
XP Google redirects, IE script errors, audio commercials


This topic is locked
16 replies to this topic

#1 freemanlaw

  • Members
  • 9 posts

Posted 26 April 2011 - 09:54 AM

I'm running Windows XP Home Edition 5.1.2600 SP3.
I was infected by Windows Fix Disk. Manually fixed it following instructions. Ran Spybot S&D & Malwarebytes Anti-malware, which removed a couple other entries. Now both run clean.
However, I am getting Internet Explorer pop-up script errors for various sites as soon as I log in. Closing just brings up more and then randomly it plays audio ads. Task manager does not appear to show any apps or processes running during these ads.
Also, Google search redirects to various other search sites, if I click on any search result.
These problems all started at the same time and I feel like they are remnants of Windows Fix Disk that I can't remove.
Any help is greatly appreciated!

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by James Freeman at 13:19:02.43 on Mon 04/25/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.480 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
H:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
H:\Program Files\AVG\AVG9\avgchsvx.exe
H:\Program Files\AVG\AVG9\avgrsx.exe
H:\Program Files\AVG\AVG9\avgcsrvx.exe
H:\WINDOWS\system32\spoolsv.exe
svchost.exe
H:\WINDOWS\system32\agrsmsvc.exe
H:\Program Files\AVG\AVG9\avgwdsvc.exe
H:\Program Files\Juniper Networks\Common Files\dsNcService.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\HPZipm12.exe
H:\WINDOWS\System32\svchost.exe -k imgsvc
H:\WINDOWS\system32\SearchIndexer.exe
H:\Program Files\AVG\AVG9\avgnsx.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\System32\svchost.exe -k HTTPFilter
H:\Documents and Settings\James Freeman\Application Data\Dropbox\bin\Dropbox.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\WINDOWS\system32\taskmgr.exe
H:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
H:\Program Files\AVG\AVG9\avgcsrvx.exe
H:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\WINDOWS\system32\SearchProtocolHost.exe
H:\Documents and Settings\James Freeman\Local Settings\Temporary Internet Files\Content.IE5\63QQGLMX\dds[1].scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.facebook.com/home.php
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - h:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - h:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - h:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [cdloader] "h:\documents and settings\james freeman\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [AntiSpywareMaster] h:\program files\antispywaremaster\asm.exe
mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: h:\docume~1\jamesf~1\startm~1\programs\startup\dropbox.lnk - h:\documents and settings\james freeman\application data\dropbox\bin\Dropbox.exe
IE: Add to Google Photos Screensa&ver - h:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - h:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: westlaw.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://jran.uscourts.gov/whalecomed36a580762db7cb8d65abf0a0c357b3e95b82c2926b902b/whalecom0/iNotes6W.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/34.09/uploader2.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188158620797
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188161423984
DPF: {7B62F6EE-D046-11D3-9C5E-0060082627F7} - hxxps://secured.lsi-lps.com/messenger/download/TWDownload.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://jran.uscourts.gov/InternalSite/WhlCompMgr.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - h:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - h:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - h:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG AVI Loader Driver x86;h:\windows\system32\drivers\avgldx86.sys [2008-4-24 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;h:\windows\system32\drivers\avgmfx86.sys [2007-8-26 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;h:\windows\system32\drivers\avgtdix.sys [2009-4-13 243024]
R2 avg9wd;AVG Free WatchDog;h:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R3 CardReaderFilter;Card Reader Filter;h:\windows\system32\drivers\USBCRFT.SYS [2007-9-10 13440]
R3 cmudax;C-Media High Definition Audio Interface;h:\windows\system32\drivers\cmudax.sys [2005-5-12 1287296]
S3 IIUSBISP;USB Mass Storage for USB ISP;h:\windows\system32\drivers\iiusbisp.sys --> h:\windows\system32\drivers\iiusbisp.sys [?]
S4 WinDefend;Windows Defender;h:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
.
=============== Created Last 30 ================
.
2011-04-07 18:56:15 -------- d-----w- h:\docume~1\jamesf~1\locals~1\applic~1\Temp
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- h:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- h:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- h:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- h:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- h:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- h:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- h:\windows\system32\html.iec
2011-02-18 21:36:58 4184352 ----a-w- h:\windows\system32\usbaaplrc.dll
2011-02-17 12:32:12 5120 ----a-w- h:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- h:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ------w- h:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ------w- h:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- h:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- h:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- h:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- h:\windows\system32\mstsc.exe
.
============= FINISH: 13:25:30.67 ===============
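A DDS log like the one above is read by eye by the responders in this thread. As an added example that is not part of the thread and not code from the DDS tool, the following Python script parses the "Pseudo HJT Report" section and pulls out the entry classes a responder reviews first: BHO/toolbar registrations whose DLL is missing ("No File"), hosts-file lines that send a public name to loopback (the www.spywareinfo.com line above is one), autostart entries (uRun/mRun/StartupFolder) and Trusted Zone additions. The sample input is a constructed excerpt copied from the log above; the category names, the regular expressions and the triage heuristics are this example's own assumptions about the DDS layout, not documented DDS output.

```python
import re

# Constructed sample: an excerpt of the "Pseudo HJT Report" section copied
# from the DDS log posted above, with the neighbouring section banners kept
# so the section finder has something to work with.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.facebook.com/home.php
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
uRun: [cdloader] "h:\documents and settings\james freeman\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime
Trusted Zone: westlaw.com
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
"""

# Assumed layout (derived from the log above, not from DDS documentation).
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")           # "===== Title ====="
ENTRY_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): (.*)$")   # "TAG: rest of line"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
AUTOSTART_TAGS = {"uRun", "mRun", "StartupFolder"}


def hjt_section(text):
    """Return the non-empty lines of the Pseudo HJT Report section.

    DDS separates sections with '===== Title =====' banners and pads them
    with lone '.' lines; both are dropped here.
    """
    lines, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            inside = "Pseudo HJT Report" in banner.group(1)
            continue
        if inside and line and line != ".":
            lines.append(line)
    return lines


def parse_entries(lines):
    """Split each line into (tag, detail).

    Most lines look like 'BHO: ...' or 'uRun: ...'; browser settings look
    like 'uStart Page = ...' and are returned under the tag 'setting'.
    """
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif " = " in line:
            entries.append(("setting", line))
        else:
            entries.append(("unknown", line))
    return entries


def triage(entries):
    """Flag the entry classes a responder reviews first.

    The category labels are this example's own, not DDS output:
      orphaned-clsid  a BHO/toolbar registration whose DLL is gone ("No File")
      hosts-loopback  a hosts-file line sending a public name to loopback
      autostart       a Run key or Startup-folder item
      trusted-zone    a site added to IE's Trusted Zone
    """
    findings = []
    for tag, detail in entries:
        if tag in ("BHO", "TB") and detail.endswith("- No File"):
            clsid = CLSID_RE.search(detail)
            findings.append(("orphaned-clsid", tag, clsid.group(0) if clsid else detail))
        elif tag == "Hosts":
            parts = detail.split()
            if len(parts) >= 2 and parts[0] in LOOPBACK and parts[1] != "localhost":
                findings.append(("hosts-loopback", tag, parts[1]))
        elif tag in AUTOSTART_TAGS:
            findings.append(("autostart", tag, detail))
        elif tag == "Trusted Zone":
            findings.append(("trusted-zone", tag, detail))
    return findings


def triage_dds(text):
    """Raw DDS text in, list of (kind, tag, detail) findings out."""
    return triage(parse_entries(hjt_section(text)))


if __name__ == "__main__":
    for kind, tag, detail in triage_dds(SAMPLE_DDS):
        print(f"{kind:15} {tag:13} {detail}")
```

Each flag is a prompt to verify, not a verdict: an orphaned CLSID is usually a leftover from an uninstalled add-on, and security tools and ad-blocking hosts lists write loopback entries deliberately, so the hosts-loopback finding only says the line deserves a look, which is exactly the question a responder asks of the www.spywareinfo.com entry above.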



#2 rigacci

  • Members
  • 2,604 posts

Posted 03 May 2011 - 07:43 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 freemanlaw

  • Topic Starter
  • Members
  • 9 posts

Posted 04 May 2011 - 12:57 PM

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by James Freeman at 8:27:18.87 on Wed 05/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.608 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
H:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
H:\Program Files\AVG\AVG9\avgchsvx.exe
H:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
H:\Program Files\AVG\AVG9\avgcsrvx.exe
H:\WINDOWS\system32\spoolsv.exe
svchost.exe
H:\WINDOWS\system32\agrsmsvc.exe
H:\Program Files\AVG\AVG9\avgwdsvc.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Juniper Networks\Common Files\dsNcService.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\HPZipm12.exe
H:\WINDOWS\System32\svchost.exe -k imgsvc
H:\WINDOWS\system32\SearchIndexer.exe
H:\Program Files\AVG\AVG9\avgnsx.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\System32\svchost.exe -k HTTPFilter
H:\Program Files\iTunes\iTunesHelper.exe
H:\Documents and Settings\James Freeman\Application Data\Dropbox\bin\Dropbox.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Documents and Settings\James Freeman\Application Data\mjusbsp\magicJack.exe
H:\WINDOWS\system32\WISPTIS.EXE
H:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
H:\Program Files\AVG\AVG9\avgcsrvx.exe
H:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\WINDOWS\system32\SearchProtocolHost.exe
H:\Documents and Settings\James Freeman\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.facebook.com/home.php
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - h:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - h:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - h:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [cdloader] "h:\documents and settings\james freeman\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [AntiSpywareMaster] h:\program files\antispywaremaster\asm.exe
mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "h:\program files\itunes\iTunesHelper.exe"
StartupFolder: h:\docume~1\jamesf~1\startm~1\programs\startup\dropbox.lnk - h:\documents and settings\james freeman\application data\dropbox\bin\Dropbox.exe
IE: Add to Google Photos Screensa&ver - h:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - h:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: westlaw.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://jran.uscourts.gov/whalecomed36a580762db7cb8d65abf0a0c357b3e95b82c2926b902b/whalecom0/iNotes6W.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/34.09/uploader2.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188158620797
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188161423984
DPF: {7B62F6EE-D046-11D3-9C5E-0060082627F7} - hxxps://secured.lsi-lps.com/messenger/download/TWDownload.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://jran.uscourts.gov/InternalSite/WhlCompMgr.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - h:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - h:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - h:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG AVI Loader Driver x86;h:\windows\system32\drivers\avgldx86.sys [2008-4-24 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;h:\windows\system32\drivers\avgmfx86.sys [2007-8-26 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;h:\windows\system32\drivers\avgtdix.sys [2009-4-13 243024]
R2 avg9wd;AVG Free WatchDog;h:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R3 CardReaderFilter;Card Reader Filter;h:\windows\system32\drivers\USBCRFT.SYS [2007-9-10 13440]
R3 cmudax;C-Media High Definition Audio Interface;h:\windows\system32\drivers\cmudax.sys [2005-5-12 1287296]
S3 IIUSBISP;USB Mass Storage for USB ISP;h:\windows\system32\drivers\iiusbisp.sys --> h:\windows\system32\drivers\iiusbisp.sys [?]
S4 WinDefend;Windows Defender;h:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
.
=============== Created Last 30 ================
.
2011-04-30 17:44:52 -------- d-----w- h:\program files\iPod
2011-04-30 17:44:49 -------- d-----w- h:\program files\iTunes
2011-04-30 17:41:43 -------- d-----w- h:\program files\Bonjour
2011-04-07 18:56:15 -------- d-----w- h:\docume~1\jamesf~1\locals~1\applic~1\Temp
2011-04-06 20:20:16 91424 ----a-w- h:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- h:\windows\system32\dns-sd.exe
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- h:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- h:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- h:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- h:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- h:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- h:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- h:\windows\system32\html.iec
2011-02-18 21:36:58 4184352 ----a-w- h:\windows\system32\usbaaplrc.dll
2011-02-17 12:32:12 5120 ----a-w- h:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- h:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ------w- h:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ------w- h:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- h:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- h:\windows\system32\mfc42u.dll
.
============= FINISH: 8:28:11.18 ===============


#4 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 05 May 2011 - 04:38 PM

Good evening. :)
Download CKScanner by askey127 from here and save it to your Desktop.

  • Double click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • Please copy and paste the contents of CKFiles.txt into your next reply.

Edited by Noviciate, 05 May 2011 - 04:43 PM.

So long, and thanks for all the fish.

 

 


#5 freemanlaw

  • Topic Starter
  • Members
  • 9 posts

Posted 05 May 2011 - 04:49 PM

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----

#6 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 05 May 2011 - 04:54 PM

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.

 

 


#7 freemanlaw

  • Topic Starter
  • Members
  • 9 posts

Posted 05 May 2011 - 05:18 PM

2011/05/05 18:01:03.0560 5556 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/05 18:01:03.0982 5556 ================================================================================
2011/05/05 18:01:03.0982 5556 SystemInfo:
2011/05/05 18:01:03.0982 5556
2011/05/05 18:01:03.0982 5556 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/05 18:01:03.0982 5556 Product type: Workstation
2011/05/05 18:01:03.0982 5556 ComputerName: JAMESOLDPC
2011/05/05 18:01:03.0982 5556 UserName: James Freeman
2011/05/05 18:01:03.0982 5556 Windows directory: H:\WINDOWS
2011/05/05 18:01:03.0982 5556 System windows directory: H:\WINDOWS
2011/05/05 18:01:03.0982 5556 Processor architecture: Intel x86
2011/05/05 18:01:03.0982 5556 Number of processors: 2
2011/05/05 18:01:03.0982 5556 Page size: 0x1000
2011/05/05 18:01:03.0982 5556 Boot type: Normal boot
2011/05/05 18:01:03.0982 5556 ================================================================================
2011/05/05 18:01:05.0201 5556 Initialize success
2011/05/05 18:01:11.0498 4816 ================================================================================
2011/05/05 18:01:11.0498 4816 Scan started
2011/05/05 18:01:11.0498 4816 Mode: Manual;
2011/05/05 18:01:11.0498 4816 ================================================================================
2011/05/05 18:01:14.0717 4816 ACPI (8fd99680a539792a30e97944fdaecf17) H:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/05 18:01:14.0904 4816 ACPIEC (9859c0f6936e723e4892d7141b1327d5) H:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/05 18:01:15.0451 4816 adfs (6d7f09cd92a9fef3a8efce66231fdd79) H:\WINDOWS\system32\drivers\adfs.sys
2011/05/05 18:01:15.0670 4816 aec (8bed39e3c35d6a489438b8141717a557) H:\WINDOWS\system32\drivers\aec.sys
2011/05/05 18:01:15.0764 4816 AFD (7618d5218f2a614672ec61a80d854a37) H:\WINDOWS\System32\drivers\afd.sys
2011/05/05 18:01:15.0935 4816 AFS2K (0ebb674888cbdefd5773341c16dd6a07) H:\WINDOWS\system32\drivers\AFS2K.sys
2011/05/05 18:01:16.0248 4816 AgereSoftModem (35c391e40471a0b479328fc7b1b5f40f) H:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/05/05 18:01:17.0576 4816 AN983 (116bff96077a4a724e0aab800525ceb5) H:\WINDOWS\system32\DRIVERS\AN983.sys
2011/05/05 18:01:17.0826 4816 Arp1394 (b5b8a80875c1dededa8b02765642c32f) H:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/05/05 18:01:18.0185 4816 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) H:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/05 18:01:18.0357 4816 atapi (9f3a2f5aa6875c72bf062c712cfa2674) H:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/05 18:01:18.0451 4816 Atmarpc (9916c1225104ba14794209cfa8012159) H:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/05 18:01:18.0592 4816 audstub (d9f724aa26c010a217c97606b160ed68) H:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/05 18:01:18.0764 4816 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) H:\WINDOWS\System32\Drivers\avgldx86.sys
2011/05/05 18:01:18.0826 4816 AvgMfx86 (53b3f979930a786a614d29cafe99f645) H:\WINDOWS\System32\Drivers\avgmfx86.sys
2011/05/05 18:01:18.0889 4816 AvgTdiX (22e3b793c3e61720f03d3a22351af410) H:\WINDOWS\System32\Drivers\avgtdix.sys
2011/05/05 18:01:41.0623 4816 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) H:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/05 18:01:41.0623 4816 Suspicious file (Forged): H:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/05/05 18:01:41.0623 4816 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/05/05 18:01:41.0670 4816 Wanarp (e20b95baedb550f32dd489265c1da1f6) H:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/05 18:01:41.0857 4816 Wdf01000 (d918617b46457b9ac28027722e30f647) H:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/05/05 18:01:42.0014 4816 wdmaud (6768acf64b18196494413695f0c3a00f) H:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/05 18:01:42.0170 4816 WpdUsb (cf4def1bf66f06964dc0d91844239104) H:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/05/05 18:01:42.0248 4816 WudfPf (f15feafffbb3644ccc80c5da584e6311) H:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/05 18:01:42.0295 4816 WudfRd (28b524262bce6de1f7ef9f510ba3985b) H:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/05 18:01:42.0498 4816 ================================================================================
2011/05/05 18:01:42.0498 4816 Scan finished
2011/05/05 18:01:42.0498 4816 ================================================================================
2011/05/05 18:01:42.0498 5712 Detected object count: 1
2011/05/05 18:01:56.0779 5712 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) H:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/05 18:01:56.0779 5712 Suspicious file (Forged): H:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/05/05 18:01:58.0279 5712 Backup copy found, using it..
2011/05/05 18:01:58.0295 5712 H:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/05/05 18:01:58.0295 5712 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
2011/05/05 18:02:03.0607 3576 Deinitialize success
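The interesting lines in the log above are the forged-file verdict (the MD5 of the bytes actually on disk versus the MD5 the rootkit hands back to a normal file read), the family name and the chosen action. As an added example that is not part of the thread and not TDSSKiller's own code, the parser below pulls those fields out of log lines in this format and cross-checks them against the reported object count; the sample lines are copied from the log above, while the regexes, the Detection fields and the function name are my own assumptions about the format.

```python
"""Parse TDSSKiller-style log lines and extract forged-file detections.

Added example, not part of the original thread and not TDSSKiller's own code.
The sample lines are copied from the log posted above; the regexes, the
Detection fields and the parse_tdsskiller_log() name are my own assumptions
about the log format, not a documented TDSSKiller interface.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "<date> <time> <pid> <message>" (tabs in the original file, spaces after pasting)
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2}) (\d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
# Enumeration line: "<service> (<md5 of the bytes on disk>) <path>"
DRIVER_RE = re.compile(r"^(?P<service>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Forged-file verdict: MD5 of the real bytes versus MD5 of what the rootkit
# returns to a normal file read of the same path.
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), "
    r"Fake md5: (?P<fake>[0-9a-f]{32})"
)
DETECT_RE = re.compile(r"^(?P<service>\S+) - detected (?P<family>\S+) \(\d+\)$")
ACTION_RE = re.compile(
    r"^(?P<family>[^(]+)\((?P<service>[^)]+)\) - User select action: (?P<action>\w+)$"
)
COUNT_RE = re.compile(r"^Detected object count: (?P<count>\d+)$")


@dataclass
class Detection:
    path: str
    real_md5: str
    fake_md5: str
    service: Optional[str] = None
    family: Optional[str] = None
    action: Optional[str] = None


def parse_tdsskiller_log(text: str) -> Dict[str, object]:
    """Collect forged-file detections and the scan's own summary lines.

    Returns the Detection list, the object count the scanner reported, whether
    "Scan finished" was seen, and whether the number of distinct forged files
    agrees with the reported count.
    """
    detections: Dict[str, Detection] = {}   # keyed by file path
    path_of_service: Dict[str, str] = {}    # service name -> path, from enumeration lines
    reported_count: Optional[int] = None
    finished = False

    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                         # separators, blank lines, banner text
        msg = m.group(4)
        if msg == "Scan finished":
            finished = True
        elif (c := COUNT_RE.match(msg)):
            reported_count = int(c["count"])
        elif (f := FORGED_RE.search(msg)):
            # The verdict is printed again in the cure phase; keep a single entry.
            detections.setdefault(f["path"], Detection(f["path"], f["real"], f["fake"]))
        elif (d := DETECT_RE.match(msg)):
            path = path_of_service.get(d["service"])
            if path in detections:
                detections[path].service = d["service"]
                detections[path].family = d["family"]
        elif (a := ACTION_RE.match(msg)):
            path = path_of_service.get(a["service"])
            if path in detections:
                detections[path].action = a["action"]
        elif (e := DRIVER_RE.match(msg)):
            path_of_service[e["service"]] = e["path"]

    found: List[Detection] = list(detections.values())
    return {
        "detections": found,
        "reported_count": reported_count,
        "scan_finished": finished,
        "count_matches": reported_count == len(found),
    }


# Constructed sample: one clean driver line for contrast, then the VolSnap
# lines exactly as they appear in the log above.
SAMPLE_LOG = r"""
2011/05/05 18:01:41.0373 4816 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) H:\WINDOWS\System32\drivers\vga.sys
2011/05/05 18:01:41.0623 4816 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) H:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/05 18:01:41.0623 4816 Suspicious file (Forged): H:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/05/05 18:01:41.0623 4816 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/05/05 18:01:42.0498 4816 Scan finished
2011/05/05 18:01:42.0498 5712 Detected object count: 1
2011/05/05 18:01:56.0779 5712 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) H:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/05 18:01:56.0779 5712 Suspicious file (Forged): H:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/05/05 18:01:58.0295 5712 H:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/05/05 18:01:58.0295 5712 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
"""

if __name__ == "__main__":
    result = parse_tdsskiller_log(SAMPLE_LOG)
    for det in result["detections"]:
        print(f"{det.path}: {det.family} via {det.service}, real={det.real_md5} "
              f"fake={det.fake_md5}, action={det.action}")
    print("reported count agrees:", result["count_matches"])
```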

#8 Noviciate (Malware Response Team)

Posted 05 May 2011 - 06:08 PM

Reboot the PC, if you haven't already, and then give it a run out and tell me how it's behaving.

So long, and thanks for all the fish.

#9 freemanlaw (Topic Starter)

Posted 06 May 2011 - 07:28 AM

It appears to be working great. Thank you so much for your help!

#10 Noviciate (Malware Response Team)

Posted 06 May 2011 - 01:29 PM

Good evening. :)

I think a little online scan to check for leftovers and then we'll wrap this one up.

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Will you also throw in a fresh DDS log and let me know how the PC is behaving.

So long, and thanks for all the fish.

#11 freemanlaw (Topic Starter)

Posted 07 May 2011 - 09:03 AM

The computer is behaving well, but the following were found on the ESET scan:

H:\Documents and Settings\Other\Application Data\Sun\Java\Deployment\cache\6.0\53\460fef5-5e4f9161 multiple threats
H:\Documents and Settings\Other\Application Data\Sun\Java\Deployment\cache\6.0\59\1e702afb-5b33fc05 multiple threats
H:\Documents and Settings\Other\Local Settings\Temp\jar_cache1426586342521598646.tmp multiple threats
H:\Documents and Settings\Other\Local Settings\Temp\jar_cache4102547349600934023.tmp multiple threats

Here is the DDS txt:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by James Freeman at 9:59:30.39 on Sat 05/07/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.613 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
H:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
H:\Program Files\AVG\AVG9\avgchsvx.exe
H:\Program Files\AVG\AVG9\avgrsx.exe
H:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
H:\WINDOWS\system32\spoolsv.exe
svchost.exe
H:\WINDOWS\system32\agrsmsvc.exe
H:\Program Files\AVG\AVG9\avgwdsvc.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Juniper Networks\Common Files\dsNcService.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\HPZipm12.exe
H:\WINDOWS\System32\svchost.exe -k imgsvc
H:\WINDOWS\system32\SearchIndexer.exe
H:\Program Files\AVG\AVG9\avgnsx.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\System32\svchost.exe -k HTTPFilter
H:\Program Files\iTunes\iTunesHelper.exe
H:\Documents and Settings\James Freeman\Application Data\Dropbox\bin\Dropbox.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Documents and Settings\James Freeman\Application Data\mjusbsp\magicJack.exe
H:\WINDOWS\system32\WISPTIS.EXE
H:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
H:\Program Files\AVG\AVG9\avgcsrvx.exe
H:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\iTunes\iTunes.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
H:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
H:\Documents and Settings\James Freeman\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.facebook.com/home.php
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - h:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - h:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - h:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [cdloader] "h:\documents and settings\james freeman\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRunOnce: [FlashPlayerUpdate] h:\windows\system32\macromed\flash\FlashUtil10o_ActiveX.exe -update activex
mRun: [AntiSpywareMaster] h:\program files\antispywaremaster\asm.exe
mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "h:\program files\itunes\iTunesHelper.exe"
StartupFolder: h:\docume~1\jamesf~1\startm~1\programs\startup\dropbox.lnk - h:\documents and settings\james freeman\application data\dropbox\bin\Dropbox.exe
IE: Add to Google Photos Screensa&ver - h:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - h:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: westlaw.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://jran.uscourts.gov/whalecomed36a580762db7cb8d65abf0a0c357b3e95b82c2926b902b/whalecom0/iNotes6W.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/34.09/uploader2.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188158620797
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188161423984
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {7B62F6EE-D046-11D3-9C5E-0060082627F7} - hxxps://secured.lsi-lps.com/messenger/download/TWDownload.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://jran.uscourts.gov/InternalSite/WhlCompMgr.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - h:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - h:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - h:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG AVI Loader Driver x86;h:\windows\system32\drivers\avgldx86.sys [2008-4-24 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;h:\windows\system32\drivers\avgmfx86.sys [2007-8-26 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;h:\windows\system32\drivers\avgtdix.sys [2009-4-13 243152]
R2 avg9wd;AVG Free WatchDog;h:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R3 CardReaderFilter;Card Reader Filter;h:\windows\system32\drivers\USBCRFT.SYS [2007-9-10 13440]
R3 cmudax;C-Media High Definition Audio Interface;h:\windows\system32\drivers\cmudax.sys [2005-5-12 1287296]
S3 IIUSBISP;USB Mass Storage for USB ISP;h:\windows\system32\drivers\iiusbisp.sys --> h:\windows\system32\drivers\iiusbisp.sys [?]
S4 WinDefend;Windows Defender;h:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
.
=============== Created Last 30 ================
.
2011-05-06 21:32:56 -------- d-----w- h:\program files\ESET
2011-04-30 17:44:52 -------- d-----w- h:\program files\iPod
2011-04-30 17:44:49 -------- d-----w- h:\program files\iTunes
2011-04-30 17:41:43 -------- d-----w- h:\program files\Bonjour
2011-04-07 18:56:15 -------- d-----w- h:\docume~1\jamesf~1\locals~1\applic~1\Temp
.
==================== Find3M ====================
.
2011-04-06 20:20:16 91424 ----a-w- h:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- h:\windows\system32\dns-sd.exe
2011-03-07 05:33:50 692736 ----a-w- h:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- h:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- h:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- h:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- h:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- h:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- h:\windows\system32\html.iec
2011-02-18 21:36:58 4184352 ----a-w- h:\windows\system32\usbaaplrc.dll
2011-02-17 12:32:12 5120 ----a-w- h:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- h:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ------w- h:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ------w- h:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- h:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- h:\windows\system32\mfc42u.dll
.
============= FINISH: 10:00:32.75 ===============

#12 Noviciate (Malware Response Team)

Posted 07 May 2011 - 04:18 PM

Good evening. :)

the following were found on the ESET scan

Right, them first.


Your version of Sun Java needs updating:

1) Go here and click on the Windows XP/Vista/2000/2003/2008 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***

  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older versions of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

Once you've done the above, do the below:

Download TFC by OldTimer from here and save it to your Desktop.

  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of its actions. If you have anything in there that you haven't finished with, move it first.

Once the PC has rebooted, check the H:\Documents and Settings\Other\Local Settings\Temp folder for any files resembling jar_cache4102547349600934023.tmp.
All being well there should be no matches, although you may find some other files in there which are legitimate as PCs create Temp files in the Temp folder as and when they need to.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a third-party software firewall installed - if you have one, and I've missed it, please ignore this.
If you are relying on the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three (all of which I've used at one time or another):

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet. It's a little old, but still contains some good ideas.

So long, and thanks for all the fish.

#13 freemanlaw (Topic Starter)

Posted 08 May 2011 - 10:10 AM

Java removal went smoothly, but when I try to install Java I keep getting the following error message:
Internal Error 2753, regutils.dll
When it closes it takes me to the Java help screen, and the solution it gives for this error is to download the offline file I'm already trying to install.

#14 Noviciate (Malware Response Team)

Posted 08 May 2011 - 02:13 PM

Good evening. :)

Download Revo Uninstaller Freeware by VS Revo Group from this page - note: you want the Freeware version.

See if you can find Java in its uninstall options and if so, let it do its thing. It should also look for leftovers once the main uninstall has been completed, and that may be enough to get a fresh install working successfully.

The alternative is to download a fresh installation file as it is possible that your original one has somehow been corrupted.

So long, and thanks for all the fish.

#15 freemanlaw (Topic Starter)

Posted 10 May 2011 - 07:59 AM

Revo Uninstaller appears to have done the trick. I ran TFC and I've downloaded a new firewall. Everything seems to be going well. I'll let you know in a few days.
Thanks again for your help.