virumonde, spysheriff, smitfraud



Petez
2009-12-23, 11:13
Hello,

This is a friend's computer, so I don't know the whole story, and they are not very computer literate, but I'll do my best to fill you in.

History:
The computer ran very slowly... It was scanned a month ago with SS&D, which showed these 3 problems (or possibly remains of previous infections). SS&D was used to fix the problem. Virtumonde was difficult to remove and required several passes, but finally a clear scan was reached.

A month later they all appear to have returned. The same procedure with SS&D was used again to remove them, and show a clean scan. But the computer continues to act sluggishly. I may be able to provide some logs of some of this, but cannot guarantee they are all there.

Current situation:
It was in this condition that I began to try to speed up the system by removing years of junk installations, and old versions of things like flash, JRE, multiple wireless drivers, multiple Works and Office versions, etc... AVGfree 8.5 was installed, but appeared to be corrupt, so I have completely uninstalled it, and will reinstall once this is repaired. This has helped some.

CCleaner has been used on it a number of times, seemingly without causing any problems. No other tools have been used (i.e. ComboFix, etc.).

SS&D loads VERY slowly. The green bars run across the window, then it sits, sometimes for minutes, before finally loading the main screen. It then seems to run normally. I used it to remove a lot of start-up junk, but things still run slow. I suspect Virtumonde may be at the root of the problem.

SS&D showed clear when I started, but that was the case when it was used a month ago, and then this month... then the infections returned. And Malwarebytes also picked up a couple of things that were removed (Trojan.FakeAlert and ultra.PNF (Malware.Trace); I have the log file).

I know it is possible that a user is reinfecting, but they mainly use the computer for email and Facebook, no P2P, gaming, etc... There is no HOSTS file. Bluecoat K9 appears to be running w/o problems. I'm wondering if AVGfree was corrupted by the virus(es), since it seemed to help to remove it. But I want to make sure it has been completely cleaned out before proceeding.

HJT log follows.

Thanks, Pete

----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:28 AM, on 12/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 4374 bytes

km2357
2009-12-29, 20:11
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh HiJackThis log.

Petez
2009-12-29, 21:06
Thank you. I will be able to reply quickly to your instructions.

Pete

----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:39 PM, on 12/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1006.bak\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User '?')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 4740 bytes

km2357
2009-12-30, 06:12
Since you uninstalled AVG 8.5 you'll need to replace it with another Anti-Virus. Here are a couple of free AVs to choose from:

1) Antivir PersonalEdition Classic (http://www.free-av.com/)
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html)

Download and install only one!



Step # 1: Remove Hijackthis Entries


Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.



Step # 2: Download and run DDS

Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.




Step # 3: Download and Run Gmer

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.

GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason until it has 100% completed its scan (or attempted scan, in case of some error, etc.)!

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.
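
The Step 1 triage above (ticking HijackThis entries whose file is gone) can be done mechanically over the posted log. The following is an added example, not code from this thread, from HijackThis or from Safer Networking: it parses the O-lines of a HijackThis 2.0.2 log into structured records and flags entries for review using three heuristics that are this example's own assumptions (orphaned registrations, O4 entries from a user hive HijackThis could not map, and Trusted Zone sites). The sample log is a constructed subset of the entries posted in this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis 2.0.2 O-lines posted in this thread.
SAMPLE_LOG = r'''
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-21-1510816190-2732026810-2266215690-1006.bak\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User '?')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O15 - Trusted Zone: http://www.kaspersky.com
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
'''


@dataclass
class HjtEntry:
    code: str                      # section code: "O2", "O4", "O15", "O23", ...
    kind: str                      # "BHO", "Run", "Global Startup", "Service", ...
    name: str                      # display name / value name (plus CLSID for BHOs)
    target: str                    # file, command or URL the entry points at
    hive: str = ""                 # registry hive for O4 entries (HKLM, HKCU, HKUS\<SID>)
    user: str = ""                 # user HijackThis resolved for an HKUS entry ("?" = unmapped)
    raw: str = ""                  # the original log line, as pasted into a fix list
    flags: list[str] = field(default_factory=list)


LINE_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)")
RUN_RE = re.compile(r"(?P<hive>HK\w+(?:\\S-[^\\]+)?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<target>.*)")
USER_RE = re.compile(r"\s*\(User '(?P<user>[^']*)'\)$")
STARTUP_RE = re.compile(r"Global Startup: (?P<name>.*?) = (?P<target>.*)")
SERVICE_RE = re.compile(r"Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)")
ZONE_RE = re.compile(r"Trusted Zone: (?P<target>.*)")


def parse_hjt(text: str) -> list[HjtEntry]:
    """Turn the O-lines of a HijackThis log into structured entries; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                               # header, process list, blank line
        code, rest = m.groups()
        e = HjtEntry(code=code, kind=rest.split(":", 1)[0], name=rest, target="", raw=line)
        if (b := BHO_RE.fullmatch(rest)):
            e.name, e.target = f"{b['name']} {b['clsid']}", b["target"]
        elif (r := RUN_RE.fullmatch(rest)):
            e.kind, e.hive, e.name, e.target = r["key"], r["hive"], r["name"], r["target"]
            if (u := USER_RE.search(e.target)):    # strip HijackThis' "(User 'x')" annotation
                e.user, e.target = u["user"], e.target[:u.start()]
        elif (s := STARTUP_RE.fullmatch(rest)):
            e.name, e.target = s["name"], s["target"]
        elif (v := SERVICE_RE.fullmatch(rest)):
            e.name, e.target = f"{v['name']} [{v['owner']}]", v["target"]
        elif (z := ZONE_RE.fullmatch(rest)):
            e.target = z["target"]
        entries.append(e)
    return entries


ORPHAN_MARKERS = ("(no file)", "(file missing)")


def triage(entries: list[HjtEntry]) -> list[HjtEntry]:
    """Assign review flags and return only the flagged entries.

    The rules are this example's own heuristics, not verdicts:
      orphan         registration points at a file that no longer exists; the
                     kind of entry Step 1 above asks the user to tick and fix
      unmapped_user  O4 entry read from a user hive HijackThis could not map to a
                     profile (".bak" SID key / User '?'); review by hand
      trusted_zone   a site given IE Trusted Zone privileges; confirm it is intended
    """
    for e in entries:
        flags = []
        if any(mk in e.target for mk in ORPHAN_MARKERS):
            flags.append("orphan")
        if e.code == "O4" and (e.hive.endswith(".bak") or e.user == "?"):
            flags.append("unmapped_user")
        if e.code == "O15":
            flags.append("trusted_zone")
        e.flags = flags                            # reassign, so repeated calls stay idempotent
    return [e for e in entries if e.flags]


def fix_checklist(entries: list[HjtEntry]) -> list[str]:
    """Raw lines a helper could paste as 'put a check beside' items: orphans only."""
    return [e.raw for e in triage(entries) if "orphan" in e.flags]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.code:4} {','.join(e.flags):14} {e.name} -> {e.target}")
```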

Petez
2009-12-30, 09:10
I plan to reinstall AVG free 8.5 once the system is clean (unless you recommend one of the others over it). Since it seemed to be a major cause of slow down, I prefer to wait until the system is running as it should. Is this ok with you, and do you have a recommendation between the 3 AV programs? Also, should I remove the following entry, or does it matter?

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

Logs to follow.

-Pete

----

DDS (Ver_09-12-01.01) - NTFSx86
Run by tech support at 22:18:26.85 on Tue 12/29/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.51 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\tech support\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mWindow Title =
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: System=csgbm.exe
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\usb f5d7050\wireless utility\Belkinwcui.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: kaspersky.com\www
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - hxxp://chat.msn.com/controls/msnchat45.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\techsu~1\applic~1\mozilla\firefox\profiles\gmzgmacl.default\
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-1-13 72992]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2008-11-21 1078560]
S2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;c:\windows\system32\drivers\zpmodemnt.sys [2005-12-29 1792]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [2004-12-21 141990]

=============== Created Last 30 ================

2009-12-28 01:55:23 0 d-----w- c:\program files\Microsoft
2009-12-28 01:47:45 0 d-----w- c:\documents and settings\tech support\Tracing
2009-12-28 01:27:27 53248 ----a-r- c:\windows\system32\InstMed.exe
2009-12-28 01:27:05 6812 ----a-w- c:\windows\system32\lvcoinst.ini
2009-12-28 01:27:05 22016 ----a-w- c:\windows\system32\drivers\LVUSBSta.sys
2009-12-28 01:27:05 211712 ----a-w- c:\windows\system32\drivers\LV561AV.SYS
2009-12-28 01:27:05 106496 ----a-w- c:\windows\system32\lvcoinst.dll
2009-12-28 01:27:04 372736 ----a-w- c:\windows\system32\LVUI2RC.dll
2009-12-28 01:27:03 204800 ----a-w- c:\windows\system32\LVUI2.dll
2009-12-28 01:27:03 204800 ----a-w- c:\windows\system32\lvcodec2.dll
2009-12-23 08:09:06 0 d-----w- c:\docume~1\techsu~1\applic~1\MSNInstaller
2009-12-23 08:06:46 0 d-----w- c:\windows\SxsCaPendDel
2009-12-22 09:33:59 0 d-----w- c:\docume~1\techsu~1\applic~1\Malwarebytes
2009-12-22 09:33:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 09:33:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-22 09:33:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 09:33:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-18 23:11:49 0 ----a-w- c:\windows\VGPLAYER.INI
2009-12-18 23:11:49 0 ----a-w- c:\windows\TRANSPRT.INI
2009-12-18 23:11:19 0 d-----w- c:\documents and settings\tech support\WINDOWS

==================== Find3M ====================

2009-10-29 19:08:22 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 05:38:23 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 05:38:22 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 05:38:22 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 22:19:24.53 ===============


----

ATTACH LOG

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 4/19/2005 5:06:52 PM
System Uptime: 12/27/2009 5:30:58 PM (53 hours ago)

Motherboard: Dell Computer Corp. | | 0F5949
Processor: Intel(R) Celeron(R) CPU 2.40GHz | Microprocessor | 2392/400mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 33 GiB total, 16.749 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP811: 12/11/2009 6:54:02 AM - Avg8 Update
RP812: 12/11/2009 9:16:26 AM - Avg8 Update
RP813: 12/12/2009 9:50:45 AM - System Checkpoint
RP814: 12/18/2009 3:39:43 PM - System Checkpoint
RP815: 12/19/2009 9:29:15 AM - Avg8 Update
RP816: 12/20/2009 9:57:03 AM - System Checkpoint
RP817: 12/21/2009 9:49:24 PM - Software Distribution Service 3.0
RP818: 12/21/2009 10:09:30 PM - Removed ABBYY FineReader 5.0 Sprint Plus
RP819: 12/21/2009 11:43:42 PM - Removed Jasc Paint Shop Photo Album 5
RP820: 12/21/2009 11:49:12 PM - Removed Jasc Paint Shop Pro Studio, Dell Editon
RP821: 12/22/2009 12:15:24 AM - Removed Photo Click
RP822: 12/22/2009 12:20:38 AM - Removed QuickBooks
RP823: 12/22/2009 12:28:35 AM - Removed Microsoft Plus! Digital Media Edition Installer
RP824: 12/22/2009 12:29:09 AM - Removed Microsoft Plus! Photo Story 2 LE
RP825: 12/22/2009 12:30:31 AM - Removed Microsoft Picture It! Premium 10
RP826: 12/22/2009 12:32:13 AM - Removed Microsoft Picture It! Library 10
RP827: 12/22/2009 12:36:18 AM - Removed Microsoft Works Suite Add-in for Microsoft Word
RP828: 12/22/2009 12:40:32 AM - Removed Works Upgrade
RP829: 12/22/2009 12:42:50 AM - Removed Microsoft Works
RP830: 12/22/2009 12:46:39 AM - Removed Microsoft Streets and Trips 2005
RP831: 12/22/2009 9:53:39 AM - Installed Java(TM) 6 Update 17
RP832: 12/22/2009 10:01:05 AM - Avg8 Update
RP833: 12/22/2009 11:59:35 PM - Removed Adobe Reader 6.0.1
RP834: 12/23/2009 12:03:54 AM - Removed Instant Wireless USB Adapter
RP835: 12/23/2009 12:04:46 AM - Removed Macromedia Flash Player
RP836: 12/23/2009 12:05:44 AM - Removed Microsoft Visual C++ 2005 Redistributable
RP837: 12/23/2009 12:07:28 AM - Removed Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
RP838: 12/23/2009 12:58:11 AM - Removed AVG Free 8.5
RP839: 12/23/2009 1:00:50 AM - Installed AVG Free 8.5
RP840: 12/27/2009 6:42:19 PM - System Checkpoint
RP841: 12/28/2009 7:35:16 PM - System Checkpoint
RP842: 12/29/2009 8:35:19 PM - System Checkpoint

==== Installed Programs ======================

Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Belkin Wireless USB Utility
Blue Coat® K9 Web Protection 4.0.288
Broadcom Management Programs
CCleaner
Dell Driver Reset Tool
Dell Photo AIO Printer 922
Dell Picture Studio v3.0
Dell Support Center (Support Software)
Dell System Restore
DellSupport
G15A922EN
Google Earth
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
Java(TM) 6 Update 17
Logitech® Camera Driver
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Encarta Encyclopedia Standard 2005
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Word 2002
Microsoft Works 2005 Setup Launcher
Modem Event Monitor
Mozilla Firefox (3.5.6)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicmatch® Jukebox
OpenOffice.org 2.3
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Segoe UI
Shockwave
Spybot - Search & Destroy
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

12/23/2009 12:55:26 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\AVG\AVG8\avglvex.dll. Reference error message: The operation completed successfully. .
12/23/2009 12:53:36 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\AVG\AVG8\avgtray.exe. Reference error message: The operation completed successfully. .
12/23/2009 12:52:14 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFC. Reference error message: The referenced assembly is not installed on your system. .
12/23/2009 12:52:14 AM, error: SideBySide [59] - Generate Activation Context failed for C:\PROGRA~1\AVG\AVG8\avgtray.exe. Reference error message: The operation completed successfully. .
12/23/2009 12:52:14 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
12/22/2009 2:36:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/22/2009 2:32:03 AM, error: NetBT [4321] - The name "HYSSOP :1d" could not be registered on the Interface with IP address 192.168.1.67. The machine with the IP address 192.168.1.119 did not allow the name to be claimed by this machine.
12/22/2009 12:55:23 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX bckd Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
12/22/2009 12:55:23 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2009 12:55:23 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2009 12:55:23 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2009 12:55:23 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2009 12:55:22 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/22/2009 12:55:13 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/22/2009 12:48:35 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
12/22/2009 12:03:09 AM, error: Service Control Manager [7000] - The ZPMODEMSYSNTDRVNT service failed to start due to the following error: The specified driver is invalid.
12/22/2009 10:39:45 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde

==== End Of File ===========================

----

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-30 00:05:24
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\TECHSU~1\LOCALS~1\Temp\uxroapoc.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF9635760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF8091F80]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip bckd.sys
AttachedDevice \Driver\Tcpip \Device\Tcp bckd.sys
AttachedDevice \Driver\Tcpip \Device\Udp bckd.sys
AttachedDevice \Driver\Tcpip \Device\RawIp bckd.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}@
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}@
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InProcServer32@ %SystemRoot%\system32\SHELL32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InProcServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\TypeLib@ {50a7e9b0-70ef-11d1-b75a-00a0c90564fe}
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ C:\Program Files\Common Files\Microsoft Shared\Works Shared\aw.dll

---- EOF - GMER 1.0.15 ----

km2357
2009-12-30, 20:19
I plan to reinstall AVG free 8.5 once the system is clean (unless you recommend one of the others over it). Since it seemed to be a major cause of slow down, I prefer to wait until the system is running as it should. Is this ok with you and do you have a recommendation between the 3 AV programs?

I have no preference for one AV over the other. You can reinstall AVG if you wish to do so. You can look over the webpages for Avast and Avira and see how they compare to AVG and decide that way. You can also try one of the other ones and see if it is faster than AVG as well. Just giving you some options. :)

You really should have an AV installed at all times. But if you think it will severely hamper what we're doing, then it would be ok to hold off on one for now. But since you don't have an AV, be sure to keep the infected computer offline as much as possible.



Also, should I remove the following entry, or does it matter?

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

Since AVG 8.5 is fully uninstalled you can go ahead and fix that line with HJT. After that is done, go ahead and delete the C:\Program Files\AVG folder, if found.



Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.

Petez
2009-12-31, 00:18
Thanks, I use Avast on systems for older OSs that can't handle AVG. I understand the risks of not having it installed and will reinstall it when we are done. Until then the computer will be off line except to access this forum and sites you designate.

----

ComboFix 09-12-29.06 - tech support 12/30/2009 14:08:13.4.1 - x86
Running from: c:\documents and settings\tech support\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-28 19:21 . 2009-12-28 19:21 -------- d-----w- c:\documents and settings\becki2\Local Settings\Application Data\Mozilla
2009-12-28 19:18 . 2009-12-28 19:37 -------- d-----w- c:\documents and settings\becki2\Tracing
2009-12-28 01:55 . 2009-12-28 01:55 -------- d-----w- c:\program files\Microsoft
2009-12-28 01:47 . 2009-12-28 02:01 -------- d-----w- c:\documents and settings\tech support\Tracing
2009-12-28 01:27 . 2004-10-08 20:46 53248 ----a-r- c:\windows\system32\InstMed.exe
2009-12-28 01:27 . 2004-10-08 12:01 211712 ----a-w- c:\windows\system32\drivers\LV561AV.SYS
2009-12-28 01:27 . 2004-10-08 11:57 22016 ----a-w- c:\windows\system32\drivers\LVUSBSta.sys
2009-12-28 01:27 . 2004-10-08 11:52 106496 ----a-w- c:\windows\system32\lvcoinst.dll
2009-12-28 01:27 . 2004-10-08 12:00 372736 ----a-w- c:\windows\system32\LVUI2RC.dll
2009-12-28 01:27 . 2004-10-08 11:56 204800 ----a-w- c:\windows\system32\LVUI2.dll
2009-12-28 01:27 . 2004-10-08 11:55 204800 ----a-w- c:\windows\system32\lvcodec2.dll
2009-12-23 08:09 . 2009-12-23 08:09 -------- d-----w- c:\documents and settings\tech support\Application Data\MSNInstaller
2009-12-23 08:06 . 2009-12-23 08:34 -------- d-----w- c:\windows\SxsCaPendDel
2009-12-22 17:31 . 2009-12-22 17:31 152576 ----a-w- c:\documents and settings\tech support\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-22 17:25 . 2009-12-22 17:25 79488 ----a-w- c:\documents and settings\tech support\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-22 09:33 . 2009-12-22 09:33 -------- d-----w- c:\documents and settings\tech support\Application Data\Malwarebytes
2009-12-22 09:33 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 09:33 . 2009-12-22 09:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-22 09:33 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 09:33 . 2009-12-22 09:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-18 23:11 . 2009-12-18 23:11 -------- d-----w- c:\documents and settings\tech support\WINDOWS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 19:15 . 2009-12-28 19:15 -------- d--h--w- c:\documents and settings\becki2\Application Data\GTek
2009-12-28 01:32 . 2009-01-30 23:30 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2009-12-28 01:26 . 2005-09-12 03:09 -------- d-----w- c:\program files\Common Files\Logitech
2009-12-23 09:00 . 2009-01-17 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-23 08:44 . 2007-09-23 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-23 08:04 . 2005-04-14 19:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-22 17:55 . 2007-09-29 18:21 -------- d-----w- c:\program files\Java
2009-12-22 08:27 . 2007-06-06 04:08 -------- d-----w- c:\program files\Textbook Edition
2009-12-22 08:25 . 2005-04-14 19:33 -------- d-----w- c:\program files\Common Files\Intuit
2009-12-01 01:24 . 2005-04-22 23:52 -------- d-----w- c:\program files\Dl_cats
2009-11-15 02:35 . 2005-05-07 20:32 -------- d-----w- c:\program files\Greetings Workshop
2009-11-15 02:35 . 2005-09-10 04:50 -------- d-----w- c:\program files\Google
2009-11-15 02:34 . 2008-02-02 01:42 -------- d-----w- c:\program files\Inspiration 7.6 Trial
2009-11-13 03:35 . 2007-09-23 21:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-29 05:38 . 2004-08-04 10:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 10:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 10:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 10:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 12:17 . 2008-12-14 21:19 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-10 69632]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2006-11-3 1585152]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 18:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 17:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 17:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 15:59 126976 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 15:59 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSCD_Creator]
2004-10-31 10:21 408576 ----a-w- c:\dell\PREODM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-04-14 19:31 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-04-14 19:31 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 19:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 bckd;bckd;c:\windows\SYSTEM32\DRIVERS\bckd.sys [1/13/2009 3:39 PM 72992]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [11/21/2008 2:09 PM 1078560]
S2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;c:\windows\SYSTEM32\DRIVERS\zpmodemnt.sys [12/29/2005 1:44 AM 1792]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\SYSTEM32\DRIVERS\m4301A.sys [12/21/2004 3:16 PM 141990]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - UXROAPOC
*Deregistered* - uxroapoc
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
mWindow Title =
mSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: kaspersky.com\www
FF - ProfilePath - c:\documents and settings\tech support\Application Data\Mozilla\Firefox\Profiles\gmzgmacl.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 14:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'winlogon.exe'(3300)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2009-12-30 14:36:02
ComboFix-quarantined-files.txt 2009-12-30 22:35
ComboFix2.txt 2007-10-03 18:21

Pre-Run: 17,974,788,096 bytes free
Post-Run: 18,223,640,576 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 9B924E30B4778D6EA53E29BB4D04EFB2
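The orphaned O2 entry km2357 asked to be fixed above, the four GMER AttachedDevice lines naming bckd.sys on the TCP/IP device stack, the R1/R2/S2/S3 service lines in the ComboFix log just above and the Service Control Manager 7026 event earlier in the thread are the kind of load-point evidence a helper cross-checks by hand. As an added example, not part of this thread and not code from HijackThis, DDS, GMER or ComboFix, the Python script below does that cross-check offline over the posted lines (copied in as constructed input): it flags BHO registrations whose DLL is missing (a CLSID that still names a path Internet Explorer will load from if a file reappears there), maps each GMER-attached driver file back to the service entry whose binary has that name, lists boot/system/auto-start services DDS shows as stopped, and splits the driver names in the 7026 event into those with a posted service entry and those without (DDS hides default Windows entries, so "not listed" is not "suspicious"). The R/S running-or-stopped prefix and the start-type digit are how DDS prints service lines; the sample data, function names and the output layout are this example's own assumptions.

```python
"""Offline triage of HijackThis / GMER / DDS / Event Viewer lines.

Added example for this thread; not part of any of those tools. The sample
lines below are copied from the logs posted in the thread and serve as
constructed input, so nothing here touches a live system.
"""
import re
from collections import namedtuple

HJT_LINES = [
    r"O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)",
]
GMER_LINES = [
    r"AttachedDevice \Driver\Tcpip \Device\Ip bckd.sys",
    r"AttachedDevice \Driver\Tcpip \Device\Tcp bckd.sys",
    r"AttachedDevice \Driver\Tcpip \Device\Udp bckd.sys",
    r"AttachedDevice \Driver\Tcpip \Device\RawIp bckd.sys",
]
DDS_LINES = [
    r"R1 bckd;bckd;c:\windows\SYSTEM32\DRIVERS\bckd.sys [1/13/2009 3:39 PM 72992]",
    r"R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [11/21/2008 2:09 PM 1078560]",
    r"S2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;c:\windows\SYSTEM32\DRIVERS\zpmodemnt.sys [12/29/2005 1:44 AM 1792]",
    r"S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\SYSTEM32\DRIVERS\m4301A.sys [12/21/2004 3:16 PM 141990]",
]
EVENT_LINES = [
    "12/22/2009 12:55:23 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX bckd Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip",
]

Service = namedtuple("Service", "running start name display path")

# DDS service line: R/S = running/stopped, digit = start type
# (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), then name;display;path [date size]
SVC_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[.*\]$")
# GMER: AttachedDevice <owning driver object> <device> <attached driver file>
ATTACH_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)$")
# HijackThis O2: name - {CLSID} - path, optionally followed by "(file missing)"
O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+?)( \(file missing\))?$")
# Service Control Manager event 7026 lists the driver names that failed to load
EVT7026_RE = re.compile(r"Service Control Manager \[7026\] - .*?failed to load:\s*(.+)$")


def parse_services(lines):
    """Index DDS/ComboFix service lines by lower-cased service name."""
    services = {}
    for line in lines:
        m = SVC_RE.match(line.strip())
        if m:
            rs, start, name, display, path = m.groups()
            services[name.lower()] = Service(rs == "R", int(start), name, display, path)
    return services


def orphaned_bhos(lines):
    """CLSIDs of O2 entries whose DLL HijackThis could not find: dead registrations
    that still tell Internet Explorer where to load from if a file shows up there."""
    return [m.group(2) for m in (O2_RE.match(l.strip()) for l in lines) if m and m.group(4)]


def attached_device_owners(lines, services):
    """For each driver file GMER shows attached to a device, collect the devices and
    the registered service (if any) whose binary has that file name."""
    by_file = {s.path.rsplit("\\", 1)[-1].lower(): s.name for s in services.values()}
    owners = {}
    for line in lines:
        m = ATTACH_RE.match(line.strip())
        if m:
            _owner, device, driver = m.groups()
            entry = owners.setdefault(driver, {"devices": [], "service": by_file.get(driver.lower())})
            entry["devices"].append(device)
    return owners


def stalled_autostart(services):
    """Boot/system/auto-start services that DDS reports as stopped."""
    return sorted(s.name for s in services.values() if not s.running and s.start <= 2)


def failed_boot_drivers(lines, services):
    """Driver names from event 7026, split into those matching a listed service and
    the rest (DDS hides default Windows entries, so unlisted is not the same as unknown)."""
    names = []
    for line in lines:
        m = EVT7026_RE.search(line)
        if m:
            names.extend(m.group(1).split())
    listed = sorted({n for n in names if n.lower() in services})
    unlisted = sorted({n for n in names if n.lower() not in services})
    return listed, unlisted


def triage(hjt, gmer, dds, events):
    """Run every check and return one dict an analyst can read or assert on."""
    services = parse_services(dds)
    listed, unlisted = failed_boot_drivers(events, services)
    return {
        "orphaned_bhos": orphaned_bhos(hjt),
        "attached": attached_device_owners(gmer, services),
        "stalled_autostart": stalled_autostart(services),
        "failed_boot_listed": listed,
        "failed_boot_unlisted": unlisted,
    }


if __name__ == "__main__":
    for key, value in triage(HJT_LINES, GMER_LINES, DDS_LINES, EVENT_LINES).items():
        print(f"{key}: {value}")
```

Run against the posted lines it reports bckd.sys, attached to \Device\Ip, Tcp, Udp and RawIp, as the binary of the running R1 service "bckd", which sits beside the running R2 "bckwfs" Blue Coat K9 Web Protection service; ZPMODEMSYSNTDRVNT as an auto-start entry that is not running (the 7000 event earlier in the thread already says its driver is invalid); and bckd as the only 7026 name with a non-default service entry in the log. The script only correlates; whether bckd.sys really ships with K9 is for the analyst to confirm against the vendor's installation.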

km2357
2009-12-31, 04:41
Step # 1 Run CCleaner

CCleaner will remove everything from the temp/temporary folders but please note that it will not make backups!


Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 24 hours
Then select the items you wish to clean up.

In the Windows Tab:

Clean all entries in the Internet Explorer section except Cookies
Clean all the entries in the Windows Explorer section
Clean all entries in the System section
Clean all entries in the Advanced section
Clean any others that you choose

In the Applications Tab:

Clean all except cookies in the Firefox/Mozilla section if you use it
Clean all in the Opera section if you use it
Clean Sun Java in the Internet Section
Clean any others that you choose

Click the Run Cleaner button.
A pop up box will appear advising this process will permanently delete files from your system.
Click OK and it will scan and clean your system.
Click exit when done.
If it asks you to reboot at the end, click NO



Step # 2 Run Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:

Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.


In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. A fresh DDS Log

Petez
2009-12-31, 18:45
Ran CCleaner.
All went normally.

Ran Malwarebytes scan.
Two items found, moved, and required reboot to complete. I rebooted immediately, before anything else was done. The items were connected with user nora, but I had run a MWB complete system scan on 12/29 and it was completely clean. Before that, on 12/22 I had run a quick scan and it had removed Ultra from user becki. I am the only person using this computer during this time. I have logged in as both of those users, as well as a third account, doing work on it, but have not been on the internet from any of the accounts except to deal with this problem. If I am to assume that the nora infection of ultra did not exist until one or two days ago, then it must be reinfecting... do you have an idea where to look? I will do some research from a protected computer on that particular infection. I will also install one of the AV packages today, in case that will help.

Ran DDS.
Reports attached...

----


DDS (Ver_09-12-01.01) - NTFSx86
Run by tech support at 9:34:44.20 on Thu 12/31/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.78 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\tech support\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
mWindow Title =
mSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\usb f5d7050\wireless utility\Belkinwcui.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: kaspersky.com\www
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - hxxp://chat.msn.com/controls/msnchat45.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\techsu~1\applic~1\mozilla\firefox\profiles\gmzgmacl.default\
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-1-13 72992]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2008-11-21 1078560]
S2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;c:\windows\system32\drivers\zpmodemnt.sys [2005-12-29 1792]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [2004-12-21 141990]

=============== Created Last 30 ================

2009-12-30 22:04:24 0 d-sha-r- C:\cmdcons
2009-12-30 21:56:20 77312 ----a-w- c:\windows\MBR.exe
2009-12-30 21:56:19 98816 ----a-w- c:\windows\sed.exe
2009-12-30 21:56:19 261632 ----a-w- c:\windows\PEV.exe
2009-12-30 21:56:19 161792 ----a-w- c:\windows\SWREG.exe
2009-12-28 01:55:23 0 d-----w- c:\program files\Microsoft
2009-12-28 01:47:45 0 d-----w- c:\documents and settings\tech support\Tracing
2009-12-28 01:31:57 1206272 ----a-w- c:\windows\system32\drivers\lvsvf2.sys
2009-12-28 01:27:27 53248 ----a-r- c:\windows\system32\InstMed.exe
2009-12-28 01:27:05 6812 ----a-w- c:\windows\system32\lvcoinst.ini
2009-12-28 01:27:05 22016 ----a-w- c:\windows\system32\drivers\LVUSBSta.sys
2009-12-28 01:27:05 211712 ----a-w- c:\windows\system32\drivers\LV561AV.SYS
2009-12-28 01:27:05 106496 ----a-w- c:\windows\system32\lvcoinst.dll
2009-12-28 01:27:04 372736 ----a-w- c:\windows\system32\LVUI2RC.dll
2009-12-28 01:27:03 204800 ----a-w- c:\windows\system32\LVUI2.dll
2009-12-28 01:27:03 204800 ----a-w- c:\windows\system32\lvcodec2.dll
2009-12-23 08:09:06 0 d-----w- c:\docume~1\techsu~1\applic~1\MSNInstaller
2009-12-23 08:06:46 0 d-----w- c:\windows\SxsCaPendDel
2009-12-22 09:33:59 0 d-----w- c:\docume~1\techsu~1\applic~1\Malwarebytes
2009-12-22 09:33:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 09:33:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-22 09:33:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 09:33:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-18 23:11:49 0 ----a-w- c:\windows\VGPLAYER.INI
2009-12-18 23:11:49 0 ----a-w- c:\windows\TRANSPRT.INI
2009-12-18 23:11:19 0 d-----w- c:\documents and settings\tech support\WINDOWS

==================== Find3M ====================

2009-10-29 19:08:22 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 05:38:23 667136 ------w- c:\windows\system32\wininet.dll
2009-10-29 05:38:23 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 05:38:22 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 05:38:22 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 9:35:29.70 ===============

----


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 4/19/2005 5:06:52 PM
System Uptime: 12/31/2009 9:21:41 AM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0F5949
Processor: Intel(R) Celeron(R) CPU 2.40GHz | Microprocessor | 2392/400mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 33 GiB total, 17.854 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP823: 12/22/2009 12:28:35 AM - Removed Microsoft Plus! Digital Media Edition Installer
RP824: 12/22/2009 12:29:09 AM - Removed Microsoft Plus! Photo Story 2 LE
RP825: 12/22/2009 12:30:31 AM - Removed Microsoft Picture It! Premium 10
RP826: 12/22/2009 12:32:13 AM - Removed Microsoft Picture It! Library 10
RP827: 12/22/2009 12:36:18 AM - Removed Microsoft Works Suite Add-in for Microsoft Word
RP828: 12/22/2009 12:40:32 AM - Removed Works Upgrade
RP829: 12/22/2009 12:42:50 AM - Removed Microsoft Works
RP830: 12/22/2009 12:46:39 AM - Removed Microsoft Streets and Trips 2005
RP831: 12/22/2009 9:53:39 AM - Installed Java(TM) 6 Update 17
RP832: 12/22/2009 10:01:05 AM - Avg8 Update
RP833: 12/22/2009 11:59:35 PM - Removed Adobe Reader 6.0.1
RP834: 12/23/2009 12:03:54 AM - Removed Instant Wireless USB Adapter
RP835: 12/23/2009 12:04:46 AM - Removed Macromedia Flash Player
RP836: 12/23/2009 12:05:44 AM - Removed Microsoft Visual C++ 2005 Redistributable
RP837: 12/23/2009 12:07:28 AM - Removed Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
RP838: 12/23/2009 12:58:11 AM - Removed AVG Free 8.5
RP839: 12/23/2009 1:00:50 AM - Installed AVG Free 8.5
RP840: 12/27/2009 6:42:19 PM - System Checkpoint
RP841: 12/28/2009 7:35:16 PM - System Checkpoint
RP842: 12/29/2009 8:35:19 PM - System Checkpoint
RP843: 12/31/2009 4:06:20 AM - System Checkpoint

==== Installed Programs ======================

Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Belkin Wireless USB Utility
Blue Coat® K9 Web Protection 4.0.288
Broadcom Management Programs
CCleaner
Dell Driver Reset Tool
Dell Photo AIO Printer 922
Dell Picture Studio v3.0
Dell Support Center (Support Software)
Dell System Restore
DellSupport
G15A922EN
Google Earth
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
Java(TM) 6 Update 17
Logitech® Camera Driver
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Encarta Encyclopedia Standard 2005
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Word 2002
Microsoft Works 2005 Setup Launcher
Modem Event Monitor
Mozilla Firefox (3.5.6)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicmatch® Jukebox
OpenOffice.org 2.3
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Segoe UI
Shockwave
Spybot - Search & Destroy
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

12/31/2009 9:23:01 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
12/27/2009 5:31:37 PM, error: Service Control Manager [7000] - The ZPMODEMSYSNTDRVNT service failed to start due to the following error: The specified driver is invalid.

==== End Of File ===========================

Petez
2009-12-31, 18:46
Forgot the MWB log, sorry..

Malwarebytes' Anti-Malware 1.43
Database version: 3462
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/31/2009 9:17:55 AM
mbam-log-2009-12-31 (09-17-54).txt

Scan type: Quick Scan
Objects scanned: 160155
Time elapsed: 2 hour(s), 11 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\nora\Application Data\ultra (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\nora\Application Data\ultra\uninstall.bat (Rogue.Multiple) -> Quarantined and deleted successfully.

km2357
2009-12-31, 19:38
Your reply in Post #9 of the thread was spaced out, making it hard to read. Make sure you have Word Wrap off when posting from Notepad/Wordpad etc. Thanks. :)



If I am to assume that the nora infection of ultra did not exist until one or two days ago, then it must be reinfecting... do you have an idea where to look?

I did some research into Ultra and found this:

http://www.threatexpert.com/report.aspx?uid=1102797a-5b72-49ec-9c33-a793c7e92376

It looks to be part of a program called Ultra Soft. I didn't see it in the Add/Remove Programs list in the Attach.txt. Does it sound familiar to you at all? Did you run into it while cleaning the computer prior to coming to Safer Networking?

We'll do a registry search for Ultra soft in this post. The reason why Malware Bytes' Anti-Malware didn't find it with Nora at first is that something may have been blocking MBAM from finding it. It looks like ComboFix took care of the problem, allowing MalwareBytes' to remove the Ultra folder. :)



I will also install one of the AV packages today.

Sounds good. :) Go ahead and do a scan with that AV and let me know if it finds anything.


Run Registry Search by Bobbi Flekman

Download Bobbi Flekman's RegSearch from
http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip

Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch. Extract all the files from the zip archive into that folder.

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
Copy / Paste the following line into the Search Box:

Ultra soft

then hit Ok

After completion Notepad will be opened with all the found instances of the strings. The resulting file is saved in the same location as RegSearch.exe.
Post the results of RegSearch.txt.

Petez
2009-12-31, 21:29
Thanks for the info.

I have installed Antivir. The initial scan it does was clean. I will do a full scan and let you know if it finds anything. I doubt it will at this point, so let's continue on.

FYI: I have also removed and reinstalled the Belkin wireless adaptor driver/software, as it never operated correctly. Possibly part of the install was blocked by malware. It also installed Adobe Reader 7.0 (I will check for updates on that). I had previously removed several Adobe readers and planned to download the most recent when needed.

As for Ultra Soft... I *might* remember uninstalling it, since it was unknown to me. Further, it *might* have been one of the uninstalls that failed, and then I manually removed the reference to it. But, MWB *did* detect it for user becki, just not nora. You are probably right about ComboFix allowing it by fixing something with user nora.

I have also installed Skype to make sure it will work well with the AV software. Looks fine. :)

Registry appears clean of Ultra Soft entries:

----


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 12/31/2009 12:03:46 PM for strings:
; 'ultra soft'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

Petez
2010-01-01, 01:18
Antivir full system scan found 2 issues. Both files are in system restore, so I am not concerned.

Everything seems well now. If you don't have anything more to check I would think it's time to clear out the restore points and be done.

Here's the Antivir log:

----

Avira AntiVir Personal
Report file date: Thursday, December 31, 2009 15:08

Scanning for 1492539 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : DGYMK871

Version information:
BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 19:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 18:30:35
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 18:30:36
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 18:30:36
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 18:30:36
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 18:30:36
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 18:30:37
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 18:30:37
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 18:30:37
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 18:30:37
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 18:30:37
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 18:30:38
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 18:30:38
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 18:30:41
VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 18:30:44
VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/2009 18:30:47
VBASE016.VDF : 7.10.1.224 183296 Bytes 12/14/2009 18:30:50
VBASE017.VDF : 7.10.1.247 182272 Bytes 12/15/2009 18:30:53
VBASE018.VDF : 7.10.2.30 198144 Bytes 12/21/2009 18:30:56
VBASE019.VDF : 7.10.2.63 187392 Bytes 12/24/2009 18:30:59
VBASE020.VDF : 7.10.2.93 195072 Bytes 12/29/2009 18:31:02
VBASE021.VDF : 7.10.2.94 2048 Bytes 12/29/2009 18:31:02
VBASE022.VDF : 7.10.2.95 2048 Bytes 12/29/2009 18:31:02
VBASE023.VDF : 7.10.2.96 2048 Bytes 12/29/2009 18:31:03
VBASE024.VDF : 7.10.2.97 2048 Bytes 12/29/2009 18:31:03
VBASE025.VDF : 7.10.2.98 2048 Bytes 12/29/2009 18:31:03
VBASE026.VDF : 7.10.2.99 2048 Bytes 12/29/2009 18:31:03
VBASE027.VDF : 7.10.2.100 2048 Bytes 12/29/2009 18:31:03
VBASE028.VDF : 7.10.2.101 2048 Bytes 12/29/2009 18:31:04
VBASE029.VDF : 7.10.2.102 2048 Bytes 12/29/2009 18:31:04
VBASE030.VDF : 7.10.2.103 2048 Bytes 12/29/2009 18:31:04
VBASE031.VDF : 7.10.2.110 77312 Bytes 12/31/2009 18:31:05
Engineversion : 8.2.1.122
AEVDF.DLL : 8.1.1.2 106867 Bytes 11/8/2009 15:38:52
AESCRIPT.DLL : 8.1.3.4 586105 Bytes 12/31/2009 18:31:34
AESCN.DLL : 8.1.3.0 127348 Bytes 12/31/2009 18:31:31
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 15:38:44
AERDL.DLL : 8.1.3.4 479605 Bytes 12/31/2009 18:31:30
AEPACK.DLL : 8.2.0.3 422261 Bytes 11/8/2009 15:38:40
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 15:38:38
AEHEUR.DLL : 8.1.0.189 2195833 Bytes 12/31/2009 18:31:26
AEHELP.DLL : 8.1.9.0 237943 Bytes 12/31/2009 18:31:12
AEGEN.DLL : 8.1.1.82 369014 Bytes 12/31/2009 18:31:10
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 15:38:26
AECORE.DLL : 8.1.9.1 180598 Bytes 12/31/2009 18:31:07
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 15:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 23:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 20:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Thursday, December 31, 2009 15:08

Starting search for hidden objects.
'47335' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'LVCOMSX.EXE' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'fxssvc.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sprtsvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'k9filter.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
28 processes with 28 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '54' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP832\A0066830.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP842\A0069576.exe
[DETECTION] Contains recognition pattern of the APPL/NirCmd.3 application

Beginning disinfection:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP832\A0066830.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
[NOTE] The file was moved to '4b6d3e03.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP842\A0069576.exe
[DETECTION] Contains recognition pattern of the APPL/NirCmd.3 application
[NOTE] The file was moved to '4a196c7c.qua'!


End of the scan: Thursday, December 31, 2009 16:12
Used time: 52:35 Minute(s)

The scan has been done completely.

7285 Scanned directories
239683 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
239679 Files not concerned
9517 Archives were scanned
2 Warnings
4 Notes
47335 Objects were scanned with rootkit scan
0 Hidden objects were found
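The two Antivir hits above both sit under System Volume Information, which is why the poster treats them as harmless until a restore point is used. As an added example (not part of this thread, nor of Avira's software or any tool the helpers used), here is a small Python parser for the AntiVir report layout posted above that sorts each "[DETECTION]" by whether the file is an old System Restore snapshot or a live file, and records whether AntiVir managed to quarantine it. The sample report reuses the two hits from the log and adds one constructed live-path hit (placeholder path and signature name) so both buckets are exercised.

```python
"""Sort Avira AntiVir report detections by where the flagged file lives.

Added example for this thread, not part of Avira's software or of any tool the
helpers used. The parser follows the report layout posted above: a file path on
its own line, followed by indented "[DETECTION] ..." and "[NOTE] ..." lines, with
every hit listed once in the file scan and again under "Beginning disinfection".
"""
import re
from dataclasses import dataclass
from typing import Optional

# A path line: drive letter, colon, backslash, rest of the path.
PATH_RE = re.compile(r"^\s*([A-Za-z]:\\.*?)\s*$")
# Files inside System Restore snapshots live under this directory layout.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE
)
DETECTION_RE = re.compile(r"^\s*\[DETECTION\]\s+Contains recognition pattern of the (\S+)")
MOVED_RE = re.compile(r"^\s*\[NOTE\]\s+The file was moved to '([^']+)'")


@dataclass
class Detection:
    path: str
    signature: str
    location: str                      # "restore_point" or "live"
    quarantine_file: Optional[str] = None


def parse_report(text: str):
    """Return one Detection per flagged path, in the order first seen."""
    found = {}
    current_path = None
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            current_path = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m and current_path is not None:
            location = "restore_point" if RESTORE_RE.search(current_path) else "live"
            # The disinfection section repeats each hit; keep the first record.
            found.setdefault(current_path, Detection(current_path, m.group(1), location))
            continue
        m = MOVED_RE.match(line)
        if m and current_path in found:
            found[current_path].quarantine_file = m.group(1)
    return list(found.values())


def summarize(detections):
    """Counts per location plus the paths AntiVir did not manage to quarantine."""
    return {
        "restore_point": sum(1 for d in detections if d.location == "restore_point"),
        "live": sum(1 for d in detections if d.location == "live"),
        "not_quarantined": [d.path for d in detections if d.quarantine_file is None],
    }


# Sample report: the two hits from the log posted above, plus one constructed
# live-path hit (path and signature name are placeholders, not real detections)
# so that both buckets are exercised.
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\hiberfil.sys
  [WARNING] The file could not be opened!
  [NOTE] This file is a Windows system file.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP832\A0066830.exe
  [DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP842\A0069576.exe
  [DETECTION] Contains recognition pattern of the APPL/NirCmd.3 application
C:\Documents and Settings\sampleuser\Application Data\constructed\suspect.exe
  [DETECTION] Contains recognition pattern of the TR/Constructed.Sample Trojan

Beginning disinfection:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP832\A0066830.exe
  [DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
  [NOTE] The file was moved to '4b6d3e03.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP842\A0069576.exe
  [DETECTION] Contains recognition pattern of the APPL/NirCmd.3 application
  [NOTE] The file was moved to '4a196c7c.qua'!
C:\Documents and Settings\sampleuser\Application Data\constructed\suspect.exe
  [DETECTION] Contains recognition pattern of the TR/Constructed.Sample Trojan
"""

if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    for d in hits:
        state = "quarantined as " + d.quarantine_file if d.quarantine_file else "NOT quarantined"
        print(f"{d.location:14} {d.signature:24} {state}\n    {d.path}")
    print(summarize(hits))
```

Run it as a script and it lists each hit with its bucket and quarantine state. A restore-point hit that was moved to a .qua file is exactly the case the poster dismisses; a "live" hit, or anything left in the not_quarantined list, is what a helper would want to see in the next reply before calling the machine clean.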

km2357
2010-01-01, 06:49
Everything seems well now. If you don't have anything more to check I would think it's time to clear out the restore points and be done.

Good to hear that everything seems to be running well. :) I'd like for you to do one final scan before we finish up.



It also installed Adobe Reader 7.0 (I will check for updates on that). I had previously removed several Adobe readers and planned to download the most recent when needed.

The latest version of Adobe Reader is 9.2.0


Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)


First, go to Add/Remove Programs and uninstall Adobe Reader 7.0.
Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

Note: Adobe 9.2.0 is a large program and if you prefer a smaller program you can get Foxit 3.1.4 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

If you decide to install Foxit 3.1.4 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay



Step # 2: Run Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

Petez
2010-01-02, 05:10
I already updated to Adobe 9.2.0 but thanks for making sure.

KAV was clean. :) log to follow. (And I was THRILLED to see that KAV doesn't require IE anymore!)

I will remove previous system restore points and set one for today.

I think we a good to go now. Thanks so much KM!

-Pete

----

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, January 1, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, January 01, 2010 22:24:11
Records in database: 3400162
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 56706
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:52:13

No threats found. Scanned area is clean.

Selected area has been scanned.

km2357
2010-01-02, 07:55
Since there are no more problems, you are good to go. :)

The computer has a really old version of IE installed. You should upgrade IE to at least IE 7.


You can delete the following off of the computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
The GMER Log
RegSearch.zip
The C:\RegSearch folder
The RegSearch Log


To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK

Empty your Recycle Bin.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure
This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked please check Hide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary Uncheck Hide file extensions for known file types.
Click OK

Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Update Site Frequently - It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html). If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button on the task bar at the bottom of your screen. Click run. In the dialog box, type services.msc and hit enter, then locate dns client. Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click OK.
Use an alternative instant messenger program: Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/). These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or Opera (http://www.opera.com/download/).
If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.
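The hosts-file advice in the post above cuts both ways: a blocklist such as the MVPS file only ever points names at 127.0.0.1 or 0.0.0.0, while malware that tampers with the hosts file typically does the opposite, sending an update or security-vendor domain somewhere else, or pinning it to loopback so the product can no longer update. As an added example (not part of this thread, nor of the MVPS hosts project or any tool used above), the Python below parses a hosts file and separates ordinary blocking entries from redirects, and flags any mention of a caller-supplied watchlist of domains that a clean hosts file has no reason to contain. The sample file and the watchlist are constructed; the 203.0.113.5 address is from the RFC 5737 documentation range and stands in for an attacker-controlled host.

```python
"""Audit a Windows hosts file for blocking entries versus redirects.

Added example for this thread; it is not part of the MVPS hosts project or of any
tool used above. Blocklist-style files only point names at loopback or 0.0.0.0;
any other target is a redirect, and any mention of an update or vendor domain
(whatever it is mapped to) is a sign of tampering. The watchlist is hypothetical.
"""
import ipaddress


def parse_hosts(text: str):
    """Return (ip_address, [hostnames]) for each well-formed, non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # skip lines that are not "<ip> <names>"
        entries.append((ip, [name.lower() for name in parts[1:]]))
    return entries


def audit_hosts(text: str, watchlist=()):
    """Classify every name in the hosts file.

    blocked        - names sent to loopback or 0.0.0.0 (what a blocklist does)
    redirected     - names sent anywhere else, as (name, ip) pairs
    watchlist_hits - watchlist names present in the file at all, as (name, ip)
    localhost_ok   - a loopback entry for "localhost" is present
    """
    watch = {name.lower() for name in watchlist}
    report = {"blocked": [], "redirected": [], "watchlist_hits": [], "localhost_ok": False}
    for ip, names in parse_hosts(text):
        for name in names:
            if name == "localhost" and ip.is_loopback:
                report["localhost_ok"] = True
                continue
            if ip.is_loopback or ip.is_unspecified:
                report["blocked"].append(name)
            else:
                report["redirected"].append((name, str(ip)))
            if name in watch:
                report["watchlist_hits"].append((name, str(ip)))
    return report


# Constructed sample in the MVPS layout. 203.0.113.5 is an RFC 5737
# documentation address standing in for an attacker-controlled host.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # blocked by the blocklist
203.0.113.5 update.microsoft.com      # constructed: update domain sent elsewhere
127.0.0.1 www.example-av.test         # constructed: vendor-style name pinned to loopback
"""

# Hypothetical watchlist: domains a clean hosts file has no business mentioning.
WATCHLIST = ("update.microsoft.com", "www.example-av.test")

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS, WATCHLIST)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real machine you would read `%SystemRoot%\system32\drivers\etc\hosts` and pass its text to `audit_hosts`. A long `blocked` list is expected after installing the MVPS file; anything in `redirected` or `watchlist_hits` is what to look at, and a missing `localhost` entry is worth restoring.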

Petez
2010-01-02, 22:59
Thank you very much!

IE is not used, but I will take care of it.

Removed all you recommended. The only difference is that ComboFix was on the desktop not the root of C:. I noticed some ComboFix log files in C:\, so I moved the EXE to the C:\ and ran uninstall from there. It said it was removed. The log files remained, so I deleted them also. Let me know if there is a problem. Otherwise feel free to close the thread, with my thanks!

Pete

km2357
2010-01-03, 05:09
There's no problem. :)

You're welcome. I'm glad I was able to help you out. :)

Good luck and safe surfing!