Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect issue


  • This topic is locked This topic is locked
23 replies to this topic

#1 lampiejohn

lampiejohn

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 04 June 2011 - 06:02 PM

Hi All,

I'm suffering from a Google redirect after this machine aquired a virus.

I am also not able to run the tdsskiller.exe.

DSS Log:

.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Rachael at 23:51:08 on 2011-06-04
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.135 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nike+ Utility\Nike+ Utility.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG10\avgscanx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uInternet Settings,ProxyServer = socks=127.0.0.1:1080
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [BatteryLifeExtender] c:\program files\samsung\batterylifeextender\BatteryLifeExtender.exe /2
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0\bin\jusched.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SUPBackground] c:\program files\samsung\samsung update plus\SUPBackground.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nike_u~1.lnk - c:\program files\nike+ utility\Nike+ Utility.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
TCP: DhcpNameServer = 172.16.100.1
TCP: Interfaces\{FC7E565E-CAA8-498C-8126-278F28A80E51} : DhcpNameServer = 172.16.100.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ckpNotify - ckpNotify.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 172.16.100.4 HP00215AA0C511
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\rachael\application data\mozilla\firefox\profiles\2f80vtvc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-5-24 2234800]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2007-5-24 36368]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-8-6 4300]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-8-6 55152]
R2 SRS_WOWXT_Service;SRS WOWXT/TSXT Service;c:\program files\srs labs\srs wow xt and tsxt\SRS_PostInstaller.exe [2009-5-19 66792]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2007-5-24 110032]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-5-24 673456]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
R3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [2009-8-6 517504]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-8-6 233512]
R3 VMC33F;Vimicro Camera Service VMC33F;c:\windows\system32\drivers\VMC33F.sys [2009-8-6 237952]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-6 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-7 533360]
.
=============== Created Last 30 ================
.
2011-06-04 22:26:23 1431344 ----a-w- C:\tdsskiller.exe
2011-06-04 22:24:59 1431344 ----a-w- C:\jk.exe
2011-06-04 22:07:58 -------- d-----w- c:\documents and settings\rachael\application data\AVG10
2011-06-04 21:52:18 -------- d-----w- c:\windows\system32\drivers\AVG
2011-06-04 21:52:18 -------- d-----w- c:\documents and settings\all users\application data\AVG10
2011-06-04 21:51:20 -------- d-----w- c:\program files\AVG
2011-06-04 21:44:46 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-06-04 21:44:01 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-06-04 21:37:07 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-04 21:37:07 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-04 21:30:50 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
.
2011-04-14 20:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-04 23:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 15:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2009-09-22 04:12:17 6669256 ----a-w- c:\program files\Thunderbird Setup 2.0.0.23.exe
2009-09-22 04:08:22 7895336 ----a-w- c:\program files\Firefox Setup 3.5.3.exe
.
============= FINISH: 23:57:35.45 ===============



GMER log to follow when it's finished scanning.

Thanks
John

GMER log:

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-05 16:22:34
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HM160HI rev.HH100-06
Running: gmer.exe; Driver: C:\DOCUME~1\Rachael\LOCALS~1\Temp\uwtdypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF4E73738]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF4E737DC]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF4E73878]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF4E73914]

---- Kernel code sections - GMER 1.0.15 ----

INITc VolSnap.sys F7636BD0 4 Bytes [82, AA, 4D, 80]
INITc VolSnap.sys F7636BF8 4 Bytes [E6, 7D, 4E, 80]
INITc VolSnap.sys F7636C21 3 Bytes [C4, 4D, 80] {LES ECX, DWORD [EBP-0x80]}
INITc VolSnap.sys F7636C48 4 Bytes [96, 34, 4E, 80]
INITc VolSnap.sys F7636C70 4 Bytes [F6, 14, 4E, 80]
INITc ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[676] kernel32.dll!FindResourceW 7C80BC6E 5 Bytes JMP 0042B700 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[676] kernel32.dll!FindResourceA 7C80BF29 5 Bytes JMP 0042B6C0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[676] USER32.dll!LoadStringW 7E419E36 5 Bytes JMP 0042B8E0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[676] USER32.dll!CreateDialogParamW 7E41EA3B 5 Bytes JMP 0042B7B0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[676] USER32.dll!LoadStringA 7E42C908 5 Bytes JMP 0042B990 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[676] USER32.dll!LoadMenuW 7E42EB48 5 Bytes JMP 0042B880 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[676] USER32.dll!CreateDialogParamA 7E43C7DB 5 Bytes JMP 0042B740 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[676] USER32.dll!LoadMenuA 7E44FA83 5 Bytes JMP 0042B820 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00E4000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E1000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00E0000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E2000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00E3000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2120] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00C3000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C0000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00BF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C1000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00C2000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00BE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2520] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Threads - GMER 1.0.15 ----

