
Sick Laptop (Hiloti)


  • This topic is locked
15 replies to this topic

#1 betc

  • Members
  • 35 posts

Posted 17 January 2011 - 03:02 PM

Scan Results...please advise next step.... and thank you


DDS (Ver_10-12-12.02) - NTFSx86
Run by ceresiab at 10:58:06.32 on Mon 01/17/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1916.927 [GMT -6:00]

AV: AVG Anti-Virus Network Edition *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\UCService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Activ Software\Activdriver\ActivControl2.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\QuickTime Alternative\qttask.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Activ Software\Activdriver\activmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\connect.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\SMART Technologies\SMART Product Drivers\Aware.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\Marker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ceresiab\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\youtube downloader toolbar\SearchSettings.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies\smart notebook\NotebookPlugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\youtube downloader toolbar\SearchSettings.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\1.0\youtubedownloaderToolbarIE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\1.0\youtubedownloaderToolbarIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Lnihuyagasutiya] rundll32.exe "c:\windows\prvcows.dll",Startup
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [ActivControl] c:\program files\activ software\activdriver\ActivControl2.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [SearchSettings] "c:\program files\youtube downloader toolbar\SearchSettings.exe"
mRun: [Qnolosifaduju] rundll32.exe "c:\windows\okogiwabafit.dll",Startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\logonhelper.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartb~1.lnk - c:\program files\smart technologies\smart product drivers\SMARTBoardTools.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248116776750
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248180332453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-7-21 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-21 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-21 27784]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2010-2-19 380928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-21 297752]
R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\belkin\belkin usb print and storage center\BkBackupScheduler.exe [2011-1-16 152064]
R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\belkin\belkin usb print and storage center\Bkapcs.exe [2011-1-16 49152]
R2 nidimk;nidimk;c:\windows\system32\drivers\nidimk.dll [2003-4-23 107102]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmk.dll [2003-4-18 36463]
R2 SMART Display Controller;SMART Display Controller;c:\program files\smart technologies\smart product drivers\UCService.exe [2010-7-15 844688]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2008-12-17 55424]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2009-7-21 4352]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2011-1-16 246936]
S2 gupdate1ca6237eccedfb0;Google Update Service (gupdate1ca6237eccedfb0);c:\program files\google\update\GoogleUpdate.exe [2009-11-10 133104]
S3 ACTIVhidmini;Promethean USB Board Driver;c:\windows\system32\drivers\ACTIVhidmini.sys [2009-7-21 58240]
S3 LTower;LEGO USB Tower Driver;c:\windows\system32\drivers\LTower.sys [2004-1-22 39936]
S3 NiViPxiK;NiViPxiK;c:\windows\system32\drivers\NiViPxiK.sys [2003-6-24 17920]
S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\smart technologies\smart product drivers\SMARTSNMPAgent.exe [2010-7-15 1662352]

=============== Created Last 30 ================

2011-01-16 17:08:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Affinegy
2011-01-16 17:06:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\Belkin
2011-01-16 17:06:03 246936 ----a-w- c:\windows\system32\drivers\sxuptp.sys
2011-01-16 17:05:51 27072 ----a-w- c:\windows\system32\drivers\AFGSp50.sys
2011-01-16 17:05:37 -------- d-----w- c:\program files\Belkin
2011-01-12 02:50:32 0 ----a-w- c:\windows\Mjakera.bin
2011-01-12 02:50:30 -------- d-----w- c:\docume~1\ceresiab\locals~1\applic~1\{A17AF450-42A8-41B5-9709-03CED7478E0B}
2011-01-09 19:33:31 -------- d-----w- c:\docume~1\ceresiab\locals~1\applic~1\SMART Technologies
2011-01-05 12:56:34 110592 ----a-w- c:\windows\system32\tsccvid.dll
2011-01-05 12:54:39 -------- d-----w- c:\windows\SxsCaPendDel
2011-01-05 12:50:13 -------- d-----w- c:\docume~1\ceresiab\locals~1\applic~1\Downloaded Installations

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 10:58:37.96 ===============
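A defender-side check for the two loader entries in the DDS log above (the rundll32 lines under uRun/mRun). This is an added example, not part of the original post or of the DDS tool; the sample lines are copied from the log above and the heuristics (DLL sitting directly in the Windows directory, entry point named "Startup") are my own.

```python
"""Flag rundll32-style Run-key loaders in a DDS 'Pseudo HJT Report'.

Added example, not from the original post or from DDS. It looks for the
pattern the two Hiloti entries in this thread share: rundll32.exe loading a
DLL that sits directly in the Windows directory (not system32) through an
export named "Startup". Sample lines are copied from the DDS log above.
"""
import re
from dataclasses import dataclass

# Constructed sample: a few Run entries from the log above, two of them malicious.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Lnihuyagasutiya] rundll32.exe "c:\windows\prvcows.dll",Startup
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Qnolosifaduju] rundll32.exe "c:\windows\okogiwabafit.dll",Startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [<NO NAME>]
"""

# DDS shorthand: uRun = HKCU ...\CurrentVersion\Run, mRun = HKLM ...\CurrentVersion\Run
HIVE = {"u": "HKCU", "m": "HKLM"}
RUN_LINE = re.compile(r"^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# rundll32[.exe] <dll>,<export>, with the DLL path optionally quoted.
RUNDLL_CMD = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE
)
# A DLL directly under the Windows directory (no subfolder such as system32).
WINDOWS_ROOT_DLL = re.compile(
    r"^(?:[a-z]:\\windows|%windir%|%systemroot%)\\[^\\]+\.dll$", re.IGNORECASE
)


@dataclass
class Finding:
    hive: str
    name: str
    dll: str
    export: str
    reasons: list


def assess(hive_letter, name, cmd):
    """Return a Finding for a suspicious rundll32 loader, else None."""
    m = RUNDLL_CMD.match(cmd.strip())
    if not m:
        return None
    dll, export = m.group("dll").strip(), m.group("export")
    reasons = []
    if WINDOWS_ROOT_DLL.match(dll):
        reasons.append("DLL lives directly in the Windows directory, not in system32")
    if export.lower() == "startup":
        reasons.append("loaded through an export named 'Startup'")
    if not reasons:
        return None
    return Finding(HIVE[hive_letter], name, dll, export, reasons)


def scan_dds(text):
    """Parse every uRun:/mRun: line and collect the suspicious ones, in order."""
    findings = []
    for raw in text.splitlines():
        m = RUN_LINE.match(raw.strip())
        if not m:
            continue
        f = assess(m.group("hive"), m.group("name"), m.group("cmd"))
        if f:
            findings.append(f)
    return findings


def registry_path(f):
    """Full registry value path a responder would inspect for a finding."""
    return f"{f.hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\{f.name}"


if __name__ == "__main__":
    for f in scan_dds(SAMPLE_DDS):
        print(f"{registry_path(f)} -> {f.dll},{f.export}")
        for r in f.reasons:
            print(f"    - {r}")
```

The same two value names reappear in the ComboFix "ORPHANS REMOVED" section of the next post, which is the confirmation a responder would look for after cleanup.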


#2 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 17 January 2011 - 03:15 PM

Hello,

You're still infected. First we need to get AVG completely uninstalled. It will prevent my tools from working. Then we will nuke the malware. :thumbup2:

Do this...

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

AVG

Additional instructions can be found here if needed.

==========

Next....

Download and run AppRemover.
http://www.appremover.com/

==========

After that....

Please download ComboFix from one of these locations:

Link 1
Link 2

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

Finally....

Please download and install Microsoft Security Essentials instead of AVG
http://www.microsoft.com/security_essentials/

Don't run a scan yet please!

How is your computer running now?

Regards,
thcbytes
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 betc
  • Topic Starter

  • Members
  • 35 posts

Posted 17 January 2011 - 05:06 PM

Machine rebooted, seems to be running fine, still have those pop ups with the 'rundll' - ran ComboFix... log below... have not downloaded any 'protection' yet, feel a little vulnerable.

ComboFix 11-01-16.04 - ceresiab 01/17/2011 15:30:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1916.1454 [GMT -6:00]
Running from: c:\documents and settings\ceresiab\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ceresiab\LOCALS~1\Temp\1.tmp\F_IN_BOX.dll
c:\documents and settings\ceresiab\Local Settings\Application Data\{A17AF450-42A8-41B5-9709-03CED7478E0B}
c:\documents and settings\ceresiab\Local Settings\Application Data\{A17AF450-42A8-41B5-9709-03CED7478E0B}\chrome.manifest
c:\documents and settings\ceresiab\Local Settings\Application Data\{A17AF450-42A8-41B5-9709-03CED7478E0B}\chrome\content\_cfg.js
c:\documents and settings\ceresiab\Local Settings\Application Data\{A17AF450-42A8-41B5-9709-03CED7478E0B}\chrome\content\overlay.xul
c:\documents and settings\ceresiab\Local Settings\Application Data\{A17AF450-42A8-41B5-9709-03CED7478E0B}\install.rdf
c:\documents and settings\ceresiab\Local Settings\Temp\1.tmp\F_IN_BOX.dll
c:\program files\YouTube Downloader Toolbar\IE\1.0\yoUTubedownloadertoolbarie.dll
c:\program files\YouTube Downloader Toolbar\SeARchsettings.dll
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\twunk_32.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-17 to 2011-01-17 )))))))))))))))))))))))))))))))
.

2011-01-16 17:08 . 2011-01-16 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Affinegy
2011-01-16 17:06 . 2011-01-16 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2011-01-16 17:06 . 2009-06-22 22:50 246936 ----a-w- c:\windows\system32\drivers\sxuptp.sys
2011-01-16 17:05 . 2010-06-24 00:12 27072 ----a-w- c:\windows\system32\drivers\AFGSp50.sys
2011-01-16 17:05 . 2011-01-16 17:06 -------- d-----w- c:\program files\Belkin
2011-01-12 02:50 . 2011-01-16 17:08 0 ----a-w- c:\windows\Mjakera.bin
2011-01-09 19:33 . 2011-01-09 19:33 -------- d-----w- c:\documents and settings\ceresiab\Local Settings\Application Data\SMART Technologies
2011-01-05 12:56 . 2003-02-15 01:14 110592 ----a-w- c:\windows\system32\tsccvid.dll
2011-01-05 12:54 . 2011-01-07 17:18 -------- d-----w- c:\windows\SxsCaPendDel
2011-01-05 12:50 . 2011-01-05 12:58 -------- d-----w- c:\documents and settings\ceresiab\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2009-07-20 18:20 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2008-04-14 10:42 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2008-04-14 10:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:26 . 2008-04-14 10:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-03 12:25 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-14 05:27 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-04-14 10:39 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-04-14 06:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-20 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-03 170520]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 16860672]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2009-03-05 585728]
"ActivControl"="c:\program files\Activ Software\Activdriver\ActivControl2.exe" [2009-01-20 1074688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-03 141848]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-03 150040]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
"EPSON Stylus Photo R320 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 98304]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-01 155648]
"SearchSettings"="c:\program files\YouTube Downloader Toolbar\SearchSettings.exe" [2010-02-20 974848]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-12-3 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
logonhelper.bat [2010-4-28 36]
SMART Board Tools.lnk - c:\program files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe [2010-7-15 12375952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4143790956-3411844817-695408471-1198\Scripts\Logon\0\0]
"Script"=flush.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4143790956-3411844817-695408471-2797\Scripts\Logon\0\0]
"Script"=m86.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4143790956-3411844817-695408471-4049\Scripts\Logon\0\0]
"Script"=flush.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-21 12:17 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Belkin\\Belkin USB Print and Storage Center\\Connect.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19540:UDP"= 19540:UDP:SXUPTP

R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2/19/2010 6:43 PM 380928]
R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [1/16/2011 11:06 AM 152064]
R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [1/16/2011 11:06 AM 49152]
R2 nidimk;nidimk;c:\windows\system32\drivers\nidimk.dll [4/23/2003 8:15 PM 107102]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmk.dll [4/18/2003 1:45 PM 36463]
R2 SMART Display Controller;SMART Display Controller;c:\program files\SMART Technologies\SMART Product Drivers\UCService.exe [7/15/2010 4:48 PM 844688]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [12/17/2008 8:42 AM 55424]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [7/21/2009 8:48 AM 4352]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [1/16/2011 11:06 AM 246936]
S2 gupdate1ca6237eccedfb0;Google Update Service (gupdate1ca6237eccedfb0);c:\program files\Google\Update\GoogleUpdate.exe [11/10/2009 12:59 PM 133104]
S3 ACTIVhidmini;Promethean USB Board Driver;c:\windows\system32\drivers\ACTIVhidmini.sys [7/21/2009 8:48 AM 58240]
S3 LTower;LEGO USB Tower Driver;c:\windows\system32\drivers\LTower.sys [1/22/2004 11:15 PM 39936]
S3 NiViPxiK;NiViPxiK;c:\windows\system32\drivers\NiViPxiK.sys [6/24/2003 6:41 PM 17920]
S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe [7/15/2010 4:48 PM 1662352]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2011-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-10 18:59]

2011-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-10 18:59]

2011-01-17 c:\windows\Tasks\User_Feed_Synchronization-{E06203A3-D0B2-4DD5-B161-4ECBC7DE76AD}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
HKCU-Run-Lnihuyagasutiya - c:\windows\prvcows.dll
HKLM-Run-Qnolosifaduju - c:\windows\okogiwabafit.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-17 15:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Photodex\ProShowGold\ScsiAccess.exe
c:\program files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe
c:\windows\system32\TODDSrv.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\nipalsm.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Activ Software\Activdriver\activmgr.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\rundll32.exe
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
c:\windows\system32\authenticat.exe
c:\program files\SMART Technologies\SMART Product Drivers\Aware.exe
c:\program files\SMART Technologies\SMART Product Drivers\Marker.exe
c:\program files\Belkin\Belkin USB Print and Storage Center\connect.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
c:\program files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
.
**************************************************************************
.
Completion time: 2011-01-17 15:48:03 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-17 21:48

Pre-Run: 205,253,414,912 bytes free
Post-Run: 205,650,616,320 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1F47C5FF8B61D54C6EB5246E3FC160D2

#4 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 17 January 2011 - 05:26 PM

Well done. :thumbup2:

have not downloaded any 'protection' yet, feel a little vulnerable

No worries. Stay off the internet except for the sites that I direct you until we get your AV re-installed and all should be good.

==========

After this next run let me know if the popups persist. If so then write down exactly what you see and post it here.

==========

:exclame: Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :exclame:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste all of the text in the quotebox below (including the hyperlink if present) into it:

4. Combofix might upload a few suspicious files. Please allow this!!

File::
c:\windows\Mjakera.bin
c:\windows\okogiwabafit.dll
c:\windows\prvcows.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Qnolosifaduju"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lnihuyagasutiya"=-



Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Open MBAM, press the update tab, then run it again. Post the log.

==========

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

==========

As per our discussions via PM, please re-install AVG
http://dw.com.com/redir?edId=3&siteId=4&oId=3000-2239_4-10320142&ontId=2239_4&spi=f8629cb2cc0abee715bec262f18acae5&lop=link&tag=tdw_dltext&ltype=dl_dlnow&pid=11668370&mfgId=10044820&merId=10044820&pguid=PU08JQoOYJAAAE5A8ugAAABT&destUrl=http%3A%2F%2Fdownload.cnet.com%2F3001-2239_4-10320142.html%3Fspi%3Df8629cb2cc0abee715bec262f18acae5%26part%3Ddl-10044820

Pay attention. Uncheck any offers for toolbars and do not provide any personal information!

==========

Run DDS and post the log.

==========

  • Click on Start, then Run.
  • Copy and Paste the green bold text below in to the Run Box:

cmd /c dir /a /s C:\QooBox >log.txt&start log.txt


  • Then click on OK.
  • A Text File will open up, please Copy and Paste the contents in your next reply.

Regards,
thcbytes

Edited by thcbytes, 17 January 2011 - 05:41 PM.
Additional instructions

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
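The CFScript above is a small text format that ComboFix reads when the file is dropped onto its executable. The following is an added example, my own code rather than ComboFix's or thcbytes', that parses the File:: and Registry:: sections of such a script and lists each action in plain words, so that whoever is about to run a script can confirm what it removes before running it. Its reading of the format is an assumption stated in the code: File:: lines are paths to delete, and Registry:: uses .reg syntax, where "Name"=- deletes a value, "Name"=data sets one, and [-key] deletes a key. Any other ComboFix directive is rejected rather than guessed at. The sample input is the script from the post above.

```python
"""Reader for a ComboFix CFScript.txt (an added example, not ComboFix's own code).

It walks the File:: and Registry:: sections of a script like the one posted
above and lists the action each line would cause, so the person about to drag
the script onto ComboFix.exe can see exactly what it does first.

Assumed format (my understanding of the script syntax, not quoted from the thread):
  File::      one path per line; each listed file is deleted (quarantined).
  Registry::  .reg-style text; [key] opens a key, [-key] deletes a key,
              "Name"=- deletes a value and "Name"=data sets it.
Sections other than these two are refused, because a script should not be
run on the strength of a guess about what a directive does.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SECTION_RE = re.compile(r"^([A-Za-z0-9]+)::$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.+)$')


@dataclass(frozen=True)
class Action:
    kind: str            # delete_file | delete_key | delete_value | set_value
    target: str          # file path or registry key
    name: str = ""       # value name (registry only)
    data: str = ""       # new data (set_value only)


def parse_cfscript(text: str) -> List[Action]:
    """Turn CFScript text into a list of Action records, in script order."""
    actions: List[Action] = []
    section: Optional[str] = None
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            key = None
            continue
        if section == "file":
            actions.append(Action("delete_file", line))
        elif section == "registry":
            if line.upper() == "REGEDIT4":
                continue                      # header line, no action
            m = KEY_RE.match(line)
            if m:
                minus, key = m.group(1), m.group(2)
                if minus:                     # [-HKEY...] removes the whole key
                    actions.append(Action("delete_key", key))
                    key = None
                continue
            m = VALUE_RE.match(line)
            if m and key:
                name, data = m.group(1), m.group(2).strip()
                if data == "-":
                    actions.append(Action("delete_value", key, name))
                else:
                    actions.append(Action("set_value", key, name, data))
            else:
                raise ValueError(f"unexpected line in Registry:: section: {line!r}")
        elif section is None:
            raise ValueError(f"line before any section header: {line!r}")
        else:
            raise ValueError(f"unsupported section {section!r}: {line!r}")
    return actions


def describe(actions: List[Action]) -> List[str]:
    """Human-readable one-liners, one per action."""
    out = []
    for a in actions:
        if a.kind == "delete_file":
            out.append(f"delete file {a.target}")
        elif a.kind == "delete_key":
            out.append(f"delete key {a.target}")
        elif a.kind == "delete_value":
            out.append(f"delete value {a.name!r} under {a.target}")
        else:
            out.append(f"set value {a.name!r} under {a.target} to {a.data}")
    return out


# The script thcbytes posted above, reproduced here as the sample input.
SAMPLE_SCRIPT = r"""
File::
c:\windows\Mjakera.bin
c:\windows\okogiwabafit.dll
c:\windows\prvcows.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Qnolosifaduju"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lnihuyagasutiya"=-
"""

if __name__ == "__main__":
    for line in describe(parse_cfscript(SAMPLE_SCRIPT)):
        print(line)
```

Run stand-alone it prints five lines: three file deletions under c:\windows and two Run-value deletions, one per hive. Refusing unknown sections is deliberate: the same "do not run a script you do not understand" rule the warning above states.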

#5 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:35 PM

Posted 17 January 2011 - 10:22 PM

Keep your questions here please.

In regards to the router that should not be a concern. We will address it later.

Malwarebytes' Anti-Malware (MBAM) is already installed on your computer. I see it in the logs you provided.

If you do not see the desktop icon then do this....

  • Simultaneously press the "Windows logo" on the keyboard and the letter "R"
  • Copy and paste the green bolded text in the run box and press OK
    "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
  • MBAM will open
  • Press the Update tab and allow the program to update
  • After a successful update scan your computer and post the log

Next...

Follow all the other steps I outlined in my previous post.

With your next post please provide...

  • Exact popup message if still present
  • New Combofix log
  • MBAM log
  • ESET log
  • DDS log
  • Log.txt
  • How is your computer running?
Regards,
thcbytes

#6 betc

betc
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 17 January 2011 - 11:13 PM

Do I need to restart the ESET scan - since I did not clean up the malware threats first?

#7 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:35 PM

Posted 17 January 2011 - 11:20 PM

No. Just re-run MBAM after ESET and remove the threats. Be sure to save the logs to post for my review.

#8 betc

betc
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 18 January 2011 - 01:46 AM

No longer getting popup messages

Combofix log

ComboFix 11-01-17.03 - ceresiab 01/17/2011 19:57:41.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1916.1399 [GMT -6:00]
Running from: c:\documents and settings\ceresiab\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ceresiab\Desktop\CFScript.txt

FILE ::
"c:\windows\Mjakera.bin"
"c:\windows\okogiwabafit.dll"
"c:\windows\prvcows.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ceresiab\LOCALS~1\Temp\1.tmp\F_IN_BOX.dll
c:\documents and settings\ceresiab\Local Settings\Temp\1.tmp\F_IN_BOX.dll
c:\windows\Mjakera.bin

.
((((((((((((((((((((((((( Files Created from 2010-12-18 to 2011-01-18 )))))))))))))))))))))))))))))))
.

2011-01-16 17:08 . 2011-01-16 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Affinegy
2011-01-16 17:06 . 2011-01-16 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2011-01-16 17:06 . 2009-06-22 22:50 246936 ----a-w- c:\windows\system32\drivers\sxuptp.sys
2011-01-16 17:05 . 2010-06-24 00:12 27072 ----a-w- c:\windows\system32\drivers\AFGSp50.sys
2011-01-16 17:05 . 2011-01-16 17:06 -------- d-----w- c:\program files\Belkin
2011-01-09 19:33 . 2011-01-09 19:33 -------- d-----w- c:\documents and settings\ceresiab\Local Settings\Application Data\SMART Technologies
2011-01-05 12:56 . 2003-02-15 01:14 110592 ----a-w- c:\windows\system32\tsccvid.dll
2011-01-05 12:54 . 2011-01-07 17:18 -------- d-----w- c:\windows\SxsCaPendDel
2011-01-05 12:50 . 2011-01-05 12:58 -------- d-----w- c:\documents and settings\ceresiab\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2009-07-20 18:20 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2008-04-14 10:42 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2008-04-14 10:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:26 . 2008-04-14 10:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-03 12:25 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-14 05:27 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-04-14 10:39 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-04-14 06:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-20 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-03 170520]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 16860672]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2009-03-05 585728]
"ActivControl"="c:\program files\Activ Software\Activdriver\ActivControl2.exe" [2009-01-20 1074688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-03 141848]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-03 150040]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
"EPSON Stylus Photo R320 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 98304]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-01 155648]
"SearchSettings"="c:\program files\YouTube Downloader Toolbar\SearchSettings.exe" [2010-02-20 974848]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-12-3 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
logonhelper.bat [2010-4-28 36]
SMART Board Tools.lnk - c:\program files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe [2010-7-15 12375952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4143790956-3411844817-695408471-1198\Scripts\Logon\0\0]
"Script"=flush.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4143790956-3411844817-695408471-2797\Scripts\Logon\0\0]
"Script"=m86.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4143790956-3411844817-695408471-4049\Scripts\Logon\0\0]
"Script"=flush.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-21 12:17 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Belkin\\Belkin USB Print and Storage Center\\Connect.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19540:UDP"= 19540:UDP:SXUPTP

R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2/19/2010 6:43 PM 380928]
R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [1/16/2011 11:06 AM 152064]
R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [1/16/2011 11:06 AM 49152]
R2 nidimk;nidimk;c:\windows\system32\drivers\nidimk.dll [4/23/2003 8:15 PM 107102]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmk.dll [4/18/2003 1:45 PM 36463]
R2 SMART Display Controller;SMART Display Controller;c:\program files\SMART Technologies\SMART Product Drivers\UCService.exe [7/15/2010 4:48 PM 844688]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [12/17/2008 8:42 AM 55424]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [7/21/2009 8:48 AM 4352]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [1/16/2011 11:06 AM 246936]
S2 gupdate1ca6237eccedfb0;Google Update Service (gupdate1ca6237eccedfb0);c:\program files\Google\Update\GoogleUpdate.exe [11/10/2009 12:59 PM 133104]
S3 ACTIVhidmini;Promethean USB Board Driver;c:\windows\system32\drivers\ACTIVhidmini.sys [7/21/2009 8:48 AM 58240]
S3 LTower;LEGO USB Tower Driver;c:\windows\system32\drivers\LTower.sys [1/22/2004 11:15 PM 39936]
S3 NiViPxiK;NiViPxiK;c:\windows\system32\drivers\NiViPxiK.sys [6/24/2003 6:41 PM 17920]
S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe [7/15/2010 4:48 PM 1662352]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2011-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-10 18:59]

2011-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-10 18:59]

2011-01-17 c:\windows\Tasks\User_Feed_Synchronization-{E06203A3-D0B2-4DD5-B161-4ECBC7DE76AD}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-17 20:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Photodex\ProShowGold\ScsiAccess.exe
c:\program files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe
c:\windows\system32\TODDSrv.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\nipalsm.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Activ Software\Activdriver\activmgr.exe
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
c:\windows\system32\authenticat.exe
c:\program files\SMART Technologies\SMART Product Drivers\Aware.exe
c:\program files\SMART Technologies\SMART Product Drivers\Marker.exe
c:\program files\Belkin\Belkin USB Print and Storage Center\connect.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
c:\program files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
.
**************************************************************************
.
Completion time: 2011-01-17 20:11:22 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-18 02:11
ComboFix2.txt 2011-01-17 21:48

Pre-Run: 205,953,556,480 bytes free
Post-Run: 205,941,190,656 bytes free

- - End Of File - - 83823E56FA910470C4793DBB67FA0752


MBAM log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5543

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/18/2011 12:14:52 AM
mbam-log-2011-01-18 (00-14-52).txt

Scan type: Full scan (C:\|)
Objects scanned: 334120
Time elapsed: 1 hour(s), 1 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET Log

C:\Documents and Settings\ceresiab\Application Data\Sun\Java\Deployment\cache\6.0\47\728428af-1bf15ba0 a variant of Java/TrojanDownloader.OpenStream.NAY trojan
C:\Program Files\YouTube Downloader Toolbar\SearchSettings.exe Win32/Adware.Toolbar.Dealio application
C:\Program Files\YouTube Downloader Toolbar\WidgiHelper.exe Win32/Adware.Toolbar.Dealio application
C:\Qoobox\Quarantine\C\Program Files\YouTube Downloader Toolbar\SearchSettings.dll.vir Win32/Adware.Toolbar.Dealio application
C:\Qoobox\Quarantine\C\Program Files\YouTube Downloader Toolbar\IE\1.0\youtubedownloaderToolbarIE.dll.vir Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{7D636519-62BD-4DD0-ABA8-A88DFB7CF21C}\RP211\A0037598.dll Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{7D636519-62BD-4DD0-ABA8-A88DFB7CF21C}\RP211\A0037599.dll Win32/Adware.Toolbar.Dealio application


DDS log


DDS (Ver_10-12-12.02) - NTFSx86
Run by ceresiab at 0:32:50.34 on Tue 01/18/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1916.1075 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\UCService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Activ Software\Activdriver\ActivControl2.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\QuickTime Alternative\qttask.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Activ Software\Activdriver\activmgr.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\Aware.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\Marker.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\connect.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Documents and Settings\ceresiab\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies\smart notebook\NotebookPlugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [ActivControl] c:\program files\activ software\activdriver\ActivControl2.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\logonhelper.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartb~1.lnk - c:\program files\smart technologies\smart product drivers\SMARTBoardTools.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248116776750
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248180332453
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\belkin\belkin usb print and storage center\BkBackupScheduler.exe [2011-1-16 152064]
R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\belkin\belkin usb print and storage center\Bkapcs.exe [2011-1-16 49152]
R2 nidimk;nidimk;c:\windows\system32\drivers\nidimk.dll [2003-4-23 107102]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmk.dll [2003-4-18 36463]
R2 SMART Display Controller;SMART Display Controller;c:\program files\smart technologies\smart product drivers\UCService.exe [2010-7-15 844688]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2008-12-17 55424]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2009-7-21 4352]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2011-1-16 246936]
S2 gupdate1ca6237eccedfb0;Google Update Service (gupdate1ca6237eccedfb0);c:\program files\google\update\GoogleUpdate.exe [2009-11-10 133104]
S3 ACTIVhidmini;Promethean USB Board Driver;c:\windows\system32\drivers\ACTIVhidmini.sys [2009-7-21 58240]
S3 LTower;LEGO USB Tower Driver;c:\windows\system32\drivers\LTower.sys [2004-1-22 39936]
S3 NiViPxiK;NiViPxiK;c:\windows\system32\drivers\NiViPxiK.sys [2003-6-24 17920]
S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\smart technologies\smart product drivers\SMARTSNMPAgent.exe [2010-7-15 1662352]

=============== Created Last 30 ================

2011-01-18 06:31:42 -------- d-----w- c:\docume~1\ceresiab\applic~1\AVG10
2011-01-18 06:30:39 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-01-18 06:29:27 -------- d-----w- c:\windows\system32\drivers\AVG
2011-01-18 06:29:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-01-18 06:21:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-01-18 03:48:08 -------- d-----w- c:\program files\ESET
2011-01-18 02:40:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-18 02:40:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-18 02:40:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-18 02:40:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-18 01:56:11 -------- d-----w- C:\ComboFix
2011-01-17 21:28:54 -------- d-sha-r- C:\cmdcons
2011-01-17 21:26:22 98816 ----a-w- c:\windows\sed.exe
2011-01-17 21:26:22 89088 ----a-w- c:\windows\MBR.exe
2011-01-17 21:26:22 256512 ----a-w- c:\windows\PEV.exe
2011-01-17 21:26:22 161792 ----a-w- c:\windows\SWREG.exe
2011-01-16 17:08:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Affinegy
2011-01-16 17:06:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\Belkin
2011-01-16 17:06:03 246936 ----a-w- c:\windows\system32\drivers\sxuptp.sys
2011-01-16 17:05:51 27072 ----a-w- c:\windows\system32\drivers\AFGSp50.sys
2011-01-16 17:05:37 -------- d-----w- c:\program files\Belkin
2011-01-09 19:33:31 -------- d-----w- c:\docume~1\ceresiab\locals~1\applic~1\SMART Technologies
2011-01-05 12:56:34 110592 ----a-w- c:\windows\system32\tsccvid.dll
2011-01-05 12:54:39 -------- d-----w- c:\windows\SxsCaPendDel
2011-01-05 12:50:13 -------- d-----w- c:\docume~1\ceresiab\locals~1\applic~1\Downloaded Installations

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 0:33:17.48 ===============


Log
Volume in drive C has no label.
Volume Serial Number is 9819-2B3D

Directory of C:\QooBox

01/17/2011 08:11 PM <DIR> .
01/17/2011 08:11 PM <DIR> ..
01/17/2011 08:10 PM 13,619 Add-Remove Programs.txt
01/17/2011 07:56 PM <DIR> BackEnv
01/17/2011 07:52 PM 282 CFScript_used_2011-01-17_19.57.39.txt
01/17/2011 08:11 PM 2,511 ComboFix-quarantined-files.txt
01/17/2011 03:48 PM 14,010 ComboFix2.txt
01/17/2011 07:57 PM <DIR> Quarantine
01/17/2011 08:10 PM 0 SnapShot@2011-01-18_02.05.56.dat
5 File(s) 30,422 bytes

Directory of C:\QooBox\BackEnv

01/17/2011 07:56 PM <DIR> .
01/17/2011 07:56 PM <DIR> ..
01/17/2011 07:56 PM 512 AppData.folder.dat
01/17/2011 07:56 PM 638 Cache.folder.dat
01/17/2011 07:56 PM 332 Cookies.folder.dat
01/17/2011 07:56 PM 277 Desktop.folder.dat
01/17/2011 07:56 PM 289 Favorites.folder.dat
01/17/2011 07:56 PM 437 History.folder.dat
01/17/2011 07:56 PM 500 LocalAppData.folder.dat
01/17/2011 07:56 PM 440 LocalSettings.folder.dat
01/17/2011 07:56 PM 358 Music.folder.dat
01/17/2011 07:56 PM 230 NetHood.folder.dat
01/17/2011 07:56 PM 304 Personal.folder.dat
01/17/2011 07:56 PM 376 Pictures.folder.dat
01/17/2011 07:56 PM 294 PrintHood.folder.dat
01/17/2011 07:56 PM 381 Profiles.Folder.dat
01/17/2011 07:56 PM 701 Profiles.Folder.folder.dat
01/17/2011 07:56 PM 411 Programs.folder.dat
01/17/2011 07:56 PM 276 Recent.folder.dat
01/17/2011 07:56 PM 276 SendTo.folder.dat
01/17/2011 07:56 PM 5,927 SetPath.bat
01/17/2011 07:56 PM 295 StartMenu.folder.dat
01/17/2011 07:56 PM 467 StartUp.folder.dat
01/17/2011 07:56 PM 2,004 SysPath.dat
01/17/2011 07:56 PM 289 Templates.folder.dat
01/17/2011 07:56 PM 2,192 VikPev00
24 File(s) 18,206 bytes

Directory of C:\QooBox\Quarantine

01/17/2011 07:57 PM <DIR> .
01/17/2011 07:57 PM <DIR> ..
01/17/2011 03:33 PM <DIR> C
01/17/2011 07:56 PM 255 catchme.log
01/17/2011 07:57 PM 0 catchme.txt
01/17/2011 08:10 PM <DIR> Registry_backups
2 File(s) 255 bytes

Directory of C:\QooBox\Quarantine\C

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/17/2011 03:33 PM <DIR> Documents and Settings
01/17/2011 03:33 PM <DIR> DOCUME~1
01/17/2011 03:33 PM <DIR> Program Files
01/17/2011 08:01 PM <DIR> WINDOWS
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/17/2011 03:33 PM <DIR> ceresiab
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\ceresiab

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/17/2011 03:33 PM <DIR> Local Settings
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\ceresiab\Local Settings

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/17/2011 03:33 PM <DIR> Application Data
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\ceresiab\Local Settings\Application Data

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/17/2011 03:33 PM <DIR> {A17AF450-42A8-41B5-9709-03CED7478E0B}
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\ceresiab\Local Settings\Application Data\{A17AF450-42A8-41B5-9709-03CED7478E0B}

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/17/2011 03:33 PM <DIR> chrome
01/11/2011 08:50 PM 122 chrome.manifest.vir
01/11/2011 08:50 PM 764 install.rdf.vir
2 File(s) 886 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\ceresiab\Local Settings\Application Data\{A17AF450-42A8-41B5-9709-03CED7478E0B}\chrome

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/17/2011 03:33 PM <DIR> content
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Documents and Settings\ceresiab\Local Settings\Application Data\{A17AF450-42A8-41B5-9709-03CED7478E0B}\chrome\content

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/11/2011 08:50 PM 5,954 overlay.xul.vir
01/11/2011 08:50 PM 2,130 _cfg.js.vir
2 File(s) 8,084 bytes

Directory of C:\QooBox\Quarantine\C\DOCUME~1

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/17/2011 03:33 PM <DIR> ceresiab
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\DOCUME~1\ceresiab

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/17/2011 03:33 PM <DIR> LOCALS~1
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\DOCUME~1\ceresiab\LOCALS~1

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/17/2011 03:33 PM <DIR> Temp
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\DOCUME~1\ceresiab\LOCALS~1\Temp

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/17/2011 08:01 PM <DIR> 1.tmp
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\DOCUME~1\ceresiab\LOCALS~1\Temp\1.tmp

01/17/2011 08:01 PM <DIR> .
01/17/2011 08:01 PM <DIR> ..
01/17/2011 03:43 PM 180,224 F_IN_BOX.dll.vir
1 File(s) 180,224 bytes

Directory of C:\QooBox\Quarantine\C\Program Files

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/17/2011 03:33 PM <DIR> YouTube Downloader Toolbar
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Program Files\YouTube Downloader Toolbar

01/17/2011 11:08 PM <DIR> .
01/17/2011 11:08 PM <DIR> ..
01/17/2011 03:33 PM <DIR> IE
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Program Files\YouTube Downloader Toolbar\IE

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/17/2011 03:33 PM <DIR> 1.0
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Program Files\YouTube Downloader Toolbar\IE\1.0

01/17/2011 11:08 PM <DIR> .
01/17/2011 11:08 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS

01/17/2011 08:01 PM <DIR> .
01/17/2011 08:01 PM <DIR> ..
01/16/2011 11:08 AM 0 Mjakera.bin.vir
01/17/2011 03:33 PM <DIR> system32
1 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\system32

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/17/2011 03:33 PM <DIR> drivers
03/21/2007 08:54 PM 69,632 TWUNK_32.EXE.vir
1 File(s) 69,632 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\system32\drivers

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/17/2011 03:33 PM <DIR> etc
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\etc

01/17/2011 03:33 PM <DIR> .
01/17/2011 03:33 PM <DIR> ..
01/16/2011 11:09 AM 89 lmhosts.vir
1 File(s) 89 bytes

Directory of C:\QooBox\Quarantine\Registry_backups

01/17/2011 08:10 PM <DIR> .
01/17/2011 08:10 PM <DIR> ..
01/17/2011 03:47 PM 151 HKCU-Run-Lnihuyagasutiya.reg.dat
01/17/2011 03:47 PM 154 HKLM-Run-Qnolosifaduju.reg.dat
01/17/2011 08:00 PM 8,103 tcpip.reg
01/17/2011 08:10 PM 118 URLSearchHooks-{E312764E-7706-43F1-8DAB-FCDD2B1E416D}.reg.dat
4 File(s) 8,526 bytes

Total Files Listed:
43 File(s) 316,324 bytes
74 Dir(s) 205,173,387,264 bytes free



Remember - I ran the ESET scan and then reran the MBAM..

Machine seems to be running fine

Thanks for your help

#9 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 18 January 2011 - 10:05 AM

Much better. :thumbup2:

You're clear!

It appears the method of one of the infections might have been by way of an outdated Java! This illustrates the importance of keeping software up to date.

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Microsoft: 'Unprecedented Wave of Java Exploitation'
  • Drive-by Trojan preying on out-of-date Java installations
  • Ghosts of Java Haunt Users
Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.
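The removal steps above are done by hand in Add/Remove Programs. As an added example that is not from this thread or its helper, the PowerShell script below lists the Java Runtime Environment entries registered in Add/Remove Programs and flags any older than the Java 6 Update 23 release the post installs. It assumes Sun's registry naming (a DisplayName containing "Java" or "J2SE" and a DisplayVersion such as 6.0.230 for 6 Update 23) and requires PowerShell, which is not part of a default Windows XP install.

```powershell
# Added example, not part of the original thread. Lists Java Runtime
# Environment entries from the Add/Remove Programs registry keys and flags
# those older than Java 6 Update 23 (assumed DisplayVersion "6.0.230").
# Reading these keys needs no special rights; uninstalling does.

$Current = [version]'6.0.230'

# Native and 32-bit-on-64-bit uninstall keys; a missing path is ignored.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-JavaInstall {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -match 'Java|J2SE' -and
            $_.DisplayName -notmatch 'Auto Updater|JavaFX'
        } |
        ForEach-Object {
            # Very old releases (e.g. "1.4.2_03") do not parse as a [version];
            # treat anything unparseable or missing as outdated, not as clean.
            $parsed = $null
            try { $parsed = [version]$_.DisplayVersion } catch { }
            New-Object PSObject -Property @{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Outdated  = ($null -eq $parsed) -or ($parsed -lt $Current)
                Uninstall = $_.UninstallString
            }
        }
}

$installs = @(Get-JavaInstall)
if ($installs.Count -eq 0) {
    Write-Host 'No Java Runtime Environment entries found in Add/Remove Programs.'
    return
}

$installs | Sort-Object Version | Format-Table Name, Version, Outdated -AutoSize

$old = $installs | Where-Object { $_.Outdated }
if ($old) {
    Write-Host ''
    Write-Host 'Outdated Java components to remove (Add/Remove Programs or the UninstallString):'
    $old | ForEach-Object { Write-Host ('  {0}  [{1}]  {2}' -f $_.Name, $_.Version, $_.Uninstall) }
} else {
    Write-Host 'No outdated Java components remain.'
}
```

Re-run it after the uninstall and reboot steps above; any entry still flagged Outdated was missed by the newer installer's auto-removal and has to be removed by hand.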


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

==========

Please pay particularly close attention to the instructions that follow. To neglect these steps risks needless reinfection!!

**********

  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the following text into the run-box and click OK.

    ComboFix /Uninstall


  • The following will implement some very important cleanup procedures as well as reset System Restore points.

**********

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big cleanup button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

**********

Right click and delete any tools/logs from the cleanup that remain.

**********

Recommendations To Consider


Below are some recommendations to lower your chances of (re)infection.


  • Have one antivirus application installed and running at all times.

  • Avoid file sharing, P2P, illegal downloads or rogue sites. This is a sure way to get severely infected.

  • Install an Anti-Spyware program, and update it regularly

    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.

    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.

  • Prevention article : To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention article by Miekiemoes.

  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

  • Keep your other software up to date as well. Periodically run the Secunia Online Software Inspector (OSI).

  • Consider Firefox as your primary browser. It's safer, fast and secure!

  • Install WOT. Never inadvertently surf to a dangerous website again.

  • Install NoScript. Pre-emptively blocks malicious scripts and allows JavaScript, Java and other potentially dangerous content only from sites you trust.

  • Stay up to date!

    Again the MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Good luck & safe surfing,
Kind Regards,
thcbytes

Edited by thcbytes, 18 January 2011 - 10:06 AM.

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#10 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 18 January 2011 - 05:53 PM

Don't miss my prior post. After you have completed the steps I outlined above then do this.

I almost forgot about your router.

Let's see if you still have access to your router. If not then we can reset it to factory defaults and reset a new password. It is not a big deal either way.

  • Please type 192.168.2.1 in your browser and press enter.
  • Press login in the upper right
  • Enter your password (DO NOT POST IT HERE!)
  • Does it still allow access?
  • If not then perform the same steps on your Desktop computer
Success?
  • If that fails then do it again and leave the password blank and press enter
Success?
  • If that fails then please type Admin in the password and press enter
Success?

#11 betc

  • Topic Starter

  • Members
  • 35 posts

Posted 18 January 2011 - 11:06 PM

Error message occurred when Combofix / Uninstall ran - conflicts with AVG. Advises to uninstall AVG...
Please advise
Thank you

#12 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 18 January 2011 - 11:31 PM

Ohhhhh AVG. :angry:

Do it manually please.

Right click and delete Combofix.


Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.


#13 betc

  • Topic Starter

  • Members
  • 35 posts

Posted 18 January 2011 - 11:57 PM

One more question...should I run the OTC program before or after I create a New Restore Point?
thanks

#14 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 19 January 2011 - 12:02 AM

After. :)

#15 betc

  • Topic Starter

  • Members
  • 35 posts

Posted 19 January 2011 - 12:38 AM

Looks like everything has been done on the list. I checked the router, no problem logging in to my router with password. Will review and download the other program to help stay protected.
Thanks for your help
