Google/Yahoo search results redirect + Random audio playing


  • This topic is locked
29 replies to this topic

#1 jmbtexas

jmbtexas

  • Members
  • 51 posts
  • OFFLINE
  • Local time:05:25 PM

Posted 18 June 2011 - 01:59 AM

Dear Experts,

Hi, here is a description of my issues. I got the XP System Restore virus for the second time earlier this week. I rebooted in safe mode, restored an earlier version, and selected to show the hidden files. I thought my troubles were over because this worked like a charm the first time. However, upon going about my business, I noticed two things I have never dealt with before. Malwarebytes, Superantispyware, Spybot, and AVG have not resolved the situation.

First of all, when I click any search results in Google or Yahoo, I am redirected multiple times to various sites like the yellow pages. If I use startpage.com for searching, I have no problem with search redirects.

Secondly, I have audio playing randomly for a few minutes even though I don't have anything running (all browsers and players are closed that I am aware of). I have heard what sounds like news from England, random movie/tv quotes, and celebrity gossip talk. There are never any commercials or any information about what station/program I might actually be listening to.

I have read the Preparation Guide several times and have done my best to follow the directions perfectly. I have pasted the contents of my DDS.txt log below. I have also attached my Attach.txt file as well as the Ark.txt log from GMER.

Please let me know if there is any other information you need. I thank you ahead of time for volunteering your time to share your professional expertise with folks who don't know how to deal with these issues. Your knowledge and effort are much appreciated.

Sincerely,

Jeff

--------------------

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Run by Administrator at 22:01:07 on 2011-06-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.913 [GMT -5:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\TradeStation 9.0\Program\ORPlat.exe
C:\Program Files\TradeStation 9.0\Program\ordllhst.exe
C:\Program Files\TradeStation 9.0\Program\TradeStationAgentForms.exe
C:\Program Files\TradeStation 9.0\Program\whserver.exe
C:\Program Files\TradeStation 9.0\Program\orcal.exe
C:\Program Files\TradeStation 9.0\Program\orclprxy.exe
C:\PROGRA~1\TRADES~1.0\Program\TSSCAN~1.EXE
C:\PROGRA~1\TRADES~1.0\Program\orchart.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.startpage.com/
uInternet Settings,ProxyOverride = *.local;<local>
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [CTSVolFE] "c:\program files\creative\mixer\CTSVolFE.exe" /r
mRun: [UIUCU] c:\docume~1\jeffb~1\locals~1\temp\UIUCU.EXE -CLEAN_UP -S
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [<NO NAME>]
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [openvpn-gui] c:\program files\astaro\astaro ssl vpn client\bin\openvpn-gui.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\mlbtvn~1.lnk - c:\documents and settings\administrator\local settings\application data\autobahn\mlb-nexdef-autobahn.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: Yahoo! Backgammon - hxxp://origin.games.yahoo.net/games/clients/y/at1_x.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215300110373
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{6CEC5974-250C-4106-9D1B-2D7542C83247} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\tgau665v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.startpage.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\tgau665v.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
.
============= SERVICES / DRIVERS ===============
.
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2010-10-13 16384]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-6-17 64512]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-5 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-5 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-5 243152]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-7-8 127768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-8 394952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2009-3-3 16400]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-5-25 2151128]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2009-3-3 97808]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [2009-3-3 21648]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2009-3-3 21904]
S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
.
=============== Created Last 30 ================
.
2011-06-17 20:43:00 -------- d-s---w- C:\ComboFix
2011-06-17 05:46:01 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-17 05:42:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-17 05:42:27 -------- d-----w- c:\documents and settings\all users.windows\application data\Spybot - Search & Destroy
2011-06-17 05:39:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-06-17 05:38:42 -------- d-----w- c:\program files\Lavasoft
2011-06-17 04:52:59 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-17 04:31:30 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-17 04:31:30 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-17 04:14:16 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-17 03:06:40 -------- d-----w- c:\documents and settings\all users.windows\application data\SUPERAntiSpyware.com
2011-06-17 02:27:30 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-06-17 02:27:24 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-17 02:27:23 -------- d-----w- c:\documents and settings\all users.windows\application data\Malwarebytes
2011-06-17 02:27:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-17 02:06:31 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-06-17 02:06:30 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-06-17 02:06:30 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-06-17 02:06:30 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-06-17 02:06:30 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-06-17 02:06:30 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-06-17 02:06:30 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-06-17 02:06:30 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-06-17 02:06:30 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-06-17 02:06:30 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-06-17 00:33:13 -------- d-----w- c:\documents and settings\administrator\Recent(2)
2011-06-14 06:02:45 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2011-06-14 06:02:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-05 00:35:51 -------- d-----w- c:\windows\pss
2011-05-28 23:09:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-28 23:06:48 -------- d-----w- c:\documents and settings\administrator\.autobahn
2011-05-28 23:06:28 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Autobahn
.
==================== Find3M ====================
.
2011-05-05 14:56:45 243152 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51:58 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51:57 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51:57 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01:21 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 22:03:00.89 ===============
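The DDS logs in this thread are what the helper reads, and the quickest way to read two runs from the same machine is to diff them and then annotate whatever is new. The script below is an added example, not a BleepingComputer or DDS tool: it splits a DDS log into its sections, lists entries present in a later run but absent from an earlier one, and attaches the kind of note a log reader looks for (BHOs with no readable name, entries whose file is missing, autoruns from a temp folder, services whose image is a bare file in system32). The sample entries are copied from the two DDS logs posted in this thread and trimmed; the STOCK_SYSTEM32 allow-list is constructed and partial.

```python
"""DDS log triage: diff two runs, then annotate what is new.

Added example, not a BleepingComputer or DDS tool. Assumes the DDS layout in
this thread: section titles framed by '=' runs, one entry per line (rejoin
lines the forum wrapped), '.' spacer lines. Sample entries are copied from
the DDS logs in this thread; STOCK_SYSTEM32 is a constructed, partial list.
"""
import re
from typing import Dict, List, Tuple

BEFORE = r"""
============== Running Processes ===============
C:\Program Files\AVG\AVG9\avgwdsvc.exe
============== Pseudo HJT Report ===============
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun: [UIUCU] c:\docume~1\jeffb~1\locals~1\temp\UIUCU.EXE -CLEAN_UP -S
============= SERVICES / DRIVERS ===============
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
"""

AFTER = r"""
============== Running Processes ===============
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\jgmd40032.exe
============== Pseudo HJT Report ===============
BHO: {00b3a71c-8fd8-4a5a-91c8-4ac959655744} - c:\windows\system32\atmfd(3)32.dll
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: 28029550: {5a8a99f6-606d-20f4-5057-6dd70bcc604c} - c:\windows\system32\kbdsmsno32.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun: [UIUCU] c:\docume~1\jeffb~1\locals~1\temp\UIUCU.EXE -CLEAN_UP -S
============= SERVICES / DRIVERS ===============
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 digiSPTIService32;digiSPTIService ;c:\windows\system32\jgmd40032.exe [2011-6-18 764416]
S2 COMSysApp32;COM+ System Application ;c:\windows\system32\6to4svc32.exe --> c:\windows\system32\6to4svc32.exe [?]
"""

SECTION_RE = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.+?): )?\{[0-9a-fA-F-]+\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^[um]Run: \[[^\]]*\]\s*(?P<cmd>.*)$")
SVC_RE = re.compile(r"^[RS]\d (?P<svc>[^;]*);[^;]*;(?P<rest>.*)$")
SYS32_EXE_RE = re.compile(r"^c:\\windows\\system32\\([^\\]+\.exe)$")
SYS32_IMAGE_RE = re.compile(r"\\system32\\[^\\]+\.(dll|exe)", re.I)
STOCK_SYSTEM32 = {"svchost.exe", "spoolsv.exe", "ctfmon.exe", "wuauclt.exe"}


def parse_dds(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into {section title: [entry lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("title")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def new_entries(before: str, after: str) -> List[Tuple[str, str]]:
    """(section, line) pairs in the later run that the earlier run lacks."""
    old = parse_dds(before)
    added: List[Tuple[str, str]] = []
    for section, lines in parse_dds(after).items():
        seen = {entry.lower() for entry in old.get(section, [])}
        added.extend((section, e) for e in lines if e.lower() not in seen)
    return added


def flag_entry(line: str) -> List[str]:
    """Prompts to look closer at one entry; none of them is a verdict."""
    notes: List[str] = []
    low = line.lower()
    proc = SYS32_EXE_RE.match(low)
    if proc and proc.group(1) not in STOCK_SYSTEM32:
        notes.append("process running from a bare system32 path, not a stock binary")
    bho = BHO_RE.match(line)
    if bho:
        name = bho.group("name") or ""
        if not name or name.isdigit():
            notes.append("BHO with no readable display name")
        if SYS32_IMAGE_RE.search(bho.group("path")):
            notes.append("BHO loaded from system32 instead of a vendor folder")
    if low.startswith(("tb: ", "eb: ")) and low.endswith(" - no file"):
        notes.append("orphaned toolbar/explorer-bar entry (file missing)")
    run = RUN_RE.match(line)
    if run and "\\temp\\" in run.group("cmd").lower():
        notes.append("autorun launched from a temp directory")
    svc = SVC_RE.match(line)
    if svc:
        if svc.group("rest").rstrip().endswith("[?]"):
            notes.append("service registered but its image is not on disk")
        if svc.group("svc").endswith("32") and SYS32_IMAGE_RE.search(svc.group("rest")):
            notes.append("service name ends in '32' and runs a bare file from system32")
    return notes


def triage(before: str, after: str) -> List[Tuple[str, str, List[str]]]:
    """Every entry new in the later log, with the notes it attracts."""
    return [(s, e, flag_entry(e)) for s, e in new_entries(before, after)]
```

Run `triage(BEFORE, AFTER)` to see the five entries that appear only in the later log; entries common to both runs (the temp-folder autorun, the orphaned toolbar) are skipped by the diff even though `flag_entry` would note them on their own.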


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:25 PM

Posted 23 June 2011 - 02:59 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".

Information and logs:

  • In your next post I need the following

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 jmbtexas

jmbtexas
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:05:25 PM

Posted 23 June 2011 - 11:35 PM

Hi Gringo,

I am running into an issue. Every time I start the Driver and Stealth scan on RKUnhookerLE, the program closes after a few seconds. There is no message, it just closes. I have all my anti stuff turned off. I have rebooted, and even tried in stealth mode (which isn't allowed) and the same thing happens.

What should I do?

Thanks,

Jeff

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:25 PM

Posted 23 June 2011 - 11:44 PM

OK, just give me the DDS scan.

gringo

#5 jmbtexas

jmbtexas
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:05:25 PM

Posted 24 June 2011 - 12:20 AM

Hi Gringo,

OK, here are the results from the dds and attach.

Thanks,

Jeff



-------------------------
dds

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Run by Administrator at 23:00:37 on 2011-06-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1343 [GMT -5:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\system32\jgmd40032.exe
C:\WINDOWS\system32\iasrecst32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\My Documents\My Downloads\Defogger(1).exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.startpage.com/
uInternet Settings,ProxyOverride = <local>;*.local
BHO: {00b3a71c-8fd8-4a5a-91c8-4ac959655744} - c:\windows\system32\atmfd(3)32.dll
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: 28029550: {5a8a99f6-606d-20f4-5057-6dd70bcc604c} - c:\windows\system32\kbdsmsno32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [CTSVolFE] "c:\program files\creative\mixer\CTSVolFE.exe" /r
mRun: [UIUCU] c:\docume~1\jeffb~1\locals~1\temp\UIUCU.EXE -CLEAN_UP -S
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [<NO NAME>]
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [openvpn-gui] c:\program files\astaro\astaro ssl vpn client\bin\openvpn-gui.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\mlbtvn~1.lnk - c:\documents and settings\administrator\local settings\application data\autobahn\mlb-nexdef-autobahn.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: Yahoo! Backgammon - hxxp://origin.games.yahoo.net/games/clients/y/at1_x.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215300110373
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{6CEC5974-250C-4106-9D1B-2D7542C83247} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\tgau665v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.startpage.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
.
============= SERVICES / DRIVERS ===============
.
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2010-10-13 16384]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-6-17 64512]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-5 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-5 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-5 243152]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-7-8 127768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-8 394952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2009-3-3 16400]
R2 digiSPTIService32;digiSPTIService ;c:\windows\system32\jgmd40032.exe [2011-6-18 764416]
S2 COMSysApp32;COM+ System Application ;c:\windows\system32\6to4svc32.exe --> c:\windows\system32\6to4svc32.exe [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-5-25 2151128]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2009-3-3 97808]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [2009-3-3 21648]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2009-3-3 21904]
S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
.
=============== Created Last 30 ================
.
2011-06-23 01:28:22 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-23 01:28:22 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-18 19:15:46 -------- d-----w- c:\program files\iPod
2011-06-18 19:15:30 -------- d-----w- c:\program files\iTunes
2011-06-18 18:44:37 -------- d-----w- c:\program files\Bonjour
2011-06-18 16:15:39 0 ---ha-w- c:\documents and settings\administrator\ofdephhumg.tmp
2011-06-18 11:30:14 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-06-18 06:30:33 764416 ----a-w- c:\windows\system32\iasrecst32.exe
2011-06-18 06:30:32 169472 ----a-w- c:\windows\system32\kbdsmsno32.dll
2011-06-18 06:30:17 764416 ----a-w- c:\windows\system32\jgmd40032.exe
2011-06-18 06:30:15 349696 ----a-w- c:\windows\system32\atmfd(3)32.dll
2011-06-18 06:30:03 764416 ----a-w- c:\documents and settings\administrator\0.5189894787761442.exe
2011-06-18 06:30:01 764416 ----a-w- c:\documents and settings\administrator\0.32855595027478657.exe
2011-06-17 20:43:00 -------- d-s---w- C:\ComboFix
2011-06-17 05:46:01 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-17 05:42:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-17 05:42:27 -------- d-----w- c:\documents and settings\all users.windows\application data\Spybot - Search & Destroy
2011-06-17 05:39:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-06-17 05:38:42 -------- d-----w- c:\program files\Lavasoft
2011-06-17 04:52:59 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-17 04:31:30 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-17 04:31:30 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-17 04:14:16 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-17 03:06:40 -------- d-----w- c:\documents and settings\all users.windows\application data\SUPERAntiSpyware.com
2011-06-17 02:27:30 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-06-17 02:27:24 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-17 02:27:23 -------- d-----w- c:\documents and settings\all users.windows\application data\Malwarebytes
2011-06-17 02:27:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-17 02:06:31 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-06-17 02:06:30 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-06-17 02:06:30 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-06-17 02:06:30 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-06-17 02:06:30 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-06-17 02:06:30 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-06-17 02:06:30 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-06-17 02:06:30 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-06-17 00:33:13 -------- d-----w- c:\documents and settings\administrator\Recent(2)
2011-06-14 06:02:45 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2011-06-14 06:02:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-05 00:35:51 -------- d-----w- c:\windows\pss
2011-05-28 23:09:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-28 23:06:48 -------- d-----w- c:\documents and settings\administrator\.autobahn
2011-05-28 23:06:28 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Autobahn
.
==================== Find3M ====================
.
2011-05-05 14:56:45 243152 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51:58 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51:57 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51:57 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01:21 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-06 21:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
============= FINISH: 23:02:35.24 ===============

-------------------------
attach

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/5/2008 4:10:33 PM
System Uptime: 6/20/2011 4:54:53 AM (91 hours ago)
.
Motherboard: Dell Inc. | | 0WG261
Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 17.109 GiB free.
E: is FIXED (NTFS) - 111 GiB total, 111.002 GiB free.
F: is FIXED (NTFS) - 38 GiB total, 22.573 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Video Controller
Device ID: PCI\VEN_8086&DEV_2776&SUBSYS_01D21028&REV_02\3&172E68DD&0&11
Manufacturer:
Name: Video Controller
PNP Device ID: PCI\VEN_8086&DEV_2776&SUBSYS_01D21028&REV_02\3&172E68DD&0&11
Service:
.
==== System Restore Points ===================
.
RP849: 3/25/2011 9:56:29 AM - System Checkpoint
RP850: 3/26/2011 11:50:26 AM - System Checkpoint
RP851: 3/26/2011 10:20:32 PM - Software Distribution Service 3.0
RP852: 3/27/2011 12:15:02 AM - Software Distribution Service 3.0
RP853: 3/28/2011 1:34:06 AM - System Checkpoint
RP854: 3/29/2011 10:16:18 AM - System Checkpoint
RP855: 3/30/2011 2:46:35 PM - System Checkpoint
RP856: 3/31/2011 4:03:49 PM - System Checkpoint
RP857: 4/1/2011 4:04:10 PM - System Checkpoint
RP858: 4/2/2011 4:41:33 PM - System Checkpoint
RP859: 4/3/2011 10:05:29 PM - System Checkpoint
RP860: 4/7/2011 10:34:53 PM - System Checkpoint
RP861: 4/12/2011 1:36:50 AM - System Checkpoint
RP862: 4/14/2011 10:01:44 AM - System Checkpoint
RP863: 4/15/2011 3:49:20 PM - System Checkpoint
RP864: 4/19/2011 1:32:37 AM - System Checkpoint
RP865: 4/20/2011 9:32:24 AM - System Checkpoint
RP866: 4/21/2011 9:55:37 AM - System Checkpoint
RP867: 4/22/2011 2:48:20 PM - System Checkpoint
RP868: 4/24/2011 12:03:36 AM - System Checkpoint
RP869: 4/25/2011 1:25:27 AM - System Checkpoint
RP870: 4/26/2011 4:31:03 PM - System Checkpoint
RP871: 4/29/2011 8:17:07 PM - System Checkpoint
RP872: 4/30/2011 10:45:13 PM - System Checkpoint
RP873: 5/2/2011 1:19:08 AM - System Checkpoint
RP874: 5/3/2011 9:53:49 AM - System Checkpoint
RP875: 5/5/2011 9:56:53 AM - Avg Update
RP876: 5/12/2011 11:02:59 AM - System Checkpoint
RP877: 5/14/2011 12:22:02 PM - Avg Update
RP878: 5/17/2011 4:08:11 AM - System Checkpoint
RP879: 5/18/2011 11:45:19 AM - System Checkpoint
RP880: 5/22/2011 6:08:45 PM - System Checkpoint
RP881: 5/23/2011 8:15:19 PM - System Checkpoint
RP882: 5/25/2011 1:29:25 AM - System Checkpoint
RP883: 5/26/2011 4:03:28 PM - System Checkpoint
RP884: 5/28/2011 12:16:46 PM - System Checkpoint
RP885: 5/29/2011 2:14:25 PM - System Checkpoint
RP886: 6/1/2011 12:56:53 AM - System Checkpoint
RP887: 6/2/2011 2:00:01 AM - System Checkpoint
RP888: 6/4/2011 7:41:43 PM - Restore Operation
RP889: 6/4/2011 7:51:21 PM - Software Distribution Service 3.0
RP890: 6/5/2011 11:49:58 PM - System Checkpoint
RP891: 6/7/2011 1:17:31 AM - System Checkpoint
RP892: 6/8/2011 1:23:06 AM - System Checkpoint
RP893: 6/9/2011 8:44:35 AM - System Checkpoint
RP894: 6/10/2011 7:02:04 PM - System Checkpoint
RP895: 6/12/2011 3:53:07 AM - System Checkpoint
RP896: 6/13/2011 7:03:38 AM - System Checkpoint
RP897: 6/14/2011 8:49:02 AM - Restore Operation
RP898: 6/16/2011 7:30:36 PM - Restore Operation
RP899: 6/16/2011 11:19:37 PM - Restore Operation
RP900: 6/16/2011 11:49:39 PM - Software Distribution Service 3.0
RP901: 6/17/2011 12:37:59 AM - Installed Ad-Aware
RP902: 6/17/2011 12:38:37 AM - Installed Ad-Aware
RP903: 6/17/2011 8:50:58 PM - Software Distribution Service 3.0
RP904: 6/19/2011 1:18:17 AM - System Checkpoint
RP905: 6/20/2011 9:33:59 AM - System Checkpoint
RP906: 6/22/2011 5:14:14 PM - System Checkpoint
.
==== Installed Programs ======================
.
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Astaro SSL VPN Client 1.3
AVG Free 9.0
BitTorrent
Bonjour
Canon Camera Access Library
Canon Digital Camera Solution Disk 40-46 Software Starter Guide
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon Personal Printing Guide
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Critical Update for Windows Media Player 11 (KB959772)
Digidesign Free Bomb Factory Plug-Ins 7.4
Digidesign Pro Tools LE 7.4
Digidesign Shared Plug-Ins 7.4
DVD Shrink 3.2
EarMaster Pro 5
Easy CD-DA Extractor 4.5.0
eMedia Guitar Master
eMedia Toolkit
GoToMeeting 4.5.0.457
High Definition Audio Driver Package - KB835221
Homestead SiteBuilder
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
hp LaserJet 1010 Series
Intel® PRO Network Connections Drivers
Interlok driver setup x32
iTunes
Java™ 6 Update 12
Juice 2.2
K-Lite Codec Pack 5.9.0 (Full)
Logitech Audio Echo Cancellation Component
Logitech Vid HD
Logitech Video Enumerator
Logitech Webcam Software
Logitech Webcam Software Driver Package
Logitech® VoIP Driver
Malwarebytes' Anti-Malware version 1.51.0.1200
Maxthon Browser (remove only)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Live Meeting 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio 2007 Service Pack 2 (SP2)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office XP Professional with FrontPage
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mixer
MLB.TV NexDef Plug-in
Modem Helper
Mozilla Firefox 5.0 (x86 en-US)
MP3 Player Utilities 4.18
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8 Essentials
neroxml
OLYMPUS CAMEDIA Master 1.2
Photodex Presenter
Quicken 2006
QuickTime
RealPlayer
RealUpgrade 1.0
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio 2007 (KB2434737)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SigmaTel Audio
Skype™ 5.3
SnagIt 8
Spybot - Search & Destroy
Stream Torrent 1.0
SUPERAntiSpyware
The Rosetta Stone
TradeStation 8.3 (Build 1631)
TradeStation 8.4 (Build 1688)
TradeStation 8.4 (Build 1693)
TradeStation 9.0
TrueCrypt
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2006
TV Player Pro v0.7
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 System (KB2539530)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VCRedistSetup
ViewSonic Monitor Drivers
ViewSonic Windows XP Signed Files
Wake up News 5.0
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinZip 12.1
WinZip Self-Extractor
Yahoo! BrowserPlus 2.9.8
ZoneAlarm
ZoneAlarm Spy Blocker
.
==== Event Viewer Messages From Past Week ========
.
6/19/2011 1:50:17 PM, error: Service Control Manager [7034] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s).
6/18/2011 9:44:26 PM, error: System Error [1003] - Error code 1000008e, parameter1 80000004, parameter2 b9ec1d95, parameter3 9925c56c, parameter4 00000000.
6/18/2011 8:57:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
6/18/2011 11:03:24 AM, error: Service Control Manager [7034] - The digiSPTIService service terminated unexpectedly. It has done this 1 time(s).
6/17/2011 3:53:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec KLIF MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL StarOpen Tcpip truecrypt vsdatant
6/17/2011 3:36:20 PM, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
6/16/2011 8:47:39 PM, error: DCOM [10000] - Unable to start a DCOM Server: {C2BFE331-6739-4270-86C9-493D9A04CD38}. The error: "%2" Happened while starting this command: C:\WINDOWS\System32\igfxsrvc.exe -Embedding
6/16/2011 8:47:39 PM, error: DCOM [10000] - Unable to start a DCOM Server: {078AEF33-C48A-49F7-AFF3-A0EE810BFE7C}. The error: "%2" Happened while starting this command: C:\WINDOWS\System32\igfxsrvc.exe -Embedding
6/16/2011 7:29:31 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/16/2011 7:28:51 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/16/2011 7:28:42 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec KLIF MRxSmb NetBIOS NetBT RasAcd Rdbss StarOpen Tcpip truecrypt vsdatant
6/16/2011 7:28:42 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
6/16/2011 7:28:42 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/16/2011 7:28:42 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/16/2011 7:28:42 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/16/2011 7:28:42 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/16/2011 7:28:42 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/16/2011 11:19:19 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm KLIF StarOpen truecrypt
.
==== End Of File ===========================
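A responder reading the DDS output above usually triages the "Created Last 30" and "SERVICES / DRIVERS" sections by hand. The following is an added example of doing that triage in code; it is my own script, not part of this thread and not the DDS tool. The sample lines are copied from the log posted above, and the flagging rules (a binary created directly in a user profile root, a purely numeric file name, several binaries of identical size dropped in different directories within the period, a service whose image is missing or was created in the last 30 days) are my own assumptions about what is worth a second look, not anything DDS computes.

```python
"""Triage helper for the 'Created Last 30' and 'SERVICES / DRIVERS' sections of a DDS log.

Added example: my own code, not from the thread and not the DDS tool. The sample
lines are copied from the DDS output posted above; the flagging rules are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the DDS "Created Last 30" lines posted in this thread.
SAMPLE_CREATED = r"""
2011-06-23 01:28:22 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-18 16:15:39 0 ---ha-w- c:\documents and settings\administrator\ofdephhumg.tmp
2011-06-18 06:30:33 764416 ----a-w- c:\windows\system32\iasrecst32.exe
2011-06-18 06:30:32 169472 ----a-w- c:\windows\system32\kbdsmsno32.dll
2011-06-18 06:30:17 764416 ----a-w- c:\windows\system32\jgmd40032.exe
2011-06-18 06:30:15 349696 ----a-w- c:\windows\system32\atmfd(3)32.dll
2011-06-18 06:30:03 764416 ----a-w- c:\documents and settings\administrator\0.5189894787761442.exe
2011-06-18 06:30:01 764416 ----a-w- c:\documents and settings\administrator\0.32855595027478657.exe
2011-06-17 05:39:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
"""

# Constructed sample: a subset of the DDS "SERVICES / DRIVERS" lines posted in this thread.
SAMPLE_SERVICES = r"""
R2 digiSPTIService32;digiSPTIService ;c:\windows\system32\jgmd40032.exe [2011-6-18 764416]
S2 COMSysApp32;COM+ System Application ;c:\windows\system32\6to4svc32.exe --> c:\windows\system32\6to4svc32.exe [?]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
"""

# Line shapes as they appear in the log: "date time size attrs path" and
# "state name;display;path [--> resolved] [info]". Both regexes are assumptions
# fitted to the posted lines, not a published DDS format specification.
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)
PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$", re.I)
NUMERIC_NAME_RE = re.compile(r"^[\d.]+\.(?:exe|dll)$", re.I)
BINARY_EXT = (".exe", ".dll", ".sys")


def parse_created(text):
    """Parse 'Created Last 30' lines into dicts; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        size = m["size"]
        entries.append({
            "when": f'{m["date"]} {m["time"]}',
            "size": int(size) if size.isdigit() else None,
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return entries


def triage_created(entries):
    """Return (path, reason) pairs for entries matching the assumed rules."""
    findings = []
    by_size = defaultdict(list)  # byte size -> binaries of that size
    for e in entries:
        path = e["path"]
        name = path.rsplit("\\", 1)[-1]
        if e["size"] is not None and name.lower().endswith(BINARY_EXT):
            by_size[e["size"]].append(path)
        if name.lower().endswith((".exe", ".dll")) and PROFILE_ROOT_RE.match(path):
            findings.append((path, "executable dropped in profile root"))
        if NUMERIC_NAME_RE.match(name):
            findings.append((path, "purely numeric file name"))
    # Same-size binaries scattered over several directories often come from one dropper.
    for size, paths in by_size.items():
        dirs = {p.lower().rsplit("\\", 1)[0] for p in paths}
        if len(paths) >= 2 and len(dirs) >= 2:
            for p in paths:
                findings.append((p, f"size cluster: {len(paths)} files of {size} bytes "
                                    f"across {len(dirs)} directories"))
    return findings


def triage_services(text, created_entries):
    """Return (service name, reason) pairs for services worth a second look."""
    recent = {e["path"].lower() for e in created_entries}
    findings = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        path = m["path"].strip().lower()
        if m["info"] == "?":  # DDS prints [?] when it cannot stat the image file
            findings.append((m["name"], f"image not found on disk: {path}"))
        if path in recent:
            findings.append((m["name"], f"image created in last 30 days: {path}"))
    return findings


if __name__ == "__main__":
    created = parse_created(SAMPLE_CREATED)
    for path, reason in triage_created(created):
        print(f"FILE    {path}\n        {reason}")
    for name, reason in triage_services(SAMPLE_SERVICES, created):
        print(f"SERVICE {name}\n        {reason}")
```

Run against the sample, the script groups the four 764416-byte executables (two in system32, two in the Administrator profile root) into one cluster, flags the two numerically named files, and reports both `digiSPTIService32` (image created within the period) and `COMSysApp32` (image not on disk). None of this proves anything by itself; it only orders the list so the analyst reads the odd entries first.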

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:25 PM

Posted 24 June 2011 - 02:05 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

AVG right now is very hard to shut down long enough to run our scans, and it is actively going after some of our tools. For this reason we are going to have to remove it until we are finished.

I would like you to uninstall AVG and run their AVG removal tool (32 bit).

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 jmbtexas

jmbtexas
  • Topic Starter

  • Members
  • 51 posts
  • Local time:05:25 PM

Posted 24 June 2011 - 09:28 PM

Hi Gringo,

The Combo Fix status bar has been at about 60% for close to an hour and the screen says "Output File..."

I haven't seen any movement in a while.

I haven't clicked on anything, and all the other anti-stuff is closed.

Does combo fix take a while to run?

Thanks,

Jeff

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:25 PM

Posted 24 June 2011 - 09:45 PM

Give it 15 more minutes; if nothing happens, then quit it and come tell me.


gringo

#9 jmbtexas

jmbtexas
  • Topic Starter

  • Members
  • 51 posts
  • Local time:05:25 PM

Posted 24 June 2011 - 10:26 PM

Gringo,

I shut it down, tried again, got stuck on an IE file, I ignored it, and it wound up getting hung up again where it did the first time.

What should we do next?

Thanks,

Jeff

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:25 PM

Posted 24 June 2011 - 11:56 PM

Hello

OK, let's try this. I want you to run ComboFix in Safe Mode, but it is very important that when ComboFix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

After ComboFix has finished its scan, please post the report back here.

Gringo

#11 jmbtexas

jmbtexas
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:05:25 PM

Posted 25 June 2011 - 12:50 PM

Hola Gringo,

I was able to run ComboFix in SafeMode. The computer didn't need to restart for the scan to finish.

Here is the ComboFix log. Please let me know what we need to do next!

Thanks,

Jeff

-----------------------------------


ComboFix 11-06-25.03 - Administrator 06/25/2011 12:29:26.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.2344 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\0.32855595027478657.exe
c:\documents and settings\Administrator\0.5189894787761442.exe
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tgau665v.default\extensions\{4d5766b8-5cdd-4348-8b7b-a65cf760cfbc}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tgau665v.default\extensions\{4d5766b8-5cdd-4348-8b7b-a65cf760cfbc}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tgau665v.default\extensions\{4d5766b8-5cdd-4348-8b7b-a65cf760cfbc}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tgau665v.default\extensions\{4d5766b8-5cdd-4348-8b7b-a65cf760cfbc}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tgau665v.default\extensions\{4d5766b8-5cdd-4348-8b7b-a65cf760cfbc}\install.rdf
c:\documents and settings\Administrator\Application Data\PriceGong
c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Administrator\g2mdlhlpx.exe
c:\documents and settings\Administrator\WINDOWS
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Created from 2011-05-25 to 2011-06-25 )))))))))))))))))))))))))))))))
.
.
2011-06-23 01:28 . 2011-06-23 01:28 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-23 01:28 . 2011-06-23 01:28 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-18 19:15 . 2011-06-18 19:15 -------- d-----w- c:\program files\iPod
2011-06-18 19:15 . 2011-06-18 19:16 -------- d-----w- c:\program files\iTunes
2011-06-18 18:44 . 2011-06-18 18:44 -------- d-----w- c:\program files\Bonjour
2011-06-18 16:15 . 2011-06-18 16:15 0 ---ha-w- c:\documents and settings\Administrator\ofdephhumg.tmp
2011-06-18 06:30 . 2011-06-18 06:30 169472 ----a-w- c:\windows\system32\kbdsmsno32.dll
2011-06-18 06:30 . 2011-06-18 06:30 349696 ----a-w- c:\windows\system32\atmfd(3)32.dll
2011-06-17 05:46 . 2011-06-17 05:46 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-17 05:42 . 2011-06-17 20:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2011-06-17 05:42 . 2011-06-17 14:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-17 05:38 . 2011-06-17 05:38 -------- d-----w- c:\program files\Lavasoft
2011-06-17 05:38 . 2011-06-25 01:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2011-06-17 04:52 . 2011-06-17 05:12 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-17 04:31 . 2011-06-17 04:31 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-17 04:14 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-17 03:06 . 2011-06-17 03:06 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2011-06-17 02:27 . 2011-06-17 02:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-06-17 02:27 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-17 02:27 . 2011-06-17 02:27 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-06-17 02:27 . 2011-06-17 02:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-17 02:06 . 2011-06-23 01:28 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-06-17 02:06 . 2011-06-23 01:28 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-06-17 02:06 . 2011-06-23 01:28 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-06-17 02:06 . 2011-06-23 01:28 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-06-17 02:06 . 2011-06-23 01:28 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-06-17 02:06 . 2011-06-23 01:28 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-06-17 02:06 . 2011-06-23 01:28 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-06-17 02:06 . 2011-06-23 01:28 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-06-17 02:02 . 2011-06-17 02:02 -------- d-----w- c:\program files\Common Files\Skype
2011-06-14 06:02 . 2011-06-14 06:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-06-14 06:02 . 2011-06-17 03:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-14 05:21 . 2011-06-17 04:21 -------- d-----w- c:\program files\Microsoft Silverlight
2011-05-28 23:09 . 2011-06-19 00:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-28 23:06 . 2011-05-28 23:06 -------- d-----w- c:\documents and settings\Administrator\.autobahn
2011-05-28 23:06 . 2011-05-28 23:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Autobahn
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-02 15:31 . 2008-07-05 21:07 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2001-08-23 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51 . 2001-08-23 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51 . 2001-08-23 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01 . 2004-08-04 05:59 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2001-08-23 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-06-23 01:28 . 2011-06-17 02:06 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00B3A71C-8FD8-4A5A-91C8-4AC959655744}]
2011-06-18 06:30 349696 ----a-w- c:\windows\system32\atmfd(3)32.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A8A99F6-606D-20F4-5057-6DD70BCC604C}]
2011-06-18 06:30 169472 ----a-w- c:\windows\system32\kbdsmsno32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSVolFE"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=Digi32.dll
"MIDI3"=diomidi.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk
backup=c:\windows\pss\MLB.TV NexDef Plug-in.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
2007-10-31 04:35 77824 ----a-w- c:\program files\Digidesign\Drivers\MMERefresh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 22:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 18:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\openvpn-gui]
2007-10-05 09:23 90112 ----a-w- c:\program files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
2002-12-16 21:51 36864 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-02-18 02:56 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-06-10 16:26 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-08-09 04:00 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
2003-04-01 00:28 155648 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\program files\TradeStation 8.3 (Build 1631)\Program\ORPlat.exe"= c:\program files\TradeStation 8.3 (Build 1631)\Program\ORPlat.exe:63.99.207.101/255.255.255.255,63.99.207.102/255.255.255.255,63.99.207.103/255.255.255.255,63.99.207.118/255.255.255.255,63.99.207.119/255.255.255.255,64.74.235.37/255.255.255.255,64.74.235.144/255.255.255.255,64.74.235.149/255.255.255.255,64.74.235.150/255.255.255.255,64.74.235.151/255.255.255.255,64.74.235.175/255.255.255.255,64.74.235.176/255.255.255.255,72.5.192.81/255.255.255.255,72.5.192.101/255.255.255.255,72.5.192.102/255.255.255.255:Enabled:TradeStation 8.3 (Build 1631)
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11000:TCP"= 11000:TCP:11000
"11001:TCP"= 11001:TCP:11001
"11010:TCP"= 11010:TCP:11010
"11020:TCP"= 11020:TCP:11020
.
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [10/13/2010 11:16 PM 16384]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S2 COMSysApp32;COM+ System Application ;c:\windows\system32\6to4svc32.exe --> c:\windows\system32\6to4svc32.exe [?]
S2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [3/3/2009 8:20 PM 16400]
S2 digiSPTIService32;digiSPTIService ;c:\windows\system32\jgmd40032.exe --> c:\windows\system32\jgmd40032.exe [?]
S3 BlackBox;BlackBox SR2; [x]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [3/3/2009 8:20 PM 97808]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [3/3/2009 8:20 PM 21648]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [3/3/2009 8:20 PM 21904]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-24 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2001-08-23 00:12]
.
2011-06-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-527237240-688789844-725345543-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2011-06-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-527237240-688789844-725345543-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.startpage.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: Yahoo! Backgammon - hxxp://origin.games.yahoo.net/games/clients/y/at1_x.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tgau665v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.startpage.com/
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
HKLM-Run-UIUCU - c:\docume~1\JEFFB~1\LOCALS~1\Temp\UIUCU.EXE
Notify-avgrsstarter - avgrsstx.dll
MSConfigStartUp-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-25 12:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(800)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-06-25 12:42:27
ComboFix-quarantined-files.txt 2011-06-25 17:42
.
Pre-Run: 21,670,150,144 bytes free
Post-Run: 27,035,430,912 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 6EBD95EAB0DE1DE6DE4C9989BC84EE9E

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:25 PM

Posted 25 June 2011 - 01:49 PM

I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
c:\windows\system32\kbdsmsno32.dll
c:\windows\system32\atmfd(3)32.dll


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

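The log in #11 and the two DLLs gringo singles out in the CFScript in #12 lend themselves to a small triage script. This is an added example, not ComboFix's code and not anything gringo posted: it parses a hand-trimmed excerpt of the log posted above, flags Browser Helper Objects whose DLL was created inside the "Files Created" window and sits in system32 (a heuristic chosen for this example; it happens to match exactly the two files gringo scripted), lists services whose image ComboFix reports as "[?]" or "[x]" instead of a timestamp and size (taken here, as an assumption, to mean the file could not be examined), and formats the flagged paths as the same "File::" block used above. All function names are my own.

```python
"""Triage helper for a ComboFix log (added example; not ComboFix's own code)."""
import re

# Abbreviated excerpt of the ComboFix log posted in #11 above, trimmed by hand
# to just the lines this parser needs.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-05-25 to 2011-06-25 )))))))))))))))))))))))))))))))
.
2011-06-23 01:28 . 2011-06-23 01:28 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-18 06:30 . 2011-06-18 06:30 169472 ----a-w- c:\windows\system32\kbdsmsno32.dll
2011-06-18 06:30 . 2011-06-18 06:30 349696 ----a-w- c:\windows\system32\atmfd(3)32.dll
2011-06-17 02:27 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00B3A71C-8FD8-4A5A-91C8-4AC959655744}]
2011-06-18 06:30 349696 ----a-w- c:\windows\system32\atmfd(3)32.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A8A99F6-606D-20F4-5057-6DD70BCC604C}]
2011-06-18 06:30 169472 ----a-w- c:\windows\system32\kbdsmsno32.dll
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [10/13/2010 11:16 PM 16384]
S2 COMSysApp32;COM+ System Application ;c:\windows\system32\6to4svc32.exe --> c:\windows\system32\6to4svc32.exe [?]
S2 digiSPTIService32;digiSPTIService ;c:\windows\system32\jgmd40032.exe --> c:\windows\system32\jgmd40032.exe [?]
S3 BlackBox;BlackBox SR2; [x]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [3/3/2009 8:20 PM 21648]
"""

# "created . modified size attrs path" lines in the Files Created section
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) (\S+) (.+)$")
# BHO registry key, followed on the next line by "date time size attrs dll"
BHO_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-F-]+\})\]$", re.I)
BHO_DLL = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+) (\S+) (.+)$")
# "R0/S2/S3 name;display name;image path [detail]" service lines
SERVICE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[(.*)\]$")


def parse_combofix(text):
    """Pull the recently created files, BHO DLLs and services out of a log."""
    report = {"created": {}, "bhos": [], "services": []}
    section = None
    pending_bho = None  # GUID of a BHO key whose DLL line comes next
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("(((("):  # section banner
            section = "created" if "Files Created" in line else "other"
            continue
        m = BHO_KEY.match(line)
        if m:
            pending_bho = m.group(1)
            continue
        if pending_bho:
            m = BHO_DLL.match(line)
            if m:
                report["bhos"].append((pending_bho, m.group(3).lower()))
            pending_bho = None
            continue
        m = FILE_LINE.match(line)
        if m and section == "created":
            report["created"][m.group(5).lower()] = (m.group(1), m.group(3))
            continue
        m = SERVICE.match(line)
        if m:
            report["services"].append(
                {"start": m.group(1), "name": m.group(2),
                 "image": m.group(4), "detail": m.group(5)})
    return report


def find_suspicious_bhos(report):
    """BHO DLLs created inside the scan window that live in system32.

    Heuristic chosen for this example: a freshly dropped DLL registered as a
    browser add-on is exactly what a search-redirect hijacker looks like.
    """
    return [dll for _guid, dll in report["bhos"]
            if dll in report["created"] and "\\system32\\" in dll]


def find_unverifiable_services(report):
    """Services whose image is reported as [?] or [x] instead of date/size
    (assumed here to mean ComboFix could not examine the file)."""
    return [s["name"] for s in report["services"] if s["detail"] in ("?", "x")]


def make_cfscript(paths):
    """Format flagged paths as the File:: block shown in this thread."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    rpt = parse_combofix(SAMPLE_LOG)
    bhos = find_suspicious_bhos(rpt)
    print("BHO DLLs created in the scan window:", bhos)
    print("Services whose image could not be verified:",
          find_unverifiable_services(rpt))
    print(make_cfscript(bhos))
```

Run against the full log rather than the excerpt, the same parser also surfaces the two services pointing at 6to4svc32.exe and jgmd40032.exe, which this script only reports; the CFScript emitter is limited to the "File::" directive that actually appears in the thread.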

#13 jmbtexas

jmbtexas
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:05:25 PM

Posted 25 June 2011 - 05:11 PM

Hi Gringo,

I followed your instructions. Here is the log for my second ComboFix scan using the script you gave me above.

Thanks,

Jeff

-------------------

ComboFix 11-06-25.05 - Administrator 06/25/2011 16:57:33.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.2234 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
FILE ::
"c:\windows\system32\atmfd(3)32.dll"
"c:\windows\system32\kbdsmsno32.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\atmfd(3)32.dll
c:\windows\system32\kbdsmsno32.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-05-25 to 2011-06-25 )))))))))))))))))))))))))))))))
.
.
2011-06-25 18:49 . 2011-06-25 18:49 -------- d-----w- c:\program files\iPod
2011-06-25 18:49 . 2011-06-25 18:50 -------- d-----w- c:\program files\iTunes
2011-06-25 18:45 . 2011-06-25 18:45 -------- d-----w- c:\program files\Apple Software Update
2011-06-23 01:28 . 2011-06-23 01:28 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-23 01:28 . 2011-06-23 01:28 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-18 18:44 . 2011-06-18 18:44 -------- d-----w- c:\program files\Bonjour
2011-06-18 16:15 . 2011-06-18 16:15 0 ---ha-w- c:\documents and settings\Administrator\ofdephhumg.tmp
2011-06-17 05:46 . 2011-06-17 05:46 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-17 05:42 . 2011-06-17 20:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2011-06-17 05:42 . 2011-06-17 14:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-17 05:38 . 2011-06-17 05:38 -------- d-----w- c:\program files\Lavasoft
2011-06-17 05:38 . 2011-06-25 01:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2011-06-17 04:52 . 2011-06-17 05:12 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-17 04:31 . 2011-06-17 04:31 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-17 04:14 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-17 03:06 . 2011-06-17 03:06 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2011-06-17 02:27 . 2011-06-17 02:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-06-17 02:27 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-17 02:27 . 2011-06-17 02:27 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-06-17 02:27 . 2011-06-17 02:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-17 02:06 . 2011-06-23 01:28 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-06-17 02:06 . 2011-06-23 01:28 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-06-17 02:06 . 2011-06-23 01:28 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-06-17 02:06 . 2011-06-23 01:28 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-06-17 02:06 . 2011-06-23 01:28 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-06-17 02:06 . 2011-06-23 01:28 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-06-17 02:06 . 2011-06-23 01:28 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-06-17 02:06 . 2011-06-23 01:28 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-06-17 02:02 . 2011-06-17 02:02 -------- d-----w- c:\program files\Common Files\Skype
2011-06-14 06:02 . 2011-06-14 06:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-06-14 06:02 . 2011-06-17 03:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-14 05:21 . 2011-06-17 04:21 -------- d-----w- c:\program files\Microsoft Silverlight
2011-05-28 23:09 . 2011-06-19 00:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-28 23:06 . 2011-05-28 23:06 -------- d-----w- c:\documents and settings\Administrator\.autobahn
2011-05-28 23:06 . 2011-05-28 23:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Autobahn
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-02 15:31 . 2008-07-05 21:07 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2001-08-23 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51 . 2001-08-23 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51 . 2001-08-23 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01 . 2004-08-04 05:59 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2001-08-23 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-06-23 01:28 . 2011-06-17 02:06 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-06-25_17.39.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-06-25 18:45 . 2011-06-25 18:45 27136 c:\windows\Installer\{C6579A65-9CAE-4B31-8B6B-3306E0630A66}\AppleSoftwareUpdateIco.exe
+ 2011-06-25 18:45 . 2011-06-25 18:45 771584 c:\windows\Installer\348bba.msi
+ 2011-06-25 18:50 . 2011-06-25 18:50 380928 c:\windows\Installer\{C897FCB3-2F8B-4185-8035-79E2AF3A92A4}\iTunesIco.exe
+ 2011-06-25 18:50 . 2011-06-25 18:50 6541312 c:\windows\Installer\3495a0.msi
+ 2008-07-09 01:37 . 2011-06-25 21:51 378503200 c:\windows\system32\drivers\fidbox.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSVolFE"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=Digi32.dll
"MIDI3"=diomidi.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk
backup=c:\windows\pss\MLB.TV NexDef Plug-in.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
2007-10-31 04:35 77824 ----a-w- c:\program files\Digidesign\Drivers\MMERefresh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 22:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 18:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\openvpn-gui]
2007-10-05 09:23 90112 ----a-w- c:\program files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
2002-12-16 21:51 36864 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-02-18 02:56 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-06-10 16:26 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-08-09 04:00 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
2003-04-01 00:28 155648 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\program files\TradeStation 8.3 (Build 1631)\Program\ORPlat.exe"= c:\program files\TradeStation 8.3 (Build 1631)\Program\ORPlat.exe:63.99.207.101/255.255.255.255,63.99.207.102/255.255.255.255,63.99.207.103/255.255.255.255,63.99.207.118/255.255.255.255,63.99.207.119/255.255.255.255,64.74.235.37/255.255.255.255,64.74.235.144/255.255.255.255,64.74.235.149/255.255.255.255,64.74.235.150/255.255.255.255,64.74.235.151/255.255.255.255,64.74.235.175/255.255.255.255,64.74.235.176/255.255.255.255,72.5.192.81/255.255.255.255,72.5.192.101/255.255.255.255,72.5.192.102/255.255.255.255:Enabled:TradeStation 8.3 (Build 1631)
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11000:TCP"= 11000:TCP:11000
"11001:TCP"= 11001:TCP:11001
"11010:TCP"= 11010:TCP:11010
"11020:TCP"= 11020:TCP:11020
.
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [10/13/2010 11:16 PM 16384]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S2 COMSysApp32;COM+ System Application ;c:\windows\system32\6to4svc32.exe --> c:\windows\system32\6to4svc32.exe [?]
S2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [3/3/2009 8:20 PM 16400]
S2 digiSPTIService32;digiSPTIService ;c:\windows\system32\jgmd40032.exe --> c:\windows\system32\jgmd40032.exe [?]
S3 BlackBox;BlackBox SR2; [x]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [3/3/2009 8:20 PM 97808]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [3/3/2009 8:20 PM 21648]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [3/3/2009 8:20 PM 21904]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-24 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2001-08-23 00:12]
.
2011-06-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-527237240-688789844-725345543-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2011-06-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-527237240-688789844-725345543-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.startpage.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: Yahoo! Backgammon - hxxp://origin.games.yahoo.net/games/clients/y/at1_x.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tgau665v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.startpage.com/
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{00B3A71C-8FD8-4A5A-91C8-4AC959655744} - c:\windows\system32\atmfd(3)32.dll
BHO-{5A8A99F6-606D-20F4-5057-6DD70BCC604C} - c:\windows\system32\kbdsmsno32.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-25 17:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-06-25 17:09:03
ComboFix-quarantined-files.txt 2011-06-25 22:09
ComboFix2.txt 2011-06-25 17:42
.
Pre-Run: 27,265,495,040 bytes free
Post-Run: 27,506,888,704 bytes free
.
- - End Of File - - 202491A788A41CE9BA67F9FCB248A207
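As an added example (not part of the thread, and not ComboFix's own code), a small Python triage of the service lines in the ComboFix log above: it parses the `<start> <name>;<display name>;<image path> [...]` layout and flags entries whose binary ComboFix marked `[?]` (file not found), which is how the two auto-start services COMSysApp32 and digiSPTIService32 stand out. The padded-display-name check is my own heuristic, not something the helper states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: service lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [10/13/2010 11:16 PM 16384]
S2 COMSysApp32;COM+ System Application ;c:\windows\system32\6to4svc32.exe --> c:\windows\system32\6to4svc32.exe [?]
S2 digiSPTIService32;digiSPTIService ;c:\windows\system32\jgmd40032.exe --> c:\windows\system32\jgmd40032.exe [?]
S3 BlackBox;BlackBox SR2; [x]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [3/3/2009 8:20 PM 21904]
"""

# ComboFix prints each service as: <start> <name>;<display name>;<image path> [<details>]
LINE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")


@dataclass
class ServiceEntry:
    start: str            # R0/S1/S2/S3 as printed by ComboFix (S2 = auto start)
    name: str
    display: str          # kept verbatim, trailing spaces included
    image: Optional[str]  # None when ComboFix printed "[x]" (no image path at all)
    resolved: bool        # False when ComboFix marked the file "[?]" (not found on disk)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest == "[x]":
        return ServiceEntry(m.group("start"), m.group("name"), m.group("display"), None, False)
    unresolved = rest.endswith("[?]")
    # For unresolved entries ComboFix repeats the path after "-->"; keep the first copy.
    image = rest.split(" --> ")[0] if unresolved else rest.rsplit(" [", 1)[0]
    return ServiceEntry(m.group("start"), m.group("name"), m.group("display"), image, not unresolved)


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map service name -> reasons it deserves a closer look (heuristics assumed here)."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        svc = parse_service_line(line)
        if svc is None:
            continue
        reasons: List[str] = []
        if svc.image is not None and not svc.resolved:
            reasons.append("missing-image")      # ComboFix could not find the binary
            if svc.start == "S2":
                reasons.append("auto-start")     # and Windows will try to launch it at boot
        if svc.display != svc.display.rstrip():
            reasons.append("padded-display")     # trailing space mimics a legitimate display name
        if reasons:
            findings[svc.name] = reasons
    return findings
```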

#14 jmbtexas

jmbtexas
  • Topic Starter

  • Members
  • 51 posts
  • Local time:05:25 PM

Posted 25 June 2011 - 09:03 PM

Hi Gringo,

One thing I did notice...ComboFix got stuck on an IE file during the second scan. It wouldn't work on a retry, so I just ignored it. I left for a while and came back with the computer still in Safe Mode. I received a message that IE had a problem and needed to shut down, but I am not aware that IE was even running because I didn't have an IE browser open. Anyway, I thought I would mention it since it seemed strange.

Thanks,

Jeff

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:25 PM

Posted 25 June 2011 - 10:01 PM

Hello

P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 9.3

and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University



