
Successfully blocked access...


  • This topic is locked
18 replies to this topic

#1 Tristar500

Tristar500

  • Members
  • 24 posts
  • OFFLINE
  • Local time:12:35 AM

Posted 09 January 2012 - 04:34 PM

I have Malwarebytes and continually get popups that say "Successfully blocked access to a potentially malicious website" and then give a code of outgoing.

Ran Malwarebytes and it finds nothing; AVG, no luck either.


#2 Tristar500

Tristar500
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:12:35 AM

Posted 10 January 2012 - 07:35 PM

I have Malwarebytes and continually get popups that say "Successfully blocked access to a potentially malicious website" and then give a code of outgoing IP addresses. Most seem to be going to Germany and Romania.

Ran Malwarebytes and it finds nothing; AVG, no luck either. Upgraded to Malwarebytes Pro (the paid version) and it finds nothing.

Running XP Service Pack 3

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:35 AM

Posted 12 January 2012 - 03:08 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger may ask you to reboot the machine; if it does, click OK.

Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:
    Link1
    Link2
    Link3
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Copy the contents of both logs & post in your next reply.

Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate of Malware Removal University

#4 Tristar500

Tristar500
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:12:35 AM

Posted 12 January 2012 - 10:55 AM

Thank You!

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 7/18/2009 11:11:47 AM
System Uptime: 1/12/2012 10:44:31 AM (0 hours ago)
.
Motherboard: FOXCONN | | Napa
Processor: Intel® Pentium® Dual CPU E2220 @ 2.40GHz | Socket 775 | 2399/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 347.45 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F82&SUBSYS_000014F1&REV_00\4&AA3E8EE&0&0068
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F82&SUBSYS_000014F1&REV_00\4&AA3E8EE&0&0068
Service:
.
==== System Restore Points ===================
.
RP871: 10/14/2011 3:02:39 AM - System Checkpoint
RP872: 10/15/2011 3:14:39 AM - System Checkpoint
RP873: 10/16/2011 4:02:39 AM - System Checkpoint
RP874: 10/17/2011 4:14:39 AM - System Checkpoint
RP875: 10/18/2011 5:02:39 AM - System Checkpoint
RP876: 10/19/2011 5:14:39 AM - System Checkpoint
RP877: 10/20/2011 5:16:14 AM - System Checkpoint
RP878: 10/21/2011 6:02:49 AM - System Checkpoint
RP879: 10/22/2011 7:14:49 AM - System Checkpoint
RP880: 10/23/2011 8:14:49 AM - System Checkpoint
RP881: 10/24/2011 9:02:49 AM - System Checkpoint
RP882: 10/25/2011 9:14:49 AM - System Checkpoint
RP883: 10/26/2011 10:14:49 AM - System Checkpoint
RP884: 10/27/2011 12:00:57 PM - System Checkpoint
RP885: 10/28/2011 12:14:51 PM - System Checkpoint
RP886: 10/29/2011 12:57:30 PM - System Checkpoint
RP887: 10/30/2011 1:45:53 PM - System Checkpoint
RP888: 10/31/2011 1:57:30 PM - System Checkpoint
RP889: 11/6/2011 2:36:45 PM - System Checkpoint
RP890: 11/7/2011 3:23:42 PM - System Checkpoint
RP891: 11/8/2011 3:35:42 PM - System Checkpoint
RP892: 11/9/2011 3:00:13 AM - Software Distribution Service 3.0
RP893: 11/10/2011 3:35:43 AM - System Checkpoint
RP894: 11/11/2011 3:00:13 AM - Software Distribution Service 3.0
RP895: 11/12/2011 3:21:10 AM - System Checkpoint
RP896: 11/13/2011 3:51:16 AM - System Checkpoint
RP897: 11/14/2011 3:53:47 AM - System Checkpoint
RP898: 11/15/2011 4:51:17 AM - System Checkpoint
RP899: 11/16/2011 4:52:47 AM - System Checkpoint
RP900: 11/17/2011 5:21:16 AM - System Checkpoint
RP901: 11/18/2011 6:22:16 AM - System Checkpoint
RP902: 11/19/2011 6:33:46 AM - System Checkpoint
RP903: 11/20/2011 6:34:46 AM - System Checkpoint
RP904: 11/21/2011 7:35:16 AM - System Checkpoint
RP905: 11/22/2011 8:48:46 AM - System Checkpoint
RP906: 11/23/2011 9:21:16 AM - System Checkpoint
RP907: 11/23/2011 4:05:52 PM - Installed Bidnapper Homelink
RP908: 11/24/2011 8:09:35 PM - System Checkpoint
RP909: 11/26/2011 10:41:36 AM - System Checkpoint
RP910: 11/27/2011 11:06:12 AM - System Checkpoint
RP911: 11/28/2011 3:01:23 PM - System Checkpoint
RP912: 11/29/2011 3:30:01 PM - System Checkpoint
RP913: 11/30/2011 3:42:55 PM - System Checkpoint
RP914: 12/1/2011 4:08:16 PM - System Checkpoint
RP915: 12/2/2011 4:43:56 PM - System Checkpoint
RP916: 12/3/2011 8:30:23 PM - System Checkpoint
RP917: 12/5/2011 11:22:58 AM - System Checkpoint
RP918: 12/6/2011 3:45:18 PM - System Checkpoint
RP919: 12/7/2011 11:48:05 PM - System Checkpoint
RP920: 12/8/2011 1:01:34 PM - Installed ACDSee for PENTAX
RP921: 12/9/2011 1:47:45 PM - System Checkpoint
RP922: 12/10/2011 2:50:37 PM - System Checkpoint
RP923: 12/11/2011 5:01:34 PM - System Checkpoint
RP924: 12/12/2011 8:42:07 PM - System Checkpoint
RP925: 12/14/2011 12:06:51 AM - System Checkpoint
RP926: 12/15/2011 12:54:00 AM - System Checkpoint
RP927: 12/15/2011 3:00:13 AM - Software Distribution Service 3.0
RP928: 12/16/2011 11:49:15 AM - System Checkpoint
RP929: 12/17/2011 2:46:26 PM - System Checkpoint
RP930: 12/18/2011 3:40:21 PM - System Checkpoint
RP931: 12/19/2011 8:44:58 PM - System Checkpoint
RP932: 12/20/2011 8:50:45 PM - System Checkpoint
RP933: 12/22/2011 12:00:13 AM - System Checkpoint
RP934: 12/23/2011 6:22:17 AM - System Checkpoint
RP935: 12/24/2011 11:18:57 AM - System Checkpoint
RP936: 12/25/2011 5:26:04 PM - System Checkpoint
RP937: 12/26/2011 6:27:57 PM - System Checkpoint
RP938: 12/27/2011 1:36:04 PM - Installed Garmin MapSource
RP939: 12/27/2011 1:39:35 PM - Installed Garmin MapSource
RP940: 1/1/2012 9:50:14 PM - System Checkpoint
RP941: 1/2/2012 10:19:55 PM - System Checkpoint
RP942: 1/4/2012 12:37:03 AM - System Checkpoint
RP943: 1/4/2012 11:11:07 AM - Installed Microsoft Office 2000 Professional
RP944: 1/4/2012 11:33:41 AM - Printer Driver Amyuni Document Converter 400 Installed
RP945: 1/4/2012 12:22:57 PM - Removed HiJackThis
RP946: 1/4/2012 12:23:42 PM - Removed Quicken 2011.
RP947: 1/5/2012 12:56:36 PM - System Checkpoint
RP948: 1/6/2012 1:42:36 PM - System Checkpoint
RP949: 1/8/2012 12:55:37 PM - System Checkpoint
RP950: 1/9/2012 3:33:46 PM - System Checkpoint
RP951: 1/10/2012 3:41:06 PM - System Checkpoint
RP952: 1/10/2012 7:50:53 PM - Software Distribution Service 3.0
RP953: 1/11/2012 11:38:32 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
µTorrent
A9CAD
ACDSee for PENTAX
Acrobat.com
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop 5.5
Adobe Photoshop CS3
Adobe Photoshop v4.0
Adobe Reader X (10.1.2)
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Advertising Center
AnswerWorks 5.0 English Runtime
Auction Sentry
AVG 2012
AVG PC Tuneup 2011
Bidnapper Homelink
BobCAD-CAM V21
BobCAD-CAM V23
Brother HL-3040CN
Canon CanoScan Toolbox 4.5
Canon EOS D60 WIA Driver
CorelDRAW Graphics Suite 12
Emergency Undelete
ESET Online Scanner v3
Eudora
ffdshow [rev 2527] [2008-12-19]
FLAC 1.2.1b (remove only)
Garmin Communicator Plugin
Garmin MapSource
Garmin USB Drivers
Garmin WebUpdater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2633952)
HP Update
Image Resizer Powertoy for Windows XP
Java Auto Updater
Java™ 6 Update 27
Mach3
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office 2000 Professional
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 8.0 Support DLLs
Microsoft Works Setup Launcher
MozBackup 1.4.9
Mozilla Firefox 9.0.1 (x86 en-US)
Mozilla Thunderbird (3.1.15)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 9 Essentials
Nero ControlCenter
Nero Installer
Nero Online Upgrade
Nero StartSmart
Nero StartSmart OEM
neroxml
Notepad++
NVIDIA Drivers
Octoshape add-in for Adobe Flash Player
PDF Settings
QuickTime
Realtek High Definition Audio Driver
Rhinoceros 4.0 Evaluation
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
SolidWorks 2006 SP0
Spybot - Search & Destroy
SUPERAntiSpyware
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
WebFldrs XP
Winamp
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Wisdom-soft Set up ScreenHunter 5.1 Free
WModem Driver Installer
Yahoo! SiteBuilder
.
==== Event Viewer Messages From Past Week ========
.
1/9/2012 3:53:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
1/9/2012 3:53:01 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
1/9/2012 3:53:01 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/9/2012 3:53:01 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/9/2012 3:53:01 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
1/9/2012 3:53:01 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/9/2012 3:51:49 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/9/2012 3:51:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/9/2012 2:07:34 PM, error: System Error [1003] - Error code 10000050, parameter1 9d247000, parameter2 00000001, parameter3 8053a6d8, parameter4 00000000.
1/8/2012 11:19:10 AM, error: Rasman [20035] - Remote Access Connection Manager failed to start because it could not create buffers. Restart the computer. Access is denied.
1/8/2012 11:18:10 AM, error: Service Control Manager [7023] - The Remote Access Connection Manager service terminated with the following error: Access is denied.
1/11/2012 9:36:53 AM, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
1/10/2012 12:25:43 PM, error: Service Control Manager [7022] - The WebClient service hung on starting.
.
==== End Of File ===========================


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27
Run by ir at 10:49:59 on 2012-01-12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3197.2501 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Bidnapper\Bidnapper Homelink\BidnapperHomelink.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Bidnapper Homelink] c:\program files\bidnapper\bidnapper homelink\BidnapperHomelink.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [VMM Mode Selection] c:\program files\htc\modeselection\VMMModeSelection.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Camera Detector] c:\progra~1\acdsys~1\devdet~1\DEVDET~1.EXE -autorun
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{10549DF2-A8CF-4DE4-9E9B-62B7CF9A83FF} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ir\application data\mozilla\firefox\profiles\bh28dqd3.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20111123&q=
FF - plugin: c:\documents and settings\ir\application data\mozilla\firefox\profiles\bh28dqd3.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-7-11 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-9 652872]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]
R3 Mach3;Mach3 Pulseing Service;c:\windows\system32\drivers\Mach3.sys [2007-5-9 107648]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-9 20464]
S0 hhunk;hhunk;c:\windows\system32\drivers\ttjxcbo.sys --> c:\windows\system32\drivers\ttjxcbo.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-7-18 1025352]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\genericmount.sys --> c:\windows\system32\drivers\GenericMount.sys [?]
.
=============== Created Last 30 ================
.
2012-01-10 15:40:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-09 18:59:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-09 18:59:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-04 16:33:48 -------- d-----w- c:\program files\common files\AnswerWorks 5.0
2012-01-04 16:33:11 -------- d-----w- c:\documents and settings\ir\application data\Intuit
2012-01-04 16:32:13 -------- d-----w- c:\documents and settings\all users\application data\Intuit
2012-01-04 16:11:41 -------- d-----w- c:\windows\ShellNew
2012-01-03 13:10:44 182672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2012-01-03 05:02:48 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-03 05:02:48 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-03 05:02:48 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-03 05:02:48 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2011-12-27 18:40:40 -------- d-----w- c:\documents and settings\all users\application data\GARMIN
2011-12-27 18:39:35 -------- d-----w- C:\MapSource
2011-12-27 17:12:43 -------- d-----w- C:\Garmin
.
==================== Find3M ====================
.
2011-12-14 02:24:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDP725050GLA360 rev.GM4OA57A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ADAF49F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8adb6738]; MOV EAX, [0x8adb68ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AE2EAB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006c[0x8ADA6F18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AE31940]
\Driver\atapi[0x8AE2C298] -> IRP_MJ_CREATE -> 0x8ADAF49F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8ADAF2C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 10:53:08.14 ===============
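The DDS and GMER output in the post above already contains the two entries a responder would look at first: the `S0 hhunk` service whose image `ttjxcbo.sys` DDS could not find on disk (`[?]`), and the `\Driver\atapi` hooks that GMER could only resolve to a bare address inside code it lists as `>>UNKNOWN [...]<<`, i.e. code belonging to no loaded module. The following Python is an added triage example for this kind of log; it is not code from DDS, GMER or this thread. The sample lines are copied from the log above (with the AVG, SUPERAntiSpyware and Mach3 drivers kept as benign entries for contrast), and the scoring signals and the "same 4 KiB page as UNKNOWN code" check are heuristics chosen here for illustration, not a detection signature for TDL3/TDL4.

```python
"""Triage of the DDS "SERVICES / DRIVERS" section and the GMER rootkit
section appended to DDS.txt.  Added example: not code from DDS, GMER or
this thread.  The signals below are heuristics chosen for illustration,
not a detection signature for TDL3/TDL4."""
import re

# Lines copied from the DDS log in the post above; AVGIDSEH, SASDIFSV and
# Mach3 are kept as benign entries for contrast.
DDS_SAMPLE = r"""
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R3 Mach3;Mach3 Pulseing Service;c:\windows\system32\drivers\Mach3.sys [2007-5-9 107648]
S0 hhunk;hhunk;c:\windows\system32\drivers\ttjxcbo.sys --> c:\windows\system32\drivers\ttjxcbo.sys [?]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\genericmount.sys --> c:\windows\system32\drivers\GenericMount.sys [?]
"""

# Lines copied from the GMER section of the same log.
GMER_SAMPLE = r"""
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ADAF49F]<<
\Driver\atapi[0x8AE2C298] -> IRP_MJ_CREATE -> 0x8ADAF49F
detected hooks:
\Driver\atapi DriverStartIo -> 0x8ADAF2C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# DDS line layout: <R|S><start type> <service>;<display name>;<image path> [date size] or [?]
DDS_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?\.(?:sys|exe|dll))\b",
    re.IGNORECASE,
)
# GMER hook layout: \Driver\<name>[addr] -> <routine> -> <target>  or  \Driver\<name> <routine> -> <target>
HOOK_LINE = re.compile(
    r"^(\\Driver\\\w+)(?:\[0x[0-9A-Fa-f]+\])?\s*(?:->\s*)?(\w+)\s*->\s*(0x[0-9A-Fa-f]+)"
)
VOWELS = set("aeiou")


def looks_random(word):
    """Heuristic: almost no vowels, or four consonants in a row, reads like a
    generated name (hhunk, ttjxcbo) rather than a vendor name (GenericMount)."""
    letters = "".join(c for c in word.lower() if c.isalpha())
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]", letters))
    return vowel_ratio < 0.25 or longest_consonant_run >= 4


def driver_signals(m, line):
    """Observable oddities for one DDS service/driver line."""
    signals = []
    stem = m.group("path").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "[?]" in line:                       # DDS could not find the image file
        signals.append("image file not found ([?])")
    if m.group("name").lower() != stem.lower():
        signals.append("service name differs from image file name")
    if looks_random(m.group("name")) or looks_random(stem):
        signals.append("random-looking name")
    if m.group("start") == "0" and m.group("state") == "S":
        signals.append("boot-start driver not reported running")
    return signals


def triage_dds(text):
    """Return [(service, image_path, [signals])], most suspicious first."""
    findings = []
    for raw in text.splitlines():
        m = DDS_LINE.match(raw.strip())
        if m:
            findings.append((m.group("name"), m.group("path"), driver_signals(m, raw)))
    return sorted(findings, key=lambda f: len(f[2]), reverse=True)


def triage_gmer(text):
    """Return (hooks, warnings).  Each hook is (driver object, routine, target,
    in_unknown_page): the last field is True when the hook target lies in the
    same 4 KiB page as code GMER printed as >>UNKNOWN [...]<<, i.e. code it
    could not attribute to any loaded module (the page check is this
    example's heuristic, not GMER's own logic)."""
    unknown_pages = {int(a, 16) >> 12 for a in re.findall(r"UNKNOWN \[(0x[0-9A-Fa-f]+)\]", text)}
    hooks = []
    for raw in text.splitlines():
        m = HOOK_LINE.match(raw.strip())
        if m:
            driver, routine, target = m.groups()
            hooks.append((driver, routine, target, (int(target, 16) >> 12) in unknown_pages))
    warnings = [l.strip() for l in text.splitlines() if l.strip().startswith("Warning:")]
    return hooks, warnings


if __name__ == "__main__":
    for name, path, signals in triage_dds(DDS_SAMPLE):
        print(f"{len(signals)}  {name:<14} {path}  {'; '.join(signals)}")
    hooks, warnings = triage_gmer(GMER_SAMPLE)
    for driver, routine, target, unknown in hooks:
        print(f"hook {driver} {routine} -> {target}{'  (target in UNKNOWN code)' if unknown else ''}")
    print(*warnings, sep="\n")
```

Run against the lines above, `hhunk` collects all four signals while `GenericMount` collects only the missing-file one, which is why a `[?]` on its own is not a verdict: it has to be read together with the name mismatch, the generated-looking names and the start type. Both `atapi` hooks resolve into the same page as the code GMER could not attribute to any module, which is what the "possible TDL3 rootkit infection" warning is pointing at.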

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:35 AM

Posted 12 January 2012 - 02:12 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#6 Tristar500

Tristar500
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:12:35 AM

Posted 12 January 2012 - 02:48 PM

Thank You again..

After running ComboFix I restarted Malwarebytes and once again it's giving me the message that it successfully blocked access to a potentially dangerous website, then the IP.

ComboFix 12-01-12.04 - ir 01/12/2012 14:31:24.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3197.1892 [GMT -5:00]
Running from: c:\documents and settings\ir\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\ir\Application Data\Mozilla\Firefox\Profiles\bh28dqd3.default\searchplugins\bing-zugo.xml
c:\documents and settings\ir\Application Data\Remote
c:\documents and settings\ir\Application Data\Remote\ffcd
c:\documents and settings\ir\Application Data\Remote\mxd1.txt
c:\documents and settings\ir\Application Data\Remote\ppkk.dat
c:\documents and settings\ir\Application Data\Remote\rlrszi
c:\documents and settings\ir\Application Data\Remote\uuoo.dat
c:\documents and settings\ir\Application Data\Remote\xnhrr.dat
c:\documents and settings\ir\Application Data\Remote\yzzc14_shrd
c:\documents and settings\ir\WINDOWS
c:\documents and settings\LocalService\Application Data\Remote
c:\documents and settings\LocalService\Application Data\Remote\yzzc14_shrd
c:\documents and settings\NetworkService\Application Data\Remote
c:\documents and settings\NetworkService\Application Data\Remote\yzzc14_shrd
c:\windows\system32\c_16402.nl_
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\PowerToyReadme.htm
.
.
((((((((((((((((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))))))))))))))))))))))
.
.
2012-01-10 15:40 . 2012-01-10 15:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-09 20:51 . 2012-01-09 20:51 -------- d-----w- c:\documents and settings\Administrator
2012-01-09 18:59 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-09 18:59 . 2012-01-09 18:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-07 13:17 . 2012-01-07 13:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2012-01-07 13:17 . 2012-01-07 13:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-01-07 12:31 . 2012-01-07 12:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Thunderbird
2012-01-07 12:31 . 2012-01-07 12:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\Thunderbird
2012-01-04 16:33 . 2012-01-04 16:33 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2012-01-04 16:33 . 2012-01-04 16:33 -------- d-----w- c:\documents and settings\ir\Application Data\Intuit
2012-01-04 16:32 . 2012-01-04 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2012-01-04 16:11 . 2012-01-04 16:11 -------- d-----w- c:\windows\ShellNew
2012-01-04 16:11 . 2012-01-04 16:11 -------- d-----w- c:\documents and settings\ir\Application Data\Microsoft Web Folders
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2012-01-03 05:02 . 2012-01-03 05:02 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-03 05:02 . 2012-01-03 05:02 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-03 05:02 . 2012-01-03 05:02 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-03 05:02 . 2012-01-03 05:02 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2011-12-27 18:40 . 2011-12-27 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN
2011-12-27 18:39 . 2011-12-27 18:39 -------- d-----w- C:\MapSource
2011-12-27 17:12 . 2011-12-27 21:25 -------- d-----w- C:\Garmin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-14 02:24 . 2011-05-20 13:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25 . 2004-08-04 06:17 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-04 07:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 19:20 . 2004-08-04 07:56 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 07:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 07:56 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 07:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-04 06:18 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 07:56 186880 ----a-w- c:\windows\system32\encdec.dll
2012-01-03 05:02 . 2011-05-07 20:12 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Bidnapper Homelink"="c:\program files\Bidnapper\Bidnapper Homelink\BidnapperHomelink.exe" [2010-04-21 236544]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2003-09-09 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Auction Sentry\\AuctionSentry.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\ir\\My Documents\\Downloads\\sdsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SSUpdate.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 12:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [7/11/2011 12:13 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/11/2011 12:13 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 12:14 AM 295248]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/9/2012 1:59 PM 652872]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 12:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 12:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [7/11/2011 12:14 AM 16720]
R3 Mach3;Mach3 Pulseing Service;c:\windows\system32\drivers\Mach3.sys [5/9/2007 9:26 PM 107648]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/9/2012 1:59 PM 20464]
S0 hhunk;hhunk;c:\windows\system32\drivers\ttjxcbo.sys --> c:\windows\system32\drivers\ttjxcbo.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [7/18/2011 8:10 AM 1025352]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys --> c:\windows\system32\DRIVERS\GenericMount.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itnetsvc REG_MULTI_SZ itlperf
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\ir\Application Data\Mozilla\Firefox\Profiles\bh28dqd3.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20111123&q=
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\ir\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-12 14:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDP725050GLA360 rev.GM4OA57A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8ADAF2C6
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\WININET.dll
.
Completion time: 2012-01-12 14:44:11
ComboFix-quarantined-files.txt 2012-01-12 19:44
.
Pre-Run: 373,778,890,752 bytes free
Post-Run: 374,173,880,320 bytes free
.
- - End Of File - - 2DB1A0A48AA390EF5F2A13D946261200
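Reading the R0/S0 services block of a ComboFix log like the one above by eye is error-prone. What follows is an added example, not code from this thread or from ComboFix, that parses lines in that format and flags entries such as the S0 hhunk driver, whose image file ComboFix could not find and whose service name does not match the file name; the sample lines are constructed from the posted log and the scoring heuristics are assumptions of this example.

```python
"""Triage the services section of a ComboFix log.

ComboFix lists each service or driver on one line:
    <R|S><start> <name>;<display name>;<image path> [<date> <time> <size>]
and, when it cannot find the image file on disk, as
    <R|S><start> <name>;<display name>;<path> --> <path> [?]
R = running, S = stopped; start 0 = boot, 1 = system, 2 = auto, 3 = manual.
Added example, not ComboFix's own code; the scoring heuristics are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: four lines in the style of the services section posted above.
SAMPLE_SERVICES = """\
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\\windows\\system32\\drivers\\avgrkx86.sys [7/11/2011 12:13 AM 32592]
R2 MBAMService;MBAMService;c:\\program files\\Malwarebytes' Anti-Malware\\mbamservice.exe [1/9/2012 1:59 PM 652872]
S0 hhunk;hhunk;c:\\windows\\system32\\drivers\\ttjxcbo.sys --> c:\\windows\\system32\\drivers\\ttjxcbo.sys [?]
S3 GenericMount;Generic Mount Driver;c:\\windows\\system32\\DRIVERS\\GenericMount.sys --> c:\\windows\\system32\\DRIVERS\\GenericMount.sys [?]
"""

# state, start type, name, display name, path part, bracketed trailer
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)\s\[([^\]]*)\]$")


@dataclass
class Service:
    state: str                 # 'R' running or 'S' stopped
    start: int                 # start type; 0 means loaded at boot
    name: str
    display: str
    path: str
    file_missing: bool         # ComboFix printed "[?]" instead of date/size
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_service_line(line: str) -> Service:
    """Parse one ComboFix service line; raises ValueError on any other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a ComboFix service line: {line!r}")
    state, start, name, display, rest, trailer = m.groups()
    # "<path> --> <path>" is how ComboFix marks an image it could not stat.
    path = rest.split(" --> ", 1)[0].strip()
    return Service(state, int(start), name, display, path, trailer.strip() == "?")


def triage(line: str) -> Service:
    """Attach review reasons to a parsed service (heuristics, not verdicts)."""
    svc = parse_service_line(line)
    stem = svc.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if svc.file_missing:
        svc.reasons.append("image file not found on disk ([?])")
        if svc.start == 0:
            svc.reasons.append("boot-start driver with no backing file")
    if svc.name.lower() != stem:
        svc.reasons.append(f"service name {svc.name!r} differs from file stem {stem!r}")
    if svc.display == svc.name and not re.search(r"[A-Z0-9]", svc.name):
        svc.reasons.append("all-lowercase name reused as display name")
    return svc


def triage_section(text: str) -> List[Service]:
    """Return only services with at least one reason, highest score first."""
    services = [triage(l) for l in text.splitlines() if l.strip()]
    return sorted((s for s in services if s.reasons),
                  key=lambda s: s.score, reverse=True)


if __name__ == "__main__":
    for s in triage_section(SAMPLE_SERVICES):
        print(f"{s.state}{s.start} {s.name}: {s.path}")
        for reason in s.reasons:
            print("   -", reason)
```

A flagged entry is a candidate for review, not a verdict: the GenericMount line is flagged only for its missing file, while hhunk collects every signal.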

#7 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 12 January 2012 - 02:54 PM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#8 Tristar500
  • Topic Starter
  • Members
  • 24 posts

Posted 12 January 2012 - 03:47 PM

Malwarebytes is still giving me the same warning messages.



15:41:34.0687 3940 TDSS rootkit removing tool 2.7.0.0 Jan 10 2012 09:14:26
15:41:35.0031 3940 ============================================================
15:41:35.0031 3940 Current date / time: 2012/01/12 15:41:35.0031
15:41:35.0031 3940 SystemInfo:
15:41:35.0031 3940
15:41:35.0031 3940 OS Version: 5.1.2600 ServicePack: 3.0
15:41:35.0031 3940 Product type: Workstation
15:41:35.0031 3940 ComputerName: IR-BD61548BF697
15:41:35.0031 3940 UserName: ir
15:41:35.0031 3940 Windows directory: C:\WINDOWS
15:41:35.0031 3940 System windows directory: C:\WINDOWS
15:41:35.0031 3940 Processor architecture: Intel x86
15:41:35.0031 3940 Number of processors: 2
15:41:35.0031 3940 Page size: 0x1000
15:41:35.0031 3940 Boot type: Normal boot
15:41:35.0031 3940 ============================================================
15:41:37.0343 3940 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000, SectorSize: 0x200, Cylinders: 0xFC59, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K', Flags 0x00000054
15:41:37.0421 3940 Initialize success
15:41:41.0156 0540 ============================================================
15:41:41.0156 0540 Scan started
15:41:41.0156 0540 Mode: Manual;
15:41:41.0156 0540 ============================================================
15:41:48.0375 0540 usbehci - ok
15:41:48.0390 0540 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:41:48.0390 0540 usbhub - ok
15:41:48.0390 0540 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
15:41:48.0390 0540 usbohci - ok
15:41:48.0437 0540 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
15:41:48.0437 0540 usbprint - ok
15:41:48.0593 0540 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
15:41:48.0593 0540 usbscan - ok
15:41:48.0625 0540 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:41:48.0625 0540 usbstor - ok
15:41:48.0640 0540 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
15:41:48.0640 0540 VgaSave - ok
15:41:48.0640 0540 ViaIde - ok
15:41:48.0703 0540 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
15:41:48.0703 0540 VolSnap - ok
15:41:48.0718 0540 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:41:48.0734 0540 Wanarp - ok
15:41:48.0921 0540 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
15:41:48.0953 0540 Wdf01000 - ok
15:41:48.0968 0540 WDICA - ok
15:41:49.0015 0540 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
15:41:49.0015 0540 wdmaud - ok
15:41:49.0062 0540 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
15:41:49.0062 0540 WmiAcpi - ok
15:41:49.0109 0540 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
15:41:49.0109 0540 WpdUsb - ok
15:41:49.0187 0540 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
15:41:49.0187 0540 WS2IFSL - ok
15:41:49.0218 0540 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
15:41:49.0218 0540 WudfPf - ok
15:41:49.0281 0540 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
15:41:49.0281 0540 WudfRd - ok
15:41:49.0296 0540 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
15:41:49.0328 0540 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
15:41:49.0328 0540 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
15:41:49.0328 0540 Boot (0x1200) (70f4a35ef6e9076676f4c65233f30bc1) \Device\Harddisk0\DR0\Partition0
15:41:49.0328 0540 \Device\Harddisk0\DR0\Partition0 - ok
15:41:49.0343 0540 ============================================================
15:41:49.0343 0540 Scan finished
15:41:49.0343 0540 ============================================================
15:41:49.0343 3316 Detected object count: 1
15:41:49.0343 3316 Actual detected object count: 1
15:42:00.0812 3316 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
15:42:00.0828 3316 \Device\Harddisk0\DR0 - ok
15:42:00.0828 3316 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
15:42:10.0328 0788 Deinitialize success

#9 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 12 January 2012 - 04:13 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 Tristar500 (Topic Starter)

Posted 12 January 2012 - 04:55 PM

Thanks again, hope we are getting closer.

ComboFix 12-01-12.04 - ir 01/12/2012 16:44:25.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3197.2602 [GMT -5:00]
Running from: c:\documents and settings\ir\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ir\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))))))))))))))))))))))
.
.
2012-01-10 15:40 . 2012-01-10 15:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-09 20:51 . 2012-01-09 20:51 -------- d-----w- c:\documents and settings\Administrator
2012-01-09 18:59 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-09 18:59 . 2012-01-09 18:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-07 13:17 . 2012-01-07 13:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2012-01-07 13:17 . 2012-01-07 13:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-01-07 12:31 . 2012-01-07 12:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Thunderbird
2012-01-07 12:31 . 2012-01-07 12:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\Thunderbird
2012-01-04 16:33 . 2012-01-04 16:33 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2012-01-04 16:33 . 2012-01-04 16:33 -------- d-----w- c:\documents and settings\ir\Application Data\Intuit
2012-01-04 16:32 . 2012-01-04 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2012-01-04 16:11 . 2012-01-04 16:11 -------- d-----w- c:\windows\ShellNew
2012-01-04 16:11 . 2012-01-04 16:11 -------- d-----w- c:\documents and settings\ir\Application Data\Microsoft Web Folders
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2012-01-03 05:02 . 2012-01-03 05:02 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-03 05:02 . 2012-01-03 05:02 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-03 05:02 . 2012-01-03 05:02 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-03 05:02 . 2012-01-03 05:02 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2011-12-27 18:40 . 2011-12-27 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN
2011-12-27 18:39 . 2011-12-27 18:39 -------- d-----w- C:\MapSource
2011-12-27 17:12 . 2011-12-27 21:25 -------- d-----w- C:\Garmin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-14 02:24 . 2011-05-20 13:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25 . 2004-08-04 06:17 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-04 07:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 19:20 . 2004-08-04 07:56 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 07:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 07:56 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 07:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-04 06:18 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 07:56 186880 ----a-w- c:\windows\system32\encdec.dll
2012-01-03 05:02 . 2011-05-07 20:12 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-12_19.40.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-12 21:41 . 2012-01-12 21:41 16384 c:\windows\Temp\Perflib_Perfdata_2ac.dat
+ 2001-08-18 12:00 . 2012-01-12 21:45 71700 c:\windows\system32\perfc009.dat
- 2001-08-18 12:00 . 2012-01-12 19:22 71700 c:\windows\system32\perfc009.dat
- 2012-01-11 15:29 . 2010-07-05 13:15 26488 c:\windows\SoftwareDistribution\Download\aed4d56139363b579c1082a39bd5dcdd\update\spcustom.dll
- 2012-01-11 15:29 . 2010-07-05 13:15 17272 c:\windows\SoftwareDistribution\Download\aed4d56139363b579c1082a39bd5dcdd\spmsg.dll
- 2012-01-11 15:30 . 2010-07-05 13:15 26488 c:\windows\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501\update\spcustom.dll
- 2012-01-11 15:30 . 2010-07-05 13:15 17272 c:\windows\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501\spmsg.dll
- 2012-01-11 15:30 . 2010-07-05 13:15 26488 c:\windows\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2\update\spcustom.dll
- 2012-01-11 15:30 . 2010-07-05 13:15 17272 c:\windows\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2\spmsg.dll
- 2012-01-11 15:30 . 2010-07-05 13:15 26488 c:\windows\SoftwareDistribution\Download\0a47b0a335f7de65c0ff4dcc7f2debf1\update\spcustom.dll
- 2012-01-11 15:30 . 2010-07-05 13:15 17272 c:\windows\SoftwareDistribution\Download\0a47b0a335f7de65c0ff4dcc7f2debf1\spmsg.dll
+ 2001-08-18 12:00 . 2012-01-12 21:45 441890 c:\windows\system32\perfh009.dat
- 2001-08-18 12:00 . 2012-01-12 19:22 441890 c:\windows\system32\perfh009.dat
- 2012-01-11 15:29 . 2010-07-05 13:16 382840 c:\windows\SoftwareDistribution\Download\aed4d56139363b579c1082a39bd5dcdd\update\updspapi.dll
- 2012-01-11 15:29 . 2010-07-05 13:15 755576 c:\windows\SoftwareDistribution\Download\aed4d56139363b579c1082a39bd5dcdd\update\update.exe
- 2012-01-11 15:29 . 2010-07-05 13:15 231288 c:\windows\SoftwareDistribution\Download\aed4d56139363b579c1082a39bd5dcdd\spuninst.exe
- 2012-01-11 15:30 . 2010-07-05 13:16 382840 c:\windows\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501\update\updspapi.dll
- 2012-01-11 15:30 . 2010-07-05 13:15 755576 c:\windows\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501\update\update.exe
- 2012-01-11 15:30 . 2010-07-05 13:15 231288 c:\windows\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501\spuninst.exe
- 2012-01-11 15:30 . 2010-07-05 13:16 382840 c:\windows\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2\update\updspapi.dll
- 2012-01-11 15:30 . 2010-07-05 13:15 755576 c:\windows\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2\update\update.exe
- 2012-01-11 15:30 . 2010-07-05 13:15 231288 c:\windows\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2\spuninst.exe
- 2012-01-11 15:30 . 2010-07-05 13:16 382840 c:\windows\SoftwareDistribution\Download\0a47b0a335f7de65c0ff4dcc7f2debf1\update\updspapi.dll
- 2012-01-11 15:30 . 2010-07-05 13:15 755576 c:\windows\SoftwareDistribution\Download\0a47b0a335f7de65c0ff4dcc7f2debf1\update\update.exe
- 2012-01-11 15:30 . 2010-07-05 13:15 231288 c:\windows\SoftwareDistribution\Download\0a47b0a335f7de65c0ff4dcc7f2debf1\spuninst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Bidnapper Homelink"="c:\program files\Bidnapper\Bidnapper Homelink\BidnapperHomelink.exe" [2010-04-21 236544]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2003-09-09 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Auction Sentry\\AuctionSentry.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\ir\\My Documents\\Downloads\\sdsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SSUpdate.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 12:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [7/11/2011 12:13 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/11/2011 12:13 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 12:14 AM 295248]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/9/2012 1:59 PM 652872]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 12:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 12:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [7/11/2011 12:14 AM 16720]
R3 Mach3;Mach3 Pulseing Service;c:\windows\system32\drivers\Mach3.sys [5/9/2007 9:26 PM 107648]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/9/2012 1:59 PM 20464]
S0 hhunk;hhunk;c:\windows\system32\drivers\ttjxcbo.sys --> c:\windows\system32\drivers\ttjxcbo.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [7/18/2011 8:10 AM 1025352]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys --> c:\windows\system32\DRIVERS\GenericMount.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itnetsvc REG_MULTI_SZ itlperf
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\ir\Application Data\Mozilla\Firefox\Profiles\bh28dqd3.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20111123&q=
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-12 16:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1900)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-01-12 16:53:47
ComboFix-quarantined-files.txt 2012-01-12 21:53
ComboFix2.txt 2012-01-12 19:44
.
Pre-Run: 374,122,139,648 bytes free
Post-Run: 374,249,623,552 bytes free
.
- - End Of File - - 28FD4EB600D4E800B6F6277F6A075E09

#11 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 12 January 2012 - 05:05 PM

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore; this is fine, just move to the next item on the list.

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

µTorrent
Advertising Center
Java™ 6 Update 27


and click on remove


Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Proud Graduate Of Malware Removal University

#12 Tristar500 (Topic Starter)

Posted 13 January 2012 - 09:47 AM

TFC froze the machine.

Ran Malwarebytes.

Malwarebytes Anti-Malware (PRO) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.13.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
ir :: IR-BD61548BF697 [administrator]

Protection: Enabled

1/13/2012 9:43:59 AM
mbam-log-2012-01-13 (09-43-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 179466
Time elapsed: 1 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#13 Tristar500 (Topic Starter)

Posted 13 January 2012 - 09:52 AM

Log from HijackThis.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:51:39 AM, on 1/13/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [VMM Mode Selection] C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6234 bytes

#14 gringo_pr (Malware Response Team)

Posted 13 January 2012 - 10:40 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start when you turn on your computer but don't need to; you can start any of them from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    • O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    • O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    • O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    • O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines here and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space, e.g.
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - on Vista and Win 7, right-click the IE shortcut and run as admin

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on Copy to clipboard and paste the results here in this topic
  • You may also find the log at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
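The "Remove unneeded start-up entries" step above is done by hand in HijackThis: ticking an O4 line and clicking Fix Checked deletes the Run value (or Startup-folder shortcut) so the program no longer launches at logon, while the program itself stays installed. The script below is an added example, not code from the post or from HijackThis. It lists the same autostart locations HijackThis reports as O4 entries, exports a .reg backup of each Run key before touching it, and removes a chosen set of value names. The value names are the optional O4 items from post #14; the backup folder and the use of reg.exe for the export are this example's own assumptions, and it only lists (does not delete) Startup-folder shortcuts.

```powershell
# Added example, not from the BleepingComputer post and not HijackThis code.
# Lists the autostart locations HijackThis shows as O4 entries, backs up each
# Run key to a .reg file, then removes the named values. Run from an elevated
# PowerShell prompt; -WhatIf only reports what would be removed.

$BackupDir = Join-Path $env:USERPROFILE 'autorun-backup'   # assumed location
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# The optional O4 items from post #14 (value names between the brackets).
$ToRemove = @('QuickTime Task', 'NvCplDaemon', 'Camera Detector',
              'Adobe ARM', 'SunJavaUpdateSched')

function Get-AutorunEntries {
    # Registry Run values, one object per value (HJT "O4 - HKLM/HKCU\..\Run").
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            New-Object PSObject -Property @{
                Location = $key; Name = $name; Command = $item.GetValue($name)
            }
        }
    }
    # Startup folders (HJT "O4 - Global Startup" and "O4 - Startup").
    foreach ($folder in @([Environment]::GetFolderPath('CommonStartup'),
                          [Environment]::GetFolderPath('Startup'))) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            New-Object PSObject -Property @{
                Location = $folder; Name = $_.Name; Command = $_.FullName
            }
        }
    }
}

function Backup-RunKey {
    param([string]$Key)
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    # reg.exe wants HKLM\... rather than the PowerShell HKLM:\ drive form.
    $regPath = $Key -replace '^HKLM:', 'HKLM' -replace '^HKCU:', 'HKCU'
    $file = Join-Path $BackupDir (($regPath -replace '[\\:]', '_') + '.reg')
    if (Test-Path $file) { Remove-Item -Path $file -Force }
    & reg.exe export $regPath $file | Out-Null
    return $file
}

function Remove-AutorunEntries {
    param([string[]]$Names, [switch]$WhatIf)
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $present = (Get-Item -Path $key).GetValueNames() | Where-Object { $Names -contains $_ }
        if (-not $present) { continue }
        $backup = Backup-RunKey -Key $key
        foreach ($name in $present) {
            if ($WhatIf) {
                Write-Host "Would remove '$name' from $key (backup: $backup)"
            } else {
                Remove-ItemProperty -Path $key -Name $name
                Write-Host "Removed '$name' from $key (backup: $backup)"
            }
        }
    }
}

Get-AutorunEntries | Format-Table Location, Name, Command -AutoSize
Remove-AutorunEntries -Names $ToRemove -WhatIf   # drop -WhatIf to actually remove them
```

Review the listing before dropping -WhatIf: the entries named here are all known software from the log (QuickTime, NVIDIA, ACDSee, Adobe and Java updaters), so removing them is only the boot-time optimisation the post describes, and the exported .reg file can be double-clicked to put any of them back.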

#15 Tristar500 (Topic Starter)

Posted 13 January 2012 - 12:01 PM

From the Eset scanner..

Curious, would ESET have been any help at all if I had run it before we started this? Malwarebytes, SuperAntiSpyware and AVG didn't seem to think there was anything wrong with my computer except for MBAM telling me about blocking the outgoing....


C:\Documents and Settings\ir\My Documents\Downloads\cnet_setupscreenhunterfree_exe.exe a variant of Win32/InstallCore.D application
C:\System Volume Information\_restore{EBFB8537-319C-40A4-975F-691E5D614950}\RP946\A0066802.exe Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{EBFB8537-319C-40A4-975F-691E5D614950}\RP946\A0066803.dll a variant of Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{EBFB8537-319C-40A4-975F-691E5D614950}\RP946\A0066804.exe a variant of Win32/Toolbar.Zugo application
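The four ESET hits above are worth reading by location as much as by name: three are copies inside a System Restore point (C:\System Volume Information\_restore{...}), which are inert unless that restore point is ever restored, and the fourth is a downloaded installer in My Documents\Downloads tagged as an InstallCore bundler, that is, a potentially unwanted application rather than a trojan. None is a live file under Windows or Program Files. The script below is an added example, not part of the post or ESET's tooling, that parses ESET Online Scanner result lines and separates restore-point copies, downloads and live files; the sample lines are the four results above, while the line-format regex, the category names and the reading of ESET's trailing class word ("application") as a PUA marker are this example's own assumptions.

```python
"""Added example for triaging ESET Online Scanner output; not the thread's
or ESET's own code. SAMPLE_LOG is the four result lines posted above; the
line-format regex, the location categories and the reading of ESET's
trailing class word are assumptions made for this example."""
import re
from collections import Counter

SAMPLE_LOG = r"""
C:\Documents and Settings\ir\My Documents\Downloads\cnet_setupscreenhunterfree_exe.exe a variant of Win32/InstallCore.D application
C:\System Volume Information\_restore{EBFB8537-319C-40A4-975F-691E5D614950}\RP946\A0066802.exe Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{EBFB8537-319C-40A4-975F-691E5D614950}\RP946\A0066803.dll a variant of Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{EBFB8537-319C-40A4-975F-691E5D614950}\RP946\A0066804.exe a variant of Win32/Toolbar.Zugo application
"""

# "<path> <verdict>": the path may contain spaces, so it is matched lazily up
# to the point where a verdict ("[probably ][a variant of ]Platform/Name class")
# begins. Assumed format, derived from the lines above.
LINE_RE = re.compile(
    r'^(?P<path>.+?)\s+'
    r'(?P<verdict>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+.*)$'
)
RESTORE_RE = re.compile(r'\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\', re.I)
DOWNLOAD_RE = re.compile(r'\\Downloads\\', re.I)


def classify_location(path):
    """Where the file sits decides what the hit means: a copy inside a System
    Restore point is inert until that point is restored, a file in Downloads
    is an installer that was fetched but may never have run, anything else is
    treated as live."""
    if RESTORE_RE.search(path):
        return 'restore-point'
    if DOWNLOAD_RE.search(path):
        return 'download'
    return 'live'


def parse_line(line):
    """Return a finding dict for one ESET result line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, verdict = m.group('path'), m.group('verdict')
    tokens = verdict.split()
    family = next(t for t in tokens if '/' in t)   # e.g. Win32/Toolbar.Zugo
    kind = tokens[-1]                               # ESET's trailing class word
    return {
        'path': path,
        'family': family,
        'kind': kind,
        # Assumption: ESET tags potentially unwanted/unsafe software with the
        # class word "application", as opposed to trojan, worm, etc.
        'pua': kind.lower() == 'application',
        'location': classify_location(path),
    }


def triage(log_text):
    """Parse every result line and count hits per (location, kind)."""
    findings = [f for f in (parse_line(l) for l in log_text.splitlines()) if f]
    summary = Counter((f['location'], f['kind']) for f in findings)
    return findings, summary


def live_findings(findings):
    """The subset that matters for 'is this machine infected right now'."""
    return [f for f in findings if f['location'] == 'live']


if __name__ == '__main__':
    findings, summary = triage(SAMPLE_LOG)
    for f in findings:
        print(f"{f['location']:<14} {f['family']:<24} {f['path']}")
    print(dict(summary))
    print('live, non-PUA hits:', [f['path'] for f in live_findings(findings) if not f['pua']])
```

For this log the live list comes back empty, which is the same reading the helper's earlier logs support: the machine's running state is clean, and the restore-point copies disappear once System Restore is flushed and a fresh point is created, the usual last step in these threads. The regex is deliberately lazy on the path so that Windows paths with spaces ("Documents and Settings") are handled; a line that does not end in an ESET-style verdict is skipped rather than mis-parsed.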



