
Infected with AV guard online


This topic is locked
18 replies to this topic

#1 palaniappan

  • Members
  • 22 posts

Posted 21 October 2011 - 07:20 PM

My computer is infected with AV Guard Online. It keeps redirecting every time a web page is opened and will not let any kind of malware removal program run. It swiftly closes all malware removal programs (e.g. Malwarebytes' Anti-Malware). I ran it but it suddenly crashed. I am currently in Windows safe mode and it didn't let me run Malwarebytes' Anti-Malware or even GMER. The instruction on BleepingComputer was to run GMER and provide the ark.txt file, but when I ran GMER.exe it suddenly crashed. I am not sure how to get rid of this AV Guard Online.

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Administrator at 19:03:24 on 2011-10-21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.330 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\2030404000:1602157190.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
.
============== Pseudo HJT Report ===============
.
mSearchAssistant = hxxp://www.google.com/ie
BHO: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - c:\program files\iobit toolbar\ie\4.6\iobitToolbarIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - c:\program files\iobit toolbar\ie\4.6\iobitToolbarIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AROReminder] c:\program files\advanced registry optimizer\aro.exe -rem
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTSVolFE] "c:\program files\creative\mixer\CTSVolFE.exe" /r
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRun: [B22iibD3pnG5QHd8234A] c:\windows\system32\FssQQJ77dE8gRqY.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.1.121\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\philips webcam\Monitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 65.5.49.18 205.152.37.23 65.5.49.19
TCP: Interfaces\{F0EEF102-58B6-44D5-AEEA-7F26613FEAAF} : DhcpNameServer = 65.5.49.18 205.152.37.23 65.5.49.19
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
S2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-8-17 402328]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Ca2001v;CA2001 WebCam Driver;c:\windows\system32\drivers\ca2001v.sys --> c:\windows\system32\drivers\Ca2001v.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.1.121\McCHSvc.exe [2010-9-3 227232]
S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [2006-11-20 506112]
.
=============== Created Last 30 ================
.
2011-10-21 23:54:08 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2011-10-21 23:53:44 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2011-10-08 11:32:16 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-08 11:31:46 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-08 11:31:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-08 10:49:39 1558320 ----a-w- C:\tdsskiller.exe
2011-10-07 21:46:51 3032064 ----a-w- c:\windows\system32\FssQQJ77dE8gRqY.exe
.
==================== Find3M ====================
.
2011-10-08 11:36:35 256 ----a-w- c:\windows\system32\pool.bin
.
============= FINISH: 19:04:30.67 ===============
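An added example, not part of the original thread and not a DDS or ComboFix tool: a short Python script that performs, over the kind of "Pseudo HJT Report" and "Created Last 30" lines DDS prints, the triage a malware-response helper does by eye. It flags autostart (Run) entries whose value name or target file name looks machine-generated (digits interleaved with letters, erratic case changes, hardly any vowels) and adds weight when the target binary also appears in the recently created list. The log excerpt inside the script is constructed for the demo: the B22iibD3pnG5QHd8234A / FssQQJ77dE8gRqY.exe pair mirrors the entry in the log above, the other lines are typical benign autostarts. The heuristics and the threshold are my choices, not anything DDS itself implements.

```python
"""Triage the autostart ("Run") entries of a DDS log for machine-looking names.

Added example for this thread (not a BleepingComputer, DDS or ComboFix tool).
It reads the mRun:/uRun:/dRun: lines of the "Pseudo HJT Report" and the
"Created Last 30" lines, then scores each autostart entry with heuristics
that mirror what a malware-response helper checks by eye:
  * the value name or the file name looks generated (digit/letter
    interleaving, erratic case flips, almost no vowels);
  * the target binary also shows up in the "Created Last 30" list.
Entries scoring 2 or more are reported as worth a closer look.
"""
import re

# Constructed DDS excerpt. The FssQQJ77dE8gRqY.exe lines mirror the entry in
# the thread's log; the remaining lines are ordinary benign autostarts.
SAMPLE_DDS = r"""
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [B22iibD3pnG5QHd8234A] c:\windows\system32\FssQQJ77dE8gRqY.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
2011-10-08 11:31:46 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-07 21:46:51 3032064 ----a-w- c:\windows\system32\FssQQJ77dE8gRqY.exe
"""

# "mRun: [name] command" (also uRun/dRun and the *RunOnce variants).
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Target path: optionally quoted, ends at the first executable extension.
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|scr|dll|sys))"?', re.IGNORECASE)
# "YYYY-MM-DD hh:mm:ss <size> <attrs> <path>" from the Created Last 30 section.
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ \S+ (?P<path>.+)$")


def looks_random(name):
    """Return 0..3: how many 'machine-generated name' indicators fire."""
    letters = [c for c in name if c.isalpha()]
    score = 0
    # 1. Digits interleaved with letters three or more times ("B22iibD3pnG5").
    runs = re.findall(r"[0-9]+|[A-Za-z]+", name)
    if sum(1 for a, b in zip(runs, runs[1:]) if a[0].isdigit() != b[0].isdigit()) >= 3:
        score += 1
    # 2. Case flips between at least half of the adjacent letters
    #    (CamelCase vendor names flip far less often).
    if len(letters) >= 6:
        flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
        if flips / (len(letters) - 1) >= 0.5:
            score += 1
    # 3. Almost no vowels in a long name (weak alone: Intel's "igfxhkcmd" is legit).
    if len(letters) >= 8 and sum(c.lower() in "aeiou" for c in letters) / len(letters) < 0.2:
        score += 1
    return score


def parse_dds(text):
    """Split a DDS log into (value name, target path) entries and created paths."""
    entries, created = [], set()
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            pm = PATH_RE.match(m.group("cmd"))
            path = pm.group("path") if pm else m.group("cmd")
            entries.append((m.group("name"), path))
            continue
        m = CREATED_RE.match(line)
        if m:
            created.add(m.group("path").lower())
    return entries, created


def triage(text, threshold=2):
    """Return [(value_name, path, score, reasons)] for entries at/above threshold."""
    entries, created = parse_dds(text)
    flagged = []
    for name, path in entries:
        base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        score = max(looks_random(name), looks_random(base))
        if score:
            reasons.append(f"machine-looking name ({score} indicators)")
        if path.lower() in created:
            score += 1
            reasons.append("target created in the last 30 days")
        if score >= threshold:
            flagged.append((name, path, score, reasons))
    return flagged


if __name__ == "__main__":
    for name, path, score, reasons in triage(SAMPLE_DDS):
        print(f"score {score}: [{name}] {path} -> {'; '.join(reasons)}")
```

Run stand-alone it prints the single flagged entry. The threshold is two indicators because oddly named but legitimate vendor binaries (Intel's igfxhkcmd, for instance) trigger at most one; a random-looking value name pointing at a random-looking, freshly created file in system32 stacks several, which is exactly the pattern the helper picked out of the log above.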


#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 22 October 2011 - 12:08 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 palaniappan
  • Topic Starter

  • Members
  • 22 posts

Posted 23 October 2011 - 01:37 PM

I did as instructed and ran ComboFix. It downloaded the MS Windows Recovery Console and said it is scanning for malware. I got a message window that said you have been infected with a serious rootkit, ZeroAccess, at the TCP/IP core, so you need to reboot. It also said that the 'computer will automatically reboot and please don't manually reboot'. Further, it said if you are not able to connect to the internet after the reboot, please run ComboFix again. But in your original post you had asked me not to re-run ComboFix. I clicked OK for the reboot but didn't want to risk anything more, so I shut down my computer and wanted to report what happened before I do anything else. I am typing this reply from my friend's computer as I didn't want to restart and screw up again. Can you please help me? Am I doing anything wrong, or what should I do now?

#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 October 2011 - 03:04 PM

Reboot the machine and follow the instructions ComboFix gave you.

It may just continue and produce a log; if not, re-run ComboFix.

Give it lots of time and wait till a log is produced.



#5 palaniappan
  • Topic Starter

  • Members
  • 22 posts

Posted 23 October 2011 - 08:53 PM

I have completed the steps as instructed and below is the ComboFix.txt. I have also attached the text file. Please let me know what I should do next, and thanks again for all the help.

ComboFix 11-10-23.01 - Administrator 10/23/2011 20:29:37.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.375 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Valli\Application Data\kjjUUCelIBr
c:\documents and settings\Valli\Application Data\kjjUUCelIBr\Guard Online .ico
c:\documents and settings\Valli\Application Data\ldr.ini
c:\documents and settings\Valli\Application Data\sekIBrzONx1v2b4
c:\documents and settings\Valli\Application Data\sekIBrzONx1v2b4\Guard Online .ico
c:\documents and settings\Valli\Application Data\tG4aQH6sW7RgqUe
c:\documents and settings\Valli\Application Data\tG4aQH6sW7RgqUe\Guard Online .ico
c:\documents and settings\Valli\Desktop\Guard Online .lnk
c:\documents and settings\Valli\Start Menu\Programs\Guard Online
c:\documents and settings\Valli\Start Menu\Programs\Startup\crss.exe
c:\program files\Internet Explorer\321.tmp
c:\program files\Internet Explorer\A.tmp
c:\program files\Internet Explorer\B.tmp
c:\program files\Internet Explorer\C.tmp
c:\program files\Internet Explorer\D.tmp
c:\windows\$NtUninstallKB23047$
c:\windows\$NtUninstallKB23047$\113759970
c:\windows\$NtUninstallKB23047$\2692810105\@
c:\windows\$NtUninstallKB23047$\2692810105\bckfg.tmp
c:\windows\$NtUninstallKB23047$\2692810105\cfg.ini
c:\windows\$NtUninstallKB23047$\2692810105\Desktop.ini
c:\windows\$NtUninstallKB23047$\2692810105\keywords
c:\windows\$NtUninstallKB23047$\2692810105\kwrd.dll
c:\windows\$NtUninstallKB23047$\2692810105\L\mrxqxhrd
c:\windows\$NtUninstallKB23047$\2692810105\lsflt7.ver
c:\windows\$NtUninstallKB23047$\2692810105\U\00000001.@
c:\windows\$NtUninstallKB23047$\2692810105\U\00000002.@
c:\windows\$NtUninstallKB23047$\2692810105\U\80000000.@
c:\windows\$NtUninstallKB23047$\2692810105\U\80000032.@
c:\windows\help\tours\htmltour\unlock_playing.htm
c:\windows\kb913800.exe
c:\windows\system32\d3d9caps.dat
.
Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_a0810579
.
.
((((((((((((((((((((((((( Files Created from 2011-09-24 to 2011-10-24 )))))))))))))))))))))))))))))))
.
.
2011-10-23 18:25 . 2004-08-03 22:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-10-21 23:54 . 2011-10-21 23:54 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-10-21 23:53 . 2011-10-21 23:53 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-10-08 11:35 . 2011-10-08 11:35 -------- d-----w- c:\documents and settings\Valli\Application Data\EDoGamH6s7E9TqY
2011-10-08 11:32 . 2011-10-08 11:32 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-08 11:31 . 2011-10-08 11:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-08 11:31 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-08 10:49 . 2011-10-08 10:49 1558320 ----a-w- C:\tdsskiller.exe
2011-10-08 10:34 . 2011-10-08 10:34 -------- d-----w- c:\documents and settings\Valli\Application Data\pOBtxP0yc1b3
2011-10-08 10:29 . 2011-10-08 10:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-10-08 10:23 . 2011-10-08 10:23 -------- d-----w- c:\documents and settings\Valli\Local Settings\Application Data\PCHealth
2011-10-08 01:09 . 2011-10-08 01:09 -------- d-----w- c:\documents and settings\Valli\Application Data\mrrllONNtx
2011-10-08 01:09 . 2011-10-08 01:09 -------- d-----w- c:\documents and settings\Valli\Application Data\kK77fRLL9hXqjCk
2011-10-07 21:47 . 2011-10-07 21:47 -------- d-----w- c:\documents and settings\Valli\Application Data\DQQHH6ddWKfR9hX
2011-10-07 21:46 . 2011-10-07 21:46 3032064 ----a-w- c:\windows\system32\FssQQJ77dE8gRqY.exe
2011-10-07 21:46 . 2011-10-07 21:46 -------- d-----w- c:\documents and settings\Valli\Application Data\oxxA11uvD2ob4pH
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-02 12:45 . 2011-04-26 01:37 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"CTSVolFE"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-08-17 534880]
"B22iibD3pnG5QHd8234A"="c:\windows\system32\FssQQJ77dE8gRqY.exe" [2011-10-07 3032064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Valli\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-3-25 390432]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-11-19 1807704]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]
Monitor.lnk - c:\program files\Philips Webcam\Monitor.exe [2007-10-16 249856]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-6-23 610120]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [8/17/2011 1:00 PM 402328]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 Ca2001v;CA2001 WebCam Driver;c:\windows\system32\Drivers\Ca2001v.sys --> c:\windows\system32\Drivers\Ca2001v.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.1.121\McCHSvc.exe [9/3/2010 1:45 AM 227232]
S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [11/20/2006 8:48 AM 506112]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-515967899-682003330-1003Core.job
- c:\documents and settings\Valli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-02 04:39]
.
2011-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-515967899-682003330-1003UA.job
- c:\documents and settings\Valli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-02 04:39]
.
2011-10-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 65.5.49.18 205.152.37.23 65.5.49.19
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AROReminder - c:\program files\Advanced Registry Optimizer\aro.exe
MSConfigStartUp-CTFMON - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-23 20:40
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-515967899-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6f,36,d5,d1,b8,2d,32,4f,a6,bc,cd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6f,36,d5,d1,b8,2d,32,4f,a6,bc,cd,\
.
Completion time: 2011-10-23 20:44:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-24 01:44
.
Pre-Run: 281,315,053,568 bytes free
Post-Run: 285,703,675,904 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - CF68D7A392A4885D46BDA9A693590E54

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 October 2011 - 09:30 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic424507.html/page__pid__2452173#entry2452173

Collect::
c:\windows\system32\FssQQJ77dE8gRqY.exe

Folder::
c:\documents and settings\Valli\Application Data\EDoGamH6s7E9TqY
c:\documents and settings\Valli\Application Data\pOBtxP0yc1b3
c:\documents and settings\Valli\Application Data\mrrllONNtx
c:\documents and settings\Valli\Application Data\kK77fRLL9hXqjCk
c:\documents and settings\Valli\Application Data\DQQHH6ddWKfR9hX
c:\documents and settings\Valli\Application Data\oxxA11uvD2ob4pH

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"B22iibD3pnG5QHd8234A"=-

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



#7 palaniappan
  • Topic Starter

  • Members
  • 22 posts

Posted 23 October 2011 - 10:14 PM

Please find below the copy of the text file as instructed. Should I log on to Windows in normal mode or in safe mode with networking the next time I log in to my computer? Thanks again for your help.

ComboFix 11-10-23.03 - Administrator 10/23/2011 21:57:23.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.354 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
file zipped: c:\windows\system32\FssQQJ77dE8gRqY.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Valli\Application Data\DQQHH6ddWKfR9hX
c:\documents and settings\Valli\Application Data\EDoGamH6s7E9TqY
c:\documents and settings\Valli\Application Data\kK77fRLL9hXqjCk
c:\documents and settings\Valli\Application Data\mrrllONNtx
c:\documents and settings\Valli\Application Data\mrrllONNtx\Guard Online .ico
c:\documents and settings\Valli\Application Data\oxxA11uvD2ob4pH
c:\documents and settings\Valli\Application Data\pOBtxP0yc1b3
c:\windows\system32\FssQQJ77dE8gRqY.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-09-24 to 2011-10-24 )))))))))))))))))))))))))))))))
.
.
2011-10-23 18:25 . 2004-08-03 22:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-10-21 23:54 . 2011-10-21 23:54 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-10-21 23:53 . 2011-10-21 23:53 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-10-08 11:32 . 2011-10-08 11:32 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-08 11:31 . 2011-10-08 11:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-08 11:31 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-08 10:49 . 2011-10-08 10:49 1558320 ----a-w- C:\tdsskiller.exe
2011-10-08 10:29 . 2011-10-08 10:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-10-08 10:23 . 2011-10-08 10:23 -------- d-----w- c:\documents and settings\Valli\Local Settings\Application Data\PCHealth
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-02 12:45 . 2011-04-26 01:37 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"CTSVolFE"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-08-17 534880]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Valli\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-3-25 390432]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-11-19 1807704]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]
Monitor.lnk - c:\program files\Philips Webcam\Monitor.exe [2007-10-16 249856]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-6-23 610120]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [8/17/2011 1:00 PM 402328]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 Ca2001v;CA2001 WebCam Driver;c:\windows\system32\Drivers\Ca2001v.sys --> c:\windows\system32\Drivers\Ca2001v.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.1.121\McCHSvc.exe [9/3/2010 1:45 AM 227232]
S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [11/20/2006 8:48 AM 506112]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-515967899-682003330-1003Core.job
- c:\documents and settings\Valli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-02 04:39]
.
2011-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-515967899-682003330-1003UA.job
- c:\documents and settings\Valli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-02 04:39]
.
2011-10-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 65.5.49.18 205.152.37.23 65.5.49.19
FF - ProfilePath -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-23 22:06
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-515967899-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6f,36,d5,d1,b8,2d,32,4f,a6,bc,cd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6f,36,d5,d1,b8,2d,32,4f,a6,bc,cd,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\COMRes.dll
.
- - - - - - - > 'explorer.exe'(1056)
c:\windows\system32\ieframe.dll
.
Completion time: 2011-10-23 22:09:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-24 03:09
ComboFix2.txt 2011-10-24 01:44
.
Pre-Run: 285,698,985,984 bytes free
Post-Run: 285,682,413,568 bytes free
.
- - End Of File - - CB8251E299F1E6152804C24AEC3F0327

#8 CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 24 October 2011 - 04:07 PM

Hi,

Yes, please log on normally now,

please run the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 palaniappan (Topic Starter)

  • Members
  • 22 posts

Posted 24 October 2011 - 08:50 PM

Hi

Please find below the MBAM scan results and ESETSCAN results. Thanks again!

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8014

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

10/24/2011 7:38:49 PM
mbam-log-2011-10-24 (19-38-49).txt

Scan type: Quick scan
Objects scanned: 241501
Time elapsed: 11 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


C:\Documents and Settings\Guest\Local Settings\Application Data\adsldpcw.exe a variant of Win32/Kryptik.AWG trojan
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\3CVTWSBO\oHb51a7cbaV0100f070006R80e64fb7102Tfebe9ca4201l0409K5f45ff12317[1].pdf JS/Exploit.Pdfka.NUI trojan
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\6HKOVJS7\KAV6[1].htm JS/Exploit.Agent.NBA trojan
C:\Documents and Settings\Valli\Local Settings\Application Data\Mozilla\Firefox\Profiles\330d6lya.default\Cache\E\C0\9FA91d01 JS/Exploit.Pdfka.PEN trojan
C:\Documents and Settings\Valli\My Documents\Downloads\cnet_ScreenShotSetup1_1_msi.exe a variant of Win32/InstallCore.D application
C:\Documents and Settings\Valli\My Documents\Downloads\cnet_ZapGrab_screen-capture-for-XP_bloq_zip(1).exe a variant of Win32/InstallCore.D application
C:\Documents and Settings\Valli\My Documents\Downloads\cnet_ZapGrab_screen-capture-for-XP_bloq_zip.exe a variant of Win32/InstallCore.D application
C:\Documents and Settings\Valli\My Documents\Downloads\winzip155.exe Win32/OpenCandy application
C:\Program Files\Application Updater\ApplicationUpdater.exe probably a variant of Win32/Adware.Toolbar.Dealio application
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Adware.Toolbar.Dealio application
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.5 a variant of Win32/Adware.Toolbar.Dealio application
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.6 a variant of Win32/Adware.Toolbar.Dealio application
C:\Program Files\IObit Toolbar\IE\4.6\iobitToolbarIE.dll a variant of Win32/Adware.Toolbar.Dealio application
C:\Qoobox\Quarantine\[4]-Submit_2011-10-23_21.57.11.zip a variant of Win32/Kryptik.TTW trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Valli\Start Menu\Programs\Startup\crss.exe.vir Win32/Agent.TDD trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP61\A0005620.rbf a variant of Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP61\A0005625.rbf a variant of Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP61\A0005626.rbf probably a variant of Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP61\A0005636.msi a variant of Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP62\A0005656.old a variant of Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP82\A0006504.dll a variant of Win32/Adware.Toolbar.Dealio application
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0006712.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0007712.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0007744.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0007823.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0007909.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0007923.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0007929.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0007949.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0008949.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0008974.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0009974.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0009982.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0009995.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0010004.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0011004.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0011030.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0011083.exe a variant of Win32/Adware.HotBar.H application
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0011084.exe a variant of Win32/Adware.HotBar.H application
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0011085.exe a variant of Win32/Adware.HotBar.H application
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0011087.exe a variant of Win32/Adware.HotBar.H application
C:\System Volume Information\_restore{8D8533A9-D241-4D97-BA53-B0B6186BE07E}\RP85\A0011099.exe Win32/Agent.TDD trojan
Operating memory a variant of Win32/Adware.Toolbar.Dealio application


#10 CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 25 October 2011 - 06:50 AM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic424507.html/page__pid__2453361#entry2453361

Collect::
C:\Documents and Settings\Guest\Local Settings\Application Data\adsldpcw.exe 

File::
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\3CVTWSBO\oHb51a7cbaV0100f070006R80e64fb7102Tfebe9ca4201l0409K5f45ff12317[1].pdf 
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\6HKOVJS7\KAV6[1].htm 
C:\Documents and Settings\Valli\Local Settings\Application Data\Mozilla\Firefox\Profiles\330d6lya.default\Cache\E\C0\9FA91d01 
C:\Program Files\Application Updater\ApplicationUpdater.exe 
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe 
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.5 
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.6 
C:\Program Files\IObit Toolbar\IE\4.6\iobitToolbarIE.dll 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Please advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 palaniappan (Topic Starter)

  • Members
  • 22 posts

Posted 25 October 2011 - 06:52 PM

Hi

Please find below the log report of the latest ComboFix. My computer now seems to be OK and I don't get the AV guard online any more, but I am still not sure if it won't come back. Can you tell from the log if it is gone for good, and also what should I do to not get this kind of malware anymore?

ComboFix 11-10-25.04 - Valli 10/25/2011 18:33:38.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.196 [GMT -5:00]
Running from: c:\documents and settings\Valli\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Valli\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\3CVTWSBO\oHb51a7cbaV0100f070006R80e64fb7102Tfebe9ca4201l0409K5f45ff12317[1].pdf"
"c:\documents and settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\6HKOVJS7\KAV6[1].htm"
"c:\documents and settings\Valli\Local Settings\Application Data\Mozilla\Firefox\Profiles\330d6lya.default\Cache\E\C0\9FA91d01"
"c:\program files\Application Updater\ApplicationUpdater.exe"
"c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe"
"c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.5"
"c:\program files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.6"
"c:\program files\IObit Toolbar\IE\4.6\iobitToolbarIE.dll"
.
file zipped: c:\documents and settings\Guest\Local Settings\Application Data\adsldpcw.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-09-25 to 2011-10-25 )))))))))))))))))))))))))))))))
.
.
2011-10-25 00:47 . 2011-10-25 00:47 -------- d-----w- c:\program files\ESET
2011-10-25 00:27 . 2011-10-18 07:28 6668624 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2011-10-23 18:25 . 2004-08-03 22:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-10-21 23:54 . 2011-10-21 23:54 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-10-21 23:53 . 2011-10-21 23:53 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-10-08 11:31 . 2011-10-25 00:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-08 11:31 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-08 10:49 . 2011-10-08 10:49 1558320 ----a-w- C:\tdsskiller.exe
2011-10-08 10:29 . 2011-10-08 10:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-10-08 10:23 . 2011-10-08 10:23 -------- d-----w- c:\documents and settings\Valli\Local Settings\Application Data\PCHealth
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-02 12:45 . 2011-04-26 01:37 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-24_01.40.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-25 23:43 . 2011-10-25 23:43 16384 c:\windows\temp\Perflib_Perfdata_27c.dat
+ 2009-10-03 13:39 . 2011-05-25 00:14 222080 c:\windows\system32\MpSigStub.exe
- 2009-10-03 13:39 . 2011-02-02 23:11 222080 c:\windows\system32\MpSigStub.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 4670968]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2011-03-22 2403024]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"CTSVolFE"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-08-17 534880]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Valli\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-3-25 390432]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-11-19 1807704]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]
Monitor.lnk - c:\program files\Philips Webcam\Monitor.exe [2007-10-16 249856]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-6-23 610120]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [8/17/2011 1:00 PM 402328]
R3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [11/20/2006 8:48 AM 506112]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 Ca2001v;CA2001 WebCam Driver;c:\windows\system32\Drivers\Ca2001v.sys --> c:\windows\system32\Drivers\Ca2001v.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.1.121\McCHSvc.exe [9/3/2010 1:45 AM 227232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-515967899-682003330-1003Core.job
- c:\documents and settings\Valli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-02 04:39]
.
2011-10-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-515967899-682003330-1003UA.job
- c:\documents and settings\Valli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-02 04:39]
.
2011-10-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: eset.com\go
TCP: DhcpNameServer = 65.5.49.18 205.152.37.23 65.5.49.19
FF - ProfilePath - c:\documents and settings\Valli\Application Data\Mozilla\Firefox\Profiles\330d6lya.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=685749&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 6522
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-25 18:44
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1204)
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-10-25 18:47:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-25 23:47
ComboFix2.txt 2011-10-24 03:11
ComboFix3.txt 2011-10-24 01:44
.
Pre-Run: 285,167,243,264 bytes free
Post-Run: 285,182,951,424 bytes free
.
- - End Of File - - D4F37E8978AF5A330A3F758C389D889C

#12 CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 25 October 2011 - 07:18 PM

There is a proxy hijack showing up which we need to get rid of, so please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

DDS::
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522

FireFox::
FF - ProfilePath - c:\documents and settings\Valli\Application Data\Mozilla\Firefox\Profiles\330d6lya.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 6522

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Reset your Router:

  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don't know the router's default password, you can look it up HERE.
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

NEXT

  • Go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns (note the space between “..g /f…” it needs to be there)
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
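As an added, defender-side illustration (not part of this thread, and not code from ComboFix, DDS or Malwarebytes): a small Python audit that reads DDS/ComboFix-style log lines and flags the two things CatByte picks out of the posted logs, the browser proxy pointing at a local listener and the Security Center override values. The sample log is constructed from values quoted in this thread; the line patterns are my assumptions about the log layout, not a documented format.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: modelled on the DDS/ComboFix "Reg Loading Points" and
# "Supplementary Scan" sections posted in this thread. The values are the
# ones from the posted logs; which lines to include is my choice.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
TCP: DhcpNameServer = 65.5.49.18 205.152.37.23 65.5.49.19
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 6522
FF - prefs.js: network.proxy.type - 0
"""

# Line shapes are assumptions drawn from the logs above, not a documented format.
RE_SECTION = re.compile(r"^\[(.+)\]$")
RE_DWORD = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')
RE_DECIMAL = re.compile(r'^"(\w+)"=\s*(\d+)\s*\(0x[0-9a-fA-F]+\)$')
RE_INET = re.compile(r"^u?Internet Settings,(\w+) = (.*)$")
RE_FFPREF = re.compile(r"^FF - prefs\.js: (network\.proxy\.\S+) - (.*)$")


def is_loopback(host: str) -> bool:
    """True for hosts that resolve to the local machine itself."""
    h = host.strip("[]").lower()
    return h in ("localhost", "::1") or h.startswith("127.")


def parse_proxy_server(value: str) -> Dict[str, Tuple[str, str]]:
    """Parse an IE ProxyServer value into {scheme: (host, port)}.

    IE accepts either 'host:port' (one proxy for every protocol, stored
    here under '*') or a ';'-separated list of 'scheme=host:port' pairs.
    """
    proxies: Dict[str, Tuple[str, str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, endpoint = part.partition("=")
        if not sep:
            scheme, endpoint = "*", part
        host, colon, port = endpoint.rpartition(":")
        if not colon:  # bare host, no port given
            host, port = endpoint, ""
        proxies[scheme.lower()] = (host, port)
    return proxies


def audit_log(text: str) -> List[dict]:
    """Walk a DDS/ComboFix log and return the findings a rogue-AV cleanup
    should double-check: proxy hijacks and suppressed security alerts."""
    findings: List[dict] = []
    section = ""
    ff: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = RE_DWORD.match(line) or RE_DECIMAL.match(line)
        if m:
            name = m.group(1)
            val = int(m.group(2), 16 if "dword" in line else 10)
            if "security center" in section and name.endswith("Override") and val:
                findings.append({"id": "security_center_override", "key": name,
                                 "detail": f"{name}={val}: Security Center will not "
                                           "warn that this component is off or missing"})
            elif "firewallpolicy" in section and name == "DisableNotifications" and val:
                findings.append({"id": "firewall_notifications_disabled", "key": name,
                                 "detail": "Windows Firewall block notifications are off"})
            continue
        m = RE_INET.match(line)
        if m and m.group(1) == "ProxyServer":
            for scheme, (host, port) in parse_proxy_server(m.group(2)).items():
                loop = is_loopback(host)
                findings.append({"id": "ie_proxy_loopback" if loop else "ie_proxy_set",
                                 "key": f"ProxyServer[{scheme}]",
                                 "detail": f"IE routes {scheme} traffic through {host}:{port}"
                                           + (" (local listener: rogue-AV hijack)" if loop else "")})
            continue
        m = RE_FFPREF.match(line)
        if m:
            ff[m.group(1)] = m.group(2).strip()
    host = ff.get("network.proxy.http")
    if host:
        # network.proxy.type 1 = manual proxy in use; any other value means the
        # stored host is inactive residue, still worth removing during cleanup.
        active = ff.get("network.proxy.type") == "1"
        findings.append({"id": "ff_proxy_loopback" if is_loopback(host) else "ff_proxy_set",
                         "key": "network.proxy.http",
                         "detail": f"Firefox HTTP proxy {host}:{ff.get('network.proxy.http_port', '')} "
                                   f"({'active' if active else 'configured but not active'})"})
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"[{f['id']}] {f['key']}: {f['detail']}")
```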


#13 palaniappan (Topic Starter)

  • Members
  • 22 posts

Posted 25 October 2011 - 09:18 PM

Hi

Please find below the ComboFix report. I don't use a router; instead I use a cable modem and a Vonage device. There was no reset button on my cable modem, so I unplugged it for 10 sec and hit the reset button on the Vonage device. Do you still see any issues from the log below? Thanks again for your help and time.

ComboFix 11-10-25.04 - Valli 10/25/2011 20:30:40.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.217 [GMT -5:00]
Running from: c:\documents and settings\Valli\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Valli\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-09-26 to 2011-10-26 )))))))))))))))))))))))))))))))
.
.
2011-10-25 00:47 . 2011-10-25 00:47 -------- d-----w- c:\program files\ESET
2011-10-25 00:27 . 2011-10-18 07:28 6668624 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2011-10-23 18:25 . 2004-08-03 22:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-10-21 23:54 . 2011-10-21 23:54 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-10-21 23:53 . 2011-10-21 23:53 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-10-08 11:31 . 2011-10-25 00:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-08 11:31 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-08 10:49 . 2011-10-08 10:49 1558320 ----a-w- C:\tdsskiller.exe
2011-10-08 10:29 . 2011-10-08 10:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-10-08 10:23 . 2011-10-08 10:23 -------- d-----w- c:\documents and settings\Valli\Local Settings\Application Data\PCHealth
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-02 12:45 . 2011-04-26 01:37 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-24_01.40.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-26 01:20 . 2011-10-26 01:20 16384 c:\windows\temp\Perflib_Perfdata_e8.dat
+ 2009-10-03 13:39 . 2011-05-25 00:14 222080 c:\windows\system32\MpSigStub.exe
- 2009-10-03 13:39 . 2011-02-02 23:11 222080 c:\windows\system32\MpSigStub.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 4670968]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2011-03-22 2403024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"CTSVolFE"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-08-17 534880]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Valli\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-3-25 390432]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-11-19 1807704]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]
Monitor.lnk - c:\program files\Philips Webcam\Monitor.exe [2007-10-16 249856]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-6-23 610120]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [8/17/2011 1:00 PM 402328]
R3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [11/20/2006 8:48 AM 506112]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 Ca2001v;CA2001 WebCam Driver;c:\windows\system32\Drivers\Ca2001v.sys --> c:\windows\system32\Drivers\Ca2001v.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.1.121\McCHSvc.exe [9/3/2010 1:45 AM 227232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-515967899-682003330-1003Core.job
- c:\documents and settings\Valli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-02 04:39]
.
2011-10-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-515967899-682003330-1003UA.job
- c:\documents and settings\Valli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-02 04:39]
.
2011-10-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: eset.com\go
TCP: DhcpNameServer = 65.5.49.18 205.152.37.23 65.5.49.19
FF - ProfilePath - c:\documents and settings\Valli\Application Data\Mozilla\Firefox\Profiles\330d6lya.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=685749&p=
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-25 20:39
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3264)
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-10-25 20:41:43
ComboFix-quarantined-files.txt 2011-10-26 01:41
ComboFix2.txt 2011-10-25 23:48
ComboFix3.txt 2011-10-24 03:11
ComboFix4.txt 2011-10-24 01:44
.
Pre-Run: 285,186,662,400 bytes free
Post-Run: 285,176,885,248 bytes free
.
- - End Of File - - 75341BC4F81D214A4B4B082B89D27B1A

#14 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 25 October 2011 - 09:38 PM

Hi

Log looks good,

Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date.
Java™ 6 Update 24 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT

Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 palaniappan
  • Topic Starter
  • Members
  • 22 posts

Posted 26 October 2011 - 07:35 PM

Hi

I have pasted the DDS log and the Attach log below. My computer seems to run OK now, since I no longer see AV Guard Online. Please let me know if everything is OK.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Valli at 19:32:05 on 2011-10-26
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.106 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Google\Google Talk\googletalk.exe
svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\2.1.121\SSScheduler.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Philips Webcam\Monitor.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [Google Update] "c:\documents and settings\valli\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTSVolFE] "c:\program files\creative\mixer\CTSVolFE.exe" /r
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\valli\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\valli\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.1.121\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\philips webcam\Monitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: eset.com\go
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 65.5.49.18 205.152.37.23 65.5.49.19
TCP: Interfaces\{F0EEF102-58B6-44D5-AEEA-7F26613FEAAF} : DhcpNameServer = 65.5.49.18 205.152.37.23 65.5.49.19
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\valli\application data\mozilla\firefox\profiles\330d6lya.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=685749&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\valli\local settings\application data\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
.
============= SERVICES / DRIVERS ===============
.
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-8-17 402328]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [2006-11-20 506112]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Ca2001v;CA2001 WebCam Driver;c:\windows\system32\drivers\ca2001v.sys --> c:\windows\system32\drivers\Ca2001v.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.1.121\McCHSvc.exe [2010-9-3 227232]
.
=============== Created Last 30 ================
.
2011-10-25 00:47:36 -------- d-----w- c:\program files\ESET
2011-10-25 00:27:34 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-10-25 00:27:34 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-10-25 00:27:33 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-10-25 00:27:31 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-10-25 00:27:31 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-10-25 00:27:29 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-10-25 00:27:18 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-10-25 00:27:01 6668624 ------w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\updates\mpengine.dll
2011-10-23 18:25:45 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-10-23 18:22:25 -------- d-sha-r- C:\cmdcons
2011-10-23 18:19:24 98816 ----a-w- c:\windows\sed.exe
2011-10-23 18:19:24 518144 ----a-w- c:\windows\SWREG.exe
2011-10-23 18:19:24 256000 ----a-w- c:\windows\PEV.exe
2011-10-23 18:19:24 208896 ----a-w- c:\windows\MBR.exe
2011-10-08 11:31:46 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-08 11:31:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-08 10:49:39 1558320 ----a-w- C:\tdsskiller.exe
2011-10-08 10:23:25 -------- d-----w- c:\documents and settings\valli\local settings\application data\PCHealth
.
==================== Find3M ====================
.
2011-10-27 00:22:56 256 ----a-w- c:\windows\system32\pool.bin
2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 19:33:03.96 ===============


Attach.txt log below:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/25/2011 8:08:11 PM
System Uptime: 10/26/2011 7:21:51 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0JC474
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 265.048 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&10BD256C&0&10F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&10BD256C&0&10F0
Service:
.
==== System Restore Points ===================
.
RP42: 7/9/2011 7:36:42 PM - System Checkpoint
RP43: 7/12/2011 9:50:50 PM - System Checkpoint
RP44: 7/15/2011 6:41:24 PM - System Checkpoint
RP45: 7/18/2011 9:51:43 AM - System Checkpoint
RP46: 7/18/2011 5:40:25 PM - Installed Windows XP -- Software Updates KB952011.
RP47: 7/24/2011 10:15:02 AM - System Checkpoint
RP48: 7/25/2011 11:38:17 AM - System Checkpoint
RP49: 7/26/2011 6:11:23 PM - System Checkpoint
RP50: 7/29/2011 10:08:49 AM - System Checkpoint
RP51: 7/30/2011 10:26:46 AM - System Checkpoint
RP52: 7/31/2011 6:27:25 PM - System Checkpoint
RP53: 8/2/2011 2:22:26 PM - System Checkpoint
RP54: 8/3/2011 7:06:07 PM - System Checkpoint
RP55: 8/7/2011 8:53:34 PM - System Checkpoint
RP56: 8/9/2011 6:39:39 PM - System Checkpoint
RP57: 8/15/2011 5:29:54 PM - System Checkpoint
RP58: 8/17/2011 9:10:02 AM - System Checkpoint
RP59: 8/26/2011 6:50:12 PM - System Checkpoint
RP60: 8/28/2011 2:57:23 PM - System Checkpoint
RP61: 8/29/2011 7:28:39 PM - Removed IObit Toolbar v4.5.
RP62: 8/29/2011 8:05:25 PM - Installed WinZip 15.5
RP63: 9/1/2011 9:34:41 AM - System Checkpoint
RP64: 9/2/2011 2:00:06 PM - System Checkpoint
RP65: 9/4/2011 9:46:09 AM - System Checkpoint
RP66: 9/5/2011 3:41:37 PM - System Checkpoint
RP67: 9/8/2011 5:00:22 PM - System Checkpoint
RP68: 9/10/2011 7:58:22 PM - System Checkpoint
RP69: 9/11/2011 8:28:00 PM - System Checkpoint
RP70: 9/13/2011 9:51:55 AM - System Checkpoint
RP71: 9/15/2011 9:00:40 PM - System Checkpoint
RP72: 9/16/2011 9:30:18 PM - System Checkpoint
RP73: 9/18/2011 9:28:00 AM - System Checkpoint
RP74: 9/19/2011 9:49:36 PM - System Checkpoint
RP75: 9/21/2011 7:49:31 AM - System Checkpoint
RP76: 9/22/2011 8:08:23 AM - System Checkpoint
RP77: 9/23/2011 12:49:43 PM - System Checkpoint
RP78: 9/25/2011 10:44:38 AM - System Checkpoint
RP79: 9/27/2011 7:29:19 AM - System Checkpoint
RP80: 9/29/2011 8:35:12 AM - System Checkpoint
RP81: 9/30/2011 9:25:31 AM - System Checkpoint
RP82: 10/1/2011 4:48:03 PM - System Checkpoint
RP83: 10/2/2011 4:59:32 PM - System Checkpoint
RP84: 10/4/2011 8:46:53 AM - System Checkpoint
RP85: 10/5/2011 4:28:00 PM - System Checkpoint
RP86: 10/24/2011 7:26:47 PM - Software Distribution Service 3.0
RP87: 10/25/2011 6:24:31 PM - Software Distribution Service 3.0
RP88: 10/25/2011 6:27:04 PM - Software Distribution Service 3.0
RP89: 10/25/2011 6:28:07 PM - Installed Windows XP KB971961.
RP90: 10/26/2011 7:13:38 PM - Software Distribution Service 3.0
RP91: 10/26/2011 7:16:38 PM - Software Distribution Service 3.0
RP92: 10/26/2011 7:18:44 PM - Removed Adobe Reader 9.
RP93: 10/26/2011 7:19:19 PM - Installed Adobe Reader X (10.1.1).
RP94: 10/26/2011 7:24:47 PM - Installed Java™ 6 Update 29
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader X (10.1.1)
Adobe Shockwave Player 11.5
Adobe SVG Viewer 3.0
Advanced SystemCare 3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Parental Control
AutoUpdate
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Basic Webcam
BlackBerry Desktop Software 5.0.1
BlackBerry® Media Sync
Bonjour
CCleaner
DivX Codec
DivX Converter
DivX Player
DivX Web Player
ESET Online Scanner v3
Google Chrome
Google Earth
Google Talk (remove only)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
IObit Toolbar v4.6
iSofter DVD Ripper Platinum 3.0.2007.228
iTunes
Java Auto Updater
Java™ 6 Update 29
LeapFrog Connect
LeapFrog Leapster2 Plugin
Malwarebytes' Anti-Malware version 1.51.2.1300
McAfee Security Scan Plus
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mixer
Mozilla Firefox 7.0.1 (x86 en-US)
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Music Transfer
Otto
Philips PC Camera
Philips Webcam
Picasa 3
PMB Launcher
PowerDVD 5.5
Primo
QuickTime
RealPlayer
Roxio DLA
Roxio Media Manager
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Runtime
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
SigmaTel Audio
Sonic Encoders
Sonic Update Manager
Sony Picture Utility
Sound Blaster Audigy ADVANCED MB Demo
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Outlook 2007 Junk Email Filter (KB2522999)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB925720)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Use the entry named LeapFrog Connect to uninstall (LeapFrog Leapster2 Plugin)
VC80CRTRedist - 8.0.50727.762
VoiceOver Kit
WebCam Suite 2.0
WebFldrs XP
Windows Defender
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
WinRAR archiver
WinZip 15.5
Yahoo! Messenger
.
==== End Of File ===========================
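
The "log looks good" verdict above is reached by reading the DDS and ComboFix output for a handful of tell-tale items: autostart entries launched from temp or per-user directories or with machine-generated names, DNS resolvers that do not belong to the ISP, a static NameServer override, a Firefox proxy that was never configured by the user, and the Security Center override flags. The script below is an added example that mechanises those checks over log text in the DDS/ComboFix format; it is not part of this thread and not a BleepingComputer, DDS or ComboFix tool. The expected resolver range (EXPECTED_RESOLVERS) is an assumption the analyst fills in from the ISP, the sample log lines are constructed and are not lines from the logs posted above, and every hit is a prompt to look closer rather than a verdict (a per-user Google Update install, for instance, legitimately lives under Local Settings and will trip the user-writable rule).

```python
"""Triage helper for DDS / ComboFix-style log excerpts.

Added example for this thread, not a BleepingComputer, DDS or ComboFix tool.
Every rule is a review prompt, not a verdict.
"""
import re
from ipaddress import ip_address, ip_network

# Assumption: the analyst fills this in with the ISP's resolver range.
# The TEST-NET-1 block is a placeholder matching the constructed sample below.
EXPECTED_RESOLVERS = [ip_network("192.0.2.0/24")]

# Directory fragments (lower-case, Windows XP layout) that a machine-wide
# autostart rarely points into. A per-user updater can live here too.
USER_WRITABLE = ("\\local settings\\", "\\windows\\temp\\", "\\temp\\", "\\recycler\\")

# File stem that is a long hex blob or contains a run of four or more digits.
RANDOM_NAME = re.compile(r"^[0-9a-f]{8,}$|\d{4,}")

# First drive-letter path ending in an executable extension, quoted or not.
DRIVE_PATH = re.compile(r'([a-z]:\\[^"\r\n]*?\.(?:exe|scr|cpl|dll|com|bat))(?=["\s]|$)', re.I)
DNS_LINE = re.compile(r"^TCP:.*?\b(Dhcp)?NameServer\s*=\s*(.+)$", re.I)
PROXY_LINE = re.compile(r"network\.proxy\.type\s*-\s*(\d+)")
OVERRIDE_LINE = re.compile(r'"(AntiVirusOverride|FirewallOverride)"=dword:0*1\b')

AUTOSTART_PREFIXES = {"urun", "mrun", "drun", "startupfolder"}


def check_autostart(line):
    """Return a (rule, path) finding for an autostart line whose target looks out of place."""
    head, _, rest = line.partition(":")
    kind = head.strip().lower()
    if kind not in AUTOSTART_PREFIXES:
        return None
    # StartupFolder lines read "<shortcut>.lnk - <target>"; keep only the target.
    target = rest.rsplit(" - ", 1)[-1] if kind == "startupfolder" else rest
    m = DRIVE_PATH.search(target)
    if not m:
        return None
    path = m.group(1).lower()
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if any(frag in path for frag in USER_WRITABLE):
        return ("autostart-in-user-writable-dir", path)
    if RANDOM_NAME.search(stem):
        return ("autostart-random-name", path)
    return None


def check_dns(line):
    """Flag a static NameServer override and any resolver outside EXPECTED_RESOLVERS."""
    m = DNS_LINE.match(line)
    if not m:
        return []
    findings = []
    if not m.group(1):  # "NameServer" without the Dhcp prefix: set by hand, or by malware
        findings.append(("static-dns-configured", line.strip()))
    for token in re.split(r"[\s,]+", m.group(2).strip()):
        try:
            ip = ip_address(token)
        except ValueError:
            continue
        if not any(ip in net for net in EXPECTED_RESOLVERS):
            findings.append(("unexpected-resolver", token))
    return findings


def triage(log_text):
    """Run every check over the log and return (rule, detail) pairs in line order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        hit = check_autostart(line)
        if hit:
            findings.append(hit)
        findings.extend(check_dns(line))
        pm = PROXY_LINE.search(line)
        if pm and pm.group(1) != "0":  # 0 means "no proxy" in Firefox prefs.js
            findings.append(("firefox-proxy-configured", pm.group(1)))
        om = OVERRIDE_LINE.search(line)
        if om:
            findings.append(("security-center-override", om.group(1)))
    return findings


# Constructed log excerpt in DDS/ComboFix style; these are not lines from the thread.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uRun: [48219730] c:\documents and settings\user\local settings\application data\48219730.exe
mRun: [Updater] c:\windows\temp\updater.exe /quiet
mRun: [svc] c:\windows\system32\1a2b3c4d5e6f.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
TCP: DhcpNameServer = 192.0.2.53 192.0.2.54
TCP: Interfaces\{GUID} : NameServer = 198.51.100.9,198.51.100.10
FF - prefs.js: network.proxy.type - 1
"AntiVirusOverride"=dword:00000001
"""

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:32} {detail}")
```

Run it against a saved DDS.txt by passing the file contents to triage(). The DNS rule is the one that matters most for the symptom described in this thread (every page redirected): a resolver outside the ISP's range, or a NameServer line without the Dhcp prefix, is what the router reset and ipconfig /flushdns steps earlier in the thread are meant to clear, so re-run the check on a fresh log after those steps.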



