261a29dd46}
FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Extension: WelcomeToSquidoo Toolbar: {d4a0aade-baf5-4f72-b3d8-166ccb4dab29} - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{d4a0aade-baf5-4f72-b3d8-166ccb4dab29}
FF - Extension: FLYLADY 1024: bnftclt668@benefitbar.com - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\bnftclt668@benefitbar.com
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Extension: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Extension: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Extension: Zotero: zotero@chnm.gmu.edu - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\zotero@chnm.gmu.edu
FF - Extension: Submit It Community Toolbar: {875a8012-d292-45be-a1c6-4d39e358414f} - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\{875a8012-d292-45be-a1c6-4d39e358414f}
FF - Extension: TextFormatting Toolbar: format.bar@codefisher.org - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\format.bar@codefisher.org
FF - Extension: vShare Plugin: vshare@toolbar - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8t938ia3.default\extensions\vshare@toolbar
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Owner\Application Data\Move Networks

---- FIREFOX POLICIES ----
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Vqevoruk - c:\windows\ufugaxey.dll
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil9e.exe
Notify-avgrsstarter - avgrsstx.dll
AddRemove-{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\Google Toolbar\Component\GoogleToolbarManager_0531C63A913CC9D1.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-30 19:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,37,2f,b2,8d,d8,75,69,43,b1,56,57,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,37,2f,b2,8d,d8,75,69,43,b1,56,57,\

[HKEY_LOCAL_MACHINE\System\ControlSet003\Hardware Profiles\0001\System\CurrentControlSet\Enum\*
*\DirectSound\Device Presence]
"VxD"=dword:00000001
"WDM"=dword:00000001

[HKEY_LOCAL_MACHINE\System\ControlSet003\Hardware Profiles\0001\System\CurrentControlSet\Enum\*
*\DirectSound\Mixer Defaults]
"Acceleration"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-11-30 19:42:17
ComboFix-quarantined-files.txt 2010-12-01 00:41

Pre-Run: 54,948,474,880 bytes free
Post-Run: 56,438,996,992 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 38FD60A07D2BB50FE976BDC411B07309

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:31 PM

Posted 30 November 2010 - 07:53 PM

YAY!!! :clapping:

Now see if you can update MBAM and have a scan with it. It'll take out WhiteSmoke if it will run. :thumbup2:

tea

#11 luvmyludwig

luvmyludwig
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:31 PM

Posted 30 November 2010 - 08:43 PM

Did an MBAM Quick Scan and it found over 800 problems :o All removed successfully.
I was then able to remove the WhiteSmoke Translator via Add/Remove Programs.

I will do a full scan with MBAM... Last time I gave up after 6 hours....

Is there anything else I should do?

Also, what do you recommend for virus protection that is free? I have SUPERAntiSpyware and Malwarebytes right now (since I removed the AVG Free).

Thank you so much for helping me, and please let me know if there's anything else I should do. :)

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:31 PM

Posted 30 November 2010 - 08:50 PM

Hi there,

You're most welcome. :)

Yes, I knew there would be a ton of those taken out with MBAM. :thumbup2:

Uninstall ComboFix by doing the following:

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

I use Avira on my own system. It's one of the very best, and it's free. http://www.free-av.com/

Let me know how it's running and do let me know what MBAM finds. :thumbup2:

Thanks,
tea

#13 luvmyludwig

luvmyludwig
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:31 PM

Posted 01 December 2010 - 05:26 AM

ComboFix uninstalled. Did a full MBAM scan and it found nothing the quick scan didn't pick up. Computer running like a champ. :busy: :clapping:

Thank you so much. :)

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:31 PM

Posted 04 December 2010 - 10:02 PM

You're most welcome. :)

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.