
k9-webprotection-32.exe (Adware.AdRotator) infection


  • This topic is locked
18 replies to this topic

#1 JoliSoli

JoliSoli

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:30 AM

Posted 11 May 2013 - 05:24 PM

Hi!  I was getting some slow browser behavior and some indecent ads while moderating groups on yahoo.  Went through guide for slow computer, and MalwareBytes found k9-webprotection-32.exe (Adware.AdRotator), and it was deleted/quarantined.

 

The ads came back, even after following a series of self-help instructions suggested here:

 

http://www.bleepingcomputer.com/forums/t/493783/obscene-ads-in-yahoo/

 

I need some professional help :scratchhead:

 

Malware Bytes anti-rootkit displayed the can't load DSS/reboot message. I rebooted etc. but it didn't find anything.

I don't think any of the original steps suggested (SecurityCheck, Farbar, MiniToolBox, AdwCleaner, Junkware Removal Tool) seemed to actually find an infection.

 

At some point I noticed my files with known extensions had their extensions hidden (never happened before).  I changed the setting back.

 

Was recommended to run RogueKiller.  This found a number of problematic registry entries; deleted them.  It also listed several sex.com-type sites in the host list and fixed the list just to localhost.

Then I ran a few of the previously-run tools again. This time adwcleaner also found 2 or 3 registry entries and deleted them.

 

I believe since running RogueKiller I'm seeing more frequent screen repaintings, which I never noticed before.

Whenever I try to run TDSSKiller it gives a message that version 17 is available, but each time I click to download it, the newly-downloaded version still says I'm running 2.8.16.0 but 2.8.17.0 is available.

 

The extensions fell off the known files again, changed it back again.

 

I actually ran DDS before attempting these self-help suggestions, and ran it again now.  "attach" is the one before; "attach2" is the one after.  I'm pasting both logs below.  Thank you in advance for your help!

 

Here is before:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_39
Run by Ellen at 15:13:31 on 2013-05-07
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1992.475 [GMT 3:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
\??\C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
\??\C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\V0230Mon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\TurboTax\Deluxe 2011\32bit\TurboTax.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\WINDOWS\SYSTEM32\CALC.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cross-currents.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: FDMIECookiesBHO Class: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AIM Search: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - c:\program files\aim toolbar\AIMBar.dll
TB: Easy-WebPrint: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: SideStep: {83B28A74-640D-48F4-9F51-E80EED7CC7E0} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [UIWatcher] c:\program files\ashampoo\ashampoo uninstaller 3\UIWatcher.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\ellen\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [V0230Mon.exe] c:\windows\V0230Mon.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all with Free Download Manager - c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {3E230861-5C87-11D3-A1C6-00105A1B41B8} - {83B28A74-640D-48F4-9F51-E80EED7CC7E0}
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://mn104.coolsavings.com/download/cscmv5X.cab
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k00719/sb02a.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164665979734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540001} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 10.0.0.138
TCP: Interfaces\{192DEFC1-2C58-4D91-AB16-607F25632AEB} : DHCPNameServer = 10.0.0.138
TCP: Interfaces\{5C424994-CF2A-4D79-9A85-F6A0588EF977} : DHCPNameServer = 208.67.222.222 192.115.106.35
TCP: Interfaces\{CF8A06DE-8F48-4D04-9582-124E228F37F8} : DHCPNameServer = 192.117.235.237 62.219.186.7
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension - {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} -
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ellen\application data\mozilla\firefox\profiles\pimjkdpq.default\
FF - component: c:\documents and settings\ellen\application data\mozilla\firefox\profiles\pimjkdpq.default\extensions\{75364a75-0650-4ca5-8ad1-d525dc17a1e4}\components\agat.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\ellen\local settings\application data\citrix\plugins\94\npappdetector.dll
FF - plugin: c:\documents and settings\ellen\local settings\application data\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\amazon\mp3 downloader\npAmazonMP3DownloaderPlugin101772.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_169.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
FF - ExtSQL: 2013-04-15 14:24; fdm_ffext@freedownloadmanager.org; c:\program files\free download manager\firefox\Extension
FF - ExtSQL: !HIDDEN! 2009-11-22 03:01; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 250080]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 302368]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-11-2 5174392]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-7-18 45848]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 142176]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-6-6 167080]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 MailRoomServer;MailRoom Server;c:\windows\system32\mrservice.exe --> c:\windows\system32\MRService.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-6-6 1684736]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2010-6-6 32384]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2006-3-24 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2006-9-29 500480]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
2013-04-11 00:18:40    302368    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2013-04-10 20:14:28    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-10 20:14:28    691592    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-04-04 11:50:32    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-04-02 14:09:52    4550656    ----a-w-    c:\windows\system32\GPhotos.scr
2013-03-08 08:36:22    293376    ----a-w-    c:\windows\system32\winsrv.dll
2013-03-07 01:32:25    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06:31    916480    ----a-w-    c:\windows\system32\wininet.dll
2013-03-02 02:06:30    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-03-02 02:06:30    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-03-02 01:25:02    1867264    ----a-w-    c:\windows\system32\win32k.sys
2013-03-02 01:08:47    385024    ------w-    c:\windows\system32\html.iec
2013-02-27 07:56:51    2067456    ----a-w-    c:\windows\system32\mstscax.dll
2013-02-12 00:32:23    12928    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-02-12 00:32:23    12928    ------w-    c:\windows\system32\drivers\usb8023x.sys
.
============= FINISH: 15:14:37.25 ===============
 

Here is after (current state now):

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.21.2
Run by Ellen at 0:47:17 on 2013-05-12
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1992.1020 [GMT 3:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\V0230Mon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cross-currents.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: AIM Search: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - c:\program files\aim toolbar\AIMBar.dll
TB: Easy-WebPrint: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
EB: SideStep: {83B28A74-640D-48F4-9F51-E80EED7CC7E0} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [UIWatcher] c:\program files\ashampoo\ashampoo uninstaller 3\UIWatcher.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [V0230Mon.exe] c:\windows\V0230Mon.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRunOnce: [Z1] cmd /c "c:\documents and settings\ellen\my documents\downloads\mbar-1.05.0.1001(1)\mbar\mbar.exe" /cleanup /s
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {3E230861-5C87-11D3-A1C6-00105A1B41B8} - {83B28A74-640D-48F4-9F51-E80EED7CC7E0}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://mn104.coolsavings.com/download/cscmv5X.cab
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k00719/sb02a.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1367995179312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540001} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 10.0.0.138
TCP: Interfaces\{192DEFC1-2C58-4D91-AB16-607F25632AEB} : DHCPNameServer = 10.0.0.138
TCP: Interfaces\{5C424994-CF2A-4D79-9A85-F6A0588EF977} : DHCPNameServer = 208.67.222.222 192.115.106.35
TCP: Interfaces\{CF8A06DE-8F48-4D04-9582-124E228F37F8} : DHCPNameServer = 192.117.235.237 62.219.186.7
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension - {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} -
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ellen\application data\mozilla\firefox\profiles\ait7y8mr.default-1368138454968\
FF - plugin: c:\documents and settings\ellen\local settings\application data\citrix\plugins\94\npappdetector.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\amazon\mp3 downloader\npAmazonMP3DownloaderPlugin101772.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1202122.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_169.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
FF - ExtSQL: 2013-04-11 23:53; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-2-8 245048]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2013-2-8 96568]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2013-2-8 39224]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2013-3-29 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-3-1 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2013-2-8 170808]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-3-21 182072]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2013-4-25 4936752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2013-4-18 283136]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-7-18 45848]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-6-6 167080]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-5-12 35144]
R3 mbamswissarmy;mbamswissarmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-5-12 143688]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-2-8 60216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 MailRoomServer;MailRoom Server;c:\windows\system32\mrservice.exe --> c:\windows\system32\MRService.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-6-6 1684736]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2010-6-6 32384]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2006-3-24 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2006-9-29 500480]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2013-05-11 21:46:03    35144    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-05-11 21:46:03    143688    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-05-11 18:19:14    --------    d-----w-    c:\windows\system32\cache
2013-05-10 09:55:42    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-05-10 09:55:42    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-05-08 11:01:19    --------    d-----w-    c:\documents and settings\ellen\application data\AVG2013
2013-05-08 10:58:38    --------    d-----w-    c:\documents and settings\all users\application data\AVG2013
2013-05-08 03:13:34    --------    d-----w-    c:\documents and settings\ellen\application data\TuneUp Software
2013-05-07 19:34:54    --------    d-----w-    c:\documents and settings\ellen\local settings\application data\Sun
2013-05-07 19:32:47    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-05-07 19:16:30    --------    d-----w-    c:\windows\ERUNT
2013-05-07 19:16:26    --------    d-----w-    C:\JRT
2013-05-07 18:06:01    --------    d-----w-    c:\program files\mbrootkit
2013-05-02 09:18:40    --------    d-----w-    c:\program files\SourceGear
2013-04-23 17:44:10    --------    d-----w-    c:\documents and settings\ellen\local settings\application data\Intuit
2013-04-23 17:38:49    --------    d-----w-    c:\documents and settings\ellen\local settings\application data\IsolatedStorage
2013-04-23 17:37:29    --------    d-----w-    c:\program files\TurboTax
.
==================== Find3M  ====================
.
2013-05-09 19:52:30    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-09 19:52:30    691592    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-05-07 19:32:38    866720    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-05-07 19:32:38    788896    ----a-w-    c:\windows\system32\deployJava1.dll
2013-05-07 19:32:38    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-04-02 14:09:52    4550656    ----a-w-    c:\windows\system32\GPhotos.scr
2013-03-28 23:53:48    208184    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2013-03-21 00:08:24    182072    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2013-03-08 08:36:22    293376    ----a-w-    c:\windows\system32\winsrv.dll
2013-03-07 01:32:25    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06:31    916480    ----a-w-    c:\windows\system32\wininet.dll
2013-03-02 02:06:30    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-03-02 02:06:30    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-03-02 01:25:02    1867264    ----a-w-    c:\windows\system32\win32k.sys
2013-03-02 01:08:47    385024    ------w-    c:\windows\system32\html.iec
2013-03-01 07:32:20    22328    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
2013-02-27 07:56:51    2067456    ----a-w-    c:\windows\system32\mstscax.dll
2013-02-12 00:32:23    12928    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-02-12 00:32:23    12928    ------w-    c:\windows\system32\drivers\usb8023x.sys
.
============= FINISH:  0:47:51.70 ===============
 

 

TIA,

Ellen

Edited by JoliSoli, 12 May 2013 - 08:12 AM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 May 2013 - 10:16 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

#3 JoliSoli

JoliSoli
  • Topic Starter

  • Members
  • 35 posts
  • Gender:Female

Posted 14 May 2013 - 10:38 AM

Thank you for the reply I appreciate it!

I'm going offline for a day, will get right on this when I'm back.

One question - do you think there's a chance that my internet/wireless router could also be affected?  I'm having some very recent trouble there also.


Edited by JoliSoli, 14 May 2013 - 10:41 AM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 May 2013 - 12:41 PM

That could very well be.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know yours ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

#5 JoliSoli

JoliSoli
  • Topic Starter

  • Members
  • 35 posts
  • Gender:Female

Posted 15 May 2013 - 02:30 PM

Um... when you write "Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer."  - was I supposed to do anything additional besides running the programs listed afterward?

 

Here are the logs (and meanwhile I reset my router)

 

# AdwCleaner v2.300 - Logfile created 05/15/2013 at 21:37:20

# Updated 28/04/2013 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : Ellen - MACABI25

# Boot Mode : Normal

# Running from : C:\Documents and Settings\Ellen\My Documents\downloads\adwcleaner(1).exe

# Option [Search]

 

 

***** [Services] *****

 

 

***** [Files / Folders] *****

 

 

***** [Registry] *****

 

 

***** [Internet Browsers] *****

 

-\\ Internet Explorer v8.0.6001.18702

 

[OK] Registry is clean.

 

-\\ Mozilla Firefox v20.0.1 (en-US)

 

File : C:\Documents and Settings\Ellen\Application Data\Mozilla\Firefox\Profiles\ait7y8mr.default-1368138454968\prefs.js

 

[OK] File is clean.

 

-\\ Google Chrome v [Unable to get version]

 

File : C:\Documents and Settings\Ellen\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

 

[OK] File is clean.

 

*************************

 

AdwCleaner[R1].txt - [1527 octets] - [11/05/2013 21:58:11]

AdwCleaner[R2].txt - [1227 octets] - [13/05/2013 23:03:38]

AdwCleaner[R3].txt - [1042 octets] - [15/05/2013 21:37:20]

AdwCleaner[S1].txt - [4293 octets] - [07/05/2013 21:54:36]

AdwCleaner[S2].txt - [1597 octets] - [11/05/2013 21:59:01]

AdwCleaner[S3].txt - [1288 octets] - [13/05/2013 23:04:05]

 

########## EOF - C:\AdwCleaner[R3].txt - [1282 octets] ##########

 

# AdwCleaner v2.300 - Logfile created 05/15/2013 at 21:37:57

# Updated 28/04/2013 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : Ellen - MACABI25

# Boot Mode : Normal

# Running from : C:\Documents and Settings\Ellen\My Documents\downloads\adwcleaner(1).exe

# Option [Delete]

 

 

***** [Services] *****

 

 

***** [Files / Folders] *****

 

 

***** [Registry] *****

 

 

***** [Internet Browsers] *****

 

-\\ Internet Explorer v8.0.6001.18702

 

[OK] Registry is clean.

 

-\\ Mozilla Firefox v20.0.1 (en-US)

 

File : C:\Documents and Settings\Ellen\Application Data\Mozilla\Firefox\Profiles\ait7y8mr.default-1368138454968\prefs.js

 

[OK] File is clean.

 

-\\ Google Chrome v [Unable to get version]

 

File : C:\Documents and Settings\Ellen\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

 

[OK] File is clean.

 

*************************

 

AdwCleaner[R1].txt - [1527 octets] - [11/05/2013 21:58:11]

AdwCleaner[R2].txt - [1227 octets] - [13/05/2013 23:03:38]

AdwCleaner[R3].txt - [1351 octets] - [15/05/2013 21:37:20]

AdwCleaner[S1].txt - [4293 octets] - [07/05/2013 21:54:36]

AdwCleaner[S2].txt - [1597 octets] - [11/05/2013 21:59:01]

AdwCleaner[S3].txt - [1288 octets] - [13/05/2013 23:04:05]

AdwCleaner[S4].txt - [1282 octets] - [15/05/2013 21:37:57]

 

########## EOF - C:\AdwCleaner[S4].txt - [1342 octets] ##########

 

ComboFix 13-05-15.01 - Ellen 05/15/2013  21:56:18.1.2 - x86

Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1992.1212 [GMT 3:00]

Running from: c:\documents and settings\Ellen\My Documents\Downloads\ComboFix.exe

AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfapx.exe

c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfarx.dll

c:\documents and settings\All Users\Application Data\TEMP\AVG\avgntdumpx.exe

c:\documents and settings\All Users\Application Data\TEMP\AVG\avgrunasx.exe

c:\documents and settings\All Users\Application Data\TEMP\AVG\compat.ini

c:\documents and settings\All Users\Application Data\TEMP\AVG\htmlayout.dll

c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_es.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaconf.txt

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfacz.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfada.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaes.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfafr.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfage.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfahu.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaid.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfain.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfait.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfajp.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfako.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfams.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfanl.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapb.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapl.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapt.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaru.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasc.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfask.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasp.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfatr.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaus.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfavera.txt

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaverx.txt

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazh.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazt.lns

c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe

c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini

c:\documents and settings\Ellen\g2mdlhlpx.exe

c:\documents and settings\Ellen\System

c:\documents and settings\Ellen\System\win_qs8.jqx

c:\documents and settings\Ellen\WINDOWS

c:\documents and settings\Ellen\WINDOWS\system\ICCVID.DLL

C:\install.exe

c:\windows\desktop

c:\windows\desktop\Instal~1.lnk

c:\windows\Fonts\usps4cb.TTF

c:\windows\system\VI30AUT.DLL

c:\windows\system32\Cache

c:\windows\system32\Cache\009ac04969e0cdda.fb

c:\windows\system32\Cache\075884af680ff6dc.fb

c:\windows\system32\Cache\227113dfa1ca894d.fb

c:\windows\system32\Cache\49fbbc5a8678d502.fb

c:\windows\system32\Cache\5c54eb1a1655b076.fb

c:\windows\system32\Cache\613e8ce7ab7106af.fb

c:\windows\system32\Cache\633a76311867bd11.fb

c:\windows\system32\Cache\691f14230153a9e1.fb

c:\windows\system32\Cache\6cb409d7ac73d9f1.fb

c:\windows\system32\Cache\7614bd6cfa99e546.fb

c:\windows\system32\Cache\77664b6ccc36be9f.fb

c:\windows\system32\Cache\881b3593316772f0.fb

c:\windows\system32\Cache\98657d0579ae1930.fb

c:\windows\system32\Cache\c4e10d1be905349b.fb

c:\windows\system32\Cache\d5c0f4e7bbe35bf3.fb

c:\windows\system32\Cache\d9ca663388d21ec0.fb

c:\windows\system32\Cache\f2cda51fd108941f.fb

c:\windows\system32\Cache\f34d8db84131d925.fb

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\FUSION.DLL

c:\windows\system32\URTTemp\MSCOREE.DLL

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\MSCORSN.DLL

c:\windows\system32\URTTemp\MSCORWKS.DLL

c:\windows\system32\URTTemp\MSVCR71.DLL

c:\windows\system32\URTTemp\REGTLIB.EXE

c:\windows\wininit.ini

.

.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_PASSWORD

.

.

(((((((((((((((((((((((((   Files Created from 2013-04-15 to 2013-05-15  )))))))))))))))))))))))))))))))

.

.

2013-05-11 21:46 . 2013-05-11 21:46            35144  ----a-w-           c:\windows\system32\drivers\mbamchameleon.sys

2013-05-10 09:55 . 2013-05-10 09:55            --------            d-----w-          c:\program files\Malwarebytes' Anti-Malware

2013-05-10 09:55 . 2013-04-04 11:50            22856  ----a-w-           c:\windows\system32\drivers\mbam.sys

2013-05-08 11:01 . 2013-05-08 11:01            --------            d-----w-          c:\documents and settings\Ellen\Application Data\AVG2013

2013-05-08 10:58 . 2013-05-11 21:33            --------            d-----w-          c:\documents and settings\All Users\Application Data\AVG2013

2013-05-08 06:27 . 2013-05-08 06:27            --------            d-----w-          c:\documents and settings\Ellen\Application Data\Oracle

2013-05-08 03:13 . 2013-05-08 03:13            --------            d-----w-          c:\documents and settings\Ellen\Application Data\TuneUp Software

2013-05-07 19:34 . 2013-05-07 19:34            --------            d-----w-          c:\documents and settings\Ellen\Local Settings\Application Data\Sun

2013-05-07 19:32 . 2013-05-07 19:32            94112  ----a-w-           c:\windows\system32\WindowsAccessBridge.dll

2013-05-07 19:16 . 2013-05-07 19:16            --------            d-----w-          c:\windows\ERUNT

2013-05-07 19:16 . 2013-05-11 21:25            --------            d-----w-          C:\JRT

2013-05-07 18:06 . 2013-05-07 18:06            --------            d-----w-          c:\program files\mbrootkit

2013-05-02 09:18 . 2013-05-02 09:18            --------            d-----w-          c:\program files\SourceGear

2013-04-23 17:44 . 2013-04-23 17:44            --------            d-----w-          c:\documents and settings\Ellen\Local Settings\Application Data\Intuit

2013-04-23 17:38 . 2013-04-23 17:38            --------            d-----w-          c:\documents and settings\Ellen\Local Settings\Application Data\IsolatedStorage

2013-04-23 17:37 . 2013-04-23 17:37            --------            d-----w-          c:\program files\TurboTax

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-05-09 19:52 . 2012-03-31 17:03            691592            ----a-w-           c:\windows\system32\FlashPlayerApp.exe

2013-05-09 19:52 . 2011-05-28 18:52            71048  ----a-w-           c:\windows\system32\FlashPlayerCPLApp.cpl

2013-05-07 19:32 . 2012-10-18 21:22            866720            ----a-w-           c:\windows\system32\npdeployJava1.dll

2013-05-07 19:32 . 2012-10-18 21:22            144896            ----a-w-           c:\windows\system32\javacpl.cpl

2013-05-07 19:32 . 2010-07-10 18:40            788896            ----a-w-           c:\windows\system32\deployJava1.dll

2013-04-02 14:09 . 2013-04-02 14:09            4550656          ----a-w-           c:\windows\system32\GPhotos.scr

2013-03-28 23:53 . 2013-03-28 23:53            208184            ----a-w-            c:\windows\system32\drivers\avgidsdriverx.sys

2013-03-21 00:08 . 2013-03-21 00:08            182072            ----a-w-           c:\windows\system32\drivers\avgtdix.sys

2013-03-08 08:36 . 2004-08-04 10:00            293376            ----a-w-           c:\windows\system32\winsrv.dll

2013-03-07 01:32 . 2004-08-04 10:00            2149888          ----a-w-           c:\windows\system32\ntoskrnl.exe

2013-03-07 00:50 . 2004-08-04 10:00            2028544          ----a-w-           c:\windows\system32\ntkrnlpa.exe

2013-03-02 02:06 . 2004-08-04 10:00            916480            ----a-w-           c:\windows\system32\wininet.dll

2013-03-02 02:06 . 2004-08-04 10:00            43520  ------w-           c:\windows\system32\licmgr10.dll

2013-03-02 02:06 . 2004-08-04 10:00            1469440          ------w-           c:\windows\system32\inetcpl.cpl

2013-03-02 01:25 . 2004-08-04 10:00            1867264          ----a-w-           c:\windows\system32\win32k.sys

2013-03-02 01:08 . 2004-08-04 10:00            385024            ------w-           c:\windows\system32\html.iec

2013-03-01 07:32 . 2013-03-01 07:32            22328  ----a-w-           c:\windows\system32\drivers\avgidsshimx.sys

2013-02-27 07:56 . 2004-08-04 10:00            2067456          ----a-w-           c:\windows\system32\mstscax.dll

2013-04-10 06:58 . 2013-05-08 08:18            263064            ----a-w-           c:\program files\mozilla firefox\components\browsercomps.dll

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 68856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-06 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-06 174616]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-06 145432]

"RTHDCPL"="RTHDCPL.EXE" [2009-10-16 18782720]

"V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-06 32768]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]

"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-04-28 4408368]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute     REG_MULTI_SZ        autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=

"c:\\Program Files\\AVG\\AVG2013\\avgemcx.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"26208:UDP"= 26208:UDP:UDP 26208

"16915:TCP"= 16915:TCP:TCP 16915

.

R0 AVGIDSHX;AVGIDSHX;c:\windows\SYSTEM32\DRIVERS\avgidshx.sys [2/8/2013 4:37 AM 60216]

R0 Avglogx;AVG Logging Driver;c:\windows\SYSTEM32\DRIVERS\avglogx.sys [2/8/2013 4:37 AM 245048]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [2/8/2013 4:37 AM 39224]

R1 AVGIDSDriver;AVGIDSDriver;c:\windows\SYSTEM32\DRIVERS\avgidsdriverx.sys [3/29/2013 2:53 AM 208184]

R1 AVGIDSShim;AVGIDSShim;c:\windows\SYSTEM32\DRIVERS\avgidsshimx.sys [3/1/2013 10:32 AM 22328]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2/8/2013 4:37 AM 170808]

R1 Avgtdix;AVG TDI Driver;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [3/21/2013 3:08 AM 182072]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [4/18/2013 4:34 AM 283136]

R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [4/25/2013 1:41 PM 4936752]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]

S2 MailRoomServer;MailRoom Server;c:\windows\system32\MRService.exe --> c:\windows\system32\MRService.exe [?]

S3 Ambfilt;Ambfilt;c:\windows\SYSTEM32\DRIVERS\Ambfilt.sys [6/6/2010 7:00 PM 1684736]

S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\SYSTEM32\DRIVERS\e1k5132.sys [6/6/2010 6:55 PM 167080]

S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\usb101et.sys [6/6/2010 11:24 PM 32384]

S3 mbamchameleon;mbamchameleon;c:\windows\SYSTEM32\DRIVERS\mbamchameleon.sys [5/12/2013 12:46 AM 35144]

S3 V0230Vfx;V0230Vfx;c:\windows\SYSTEM32\DRIVERS\V0230Vfx.sys [3/24/2006 1:00 AM 6272]

S3 V0230VID;Live! Cam Video IM Pro;c:\windows\SYSTEM32\DRIVERS\V0230VID.sys [9/29/2006 1:01 AM 500480]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2013-05-14 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 09:35]

.

2013-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 20:11]

.

2013-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 20:11]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.cross-currents.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: adiho.com\sy

Trusted Zone: aol.com\free

Trusted Zone: consumerreports.org\www

Trusted Zone: intuit.com\ttlc

Trusted Zone: noodlebugs.com

Trusted Zone: noodlebugs.com\www

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://www.sidestep.com/get/k00719/sb02a.cab

FF - ProfilePath - c:\documents and settings\Ellen\Application Data\Mozilla\Firefox\Profiles\ait7y8mr.default-1368138454968\

FF - ExtSQL: 2013-04-11 23:53; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

Toolbar-Locked - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKCU-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe

HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe

HKCU-Run-UIWatcher - c:\program files\Ashampoo\Ashampoo UnInstaller 3\UIWatcher.exe

HKLM-Run-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe

ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - c:\program files\Qualcomm\Eudora\EuShlExt.dll

SafeBoot-AVG Anti-Spyware Driver

SafeBoot-AVG Anti-Spyware Guard

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-05-15 22:02

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ... 

.

scanning hidden autostart entries ...

.

scanning hidden files ... 

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2468)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mslbui.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2013-05-15  22:06:19 - machine was rebooted

ComboFix-quarantined-files.txt  2013-05-15 19:06

.

Pre-Run: 155,664,674,816 bytes free

Post-Run: 155,702,624,256 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 145E1F1948254BD1AB628853E0009F9F

 

Results of screen317's Security Check version 0.99.63 

 Windows XP Service Pack 3 x86  

 Internet Explorer 8 

``````````````Antivirus/Firewall Check:``````````````

 Windows Firewall Enabled! 

AVG AntiVirus Free Edition 2013  

 Antivirus up to date! 

`````````Anti-malware/Other Utilities Check:`````````

 Malwarebytes Anti-Malware version 1.75.0.1300 

 Java 7 Update 21 

 Java™ 6 Update 7 

 Java 2 Runtime Environment, SE v1.4.2_06

 Adobe Flash Player     11.7.700.169 

 Adobe Reader XI 

 Mozilla Firefox (20.0.1)

````````Process Check: objlist.exe by Laurent```````` 

 AVG avgwdsvc.exe

 AVG avgrsx.exe

 AVG avgnsx.exe

 AVG avgemc.exe

`````````````````System Health check`````````````````

 Total Fragmentation on Drive C:: 8%

````````````````````End of Log``````````````````````

 

 

As far as computer behavior, I haven't seen any symptoms for 3-4 days.  No yucky yahoo ads, and the anti-malware search programs I've been running didn't turn anything up.  The only other thing that comes to mind was Farbar would report "Attempt to access Yahoo IP returned error. Yahoo IP is offline" every time I ran it - was that normal or possibly part of the ad-hijacking and if so should I run it again to see?

Thanks!
Ellen



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 May 2013 - 06:55 AM

Delete the File/folder in bold.
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}


Delete these old versions of Java, using the Add/Remove Programs list.
Java 6 Update 7
Java 2 Runtime Environment, SE v1.4.2_06

 

The only other thing that comes to mind was Farbar would report "Attempt to access Yahoo IP returned error. Yahoo IP is offline" every time I ran it - was that normal or possibly part of the ad-hijacking and if so should I run it again to see?

Nothing to worry about unless you have a problem running Yahoo!.
===

If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

If you decide to keep the AdwCleaner tool make sure to delete your version and download the latest before running it.

Delete the other tools we used.
You can keep the DDS tool, as most forums will ask to see a log before suggesting a fix.

Surf Safely, and Think Prevention!
===

#7 JoliSoli

JoliSoli
  • Topic Starter
  • Members
  • 35 posts
  • Gender:Female

Posted 16 May 2013 - 10:09 AM

Deleted the file in mozilla extensions.

 

Re Java (1) Java 6 isn't listed in my programs and (2) when I try to delete the Java 2 module the Add/Remove programs returns an error that the resource "http://java.sun.com/webapps/download/GetFile/1.4.2_06-b03/windows-i586/" is not available.

 

(Interesting: until now, using sun's uninstall applet on IE (but not Firefox) told me I have a too-old version of IE to run it (I didn't) - now it ran and found nothing old).

 

Anything else I should try, to clean up Java?



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 May 2013 - 12:29 PM

See what you can remove with this tool.

Download Revo Uninstaller and remove any programs whose removal you are having difficulty completing with the Add/Remove Programs list.

http://majorgeeks.com/Revo_Uninstaller_d5706.html

===

Then run this as well.

Please download JavaRa

If you get this message:
Problems with the download? Please use this direct link or try another mirror.

Select the Direct link download unzip it to your Desktop.

Double click JavaRa.exe then click Remove Older Versions.
In Vista and Windows 7 right click the JavaRa.exe and select run as Administrator.

Follow any prompts; a log will pop up (JavaRa.log). Please post the contents of this log.

#9 JoliSoli

JoliSoli
  • Topic Starter
  • Members
  • 35 posts
  • Gender:Female

Posted 16 May 2013 - 02:08 PM

Please help - my taskbar and icons have disappeared.

 

I did not yet do any of the housekeeping steps you listed in the post above this one.

 

I downloaded Revo Uninstaller and removed all the indicated registry keys for Java 6 Update 7.  Then I started on Java 2 etc. and it hung for a long time (20 minutes) with a little popup window that I think said "preparing installer", at which point I brought it down and restarted the computer.  (I was thinking it was probably frozen because, like the Control Panel tool, it couldn't find the Sun installer for it.)

 

Now the computer rebooted but - there is just the background and a mouse prompt.  I can bring up Task Manager, and from there I can run programs (if they're in the path or perhaps if I know their path).

 

Do I do a system restore?  (How?)

 

Thanks.... (and sorry for all the edits!)


Edited by JoliSoli, 16 May 2013 - 02:40 PM.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 May 2013 - 08:23 AM

Select : How to use System Restore to restore Windows XP to a previous state on this Microsoft page.
http://support.microsoft.com/kb/306084

#11 JoliSoli

JoliSoli
  • Topic Starter
  • Members
  • 35 posts
  • Gender:Female

Posted 19 May 2013 - 06:44 AM

Since I don't have a toolbar, how else can I launch Control Panel?

Also, what is the name of the exe to launch the folder explorer?

Thanks!



#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 May 2013 - 08:26 AM

Since I don't have a toolbar

If you mean the blue bar at the bottom of the screen, it's actually the Taskbar.

If you hover with your mouse at the bottom of the screen and see a NORTH/SOUTH arrow click it and expand the bar towards the top.
===

There could be a restriction in the registry; let's check it out.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :regfind
    NoToolbarsOnTaskbar
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
===

Safe mode will give you the option to use the last good configuration.

http://www.computerhope.com/issues/chsafe.htm#03

===

Also, what is the name of the exe to launch the folder explorer?

The folder I do not know, but the exe is explorer.exe; for Internet Explorer it's iexplore.exe (no r after explore).

Keep me posted.

#13 JoliSoli

JoliSoli
  • Topic Starter
  • Members
  • 35 posts
  • Gender:Female

Posted 22 May 2013 - 02:38 AM

Hi sorry for not being in contact sooner.  I had tried rebooting to clear the taskbar/icons problem but it didn't work, but then I powered down my machine for a day and suddenly everything was back.

 

I haven't run SystemLook yet because in the meantime a VOIP box was failing.  I hard-reset that and my router (again), left my computer disconnected from the internet, and AVG found and removed some trojans (can't find a log). Then I ran RogueKiller - every couple of days it seems to find more registry keys to delete:

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Ellen [Admin rights]
Mode : Remove -- Date : 05/21/2013 10:40:55
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD322HJ +++++
--- User ---
[MBR] 1b2626c62e6ec5481746f1b0049a3b82
[BSP] 3a896900dde4d700a1052a1a1fc89e5f : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 301610 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 617795640 | Size: 3584 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[10]_D_05212013_02d1040.txt >>
RKreport[10]_D_05212013_02d1040.txt ; RKreport[1]_S_05182013_02d2142.txt ; RKreport[2]_D_05182013_02d2150.txt ; RKreport[3]_S_05182013_02d2201.txt ; RKreport[4]_S_05182013_02d2220.txt ;
RKreport[5]_S_05182013_02d2227.txt ; RKreport[6]_S_05212013_02d0744.txt ; RKreport[7]_D_05212013_02d0744.txt ; RKreport[8]_S_05212013_02d0937.txt ; RKreport[9]_S_05212013_02d1012.txt


 

I meanwhile finished cleaning up the old Java versions with JavaRa.

Should I go ahead with SystemLook, or re-run anything I did above (DDS, ComboFix, AdwCleaner, SecurityCheck)?

 

The yahoo ads haven't returned.  But because RogueKiller keeps turning up a couple of items to delete (plus AVG - first time in maybe a year it caught something), I'm not confident my machine is clean.

 

Thank you.


Edited by JoliSoli, 22 May 2013 - 02:40 AM.
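The two artefacts this thread keeps returning to are a hosts file with redirected entries and the Explorer/System policy values that RogueKiller reported in the post above (DisableTaskMgr, DisableRegistryTools) and that nasdaq asked SystemLook to search for in #12 (NoToolbarsOnTaskbar). The script below is an added example written for this page, not a tool either poster used or part of RogueKiller or SystemLook: it audits a hosts file for mappings that block or redirect names, and classifies RogueKiller-style [HJPOL] lines by whether the policy value actually enforces a restriction. The hosts file content, the RogueKiller lines and the hostnames in it are all constructed sample data.

```python
"""Offline triage of two artefacts seen in this thread: a hosts file with
hijacked mappings and Explorer/System policy values that hide the desktop or
block repair tools.  Added example; all sample input is constructed."""
import ipaddress
import re

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

# Policy values under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies.
# Data 1 enforces the restriction; data 0 leaves it off, but on a standalone
# home machine the value's mere presence is worth a look (nothing normally
# creates it there).
POLICY_VALUES = {
    "DisableTaskMgr": r"Policies\System",         # blocks Task Manager
    "DisableRegistryTools": r"Policies\System",   # blocks regedit
    "NoToolbarsOnTaskbar": r"Policies\Explorer",  # strips taskbar toolbars
}


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping in a hosts file.
    Comments are stripped and one line may name several hosts."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a real tool would report it
        for host in parts[1:]:
            entries.append((ip, host.lower(), n))
    return entries


def audit_hosts(text):
    """Flag every mapping except the stock localhost lines.
    'blocked'   : name sent to loopback/0.0.0.0 (how malware hides AV sites)
    'redirected': name sent to some other address (classic hijack)."""
    findings = []
    for ip, host, n in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain") and ip in LOOPBACK:
            continue
        verdict = "blocked" if (ip in LOOPBACK or ip.is_unspecified) else "redirected"
        findings.append((n, verdict, host, str(ip)))
    return findings


# Matches RogueKiller's registry lines, e.g.
# "[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED"
RK_LINE = re.compile(
    r"\[HJPOL\]\s+(?P<key>\S+)\s*:\s*(?P<name>\w+)\s*\((?P<data>-?\d+)\)")


def classify_policy(name, data):
    """'restricted' if the value enforces a known restriction, 'present_but_off'
    if it exists with data 0, 'unknown' for value names not in the table."""
    if name not in POLICY_VALUES:
        return "unknown"
    return "restricted" if int(data) != 0 else "present_but_off"


def triage_roguekiller(text):
    """Return (value name, data, verdict) for each [HJPOL] line in a report."""
    out = []
    for line in text.splitlines():
        m = RK_LINE.search(line)
        if m:
            out.append((m["name"], int(m["data"]), classify_policy(m["name"], m["data"])))
    return out


# Constructed sample hosts file (names are placeholders, not real sites).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example        # blocks a security site
203.0.113.7     mail.example.com  www.example.com   # sends two real names elsewhere
"""

# Constructed sample in RogueKiller's report format.
SAMPLE_RK = r"""¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (1) -> DELETED
[HJPOL] HKCU\[...]\Explorer : NoToolbarsOnTaskbar (1) -> FOUND
"""

if __name__ == "__main__":
    for line_no, verdict, host, ip in audit_hosts(SAMPLE_HOSTS):
        print("hosts line %d: %s %s -> %s" % (line_no, verdict, host, ip))
    for name, data, verdict in triage_roguekiller(SAMPLE_RK):
        print("policy %s = %d: %s" % (name, data, verdict))
```

On a live machine the same audit would read C:\WINDOWS\system32\drivers\etc\hosts directly; the point of the split between "blocked" and "redirected" is that a clean hosts file on a home PC normally contains nothing but the localhost lines, so either kind of extra entry deserves an explanation before it is trusted.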


#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 May 2013 - 07:58 AM

Let's look with this.

Please scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#15 JoliSoli

JoliSoli
  • Topic Starter
  • Members
  • 35 posts
  • Gender:Female

Posted 22 May 2013 - 02:56 PM

Scan results:

 

C:\Documents and Settings\Ellen\My Documents\downloads\cbsidlm-tr1_13-K9_Web_Protection-ORG-10487710.exe    Win32/DownloadAdmin.G application    cleaned by deleting - quarantined
C:\Documents and Settings\Ellen\My Documents\downloads\cnet2_Tile3D_51_Setup_en_exe.exe    a variant of Win32/InstallCore.D application    cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.02.2012_14.15.37\mbr0000\tdlfs0000\tsk0006.dta    Win64/Olmasco.W trojan    cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.02.2012_14.15.37\mbr0000\tdlfs0000\tsk0007.dta    Win32/Olmasco.O trojan    cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.02.2012_14.15.37\mbr0000\tdlfs0000\tsk0008.dta    Win64/Olmasco.X trojan    cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.02.2012_14.15.37\mbr0000\tdlfs0000\tsk0009.dta    Win32/Olmasco.O trojan    cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.02.2012_14.15.37\mbr0000\tdlfs0000\tsk0010.dta    Win64/Olmasco.R trojan    cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.02.2012_14.15.37\mbr0000\tdlfs0000\tsk0012.dta    Win64/Olmasco.X trojan    cleaned by deleting - quarantined
 