Thread System [4:120] 86320E7A
Thread System [4:124] 86323008

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8FC45F7CBF6DA0E4393A6EA80E6D4C67\Usage@ContextManager10 1053131917

---- EOF - GMER 1.0.15 ----

EDIT: Posts merged ~Budapest

Edited by Budapest, 05 June 2011 - 05:57 PM.


BC AdBot (Login to Remove)

 


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:08 AM

Posted 05 June 2011 - 09:25 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Posted Image Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - ComboFix will not run until AVG is uninstalled. This is because AVG falsely detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first. You may do this through Control Panel > Programs > Uninstall a program or you can use this tool for a more complete removal:

Download AppRemover from here saving it to your desktop.
  • Double click to run AppRemover
  • Follow the prompts to remove AVG
  • Reboot
Once you've removed AVG with this tool please continue with these instructions
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
.
Please include the following in your next post:
  • ComboFix log
  • The Attach.txt log from DDS

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 lampiejohn

lampiejohn
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 06 June 2011 - 04:20 AM

Hi,

ComboFix seems to have frozen. It's been sat for about 2 hours without any thing more happening. The last thing on the text output is "Output folder: C:\32788R22FWJFW"

Thanks

#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:08 AM

Posted 06 June 2011 - 05:57 PM

lampiejohn:

Please try this:

Posted Image Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.
Please include the following in your next post:
  • TDSSKiller log
  • The Attach.txt log from DDS

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 lampiejohn

lampiejohn
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 06 June 2011 - 06:50 PM

Hiya,

TDSSkiller won't run.

Thanks
John

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:08 AM

Posted 06 June 2011 - 07:50 PM

lampiejohn:

Sorry, I forgot that you mentioned that. Try running ComboFix again, but this time do so from the Safe Mode

Please include the following in your next post:
  • ComboFix log
  • The Attach.txt log from DDS

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#7 lampiejohn

lampiejohn
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 07 June 2011 - 04:54 AM

Unfortunately it still gets stuck at the same place in Safe Mode.

If I kill the process and run it again I get the error:

Error opening file for writing: C;\32788R22FWJFW\iexplore.exe"

#8 lampiejohn

lampiejohn
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 07 June 2011 - 05:27 AM

Ok, I clicked Ignore on the last error and combofix worked.

I also couldn't find the attach log, so re-ran DDS and both logs are below.

