
ping.exe


  • This topic is locked
13 replies to this topic

#1 sireddy

  • Members
  • 7 posts

Posted 20 December 2011 - 04:28 PM

From my earlier post http://www.bleepingcomputer.com/forums/topic433591.html

I am sure this is a common topic, but I cannot seem to solve this with the info I have seen. I seem to have a ping.exe process running and using a large amount of resources. I end the task and it comes back. Someone point me in the right direction.

DDS Logs

dds.txt
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Dot2 at 15:21:48 on 2011-12-20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1919.1188 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\32788R22FWJFW\cmd.3XE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\ping.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Toolbar BHO: {ab56dfde-0c14-45b3-9df6-7b0eba617870} - c:\progra~1\totalr~2\bar\1.bin\14bar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Search Assistant BHO: {df22384f-cf68-4d19-969f-10423715528b} - c:\program files\totalrecipesearch_14\bar\1.bin\14SrcAs.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: TotalRecipeSearch: {a0154e07-2b48-475c-a82a-80efd84ea33e} - c:\program files\totalrecipesearch_14\bar\1.bin\14bar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~1.lnk - c:\windows\installer\{601be80d-247b-4084-94c7-7a54369db7a2}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe
IE: &Search - http://tbedits.totalrecipesearch.com/one-toolbaredits/menusearch.jhtml?s=100000459&p=YKxdm004O0us&si=&a=C443AA27-5BBA-4F82-B649-B6B0C3005FA1&n=2011082811
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{33DE3794-F02A-464F-A67E-D319939F727D} : DhcpNameServer = 75.75.76.76 75.75.75.75
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-4 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 16720]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-5 136176]
S2 NecUsb;USB Service;c:\windows\system32\svchost.exe -k NecUsbSevice [2001-8-18 14336]
S2 TotalRecipeSearch_14Service;TotalRecipeSearchService;c:\progra~1\totalr~2\bar\1.bin\14barsvc.exe --> c:\progra~1\totalr~2\bar\1.bin\14barsvc.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-5 136176]
.
=============== Created Last 30 ================
.
2011-12-20 19:38:06 -------- d-s---w- C:\ComboFix
2011-12-20 19:08:34 -------- d-----w- c:\documents and settings\dot2\application data\Malwarebytes
2011-12-20 19:08:26 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-20 18:34:30 -------- d-----w- c:\windows\system32\NtmsData
2011-12-20 18:28:01 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-12-20 18:28:01 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-12-20 18:26:57 33599 -c--a-w- c:\windows\system32\dllcache\watv04nt.sys
2011-12-20 18:25:58 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2011-12-20 18:24:58 147200 -c--a-w- c:\windows\system32\dllcache\smidispb.dll
2011-12-20 18:23:59 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys
2011-12-20 18:22:59 29502 -c--a-w- c:\windows\system32\dllcache\pca200e.sys
2011-12-20 18:21:57 91488 -c--a-w- c:\windows\system32\dllcache\n9i3disp.dll
2011-12-20 18:20:58 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-12-20 18:19:54 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-12-20 18:18:49 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2011-12-20 18:17:58 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2011-12-20 18:16:59 53248 -c--a-w- c:\windows\system32\dllcache\eqndiag.exe
2011-12-20 18:15:59 65622 -c--a-w- c:\windows\system32\dllcache\digiasyn.dll
2011-12-20 18:14:56 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2011-12-20 18:13:59 81408 -c--a-w- c:\windows\system32\dllcache\brmfcwia.dll
2011-12-20 18:12:59 16969 -c--a-w- c:\windows\system32\dllcache\amb8002.sys
2011-12-20 18:12:58 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys
2011-12-20 18:12:58 26624 -c--a-w- c:\windows\system32\dllcache\alifir.sys
2011-12-20 18:12:57 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys
2011-12-20 18:12:56 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2011-12-20 18:12:55 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2011-12-20 18:12:54 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys
2011-12-20 18:07:00 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2011-12-20 18:05:26 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-12-20 16:30:22 -------- d-----w- c:\windows\pss
2011-12-20 15:34:12 -------- d-sh--w- c:\documents and settings\dot2\PrivacIE
2011-12-20 15:34:09 -------- d-----w- c:\documents and settings\dot2\local settings\application data\Google
2011-12-20 15:30:30 -------- d-----w- c:\documents and settings\dot2\application data\AVG2012
.
==================== Find3M ====================
.
2011-12-18 16:03:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 10:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 10:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 10:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 15:23:03.89 ===============

attach.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 5/30/2011 1:48:55 PM
System Uptime: 12/20/2011 2:20:20 PM (1 hours ago)
.
Motherboard: ASUSTek Computer INC. | | Salmon
Processor: AMD Sempron™ Processor 3100+ | Socket 754 | 1808/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 143 GiB total, 103.408 GiB free.
D: is Removable
E: is Removable
F: is Removable
G: is Removable
H: is Removable
I: is FIXED (FAT32) - 6 GiB total, 0.979 GiB free.
J: is CDROM ()
K: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP128: 9/21/2011 9:32:31 PM - System Checkpoint
RP129: 9/22/2011 9:56:13 PM - System Checkpoint
RP130: 9/24/2011 12:43:25 PM - System Checkpoint
RP131: 9/25/2011 1:31:29 PM - System Checkpoint
RP132: 9/26/2011 2:06:11 PM - System Checkpoint
RP133: 9/27/2011 2:18:42 PM - System Checkpoint
RP134: 9/28/2011 2:34:16 PM - System Checkpoint
RP135: 9/29/2011 12:36:56 AM - Software Distribution Service 3.0
RP136: 9/29/2011 1:29:47 PM - Installed AVG 2012
RP137: 9/29/2011 1:30:00 PM - Removed AVG 2011
RP138: 9/29/2011 1:30:25 PM - Installed AVG 2012
RP139: 9/29/2011 1:33:35 PM - Removed AVG 2011
RP140: 9/30/2011 5:19:26 PM - System Checkpoint
RP141: 10/1/2011 5:46:35 PM - System Checkpoint
RP142: 10/2/2011 6:00:58 PM - System Checkpoint
RP143: 10/3/2011 7:58:38 PM - System Checkpoint
RP144: 10/4/2011 8:49:02 PM - System Checkpoint
RP145: 10/5/2011 9:26:14 PM - System Checkpoint
RP146: 10/6/2011 10:03:43 PM - System Checkpoint
RP147: 10/7/2011 10:18:34 PM - System Checkpoint
RP148: 10/8/2011 11:01:03 PM - System Checkpoint
RP149: 10/10/2011 4:43:04 PM - System Checkpoint
RP150: 10/11/2011 4:52:46 PM - System Checkpoint
RP151: 10/12/2011 5:57:12 PM - System Checkpoint
RP152: 10/12/2011 11:02:01 PM - Software Distribution Service 3.0
RP153: 10/14/2011 4:20:40 PM - System Checkpoint
RP154: 10/15/2011 5:08:14 PM - System Checkpoint
RP155: 10/16/2011 5:09:48 PM - System Checkpoint
RP156: 10/17/2011 5:18:22 PM - System Checkpoint
RP157: 10/18/2011 5:31:01 PM - System Checkpoint
RP158: 10/19/2011 6:49:11 PM - System Checkpoint
RP159: 10/20/2011 7:18:19 PM - System Checkpoint
RP160: 10/21/2011 7:42:26 PM - System Checkpoint
RP161: 10/22/2011 8:00:07 PM - System Checkpoint
RP162: 10/23/2011 8:42:42 PM - System Checkpoint
RP163: 10/24/2011 9:36:45 PM - System Checkpoint
RP164: 10/25/2011 10:35:52 PM - System Checkpoint
RP165: 10/27/2011 2:51:23 PM - System Checkpoint
RP166: 10/28/2011 4:44:54 PM - System Checkpoint
RP167: 10/29/2011 5:29:46 PM - System Checkpoint
RP168: 10/30/2011 5:38:11 PM - System Checkpoint
RP169: 10/31/2011 6:40:17 PM - System Checkpoint
RP170: 11/1/2011 7:41:13 PM - System Checkpoint
RP171: 11/2/2011 7:59:58 PM - System Checkpoint
RP172: 11/3/2011 8:13:36 PM - System Checkpoint
RP173: 11/4/2011 9:52:50 PM - System Checkpoint
RP174: 11/5/2011 9:05:36 PM - System Checkpoint
RP175: 11/6/2011 9:57:04 PM - System Checkpoint
RP176: 11/7/2011 10:37:33 PM - System Checkpoint
RP177: 11/8/2011 11:13:41 PM - Software Distribution Service 3.0
RP178: 11/10/2011 12:10:21 PM - System Checkpoint
RP179: 11/11/2011 4:31:16 PM - System Checkpoint
RP180: 11/11/2011 11:37:27 PM - Software Distribution Service 3.0
RP181: 11/13/2011 4:06:42 PM - System Checkpoint
RP182: 11/14/2011 4:16:32 PM - System Checkpoint
RP183: 11/15/2011 5:11:33 PM - System Checkpoint
RP184: 11/16/2011 6:42:01 PM - System Checkpoint
RP185: 11/17/2011 6:58:12 PM - System Checkpoint
RP186: 11/18/2011 7:43:46 PM - System Checkpoint
RP187: 11/19/2011 7:49:15 PM - System Checkpoint
RP188: 11/20/2011 8:35:32 PM - System Checkpoint
RP189: 11/21/2011 9:19:45 PM - System Checkpoint
RP190: 11/23/2011 12:47:24 PM - System Checkpoint
RP191: 11/24/2011 11:34:28 PM - System Checkpoint
RP192: 11/26/2011 10:28:38 PM - System Checkpoint
RP193: 11/28/2011 1:58:24 PM - System Checkpoint
RP194: 11/29/2011 2:15:33 PM - System Checkpoint
RP195: 11/30/2011 2:35:16 PM - System Checkpoint
RP196: 12/1/2011 4:29:32 PM - System Checkpoint
RP197: 12/2/2011 4:41:13 PM - System Checkpoint
RP198: 12/3/2011 4:48:44 PM - System Checkpoint
RP199: 12/4/2011 7:00:36 PM - System Checkpoint
RP200: 12/5/2011 8:29:36 PM - System Checkpoint
RP201: 12/7/2011 3:16:41 PM - System Checkpoint
RP202: 12/8/2011 8:40:12 PM - System Checkpoint
RP203: 12/9/2011 8:42:39 PM - System Checkpoint
RP204: 12/10/2011 10:23:30 PM - System Checkpoint
RP205: 12/12/2011 1:06:50 PM - System Checkpoint
RP206: 12/13/2011 1:40:40 PM - System Checkpoint
RP207: 12/14/2011 4:19:44 PM - System Checkpoint
RP208: 12/15/2011 4:54:41 PM - System Checkpoint
RP209: 12/16/2011 5:13:42 PM - System Checkpoint
RP210: 12/17/2011 5:35:04 PM - System Checkpoint
RP211: 12/18/2011 6:01:07 PM - System Checkpoint
RP212: 12/19/2011 9:00:48 PM - System Checkpoint
RP213: 12/20/2011 10:03:39 AM - Restore Operation
RP214: 12/20/2011 10:18:44 AM - Restore Operation
RP215: 12/20/2011 11:38:58 AM - Installed Java™ 6 Update 30
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.1)
ArcSoft PhotoImpression 6
ArcSoft Print Creations
AVG 2012
Bookworm Deluxe 1.03
EPSON CX8400 User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX8400 Series Scanner Driver Update
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Hallmark Card Studio 2010 Deluxe
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
J2SE Runtime Environment 5.0
Java Auto Updater
Java™ 6 Update 30
LSI PCI Soft Modem
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Realtek AC'97 Audio
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553074)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2553073)
Security Update for Microsoft Office Groove 2007 (KB2552997)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
TotalRecipeSearch
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Outlook 2007 Junk Email Filter (KB2596560)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
12/20/2011 2:22:21 PM, error: Service Control Manager [7000] - The TotalRecipeSearchService service failed to start due to the following error: The system cannot find the file specified.
12/20/2011 10:34:04 AM, error: Service Control Manager [7023] - The Help and Support service terminated with the following error: The specified module could not be found.
12/20/2011 10:25:32 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the USB Service service to connect.
12/20/2011 10:25:32 AM, error: Service Control Manager [7000] - The USB Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/20/2011 10:11:37 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 Fips Processor
12/20/2011 10:03:19 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
12/20/2011 10:03:19 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
12/20/2011 10:03:19 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/20/2011 10:03:19 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/20/2011 10:03:19 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/20/2011 10:02:56 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/20/2011 10:02:35 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/19/2011 11:04:35 PM, error: Service Control Manager [7023] - The USB Service service terminated with the following error: The specified module could not be found.
12/19/2011 11:04:35 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
12/19/2011 1:32:40 PM, error: Service Control Manager [7023] - The USB Service service terminated with the following error: Access is denied.
12/14/2011 3:44:13 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
12/13/2011 10:21:53 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86
12/13/2011 10:10:05 AM, error: Service Control Manager [7000] - The AVG AVI Loader Driver service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================

GMER Log
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-20 16:21:46
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SP1604N rev.TM100-24
Running: 8h29m3i1.exe; Driver: C:\DOCUME~1\Dot2\LOCALS~1\Temp\kflyqpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xAF407F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xAF407FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xAF408080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xAF40811C]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\Dot2\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1112] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0177000A
.text C:\WINDOWS\System32\svchost.exe[1112] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0178000A
.text C:\WINDOWS\System32\svchost.exe[1112] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0176000C
.text C:\WINDOWS\Explorer.EXE[1564] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 03E1000A
.text C:\WINDOWS\Explorer.EXE[1564] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 03E2000A
.text C:\WINDOWS\Explorer.EXE[1564] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 03C2000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) AF8D2000-AF8EC000 (106496 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Dot2\Cookies\LMS8XFLC.txt 0 bytes
File C:\Documents and Settings\Dot2\Cookies\M65QS7B0.txt 0 bytes
File C:\Documents and Settings\Dot2\Cookies\YFJTLWM5.txt 0 bytes
File C:\Documents and Settings\Dot2\Cookies\MG6K0ILI.txt 0 bytes
File C:\Documents and Settings\Dot2\Cookies\SKNL7PCX.txt 0 bytes
File C:\Documents and Settings\Dot2\Local Settings\Temporary Internet Files\Content.IE5\8JUZ4N1R\r[1].js 182 bytes
File C:\Documents and Settings\Dot2\Local Settings\Temporary Internet Files\Content.IE5\8JUZ4N1R\st[9] 0 bytes
File C:\Documents and Settings\Dot2\Local Settings\Temporary Internet Files\Content.IE5\8JUZ4N1R\load[1] 317 bytes
File C:\Documents and Settings\Dot2\Local Settings\Temporary Internet Files\Content.IE5\NLADZZMK\detect[1].act 0 bytes
File C:\Documents and Settings\Dot2\Local Settings\Temporary Internet Files\Content.IE5\NLADZZMK\iframe3[2].htm 0 bytes
File C:\Documents and Settings\Dot2\Local Settings\Temporary Internet Files\Content.IE5\NLADZZMK\selena-gomez-wango-tango-rockin-506481[1].txt 0 bytes
File C:\Documents and Settings\Dot2\Local Settings\Temporary Internet Files\Content.IE5\NLADZZMK\if[2].txt 224 bytes
File C:\Documents and Settings\Dot2\Local Settings\Temporary Internet Files\Content.IE5\NLADZZMK\banagrams_thumb[1].jpg 0 bytes
File C:\Documents and Settings\Dot2\Local Settings\Temporary Internet Files\Content.IE5\Q0DUFY9B\dark-knight-rises-movie-trailer[1].txt 55135 bytes
File C:\Documents and Settings\Dot2\Local Settings\Temporary Internet Files\Content.IE5\Q0DUFY9B\p-01-0VIaSjnOLg[1].gif 35 bytes
File C:\Documents and Settings\Dot2\Local Settings\Temporary Internet Files\Content.IE5\Q0DUFY9B\ddc[1].htm 11861 bytes
File C:\Documents and Settings\Dot2\Local Settings\Temporary Internet Files\Content.IE5\Q0DUFY9B\sandbox[4].php 9774 bytes
File C:\Documents and Settings\Dot2\Local Settings\Temporary Internet Files\Content.IE5\W1YV8PMT\crossdomain[3].xml 269 bytes
File C:\Documents and Settings\Dot2\Local Settings\Temporary Internet Files\Content.IE5\W1YV8PMT\click-audit[1].js 3410 bytes
File C:\Documents and Settings\Dot2\Local Settings\Temporary Internet Files\Content.IE5\W1YV8PMT\search[2].htm 0 bytes
File C:\WINDOWS\$NtUninstallKB28768$\2924141437 0 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494 0 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\bckfg.tmp 849 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\cfg.ini 206 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\keywords 35 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\L 0 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\L\akygdmgo 456320 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\U 0 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB28768$\3022439494\U\80000032.@ 97792 bytes

---- EOF - GMER 1.0.15 ----

#2 sireddy (Topic Starter, Members, 7 posts)

Posted 21 December 2011 - 10:17 AM

I am also now getting a pickup by anti-virus of trojanhorse.oow.

#3 gringo_pr (Bleepin Gringo, Malware Response Team, 136,773 posts, Gender: Male, Location: Puerto Rico)

Posted 24 December 2011 - 11:16 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button and select Immediate Notification, then click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 sireddy (Topic Starter, Members, 7 posts)

Posted 25 December 2011 - 09:57 AM

Ran ComboFix per instructions. The only issue encountered was AVG 2012 finding nircmd.3xe during what appeared to be ComboFix generating a log, at which time ComboFix stopped. I ran ComboFix again and it generated the following log.

At this point I have seen no issues with the computer.

====

ComboFix 11-12-24.10 - Dot2 12/25/2011 9:40.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1919.1534 [GMT -5:00]
Running from: c:\documents and settings\Dot2\Desktop\Malware Pack\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\ceexxb5c1dhw3mbd0art2r660v3r
c:\program files\TotalRecipeSearch_14\bar\1.bin\14auxstb.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14brmon.exe
c:\program files\TotalRecipeSearch_14\bar\1.bin\14brstub.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14datact.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14dlghk.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14dyn.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14feedmg.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14highin.exe
c:\program files\TotalRecipeSearch_14\bar\1.bin\14html.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14htmlmu.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14httpct.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14idle.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14ieovr.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14impipe.exe
c:\program files\TotalRecipeSearch_14\bar\1.bin\14medint.exe
c:\program files\TotalRecipeSearch_14\bar\1.bin\14mlbtn.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14msg.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14Plugin.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14radio.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14regfft.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14regiet.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14script.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14skin.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14skplay.exe
c:\program files\TotalRecipeSearch_14\bar\1.bin\14tpinst.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14uabtn.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\CHROME.MANIFEST
c:\program files\TotalRecipeSearch_14\bar\1.bin\chrome\14ffxtbr.jar
c:\program files\TotalRecipeSearch_14\bar\1.bin\INSTALL.RDF
c:\program files\TotalRecipeSearch_14\bar\1.bin\LOGO.BMP
c:\program files\TotalRecipeSearch_14\bar\1.bin\NP14Stub.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\T8FFTBPR.DLL
c:\program files\TotalRecipeSearch_14\bar\1.bin\T8PATCH.DLL
c:\program files\TotalRecipeSearch_14\bar\1.bin\T8RES.DLL
c:\program files\TotalRecipeSearch_14\bar\1.bin\T8UNPAT.DLL
c:\program files\TotalRecipeSearch_14\bar\Cache\000A05AC
c:\program files\TotalRecipeSearch_14\bar\Cache\000A105A.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\000A154C.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\000A183A.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\000A1934.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\000A1B67.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\000A1DC8.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\000A1F20.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\000A2029.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\000A2123.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\000A21C0.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\000A227B.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\000A2411.jhtml
c:\program files\TotalRecipeSearch_14\bar\Cache\008F839F.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\0131C846
c:\program files\TotalRecipeSearch_14\bar\Cache\015858D5.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\0173D12E
c:\program files\TotalRecipeSearch_14\bar\Cache\0173F83E.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\018F6F5F
c:\program files\TotalRecipeSearch_14\bar\Cache\01AAFA17
c:\program files\TotalRecipeSearch_14\bar\Cache\01AB0DCE.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\files.ini
c:\program files\TotalRecipeSearch_14\bar\Cache\Thumbs.db
c:\program files\TotalRecipeSearch_14\bar\History\search3
c:\program files\TotalRecipeSearch_14\bar\IE9Mesg\COMMON.T8S
c:\program files\TotalRecipeSearch_14\bar\Message\COMMON.T8S
c:\program files\TotalRecipeSearch_14\bar\Settings\prevcfg2.htm
c:\program files\TotalRecipeSearch_14\bar\Settings\s_pid.dat
c:\program files\TotalRecipeSearch_14\bar\Settings\s_w1.dat
c:\program files\TotalRecipeSearch_14\bar\Settings\s_w1.dat.bak
c:\program files\TotalRecipeSearch_14\bar\Settings\s_w2.dat
c:\program files\TotalRecipeSearch_14\bar\Settings\s_w2.dat.bak
c:\program files\TotalRecipeSearch_14\bar\Settings\setting3.htm
c:\program files\TotalRecipeSearch_14\bar\Settings\setting3.htm.bak
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\PopupProperties100023737.html
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\PopupProperties100023739.html
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\PopupProperties100024344.html
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\PopupProperties100025727.html
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\PopupProperties100025731.html
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\PopupProperties100065004.html
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\PopupProperties200821740.html
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\Radio.html
c:\windows\$NtUninstallKB28768$\2924141437
c:\windows\$NtUninstallKB28768$\3022439494\@
c:\windows\$NtUninstallKB28768$\3022439494\bckfg.tmp
c:\windows\$NtUninstallKB28768$\3022439494\cfg.ini
c:\windows\$NtUninstallKB28768$\3022439494\Desktop.ini
c:\windows\$NtUninstallKB28768$\3022439494\keywords
c:\windows\$NtUninstallKB28768$\3022439494\kwrd.dll
c:\windows\$NtUninstallKB28768$\3022439494\L\akygdmgo
c:\windows\$NtUninstallKB28768$\3022439494\lsflt7.ver
c:\windows\$NtUninstallKB28768$\3022439494\U\00000001.@
c:\windows\$NtUninstallKB28768$\3022439494\U\00000002.@
c:\windows\$NtUninstallKB28768$\3022439494\U\00000004.@
c:\windows\$NtUninstallKB28768$\3022439494\U\80000000.@
c:\windows\$NtUninstallKB28768$\3022439494\U\80000004.@
c:\windows\$NtUninstallKB28768$\3022439494\U\80000032.@
c:\windows\alcrmv.exe
I:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_TOTALRECIPESEARCH_14SERVICE
-------\Service_TotalRecipeSearch_14Service
.
.
((((((((((((((((((((((((( Files Created from 2011-11-25 to 2011-12-25 )))))))))))))))))))))))))))))))
.
.
2011-12-20 19:08 . 2011-12-20 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-20 18:34 . 2011-12-20 18:35 -------- d-----w- c:\windows\system32\NtmsData
2011-12-20 18:28 . 2008-04-14 01:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-12-20 18:28 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-12-20 18:26 . 2004-08-04 03:29 33599 -c--a-w- c:\windows\system32\dllcache\watv04nt.sys
2011-12-20 18:25 . 2001-08-17 17:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2011-12-20 18:24 . 2001-08-17 19:56 147200 -c--a-w- c:\windows\system32\dllcache\smidispb.dll
2011-12-20 18:23 . 2001-08-17 17:19 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys
2011-12-20 18:22 . 2004-08-04 03:31 29502 -c--a-w- c:\windows\system32\dllcache\pca200e.sys
2011-12-20 18:21 . 2008-04-13 19:46 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2011-12-20 18:20 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-12-20 18:19 . 2008-04-13 19:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-12-20 18:18 . 2001-08-18 03:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2011-12-20 18:17 . 2008-04-13 19:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2011-12-20 18:16 . 2001-08-18 03:36 53248 -c--a-w- c:\windows\system32\dllcache\eqndiag.exe
2011-12-20 18:15 . 2001-08-18 03:36 65622 -c--a-w- c:\windows\system32\dllcache\digiasyn.dll
2011-12-20 18:14 . 2008-04-13 19:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2011-12-20 18:13 . 2001-08-18 03:36 81408 -c--a-w- c:\windows\system32\dllcache\brmfcwia.dll
2011-12-20 18:12 . 2001-08-17 17:11 16969 -c--a-w- c:\windows\system32\dllcache\amb8002.sys
2011-12-20 18:12 . 2001-08-17 18:51 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys
2011-12-20 18:12 . 2001-08-17 18:49 26624 -c--a-w- c:\windows\system32\dllcache\alifir.sys
2011-12-20 18:12 . 2001-08-17 17:11 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys
2011-12-20 18:12 . 2001-08-17 19:07 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2011-12-20 18:12 . 2001-08-17 19:07 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2011-12-20 18:12 . 2001-08-17 18:52 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys
2011-12-20 18:07 . 2001-08-17 19:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2011-12-20 18:05 . 2001-08-17 19:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-12-20 15:29 . 2011-12-21 16:33 -------- d-----w- c:\documents and settings\Dot2
2011-12-20 15:02 . 2011-12-20 15:03 -------- d-----w- c:\documents and settings\Administrator
2011-12-19 18:33 . 2011-12-19 18:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-18 16:03 . 2011-05-31 16:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 10:54 . 2011-06-05 22:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27 . 2011-06-05 22:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-10 14:22 . 2011-05-30 17:45 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 10:23 . 2011-10-07 10:23 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 10:21 . 2011-02-10 11:53 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06 . 2001-08-18 14:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2001-08-18 14:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2001-08-18 14:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-09-05 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\Dot2\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Planner Reminder 2010.lnk - c:\windows\Installer\{601BE80D-247B-4084-94C7-7A54369DB7A2}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe [2011-6-17 341328]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 7:13 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 3:03 PM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 5:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/4/2011 11:59 PM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 8:28 PM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 6:53 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 6:53 AM 16720]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/5/2011 12:48 PM 136176]
S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [8/18/2001 9:00 AM 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/5/2011 12:48 PM 136176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsbSevice REG_MULTI_SZ NecUsb
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-05 17:48]
.
2011-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-05 17:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-25 09:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.avgldx86]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\CLBCATQ.DLL
.
- - - - - - - > 'explorer.exe'(2420)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-25 09:45:22
ComboFix-quarantined-files.txt 2011-12-25 14:45
.
Pre-Run: 111,448,322,048 bytes free
Post-Run: 111,435,956,224 bytes free
.
- - End Of File - - BF8ECA9CF7D50741B8CDA2DF78686932

#5 gringo_pr (Bleepin Gringo, Malware Response Team, 136,773 posts, Gender: Male, Location: Puerto Rico)

Posted 25 December 2011 - 02:33 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#6 sireddy (Topic Starter, Members, 7 posts)

Posted 25 December 2011 - 08:16 PM

First, sometime today after the initial ComboFix run I had an AVG 2012 warning of Trojan Horse Hider.OOW. No other apparent issues after the initial run.

Prior to the ComboFix run with CFScript.txt I disabled AVG 2012 and the firewall. Hope that was the correct thing to do. ComboFix reported a newer version available and I let ComboFix update and restart on its own. Below is the log.

All seems to be fine with the computer at present. Will be watching to see if AVG picks up anything else.

Thank you so much for your help. Let me know what the next step is.

====

ComboFix 11-12-25.01 - Dot2 12/25/2011 19:53:47.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1919.1400 [GMT -5:00]
Running from: c:\documents and settings\Dot2\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dot2\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-26 to 2011-12-26 )))))))))))))))))))))))))))))))
.
.
2011-12-25 19:19 . 2011-12-25 19:19 -------- d-----w- c:\windows\LastGood
2011-12-20 19:08 . 2011-12-20 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-20 18:34 . 2011-12-20 18:35 -------- d-----w- c:\windows\system32\NtmsData
2011-12-20 18:28 . 2008-04-14 01:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-12-20 18:28 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-12-20 18:26 . 2004-08-04 03:29 33599 -c--a-w- c:\windows\system32\dllcache\watv04nt.sys
2011-12-20 18:25 . 2001-08-17 17:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2011-12-20 18:24 . 2001-08-17 19:56 147200 -c--a-w- c:\windows\system32\dllcache\smidispb.dll
2011-12-20 18:23 . 2001-08-17 17:19 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys
2011-12-20 18:22 . 2004-08-04 03:31 29502 -c--a-w- c:\windows\system32\dllcache\pca200e.sys
2011-12-20 18:21 . 2008-04-13 19:46 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2011-12-20 18:20 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-12-20 18:19 . 2008-04-13 19:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-12-20 18:18 . 2001-08-18 03:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2011-12-20 18:17 . 2008-04-13 19:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2011-12-20 18:16 . 2001-08-18 03:36 53248 -c--a-w- c:\windows\system32\dllcache\eqndiag.exe
2011-12-20 18:15 . 2001-08-18 03:36 65622 -c--a-w- c:\windows\system32\dllcache\digiasyn.dll
2011-12-20 18:14 . 2008-04-13 19:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2011-12-20 18:13 . 2001-08-18 03:36 81408 -c--a-w- c:\windows\system32\dllcache\brmfcwia.dll
2011-12-20 18:12 . 2001-08-17 17:11 16969 -c--a-w- c:\windows\system32\dllcache\amb8002.sys
2011-12-20 18:12 . 2001-08-17 18:51 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys
2011-12-20 18:12 . 2001-08-17 18:49 26624 -c--a-w- c:\windows\system32\dllcache\alifir.sys
2011-12-20 18:12 . 2001-08-17 17:11 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys
2011-12-20 18:12 . 2001-08-17 19:07 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2011-12-20 18:12 . 2001-08-17 19:07 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2011-12-20 18:12 . 2001-08-17 18:52 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys
2011-12-20 18:07 . 2001-08-17 19:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2011-12-20 18:05 . 2001-08-17 19:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-12-20 15:29 . 2011-12-21 16:33 -------- d-----w- c:\documents and settings\Dot2
2011-12-20 15:02 . 2011-12-20 15:03 -------- d-----w- c:\documents and settings\Administrator
2011-12-19 18:33 . 2011-12-19 18:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-18 16:03 . 2011-05-31 16:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 10:54 . 2011-06-05 22:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27 . 2011-06-05 22:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-10 14:22 . 2011-05-30 17:45 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 10:23 . 2011-10-07 10:23 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 10:21 . 2011-02-10 11:53 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06 . 2001-08-18 14:00 599040 ----a-w- c:\windows\system32\crypt32.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-25_14.28.43 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-09-05 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\Dot2\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Planner Reminder 2010.lnk - c:\windows\Installer\{601BE80D-247B-4084-94C7-7A54369DB7A2}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe [2011-6-17 341328]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 7:13 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 3:03 PM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 5:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/4/2011 11:59 PM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 8:28 PM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 6:53 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 6:53 AM 16720]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/5/2011 12:48 PM 136176]
S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [8/18/2001 9:00 AM 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/5/2011 12:48 PM 136176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsbSevice REG_MULTI_SZ NecUsb
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-05 17:48]
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-05 17:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-25 19:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.avgldx86]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\CLBCATQ.DLL
.
- - - - - - - > 'explorer.exe'(2732)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-25 19:59:27
ComboFix-quarantined-files.txt 2011-12-26 00:59
ComboFix2.txt 2011-12-25 14:45
.
Pre-Run: 111,273,832,448 bytes free
Post-Run: 111,291,514,880 bytes free
.
- - End Of File - - 895465BE426FCF211C56042D3C788485

#7 gringo_pr (Malware Response Team)

Posted 25 December 2011 - 08:37 PM

Hello


If AVG warns again, make sure to find out the location.




TFC (Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


If you have problems running HijackThis:

Sometimes we have to run it as an administrator. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#8 sireddy (Topic Starter)

Posted 28 December 2011 - 02:42 PM

The Trojan Horse Hider.OOW is always trying to gain access to c:\system volume information\_restore or so it appears. I always send it to the vault. This happens once or twice a day. Other than that everything seems fine.

Let me know where from here!

mbam-log
Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.28.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dot2 :: NONE-9TUT11ZU6Y [administrator]

Protection: Disabled

12/28/2011 2:05:21 PM
mbam-log-2011-12-28 (14-05-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 171476
Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 30
HKCR\TotalRecipeSearch_14.DynamicBarButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.DynamicBarButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.FeedManager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.FeedManager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.HTMLMenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.HTMLMenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.HTMLPanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.HTMLPanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.MultipleButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.MultipleButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.PseudoTransparentPlugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.PseudoTransparentPlugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.Radio (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.Radio.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.RadioSettings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.RadioSettings.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.ScriptButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.ScriptButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.SettingsPlugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.SettingsPlugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.ThirdPartyInstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.ThirdPartyInstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.ToolbarPlugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.ToolbarPlugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.UrlAlertButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.UrlAlertButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.XMLSessionPlugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.XMLSessionPlugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TotalRecipeSearch_14bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\MozillaPlugins\@TotalRecipeSearch_14.com/Plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SOFTWARE\Mozilla\Firefox\Extensions|14ffxtbr@TotalRecipeSearch_14.com (Adware.MyWebSearch) -> Data: C:\Program Files\TotalRecipeSearch_14\bar\1.bin -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


hijackthis
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:33:41 PM, on 12/28/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2010 Deluxe\Planner\PLNRnote.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Event Planner Reminder 2010.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6557 bytes
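As an added example (not code from this thread, BleepingComputer, Trend Micro or either poster), here is a small Python script that triages the autostart entries in a HijackThis v2 log like the one above. It parses the "Oxx - ..." lines, pulls the image path out of each O2/O4/O9/O18/O22/O23 entry, and flags the three things worth a second look before deciding what to fix: an entry HijackThis could not resolve ("= ?", as with the Event Planner shortcut), a bare file name such as ALCXMNTR.EXE that Windows locates through the PATH search order rather than a fixed path, and an image living outside the Windows and Program Files trees. The sample lines are copied from the posted log; the single "updater.exe" line is a constructed fixture (not from the log) that exists only to exercise the third check.

```python
"""Triage the autostart entries in a HijackThis v2 log.

Added example for this thread; not code from BleepingComputer, Trend Micro
or either poster.  POSTED_LINES are copied from the log in post #8.
CONSTRUCTED_LINE is a made-up fixture (not from the log) that exercises
the "outside the standard install directories" check.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

POSTED_LINES = r"""Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Event Planner Reminder 2010.lnk = ?
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
"""
# CONSTRUCTED fixture, not from the posted log: a Run entry pointing into a Temp directory.
CONSTRUCTED_LINE = r"O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Dot2\Local Settings\Temp\updater.exe"
SAMPLE_LOG = POSTED_LINES + CONSTRUCTED_LINE + "\n"

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A quoted path, or an unquoted path read up to the first executable/library
# extension (which also drops trailing arguments such as "/install /silent").
PATH_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|cpl|scr|com|bat|cmd|sys))(?:\s|$)', re.I)
AUTOSTART_CODES = {"O2", "O4", "O9", "O18", "O22", "O23"}
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Entry:
    code: str
    body: str
    target: Optional[str]  # image path, quotes/arguments stripped; None when HJT shows "?"


def _extract_target(code: str, body: str) -> Optional[str]:
    if code == "O4":
        # "[name] image" for registry Run keys, "file.lnk = image" for Startup folders
        if "] " in body:
            raw = body.split("] ", 1)[1]
        elif " = " in body:
            raw = body.split(" = ", 1)[1]
        else:
            return None
    elif code in AUTOSTART_CODES:
        raw = body.rsplit(" - ", 1)[-1]  # BHO/O9/O18/O22/O23 lines put the image last
    else:
        return None
    raw = raw.strip()
    if raw == "?":
        return None
    m = PATH_RE.match(raw)
    return (m.group("q") or m.group("u")) if m else raw


def parse_hjt(log_text: str) -> List[Entry]:
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            code, body = m.group("code"), m.group("body")
            entries.append(Entry(code, body, _extract_target(code, body)))
    return entries


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (code, body, reason) for autostart entries that deserve a second look."""
    findings = []
    for e in parse_hjt(log_text):
        if e.code not in AUTOSTART_CODES:
            continue
        if e.target is None:
            reason = "unresolved target ('?'): inspect the shortcut by hand"
        elif "\\" not in e.target:
            reason = "bare file name: Windows resolves it through the PATH search order"
        elif not e.target.lower().startswith(STANDARD_DIRS):
            reason = "image outside the Windows/Program Files directories"
        else:
            continue
        findings.append((e.code, e.body, reason))
    return findings


if __name__ == "__main__":
    for code, body, reason in triage(SAMPLE_LOG):
        print(f"{code}: {body}\n    -> {reason}")
```

A flag means "confirm", not "malicious": the ALCXMNTR.EXE entry is flagged only because it is a bare name, and the running-process list in the same post shows it was loaded from C:\WINDOWS, so the check here is that no other file of that name sits earlier in the search path. The unresolved .lnk is the kind of entry that needs the shortcut's target read directly.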

#9 gringo_pr (Malware Response Team)

Posted 29 December 2011 - 12:48 AM

That is in System Restore and we will remove that soon.



These logs are looking very good, we are almost done!!! Just one more scan to go.

Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can click on their icons (or start them from the Control Panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...).

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
      O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
      O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
      O4 - Global Startup: Event Planner Reminder 2010.lnk = ?
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines here and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space, for example IntelliPoint from
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it as an administrator. To run HijackThis as an administrator, right-click HijackThis.exe
(located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe on 32-bit Windows,
or C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe on 64-bit Windows)
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on Copy to clipboard and paste the results here in this topic.
  • You may also find the log here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

Gringo

#10 gringo_pr (Malware Response Team)

Posted 02 January 2012 - 11:57 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#11 sireddy (Topic Starter)

Posted 02 January 2012 - 12:19 PM

Sorry things have been hectic last couple of days. Plan on the next step sometime today and will reply with results. Sorry for my delay.

#12 gringo_pr (Malware Response Team)

Posted 02 January 2012 - 12:39 PM

:thumbup2:

#13 gringo_pr (Malware Response Team)

Posted 04 January 2012 - 11:26 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#14 gringo_pr (Malware Response Team)

Posted 08 January 2012 - 01:52 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