ComboFix 11-06-05.06 - Rachael 07/06/2011 10:59:05.1.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.705 [GMT 1:00]
Running from: c:\documents and settings\Rachael\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Rachael\Application Data\.#
.
.
((((((((((((((((((((((((( Files Created from 2011-05-07 to 2011-06-07 )))))))))))))))))))))))))))))))
.
.
2011-06-05 08:09 . 2011-06-05 08:09 -------- d-----w- C:\$AVG
2011-06-04 22:26 . 2011-06-04 22:13 1431344 ----a-w- C:\tdsskiller.exe
2011-06-04 22:24 . 2011-06-04 22:13 1431344 ----a-w- C:\jk.exe
2011-06-04 22:07 . 2011-06-04 22:07 -------- d-----w- c:\documents and settings\Rachael\Application Data\AVG10
2011-06-04 21:52 . 2011-06-06 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-06-04 21:51 . 2011-06-04 21:51 -------- d-----w- c:\program files\AVG
2011-06-04 21:44 . 2011-06-04 21:44 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-06-04 21:44 . 2011-06-06 08:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-06-04 21:37 . 2011-06-04 21:37 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-22 04:12 . 2009-09-22 04:12 6669256 ----a-w- c:\program files\Thunderbird Setup 2.0.0.23.exe
2009-09-22 04:08 . 2009-09-22 04:08 7895336 ----a-w- c:\program files\Firefox Setup 3.5.3.exe
2009-10-06 15:01 . 2009-10-06 15:01 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-10-06 15:01 . 2009-10-06 15:01 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-10-06 15:01 . 2009-10-06 15:01 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-10-06 15:01 . 2009-10-06 15:01 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BatteryLifeExtender"="c:\program files\Samsung\BatteryLifeExtender\BatteryLifeExtender.exe" [2009-03-13 550912]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-06 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0\bin\jusched.exe" [2009-08-06 36972]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-18 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SUPBackground"="c:\program files\Samsung\Samsung Update Plus\SUPBackground.exe" [2009-05-21 298664]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2009-06-02 3153408]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2010-8-22 1795488]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-6-20 607584]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Nike+ Utility.lnk - c:\program files\Nike+ Utility\Nike+ Utility.exe [2008-4-30 1228800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2007-05-24 09:13 24665 ----a-w- c:\windows\system32\ckpNotify.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
S1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [24/05/2007 10:13 2234800]
S2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [24/05/2007 10:13 36368]
S2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [06/08/2009 05:30 4300]
S2 SRS_WOWXT_Service;SRS WOWXT/TSXT Service;c:\program files\SRS Labs\SRS WOW XT and TSXT\SRS_PostInstaller.exe [19/05/2009 18:39 66792]
S2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [24/05/2007 10:13 110032]
S2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [24/05/2007 10:13 673456]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [06/08/2009 05:32 1684736]
S3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [06/08/2009 05:34 517504]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [06/08/2009 05:33 233512]
S3 VMC33F;Vimicro Camera Service VMC33F;c:\windows\system32\drivers\VMC33F.sys [06/08/2009 05:36 237952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uInternet Settings,ProxyServer = socks=127.0.0.1:1080
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 172.16.100.1
FF - ProfilePath - c:\documents and settings\Rachael\Application Data\Mozilla\Firefox\Profiles\2f80vtvc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-07 11:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1288)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-06-07 11:14:36
ComboFix-quarantined-files.txt 2011-06-07 10:14
.
Pre-Run: 104,374,169,600 bytes free
Post-Run: 107,290,517,504 bytes free
.
- - End Of File - - 9659349ECF6398511F9E7FAF4B731833

.
DDS (Ver_2011-06-03.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.6001.18702
Run by Rachael at 11:19:09 on 2011-06-07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.690 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uInternet Settings,ProxyServer = socks=127.0.0.1:1080
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [BatteryLifeExtender] c:\program files\samsung\batterylifeextender\BatteryLifeExtender.exe /2
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0\bin\jusched.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SUPBackground] c:\program files\samsung\samsung update plus\SUPBackground.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nike_u~1.lnk - c:\program files\nike+ utility\Nike+ Utility.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
TCP: DhcpNameServer = 172.16.100.1
TCP: Interfaces\{FC7E565E-CAA8-498C-8126-278F28A80E51} : DhcpNameServer = 172.16.100.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ckpNotify - ckpNotify.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 172.16.100.4 HP00215AA0C511
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\rachael\application data\mozilla\firefox\profiles\2f80vtvc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
S1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-5-24 2234800]
S2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2007-5-24 36368]
S2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-8-6 4300]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-8-6 55152]
S2 SRS_WOWXT_Service;SRS WOWXT/TSXT Service;c:\program files\srs labs\srs wow xt and tsxt\SRS_PostInstaller.exe [2009-5-19 66792]
S2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2007-5-24 110032]
S2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-5-24 673456]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-6 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-7 533360]
S3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [2009-8-6 517504]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-8-6 233512]
S3 VMC33F;Vimicro Camera Service VMC33F;c:\windows\system32\drivers\VMC33F.sys [2009-8-6 237952]
.
=============== Created Last 30 ================
.
2011-06-07 09:54:37 98816 ----a-w- c:\windows\sed.exe
2011-06-07 09:54:37 518144 ----a-w- c:\windows\SWREG.exe
2011-06-07 09:54:37 256512 ----a-w- c:\windows\PEV.exe
2011-06-07 09:54:37 208896 ----a-w- c:\windows\MBR.exe
2011-06-05 08:09:24 -------- d-----w- C:\$AVG
2011-06-04 22:26:23 1431344 ----a-w- C:\tdsskiller.exe
2011-06-04 22:24:59 1431344 ----a-w- C:\jk.exe
2011-06-04 22:07:58 -------- d-----w- c:\documents and settings\rachael\application data\AVG10
2011-06-04 21:52:18 -------- d-----w- c:\documents and settings\all users\application data\AVG10
2011-06-04 21:51:20 -------- d-----w- c:\program files\AVG
2011-06-04 21:44:46 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-06-04 21:44:01 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-06-04 21:37:07 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-04 21:37:07 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-04 21:30:50 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
.
2009-09-22 04:12:17 6669256 ----a-w- c:\program files\Thunderbird Setup 2.0.0.23.exe
2009-09-22 04:08:22 7895336 ----a-w- c:\program files\Firefox Setup 3.5.3.exe
.
============= FINISH: 11:19:38.64 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-03.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 22/09/2009 03:12:05
System Uptime: 07/06/2011 10:47:23 (1 hours ago)
.
Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | N140
Processor: Intel® Atom™ CPU N270 @ 1.60GHz | U2E1 | 1596/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 116 GiB total, 99.946 GiB free.
D: is FIXED (NTFS) - 26 GiB total, 25.907 GiB free.
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP231: 10/03/2011 07:33:49 - Software Distribution Service 3.0
RP232: 12/03/2011 13:42:42 - System Checkpoint
RP233: 13/03/2011 14:53:58 - System Checkpoint
RP234: 16/03/2011 19:46:23 - System Checkpoint
RP235: 20/03/2011 12:16:53 - System Checkpoint
RP236: 23/03/2011 22:03:02 - System Checkpoint
RP237: 25/03/2011 06:29:10 - Software Distribution Service 3.0
RP238: 31/03/2011 18:33:02 - System Checkpoint
RP239: 06/04/2011 21:20:01 - System Checkpoint
RP240: 12/04/2011 19:17:52 - System Checkpoint
RP241: 13/04/2011 19:33:29 - System Checkpoint
RP242: 14/04/2011 03:00:24 - Software Distribution Service 3.0
RP243: 19/04/2011 18:31:43 - System Checkpoint
RP244: 23/04/2011 18:00:50 - Software Distribution Service 3.0
RP245: 28/04/2011 07:14:02 - Software Distribution Service 3.0
RP246: 10/05/2011 21:51:52 - System Checkpoint
RP247: 13/05/2011 03:00:18 - Software Distribution Service 3.0
RP248: 14/05/2011 16:13:28 - System Checkpoint
RP249: 15/05/2011 19:39:22 - System Checkpoint
RP250: 26/05/2011 18:50:46 - System Checkpoint
RP251: 31/05/2011 22:38:46 - System Checkpoint
RP252: 03/06/2011 22:20:06 - System Checkpoint
RP253: 04/06/2011 22:32:30 - Restore Operation
RP254: 04/06/2011 22:51:05 - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP255: 04/06/2011 22:51:18 - Installed AVG 2011
RP256: 04/06/2011 22:51:55 - Installed AVG 2011
RP257: 05/06/2011 23:26:22 - System Checkpoint
RP258: 06/06/2011 08:08:58 - Removed AVG 2011
RP259: 06/06/2011 08:15:03 - Removed AVG 2011
RP260: 06/06/2011 08:16:27 - Removed AVG 2011
RP261: 07/06/2011 09:13:17 - System Checkpoint
.
==== Installed Programs ======================
.
7500_7600_7700_Help
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9
Advertising Center
Alice Greenfingers
AnyPC Client
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros WLAN Client
AudibleManager
BatteryLifeExtender
Bonjour
BPD_HPSU
BPD_Scan
BPDfax
BPDSoftware
BPDSoftware_Ini
BufferChm
Cake Mania
Check Point VPN-1 SecuRemote/SecureClient NGX R60 HFA2
Chicken Invaders 3
Choice Guard
Cooking Dash
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
Diner Dash 2
DocProc
DocProcQFolder
DolbyFiles
Dream Chronicles
Dream Day First Home
Easy Display Manager
Easy Network Manager
Easy Resolution Manager
eSupportQFolder
Galapago
Game Pack
Go Go Gourmet Chef of the Year
Google Toolbar for Internet Explorer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952117-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Officejet Pro All-In-One Series
HP Photosmart Essential
HP Software Update
HP Solution Center 7.0
HPPhotoSmartExpress
HPProductAssistant
imagine digital freedom - Samsung
ImagXpress
InstantShareDevicesMFC
Intel® Graphics Media Accelerator Driver
iTunes
J2SE Runtime Environment 5.0
Junk Mail filter update
L7500
Magic Keyboard
MarketResearch
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Activation Assistant for Netbooks
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.5.19)
Mozilla Thunderbird (3.1.10)
MPM
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Nero 9 Essentials
Nero BurnRights
Nero BurnRights Help
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero DiscSpeed
Nero DiscSpeed Help
Nero DriveSpeed
Nero DriveSpeed Help
Nero Express Help
Nero InfoTool
Nero InfoTool Help
Nero Installer
Nero Online Upgrade
Nero PhotoSnap
Nero PhotoSnap Help
Nero Recode
Nero Recode Help
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero StartSmart OEM
Nero Vision
Nero Vision Help
NeroExpress
neroxml
Nike+ Utility
OCR Software by I.R.I.S 7.0
PanoStandAlone
ProductContext
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
REALTEK Wireless LAN Software
Safari
Samsung Battery Manager
Samsung Magic Doctor
Samsung Recovery Solution III
Samsung Update Plus
Scan
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Skype Toolbars
Skype™ 5.1
SolutionCenter
SRS WOW XT and TSXT
Status
Synaptics Pointing Device Driver
Toolbox
TrayApp
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
User Guide
WebCam SCB-0340N
WebEx
WebFldrs XP
WebReg
WIDCOMM Bluetooth Software
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
XML Paper Specification Shared Components Pack 1.0
Zuma Deluxe
.
==== Event Viewer Messages From Past Week ========
.
31/05/2011 19:12:11, error: FW1 [1] - FW1: FW-1: last packet seen 40536 seconds ago, assumi-->
31/05/2011 02:57:26, error: FW1 [1] - FW1: F Sending reset dire
05/06/2011 08:23:55, error: System Error [1003] - Error code 100000d1, parameter1 e3d6d000, parameter2 000000ff, parameter3 00000000, parameter4 f7903a28.
05/06/2011 08:22:51, error: FW1 [1] - FW1: FW-1: last packet seen 24467 seconds ago, assumi-->
04/06/2011 23:55:19, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
04/06/2011 23:21:39, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix Fips FW1 intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
04/06/2011 22:01:14, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
04/06/2011 21:54:41, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips FW1 intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
04/06/2011 21:54:41, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
04/06/2011 21:54:41, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
04/06/2011 21:54:41, error: Service Control Manager [7001] - The fssfltr service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
04/06/2011 21:54:41, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
04/06/2011 21:54:41, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
04/06/2011 21:54:41, error: Service Control Manager [7001] - The Check Point VPN-1 Securemote watchdog service depends on the SecuRemote Miniport service which failed to start because of the following error: A device attached to the system is not functioning.
04/06/2011 21:54:41, error: Service Control Manager [7001] - The Check Point VPN-1 Securemote service service depends on the SecuRemote Miniport service which failed to start because of the following error: A device attached to the system is not functioning.
04/06/2011 21:54:41, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
04/06/2011 21:54:41, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
04/06/2011 21:54:25, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
04/06/2011 21:54:24, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
03/06/2011 17:10:10, error: FW1 [1] - FW1: FW-1: last packet seen 67498 seconds ago, assumi-->
03/06/2011 17:10:10, error: FW1 [1] - FW1: -->ng clock change.
02/06/2011 18:32:11, error: FW1 [1] - FW1: FW-1: last packet seen 37797 seconds ago, assumi-->
02/06/2011 07:07:53, error: FW1 [1] - FW1: FW-1: last packet seen 35396 seconds ago, assumi-->
01/06/2011 18:48:43, error: FW1 [1] - FW1: FW-1: last packet seen 38685 seconds ago, assumi-->
.
==== End Of File ===========================

#9 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:08 AM

Posted 07 June 2011 - 11:01 PM

lampiejohn:

Posted Image Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    volsnap.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Please include the following in your next post:
  • SystemLook log

Edited by RPMcMurphy, 07 June 2011 - 11:02 PM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#10 lampiejohn

lampiejohn
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 08 June 2011 - 04:34 AM

Hiya,

Here is the systemlook log.

Thanks

SystemLook 04.09.10 by jpshortstuff
Log created at 10:31 on 08/06/2011 by Rachael
Administrator - Elevation successful

========== filefind ==========

Searching for "volsnap.*"
C:\WINDOWS\I386\VOLSNAP.IN_ ------- 698 bytes [03:58 06/08/2009] [12:00 14/04/2008] 62C53D73B499DF617902EEA3C96F7D89
C:\WINDOWS\I386\VOLSNAP.SY_ ------- 25386 bytes [03:58 06/08/2009] [12:00 14/04/2008] 64409F40C23B1395594B71E4EB54E019
C:\WINDOWS\inf\volsnap.inf --a---- 1095 bytes [03:58 06/08/2009] [12:00 14/04/2008] 1C43F4D998567C9D2463E18669F33A3C
C:\WINDOWS\inf\volsnap.PNF --a---- 4964 bytes [21:19 05/08/2009] [21:19 05/08/2009] 3C2BFA45184C0F3AF12A00447C9978AC
C:\WINDOWS\system32\dllcache\volsnap.sys --a--c- 52352 bytes [03:58 06/08/2009] [12:00 14/04/2008] 4C8FCB5CC53AAB716D810740FE59D025
C:\WINDOWS\system32\drivers\volsnap.sys ------- 52352 bytes [03:58 06/08/2009] [12:00 14/04/2008] 4C8FCB5CC53AAB716D810740FE59D025

-= EOF =-

#11 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:08 AM

Posted 08 June 2011 - 10:28 AM

lampiejohn:

We need to rename a file, then use the Recovery Console to replace an infected driver:

1. Open Notepad
2. Copy and paste the content of the following codebox into Notepad:

@echo off
copy /y C:\WINDOWS\system32\dllcache\volsnap.sys c:\
del %0

3. Save the file to your DESKTOP as "fix.bat". Make sure to save it with the quotes.
4. Double click fix.bat. to run it. A small black box should open and close - this is normal.

Print out these instructions to use while in the Recovery Console:

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following bolded entries, one at a time and press 'Enter' after each line. (refer to the quote box under the commands for the location of the spaces which are very important):

cd c:\windows\system32\drivers
ren volsnap.sys volsnap.old
copy c:\volsnap.sys
exit


cd<space>c:\windows\system32\drivers
ren<space>volsnap.sys<space>volsnap.old
copy<space>c:\volsnap.sys


You should see a message '1 file copied'. If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths.

If you do not see 1 file copied on the screen, even after ensuring the commands are correct, rename the file back to it's original name by typing the following command then hitting Enter.
ren volsnap.old volsnap.sys

ren<space>nvgts.old<space>volsnap.sys


You should NOT be prompted to overwrite an existing file, but if you are, select No then type exit to restart and notify me of your results)

6. Type exit and press 'Enter'. Your computer should reboot.

Please include the following in your next post:
  • Let me know when you've completed these steps

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#12 lampiejohn

lampiejohn
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 08 June 2011 - 11:00 AM

It didn't work. On further inspection I don't seem to have a dllcache directory.

#13 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:08 AM

Posted 08 June 2011 - 11:14 AM

At what point did you have trouble? I need more detailed information. SystemLook reported the presence of that dllcache directory - it's likely a hidden directory which is why you aren't seeing it.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#14 lampiejohn

lampiejohn
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 08 June 2011 - 11:16 AM

Ok, I've taken a copy of the file off another win XP machine. That seems to have worked, but please let me know if that was a bad idea.

Thanks

#15 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:08 AM

Posted 08 June 2011 - 11:23 AM

If the other PC was the same version and service pack of Windows that should work. Copy it to c:\ then proceed as instructed.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users