BOT/Virus Warnings From DSL Provider
My first post so please bear with me. Over the last month I have been receiving warnings from my DSL provider that they are seeing indications of a virus on my home network (three computers, 2 wireless). I have run multiple scans using freeware (MS Security Essentials) without finding any infections.
After the last occurrence, I talked with the DSL providers tech support and was advised that I have Bots? I then installed AVG free 9.0 and Spybot S&D and rescanned. There were some finds but nothing I thought particularly malicious, just tracking cookies etc.
The ISP provider was insisting that I take my computers to a 'professional' to have them checked, before they would restore my internet connection. I was able to convince them to allow internet access for one week, while I pursued removal of the supposed 'bots' on my own.
Although it is possible that AVG and Spybot have removed the offending critters, I am not 100% sure. So, below is the HJT log from the computer (of the three) I would most suspect as being infected. It is the most used for internet surfing, and seems to be the slug of the group. Running Spybot on this machine takes 5-10 min just to load, whereas the other computers load in less than 1 minute.
All computers use Firefox as their web browser.
I have read the 'before you post' thread and hope I have followed all the instructions.
Thanks for any help you can provide.
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:47:44 PM, on 2/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/ifps/MapClick.php?MapType=3&site=MPX&CiTemplate=1&map.x=189&map.y=153
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Zoom\Adsl\dslagent.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247796145640
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 8189 bytes
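As an added triage aid for reading HijackThis logs like the one above (my own example code, not part of HijackThis or this thread), the following Python groups the R/O entries by section and flags the patterns a helper checks by hand first: entries pointing at a missing file, entries with no target at all, and O4 Run entries that name a bare executable with no directory. The embedded sample is a subset of the log above; a flag means "verify this file", not "this is malware".

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread; not part of HijackThis or the forum's own
tooling. Parses the 'Rnn'/'Onn' entries of an HJT log, groups them by
section, and flags entries worth a manual look. A flag is a prompt to
verify the file, not a verdict.
"""
import re
from dataclasses import dataclass, field

# Every HJT finding line starts with a section tag such as "R0 - " or "O23 - ".
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")

# Sample taken from the HJT log posted above (only a subset of its lines).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""


@dataclass
class Entry:
    section: str                    # e.g. "O4", "O20"
    body: str                       # text after "O4 - "
    flags: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Return the R/O entries of an HJT log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def summarize(entries: list) -> dict:
    """Count entries per HJT section, e.g. {"O2": 1, "O4": 5, ...}."""
    counts = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return dict(sorted(counts.items()))


def _o4_target(body: str) -> str:
    """Extract the launched file from an O4 body.

    Handles the three shapes seen in HJT output:
      HKLM\\..\\Run: [Name] "C:\\dir\\x.exe" /arg
      HKLM\\..\\Run: [Name] x.exe /arg
      Startup: Some.lnk = C:\\dir\\x.exe
    """
    if ": " not in body:
        return ""
    rest = body.split(": ", 1)[1]
    rest = re.sub(r"^\[[^\]]*\]\s*", "", rest)            # drop the [Name] part
    if " = " in rest and rest.split(" = ", 1)[0].lower().endswith(".lnk"):
        rest = rest.split(" = ", 1)[1]                     # shortcut -> target
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]                   # quoted full path
    return rest.split(" ", 1)[0]                           # first token


def triage(entries: list) -> list:
    """Attach flags to entries and return only the flagged ones."""
    for e in entries:
        body = e.body.rstrip()
        if "(file missing)" in body or "(no file)" in body:
            e.flags.append("file missing")      # stale or removed autostart
        if body.endswith(" -"):
            e.flags.append("no target")         # CLSID registered, nothing behind it
        if e.section == "O4":
            target = _o4_target(body)
            # A bare name is resolved through the search path at logon, so the
            # file actually run should be located and checked by hand.
            if target and "\\" not in target:
                e.flags.append("bare name")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print("entries per section:", summarize(found))
    for e in triage(found):
        print(f"{e.section}: {e.body}  <- {', '.join(e.flags)}")
```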
shelf life
2010-02-28, 16:34
hi,
Your log is a few days old. If you still need help simply reply to my post.
My DSL provider is going to shut me down. Now I am not sure that the computer that I originally ran the HJT log for is the one with the problem.
I ran Kaspersky online scan on what I thought was the 'safe' computer and got this:
File name / Threat / Threats count
C:\Documents and Settings\Administrator\Desktop\zaZA_Setup_en.exe Infected: Packed.Win32.Krap.ai 1
C:\Documents and Settings\Administrator\Desktop\zlsSetup_70_483_000_en.exe Infected: Packed.Win32.Krap.ai 1
Should I now get an HJT log for this machine? I ran AVG against those files above and received a no threat found message.
I have installed/run AVG, Spybot SD, and MS Security Essentials on all three computers and have not been able to clear the problem.
So, based on the HJT log originally posted, and the Kaspersky finds above, which machine should I focus on and work first?
Thanks, Mark
Thanks a ton Shelflife,
So to summarize, I have three computers on a home network, which my DSL provider insists has a virus/bot infection.
None of my installed software (AVG, Spybot, or MS Security Essentials) is finding a problem at this time (MS found a sinoval? infection a few weeks ago and cleaned it from the high risk machine) on any computer.
The DSL provider has allowed a 'last chance' effort to clean the network. So since I had not received a response on my first post in the 4 day window, but in the between time had disconnected one computer (the highest risk), I ran the Kaspersky scan and found a problem on my 'safe' computer. I posted the results of the scan here:
http://forums.spybot.info/showthread.php?t=55849
So the HJT log (the post you replied to) is from the high risk computer (which had the sinoval find a few weeks back), but the Kaspersky scan is from the computer I am using now (which I thought was safe). I did run the Malwarebytes app after the Kaspersky finds and it came back clean.
So I would like to try and make sure that this machine (the safe one but with the Kaspersky finds) is OK. Otherwise I am afraid I will lose DSL service from Qwest and then fixing anything is REALLY difficult.
shelf life
2010-03-03, 01:52
OK. We will get another download to use. It's called combofix. There is a guide to read first. Read through the guide, download combofix and follow the instructions in the guide and from the combofix prompts once you start running it.
Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Run it on the one you want to make sure is 'ok' and we will go from there. If you're not sure about the other computers being clean or not, you can take them off line so that there is no internet or local network connectivity.
My luck goes from bad to worse. My home phone is now inop, so internet access is down from home for a completely different reason!
Once the phone company resolves this new issue then I will run the combofix.
Thanks for your patience Shelf life.
shelf life
2010-03-05, 01:15
OK, no problem. Read the guide, download and run it when you can. Just to be safe I would keep the machine(s) off line as much as possible. No internet connectivity, no "bot" activity, should keep your ISP happy.
Combo fix log
ComboFix 10-03-05.05 - Administrator 03/06/2010 9:03.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2524 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_npf
((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.
2010-02-28 05:38 . 2010-02-28 05:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-28 05:38 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-28 05:38 . 2010-02-28 05:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-28 05:38 . 2010-02-28 05:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-28 05:38 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-27 05:11 . 2010-02-27 05:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 03:13 . 2010-02-24 03:42 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-23 17:52 . 2010-02-23 17:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2010-02-21 05:33 . 2010-02-21 05:33 -------- d-----w- C:\$AVG
2010-02-21 05:33 . 2010-02-21 05:33 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-02-21 05:33 . 2010-02-21 05:33 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-02-21 05:33 . 2010-02-21 05:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-21 05:33 . 2010-02-21 05:33 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-21 05:32 . 2010-02-21 05:32 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-21 05:32 . 2010-02-21 05:32 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-21 05:32 . 2010-03-06 14:50 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-21 05:32 . 2010-02-24 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-21 05:32 . 2010-02-21 05:32 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-02-21 05:32 . 2010-02-21 05:32 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-02-21 05:32 . 2010-02-21 05:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-21 05:00 . 2010-02-21 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-20 05:19 . 2010-02-23 02:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-20 05:19 . 2010-02-20 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-17 00:51 . 2010-01-14 17:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 23:59 . 2010-02-16 23:59 -------- d-s---w- c:\documents and settings\Administrator\UserData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 05:11 . 2008-05-30 02:17 -------- d-----w- c:\program files\Java
2010-02-27 05:11 . 2010-02-27 05:11 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-27 05:06 . 2010-02-27 05:06 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-21 05:32 . 2010-02-21 14:36 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-21 05:32 . 2010-02-21 14:36 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-21 05:32 . 2010-03-06 14:52 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-02-21 05:32 . 2010-03-06 14:52 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-02-21 05:32 . 2010-03-06 14:52 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-02-21 05:32 . 2010-03-06 14:52 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-02-21 05:32 . 2009-06-03 23:34 -------- d-----w- c:\program files\AVG
2010-02-15 19:28 . 2008-05-29 22:41 12988060 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2010-02-12 05:25 . 2008-01-06 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-16 02:24 . 2009-10-02 03:56 1885464 ----a-w- c:\windows\system32\AutoPartNt.exe
2009-12-31 16:50 . 2007-07-27 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21 . 2007-07-27 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2007-07-27 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 18:43 . 2007-12-10 19:17 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2007-07-27 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2007-07-27 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:02 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-05-15 484904]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-28 221184]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-11-14 102400]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-11-15 1121016]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-27 149280]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-06-10 1326080]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-10 904840]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-06-10 136472]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2007-12-15 987136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-21 05:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2/20/2010 11:33 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2/20/2010 11:33 PM 161800]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [5/20/2008 7:32 AM 15328]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/20/2010 11:32 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/20/2010 11:33 PM 360584]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/20/2010 11:32 PM 285392]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [2/20/2010 11:32 PM 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2/20/2010 11:32 PM 5832712]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [8/6/2008 10:34 AM 216032]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2/20/2010 11:32 PM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [2/20/2010 11:32 PM 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [2/20/2010 11:32 PM 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [2/20/2010 11:32 PM 25736]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [12/15/2007 7:07 PM 176128]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [12/15/2007 7:07 PM 13532]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2/20/2010 11:32 PM 30104]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [7/8/2008 11:39 AM 31712]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-05-15 23:08 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
2010-02-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 21:42]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oet8pt3m.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.nws.noaa.gov/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 09:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1472)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(1528)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(4536)
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2010-03-06 09:39:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-06 15:39
Pre-Run: 25,750,249,472 bytes free
Post-Run: 25,983,004,672 bytes free
- - End Of File - - 22D3DEC412A30F8AF6CB7A25EADE8D02
shelf life
2010-03-07, 02:05
Thanks for the info. That combofix log looks good as far as malware goes. Pick another computer, download DDS and combofix, and post the logs. Use DDS first followed by combofix.
Thanks again Shelf Life,
So the Kaspersky warnings below are OK to ignore? Or did combofix take care of this? (inquiring minds and all, thanks)
C:\Documents and Settings\Administrator\Desktop\zaZA_Setup_en.exe Infected: Packed.Win32.Krap.ai 1
C:\Documents and Settings\Administrator\Desktop\zlsSetup_70_483_000_en.exe Infected: Packed.Win32.Krap.ai 1
OK, now sorry to be an idiot, but what is DDS (that I did first before!!)? Can I attempt to run combofix off-line, i.e. copy the download from the now clean machine and load it to an off-line machine via a CD?
I am just trying to keep my on-line activity to a minimum with the remaining machines that may have a problem.
A lot of pressure here on the homefront, with the current restriction on internet access given the indeterminate status of the other machines.
shelf life
2010-03-09, 00:43
I wouldn't ignore it. I assumed Kaspersky took care of them by deleting or quarantining the files?
If not you can delete them off the desktop for now.
This one:
zaZA_Setup_en.exe
Is that Zone Alarm (firewall) setup.exe?
As far as I can tell this machine looks ok. You can get two more downloads (Defogger and Gmer) as a check for rootkits, which can hide from traditional malware/AV scanners. Not seeing much of anything to be concerned about on this computer with traditional scanning. Maybe Gmer will dig something up.
DDS is really just a diagnostic tool to see what might be on board your machine.
Combofix is updated every few days and I don't think it will run at all after 10 days since the last update. I think it's safe to connect this machine to the internet, get Gmer to run on this machine and grab a new copy of combofix to run on the next computer.
For using and downloading defogger and Gmer you can visit this (http://www.bleepingcomputer.com/forums/topic34773.html) link. Follow steps 6 and 8.
You can also go ahead and run DDS, Defogger, Gmer and Combofix on the next machine, and post the Gmer log for the current machine and the logs for the new machine.
Thanks Shelf life.
I believe both the files were related to Zone Alarm, which I no longer have installed. So I have deleted them.
I tried to run GMER last evening (on the apparently safe machine) but it never seemed to finish and the computer would then hang. I let it run overnight the last time but had the same result. I had not yet run Defogger, so are the two apps separate, or do I need to run Defogger before running GMER? Or should I try GMER in Safe Mode?
Last question (for now!): is it safe to copy the logs generated on the next suspect computer to a thumb drive so that I can post them using the 'safe' machine? Or is using a CD as the transfer media safer? I don't know how 'communicable' these bugs are.
Thanks again for all your help.
shelf life
2010-03-10, 01:20
Actually you would have run Defogger before Gmer. Forget Defogger and try running Gmer in Safe Mode. A CD would be safer than a USB flash drive for transfer. If the Gmer log looks OK then I would say we are done with the current machine.
Here it is after running in Safe Mode. No hangs until I tried to restart the computer after finishing GMER; then nothing would happen. I had to do a hard shutdown.
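An added example, not part of the thread, to put a check behind the CD-versus-flash-drive advice above. A flash drive is writable by whatever is running on the suspect host: XP-era removable-media worms wrote a copy of themselves plus an autorun.inf to every removable drive that was inserted, and Windows XP would honour that file on the next machine the stick was plugged into. A finalized CD cannot be altered afterwards. Whichever medium is used, the root can be checked for an autorun.inf on the clean machine before anything on it is opened. The autorun.inf text and the payload path below are constructed for the demo, and the directive watch-list is this example's own choice, not a complete specification of the format.

```python
"""Look for an autorun.inf before trusting a USB stick from a suspect machine.

Added example, not part of the original thread. The sample autorun.inf is
constructed; EXEC_KEYS is an assumed watch-list, not the full specification.
"""
import os
import re
import tempfile

SAMPLE_AUTORUN = r"""
[autorun]
open=RECYCLER\S-1-5-21-1\setup.exe
shellexecute=RECYCLER\S-1-5-21-1\setup.exe
shell\open\command=RECYCLER\S-1-5-21-1\setup.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
useautoplay=1
"""

# Directives that hand control to a program on the volume (assumed watch-list).
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_autorun(text):
    """Return the [autorun] directives as a lower-cased dict.

    Tolerant on purpose: worm-written files pad the section with junk lines
    and odd casing to trip up strict INI parsers while Explorer still
    honours them, so this only looks for 'key=value' inside [autorun]."""
    directives, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = SECTION_RE.match(line)
        if m:
            in_section = m.group(1).strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def autorun_findings(directives, volume_root=None):
    """Human-readable findings; checks whether each launch target exists."""
    findings = []
    for key in EXEC_KEYS:
        if key in directives:
            target = directives[key]
            note = f"{key}={target}"
            if volume_root is not None:
                parts = target.replace("\\", "/").split("/")
                present = os.path.exists(os.path.join(volume_root, *parts))
                note += " (target present on volume)" if present else " (target missing)"
            findings.append(note)
    action = directives.get("action", "")
    if "open folder" in action.lower():
        # Worms set the AutoPlay caption to look like Explorer's own entry.
        findings.append(f"action text mimics Explorer's own AutoPlay entry: {action!r}")
    return findings


def inspect_volume(root):
    """Findings for an autorun.inf in the root of `root`; [] if there is none."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            path = os.path.join(root, name)
            with open(path, encoding="latin-1", errors="replace") as fh:
                return autorun_findings(parse_autorun(fh.read()), root)
    return []


def build_demo_volume():
    """Constructed stand-in for a flash drive: autorun.inf plus its payload path."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    payload_dir = os.path.join(root, "RECYCLER", "S-1-5-21-1")
    os.makedirs(payload_dir)
    with open(os.path.join(payload_dir, "setup.exe"), "wb") as fh:
        fh.write(b"MZ placeholder, not a real executable")
    with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    return root


def demo():
    """Build the constructed volume and return its findings."""
    return inspect_volume(build_demo_volume())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The parser never executes anything it reads, so running it on the clean machine is safe; a non-empty result means the medium (and the machine it came from) still carries something that wants to run, and the logs should be copied off in some other way.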
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-09 19:28:57
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uxtdapow.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
---- EOF - GMER 1.0.15 ----
Since I was not sure that GMER was running OK, I ran DDS.
DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
Run by Administrator at 20:08:22.84 on Tue 03/09/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2991 [GMT -6:00]
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr
============== Pseudo HJT Report ===============
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [DMXLauncher] "c:\program files\roxio\media experience\DMXLauncher.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\adobe photoshop lightroom 1.4\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asuswi~1.lnk - c:\program files\asus wifi-ap solo\RtWLan.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\oet8pt3m.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.nws.noaa.gov/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-2-20 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-2-20 52872]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-20 216200]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-20 29512]
S1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-20 242696]
S2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-6 308064]
S2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-3-6 2325816]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-3-6 5888008]
S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2008-8-6 216032]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-2-20 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-2-20 30104]
S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-2-20 122376]
S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-2-20 30216]
S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-2-20 26120]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2008-7-8 31712]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2007-12-15 176128]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2007-12-15 13532]
=============== Created Last 30 ================
2010-03-06 16:03:57 0 d-----w- c:\docume~1\admini~1\applic~1\AVG9
2010-03-06 15:56:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-06 15:02:37 98816 ----a-w- c:\windows\sed.exe
2010-03-06 15:02:37 77312 ----a-w- c:\windows\MBR.exe
2010-03-06 15:02:37 261632 ----a-w- c:\windows\PEV.exe
2010-03-06 15:02:37 161792 ----a-w- c:\windows\SWREG.exe
2010-03-06 15:02:25 0 d-----w- C:\ComboFix
2010-02-28 05:38:14 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-02-28 05:38:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-28 05:38:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-28 05:38:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-28 05:38:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-27 05:11:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-21 05:33:03 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-02-21 05:33:03 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-02-21 05:33:02 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-21 05:32:59 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-21 05:32:54 0 d-----w- c:\windows\system32\drivers\Avg
2010-02-21 05:32:52 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-02-21 05:32:04 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-02-21 05:32:04 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-02-21 05:32:00 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-02-20 05:19:35 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-20 05:19:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-17 00:51:02 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 23:59:25 0 d-s---w- c:\documents and settings\administrator\UserData
==================== Find3M ====================
2010-01-16 02:24:28 1885464 ----a-w- c:\windows\system32\AutoPartNt.exe
2009-12-22 05:21:05 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe
============= FINISH: 20:08:29.53 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-12-01.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/10/2007 1:22:39 PM
System Uptime: 3/9/2010 6:56:06 PM (2 hours ago)
Motherboard: ASUSTeK Computer INC. | | P5K-E
Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | LGA775 | 2405/266mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 101 GiB total, 24.116 GiB free.
D: is FIXED (NTFS) - 205 GiB total, 126.53 GiB free.
E: is FIXED (NTFS) - 161 GiB total, 160.492 GiB free.
F: is CDROM ()
G: is Removable
H: is Removable
==== Disabled Device Manager Items =============
Class GUID: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
Description: HID Non-User Input Data Filter (KB 911895)
Device ID: HID\VID_045E&PID_00F9&MI_01&COL01\7&21BF5F6&0&0000
Manufacturer: Microsoft
Name: HID Non-User Input Data Filter (KB 911895)
PNP Device ID: HID\VID_045E&PID_00F9&MI_01&COL01\7&21BF5F6&0&0000
Service: NuidFltr
Class GUID: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
Description: HID Non-User Input Data Filter (KB 911895)
Device ID: HID\VID_045E&PID_00F9&MI_01&COL03\7&21BF5F6&0&0002
Manufacturer: Microsoft
Name: HID Non-User Input Data Filter (KB 911895)
PNP Device ID: HID\VID_045E&PID_00F9&MI_01&COL03\7&21BF5F6&0&0002
Service: NuidFltr
Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&B6AFFD&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&B6AFFD&0
Service: i8042prt
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_82771043&REV_02\3&11583659&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_82771043&REV_02\3&11583659&0&FB
Service:
==== System Restore Points ===================
RP436: 12/8/2009 7:15:05 PM - System Checkpoint
RP437: 12/15/2009 3:02:21 PM - System Checkpoint
RP438: 12/15/2009 3:46:53 PM - Software Distribution Service 3.0
RP439: 12/16/2009 8:49:01 PM - System Checkpoint
RP440: 12/17/2009 8:55:45 PM - System Checkpoint
RP441: 12/18/2009 10:13:20 PM - System Checkpoint
RP442: 12/25/2009 9:22:41 PM - System Checkpoint
RP443: 12/31/2009 6:03:18 PM - System Checkpoint
RP444: 1/1/2010 6:06:17 PM - System Checkpoint
RP445: 1/2/2010 7:02:09 PM - System Checkpoint
RP446: 1/4/2010 10:35:57 PM - System Checkpoint
RP447: 1/12/2010 8:36:55 PM - System Checkpoint
RP448: 1/12/2010 8:56:43 PM - Software Distribution Service 3.0
RP449: 1/19/2010 7:18:37 PM - System Checkpoint
RP450: 1/20/2010 7:35:12 PM - System Checkpoint
RP451: 1/22/2010 9:45:43 AM - Software Distribution Service 3.0
RP452: 1/31/2010 5:24:20 PM - System Checkpoint
RP453: 2/1/2010 7:12:14 PM - System Checkpoint
RP454: 2/11/2010 6:33:02 PM - System Checkpoint
RP455: 2/11/2010 11:24:30 PM - Software Distribution Service 3.0
RP456: 2/16/2010 6:20:05 PM - System Checkpoint
RP457: 2/16/2010 6:50:57 PM - Software Distribution Service 3.0
RP458: 2/16/2010 10:00:27 PM - Software Distribution Service 3.0
RP459: 2/19/2010 6:14:03 PM - Software Distribution Service 3.0
RP460: 2/20/2010 12:27:48 PM - Software Distribution Service 3.0
RP461: 2/20/2010 6:07:25 PM - Software Distribution Service 3.0
RP462: 2/20/2010 10:56:28 PM - Installed AVG 9.0
RP463: 2/20/2010 11:23:29 PM - Removed AVG Free 8.5
RP464: 2/20/2010 11:24:08 PM - Installed AVG Free 8.5
RP465: 2/20/2010 11:32:00 PM - Installed AVG 9.0
RP466: 2/21/2010 8:36:41 AM - Avg8 Update
RP467: 2/22/2010 8:38:58 PM - System Checkpoint
RP468: 2/23/2010 6:37:36 PM - Software Distribution Service 3.0
RP469: 2/26/2010 11:00:12 PM - Avg8 Update
RP470: 2/26/2010 11:11:32 PM - Installed Java(TM) 6 Update 17
RP471: 2/28/2010 12:34:14 AM - System Checkpoint
RP472: 3/1/2010 1:18:08 AM - System Checkpoint
RP473: 3/2/2010 2:00:48 AM - System Checkpoint
RP474: 3/6/2010 8:52:24 AM - Avg8 Update
RP475: 3/6/2010 9:56:52 AM - Avg Update
RP476: 3/7/2010 9:36:47 PM - System Checkpoint
RP477: 3/8/2010 7:02:14 PM - Avg Update
==== Installed Programs ======================
Acronis True Image WD Edition
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Common File Installer
Adobe Flash Player Plugin
Adobe Photoshop Elements 6.0
Adobe Photoshop Lightroom 2.5
Adobe Premiere Elements 4.0
Adobe Premiere Elements 4.0 Templates
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player
AnswerWorks 4.0 Runtime - English
Apple Software Update
ASUS WiFi-AP Solo
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
AutoUpdate
AVG 9.0
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon EOS-1D Mark II N WIA Driver
Canon EOS-1Ds Mark II WIA Driver
Canon EOS 5D WIA Driver
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon My Printer
Canon Pro9000
Canon Pro9000 User Registration
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Setup Utility 2.1
Canon Utilities Digital Photo Professional 3.1
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PhotoPrint Pro
Canon Utilities EOS Utility
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities WFT-E1/E2/E3 Utility
Canon Utilities ZoomBrowser EX
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Critical Update for Windows Media Player 11 (KB959772)
DivX
Easy-WebPrint
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Java(TM) 6 Update 17
Java(TM) 6 Update 6
JMB36X Raid Configurer
Lightroom
LightScribe 1.6.45.1
Macrium Reflect - Free Edition
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.1
Microsoft IntelliType Pro 6.1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.8)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
MyDVD-VR Recorder
Nero 7 Essentials
neroxml
OGA Notifier 2.0.0048.0
OTB
PE Builder 3.1.10a
QuickTime
Roxio Drag-to-Disc
Roxio Easy Media Creator 9 Suite
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SightSpeed (remove only)
Skins
Sonic MyDVD-VR
SoundMAX
Spybot - Search & Destroy
TaxCut Basic + Efile 2008
TurboTax Deluxe 2007
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb977719)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
VC 9.0 Runtime
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Xingtone Ringtone Maker
==== Event Viewer Messages From Past Week ========
3/9/2010 7:28:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/9/2010 6:58:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips i8042prt intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
3/9/2010 6:58:06 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/9/2010 6:58:06 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/9/2010 6:58:06 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/9/2010 6:58:06 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/9/2010 6:57:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
3/9/2010 6:57:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/6/2010 9:09:29 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
==== End Of File ===========================
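An added example, not part of the thread, that reads fragments copied from the two logs above and answers the two questions a helper checks first: which filter drivers GMER found attached to the disk volumes and whether it could attribute each one to a product, and whether the "driver(s) failed to load" events in the DDS output are accounted for by the scan having been run in Safe Mode (the DDS header says MINIMAL, and the post says the run was in Safe Mode) rather than by tampering. One GMER line with no description is constructed and marked as such. Two classifications are this example's own assumptions: that the Windows networking-stack drivers in NETWORK_STACK are not part of the Safe Mode Minimal driver set, and that the SERVICES / DRIVERS section of a DDS log lists non-Microsoft services, so a name found there is third-party.

```python
"""Triage GMER AttachedDevice lines and DDS failed-driver events.

Added example, not part of the original thread. Log fragments are copied
from the post; the example_unknown.sys line is constructed. NETWORK_STACK and
the 'DDS services are non-Microsoft' rule are this example's assumptions.
"""
import re

GMER_SAMPLE = r"""
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 example_unknown.sys
---- EOF - GMER 1.0.15 ----
"""
# example_unknown.sys is constructed: GMER prints no parenthesised description
# when a driver image carries no version resource, which is worth a look.

DDS_SAMPLE = r"""
DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
Run by Administrator at 20:08:22.84 on Tue 03/09/2010
============= SERVICES / DRIVERS ===============
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-20 216200]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-20 29512]
S1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-20 242696]
==== Event Viewer Messages From Past Week ========
3/9/2010 6:58:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips i8042prt intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
"""

ATTACHED_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?\s*$")
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*?)\s+\[", re.M)
HEADER_RE = re.compile(r"^DDS \(Ver_[^)]*\) - NTFS\w*(?:\s+(MINIMAL|NETWORK))?\s*$", re.M)
FAILED_RE = re.compile(r"\[7026\] - The following boot-start or system-start driver\(s\) failed to load:\s*(.+?)\s*$", re.M)

# Assumption: the networking stack is not in the SafeBoot\Minimal driver set,
# so these failing to load under a MINIMAL boot is normal, not tampering.
NETWORK_STACK = {"AFD", "IPSec", "MRxSmb", "NetBIOS", "NetBT", "RasAcd", "Rdbss", "Tcpip"}


def parse_gmer_devices(text):
    """One dict per AttachedDevice line; vendor is the text after the last '/'."""
    devices = []
    for line in text.splitlines():
        m = ATTACHED_RE.match(line)
        if m:
            driver_obj, device, image, desc = m.groups()
            vendor = desc.rsplit("/", 1)[-1].strip() if desc else None
            devices.append({"driver": driver_obj, "device": device, "image": image,
                            "description": desc, "vendor": vendor})
    return devices


def filters_by_vendor(devices):
    grouped = {}
    for d in devices:
        grouped.setdefault(d["vendor"] or "<no version info>", set()).add(d["image"])
    return {vendor: sorted(images) for vendor, images in grouped.items()}


def unexplained_filters(devices):
    """Images GMER could not attribute to a product: the ones to look at first."""
    return sorted({d["image"] for d in devices if not d["vendor"]})


def dds_boot_mode(text):
    """'MINIMAL' / 'NETWORK' from the DDS header line, 'NORMAL' if absent."""
    m = HEADER_RE.search(text)
    return None if not m else (m.group(1) or "NORMAL")


def parse_dds_services(text):
    """name -> (display name, image path) from SERVICES / DRIVERS (assumed non-Microsoft)."""
    return {m.group(1).lower(): (m.group(2), m.group(3)) for m in SERVICE_RE.finditer(text)}


def failed_boot_drivers(text):
    names = set()
    for m in FAILED_RE.finditer(text):
        names.update(m.group(1).split())
    return names


def triage_failed_drivers(names, boot_mode, services):
    """Sort failed drivers into expected-in-Safe-Mode, third-party, and check-later."""
    result = {"expected_safe_mode": [], "third_party": [], "check_in_normal_boot": []}
    for name in sorted(names):
        if boot_mode == "MINIMAL" and name in NETWORK_STACK:
            result["expected_safe_mode"].append(name)
        elif name.lower() in services:
            result["third_party"].append((name, services[name.lower()][0]))
        else:
            result["check_in_normal_boot"].append(name)
    return result


if __name__ == "__main__":
    devs = parse_gmer_devices(GMER_SAMPLE)
    print("filters by vendor:", filters_by_vendor(devs))
    print("unattributed:", unexplained_filters(devs))
    mode = dds_boot_mode(DDS_SAMPLE)
    print("DDS boot mode:", mode)
    triage = triage_failed_drivers(failed_boot_drivers(DDS_SAMPLE), mode, parse_dds_services(DDS_SAMPLE))
    for bucket, items in triage.items():
        print(f"{bucket}: {items}")
```

On the posted logs this leaves only Fips, i8042prt and intelppm in the check-later bucket (i8042prt matches the disabled PS/2 keyboard in the Device Manager section), and the three AVG drivers as third-party filters that should be confirmed loading in a normal boot; the expected bucket is the whole networking stack, which is what a Safe Mode run produces.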
Hi Shelf life,
So the above logs are for the 'safe' computer. What follows are the ComboFix, GMER and DDS logs for the next 'less safe' machine.
Thank you very much for sticking with this. I appreciate your patience.
ComboFix 10-03-09.04 - D 03/09/2010 19:22:29.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.372 [GMT -6:00]
Running from: c:\documents and settings\D\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-1414112411-1330998596-107729866-1003
.
((((((((((((((((((((((((( Files Created from 2010-02-10 to 2010-03-10 )))))))))))))))))))))))))))))))
.
2010-03-09 01:38 . 2010-02-20 18:28 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2010-03-09 01:34 . 2010-03-09 01:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-03-09 01:33 . 2010-03-09 01:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-27 05:37 . 2010-02-27 05:37 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-27 04:00 . 2010-02-27 04:00 -------- d-----w- c:\program files\ESET
2010-02-26 01:09 . 2010-02-26 01:09 -------- d-----w- c:\windows\Sun
2010-02-26 00:59 . 2009-09-02 17:58 1107200 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-02-24 02:39 . 2010-02-24 02:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-02-23 23:28 . 2010-02-20 18:28 693016 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcsrvx.exe
2010-02-23 23:28 . 2010-02-20 18:28 390424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgclitx.dll
2010-02-23 23:28 . 2010-02-20 18:28 418072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcclix.dll
2010-02-23 23:28 . 2010-02-20 18:28 70424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcrlpx.dll
2010-02-23 23:28 . 2010-02-20 18:28 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2010-02-23 23:28 . 2010-02-20 18:28 2308888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2010-02-23 23:26 . 2010-02-20 18:28 423424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2010-02-23 23:10 . 2010-02-20 18:28 1142552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2010-02-23 23:10 . 2010-02-20 18:28 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2010-02-23 23:10 . 2010-02-20 18:28 1475352 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2010-02-23 23:10 . 2010-02-20 18:28 758040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2010-02-21 04:08 . 2010-03-09 01:51 -------- d-----w- C:\$AVG8.VAULT$
2010-02-20 18:28 . 2010-02-20 18:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-20 18:28 . 2010-02-20 18:28 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-20 18:28 . 2010-02-20 18:28 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-20 18:28 . 2010-03-09 01:39 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-20 18:28 . 2010-02-26 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-20 18:28 . 2010-02-20 18:28 -------- d-----w- c:\program files\AVG
2010-02-20 18:28 . 2010-02-20 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-02-20 05:28 . 2010-02-23 23:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-20 05:28 . 2010-02-20 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-20 00:18 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-20 00:18 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-17 02:39 . 2010-02-24 15:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 02:01 . 2010-02-17 02:01 -------- d-----w- c:\program files\Microsoft Security Essentials
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-10 01:10 . 2008-11-13 02:06 -------- d-----w- c:\documents and settings\D\Application Data\U3
2010-02-27 05:36 . 2005-11-08 22:26 -------- d-----w- c:\program files\Google
2010-02-20 09:32 . 2009-08-11 21:03 34288 ----a-w- c:\documents and settings\D\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-20 09:02 . 2005-12-02 04:32 -------- d-----w- c:\program files\Microsoft Works
2010-02-06 03:07 . 2005-11-05 02:40 77607 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-05 10:00 . 2005-11-05 01:17 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2005-11-05 01:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-11-05 01:16 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2005-11-05 01:17 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2005-11-05 02:37 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2005-11-05 01:16 33280 ----a-w- c:\windows\system32\csrsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 17:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-22 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-07-09 212992]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-10 15473664]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-11-24 352256]
"NDSTray.exe"="NDSTray.exe" [BU]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-10 73728]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-19 188416]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-08 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-08 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-08 114688]
"TFncKy"="TFncKy.exe" [BU]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-15 761947]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-02-23 2043160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Metamail Trust Manager.lnk - c:\program files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [2005-11-29 329472]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-11-4 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-20 18:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-23 06:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131164868\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/20/2010 12:28 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/20/2010 12:28 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2/20/2010 12:28 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/20/2010 12:28 PM 297752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/26/2010 11:37 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
2010-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 05:36]
2010-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 05:36]
2010-03-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 23:36]
2010-03-10 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\D\Application Data\Mozilla\Firefox\Profiles\9choub2n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nws.noaa.gov/
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-09 19:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1000)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
- - - - - - - > 'explorer.exe'(2996)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee.com\vso\McVSSkt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2010-03-09 19:28:31
ComboFix-quarantined-files.txt 2010-03-10 01:28
Pre-Run: 78,827,655,168 bytes free
Post-Run: 78,820,188,160 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 0CC27F34F1AD7A752F7AAB2AE5BFAB7E
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-09 21:12:42
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\D\LOCALS~1\Temp\uwldapow.sys
---- System - GMER 1.0.15 ----
Code \??\C:\DOCUME~1\D\LOCALS~1\Temp\catchme.sys pIofCallDriver
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)
Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_Disk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_CdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\Temp\TMP00000AE52BCC62A3379BAE82 524288 bytes
---- EOF - GMER 1.0.15 ----
DDS (Ver_09-12-01.01) - NTFSx86
Run by D at 21:13:31.06 on Tue 03/09/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.492 [GMT -6:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE
C:\WINDOWS\system32\RAMASST.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\D\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [IntelZeroConfig] c:\program files\intel\wireless\bin\ZCfgSvc.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\metama~1.lnk - c:\program files\metamail inc\metamail tray\Metamail Trust Manager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\d\applic~1\mozilla\firefox\profiles\9choub2n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nws.noaa.gov/
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-20 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-1-19 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-20 108552]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2010-2-20 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2010-2-20 297752]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-11-4 126976]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-11-4 121344]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-11-4 114464]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-26 135664]
S2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-11-4 221184]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-11-4 245760]
=============== Created Last 30 ================
2010-03-10 01:21:23 0 d-sha-r- C:\cmdcons
2010-03-10 01:17:29 77312 ----a-w- c:\windows\MBR.exe
2010-03-10 01:17:28 98816 ----a-w- c:\windows\sed.exe
2010-03-10 01:17:28 261632 ----a-w- c:\windows\PEV.exe
2010-03-10 01:17:28 161792 ----a-w- c:\windows\SWREG.exe
2010-03-10 01:17:04 0 d-----w- C:\ComboFix
2010-02-27 04:00:41 0 d-----w- c:\program files\ESET
2010-02-21 04:08:03 0 d-----w- C:\$AVG8.VAULT$
2010-02-20 18:28:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-20 18:28:57 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-20 18:28:55 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-20 18:28:47 0 d-----w- c:\windows\system32\drivers\Avg
2010-02-20 18:28:44 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-02-20 18:28:08 0 d-----w- c:\program files\AVG
2010-02-20 18:28:08 0 d-----w- c:\docume~1\alluse~1\applic~1\avg8
2010-02-20 05:28:45 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-20 05:28:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-20 00:18:28 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-20 00:18:28 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-20 00:18:28 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-02-17 02:39:37 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 02:01:03 0 d-----w- c:\program files\Microsoft Security Essentials
==================== Find3M ====================
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
============= FINISH: 21:14:06.29 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-12-01.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/19/2008 9:53:46 PM
System Uptime: 3/9/2010 7:01:14 PM (2 hours ago)
Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Pentium(R) M processor 1.73GHz | mFCPGA | 1729/133mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 93 GiB total, 73.428 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP41: 12/9/2009 2:20:09 PM - Software Distribution Service 3.0
RP42: 12/20/2009 10:07:34 AM - Software Distribution Service 3.0
RP43: 12/26/2009 11:30:32 AM - Software Distribution Service 3.0
RP44: 12/26/2009 1:17:39 PM - Software Distribution Service 3.0
RP45: 1/4/2010 9:32:38 PM - Software Distribution Service 3.0
RP46: 1/27/2010 8:15:37 PM - System Checkpoint
RP47: 1/27/2010 8:59:05 PM - Software Distribution Service 3.0
RP48: 2/5/2010 8:34:24 PM - Software Distribution Service 3.0
RP49: 2/16/2010 8:39:27 PM - Software Distribution Service 3.0
RP50: 2/19/2010 6:30:20 PM - Software Distribution Service 3.0
RP51: 2/20/2010 3:00:27 AM - Software Distribution Service 3.0
RP52: 2/20/2010 12:27:51 PM - Installed AVG Free 8.5
RP53: 2/21/2010 2:18:50 AM - Software Distribution Service 3.0
RP54: 2/21/2010 3:00:45 AM - Software Distribution Service 3.0
RP55: 2/23/2010 5:10:28 PM - Avg8 Update
RP56: 2/23/2010 5:24:44 PM - Software Distribution Service 3.0
RP57: 2/23/2010 6:39:06 PM - Software Distribution Service 3.0
RP58: 2/24/2010 6:59:37 PM - Software Distribution Service 3.0
RP59: 2/25/2010 7:42:32 PM - Software Distribution Service 3.0
RP60: 2/26/2010 7:02:13 PM - Software Distribution Service 3.0
RP61: 3/8/2010 7:38:03 PM - Avg8 Update
RP62: 3/8/2010 7:45:52 PM - Software Distribution Service 3.0
==== Installed Programs ======================
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
America Online (Choose which version to remove)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Spyware Protection
AOL You've Got Pictures Screensaver
ArcSoft Software Suite
AVG Free 8.5
Bluetooth Stack for Windows by Toshiba
CD/DVD Drive Acoustic Silencer
DVD-RAM Driver
ESET Online Scanner v3
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB888111
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
J2SE Runtime Environment 5.0 Update 4
Macromedia Flash Player 8
McAfee SecurityCenter
McAfee VirusScan
mCore
mDrWiFi
Metamail (Toshiba Registration Utility)
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office OneNote 2003
Microsoft Office Standard Edition 2003
Microsoft Security Essentials
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mIWA
mIWCA
mLogView
mMHouse
Mozilla Firefox (3.0.15)
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWlsSafe
mXML
MyConnect Special Offer
mZConfig
Office 2003 Trial Assistant
Pure Networks Port Magic
Quicken 2005
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
SD Secure Module
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Sonic DLA
Sonic RecordNow!
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TIxx21/x515
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Q4 Retail Demo ScreenSaver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
Xvid 1.1.3 final uninstall
Yahoo! Music Engine
==== Event Viewer Messages From Past Week ========
3/9/2010 8:47:48 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
3/9/2010 7:47:41 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
3/9/2010 7:27:34 PM, error: Service Control Manager [7034] - The McAfee.com McShield service terminated unexpectedly. It has done this 1 time(s).
3/9/2010 7:23:05 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the McShield service.
3/9/2010 7:22:20 PM, error: Service Control Manager [7034] - The Swupdtmr service terminated unexpectedly. It has done this 1 time(s).
3/9/2010 7:17:39 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
3/9/2010 7:02:36 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
==== End Of File ===========================
shelf life
2010-03-10, 23:45
The good news is I don't see anything malware-related in those logs either.
Hi Shelf life,
So the GMER log, post #14, is complete? Just want to triple-check, as this log is from the original safe one and is the most important machine.
The second machine is a laptop (whose logs are above), and I expected it to be relatively clean but not 100% sure.
Well then, on to the last, and most suspect machine. It went for a long time without any virus/malware protection due to a really strange problem with the version of Zone Alarm I had installed.
I will post those logs next.
Thanks again.
I think it has a problem!!
ComboFix 10-03-09.04 - Mark MacKinnon 03/10/2010 20:45:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.361 [GMT -6:00]
Running from: c:\documents and settings\Mark MacKinnon\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2010-02-11 to 2010-03-11 )))))))))))))))))))))))))))))))
.
2010-03-11 02:44 . 2010-03-11 02:44 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2010-02-23 02:33 . 2010-02-23 02:33 -------- d-----w- c:\program files\ERUNT
2010-02-23 01:33 . 2010-02-23 01:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-23 01:30 . 2010-02-23 01:30 152576 ----a-w- c:\documents and settings\Mark MacKinnon\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-23 01:25 . 2010-02-23 01:25 79488 ----a-w- c:\documents and settings\Mark MacKinnon\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-22 14:24 . 2010-02-21 20:44 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-22 14:24 . 2010-02-21 20:44 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-22 01:21 . 2010-02-22 01:21 -------- d-----w- c:\documents and settings\Mark MacKinnon\Local Settings\Application Data\AVG Security Toolbar
2010-02-21 20:46 . 2010-02-21 20:46 -------- d-----w- C:\$AVG
2010-02-21 20:45 . 2010-02-21 20:45 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-02-21 20:45 . 2010-02-21 20:45 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-02-21 20:45 . 2010-02-21 20:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-21 20:45 . 2010-02-21 20:45 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-21 20:45 . 2010-02-21 20:45 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-21 20:45 . 2010-02-21 20:45 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-21 20:45 . 2010-02-27 01:05 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-21 20:44 . 2010-02-24 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-21 18:34 . 2010-02-21 18:34 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-02-21 18:34 . 2010-02-21 18:34 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-02-21 18:34 . 2010-02-21 18:34 -------- d-----w- c:\program files\AVG
2010-02-21 18:33 . 2010-02-21 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-11 02:40 . 2007-02-19 03:20 -------- d-----w- c:\documents and settings\Mark MacKinnon\Application Data\U3
2010-02-27 01:15 . 2010-02-27 01:15 -------- d-----w- c:\program files\ESET
2010-02-25 02:49 . 2010-02-25 02:49 -------- d-----w- c:\program files\Panda Security
2010-02-24 03:34 . 2010-02-24 00:56 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-23 02:46 . 2010-02-23 02:46 388096 ----a-r- c:\documents and settings\Mark MacKinnon\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-23 02:46 . 2010-02-23 02:46 -------- d-----w- c:\program files\TrendMicro
2010-02-23 01:32 . 2007-07-26 23:09 -------- d-----w- c:\program files\Java
2010-02-20 03:46 . 2007-01-29 02:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-14 17:12 . 2009-09-02 00:01 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 10:00 . 2001-08-23 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-05 02:31 . 2010-01-05 02:31 8892928 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2010-01-01 18:02 . 2006-05-13 22:01 1087 ----a-w- c:\windows\checkip.dat
2010-01-01 17:58 . 2006-05-13 22:00 1074 ----a-w- c:\windows\ipconfig.dat
2009-12-31 16:50 . 2001-08-23 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2007-04-15 18:37 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2001-08-23 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:02 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 24576]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-03-09 7561216]
"nwiz"="nwiz.exe" [2006-03-09 1519616]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-03-09 86016]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-23 149280]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-28 221184]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-11-14 102400]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-11-15 1121016]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-04-07 642856]
c:\documents and settings\Mark MacKinnon\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-21 20:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3429:TCP"= 3429:TCP:Services
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2/21/2010 2:45 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2/21/2010 2:45 PM 161800]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/24/2010 8:53 PM 28552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/21/2010 2:45 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/21/2010 2:45 PM 360584]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2/21/2010 2:44 PM 906520]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/21/2010 2:44 PM 285392]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [2/21/2010 2:44 PM 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2/21/2010 2:44 PM 5832712]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2/21/2010 12:34 PM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [2/21/2010 2:44 PM 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [2/21/2010 2:44 PM 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [2/21/2010 2:44 PM 25736]
R3 STDRIVER;USB Bulk Out Driver for STM;c:\windows\system32\drivers\STDriver.sys [2/12/2006 1:53 PM 15930]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2/21/2010 12:34 PM 30104]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S3 iadusb;Zoom USB Network Adapter;c:\windows\system32\drivers\glauiad.sys [7/7/2008 8:09 AM 30371]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.crh.noaa.gov/ifps/MapClick.php?MapType=3&site=MPX&CiTemplate=1&map.x=189&map.y=153
FF - ProfilePath - c:\documents and settings\Mark MacKinnon\Application Data\Mozilla\Firefox\Profiles\nhmtv5mp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.simhq.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-DSLAGENTEXE - c:\program files\Zoom\Adsl\dslagent.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-10 20:57
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x832E40E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7633f28
\Driver\ACPI -> 0x832e40e0
\Driver\atapi -> atapi.sys @ 0xf755e852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x82d10690
PacketIndicateHandler -> NDIS.sys @ 0xf7442a0d
SendHandler -> NDIS.sys @ 0xf7456b40
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0E4F8121
malicious code @ sector 0x0E4F8124 !
PE file found in sector at 0x0E4F813A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(192)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-10 21:01:10
ComboFix-quarantined-files.txt 2010-03-11 03:01
Pre-Run: 40,440,467,456 bytes free
Post-Run: 40,596,123,648 bytes free
- - End Of File - - 85355CE31989624041B5842EC59002CD
DDS (Ver_09-12-01.01) - NTFSx86
Run by Mark MacKinnon at 21:32:58.12 on Wed 03/10/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.338 [GMT -6:00]
AV: AVG Internet Security *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mark MacKinnon\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.crh.noaa.gov/ifps/MapClick.php?MapType=3&site=MPX&CiTemplate=1&map.x=189&map.y=153
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [DMXLauncher] "c:\program files\roxio\media experience\DMXLauncher.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
StartupFolder: c:\docume~1\markma~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {00000162-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/B/B/0BB06A5C-8611-4840-86B3-54DDDD0344B9/wma9dmo.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247796145640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\markma~1\applic~1\mozilla\firefox\profiles\nhmtv5mp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.simhq.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-2-21 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-2-21 161800]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-2-24 28552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-21 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-21 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-21 360584]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-2-21 906520]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-21 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-2-21 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-2-21 5832712]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-2-21 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-2-21 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-2-21 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-2-21 25736]
R3 STDRIVER;USB Bulk Out Driver for STM;c:\windows\system32\drivers\STDriver.sys [2006-2-12 15930]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-2-21 30104]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S3 iadusb;Zoom USB Network Adapter;c:\windows\system32\drivers\glauiad.sys [2008-7-7 30371]
=============== Created Last 30 ================
2010-03-11 02:44:54 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2010-03-11 02:43:23 98816 ----a-w- c:\windows\sed.exe
2010-03-11 02:43:23 77312 ----a-w- c:\windows\MBR.exe
2010-03-11 02:43:23 261632 ----a-w- c:\windows\PEV.exe
2010-03-11 02:43:23 161792 ----a-w- c:\windows\SWREG.exe
2010-02-27 01:15:55 0 d-----w- c:\program files\ESET
2010-02-25 02:53:00 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-25 02:49:28 0 d-----w- c:\program files\Panda Security
2010-02-23 02:46:15 0 d-----w- c:\program files\TrendMicro
2010-02-23 01:33:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-21 20:46:12 0 d-----w- C:\$AVG
2010-02-21 20:45:42 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-02-21 20:45:42 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-02-21 20:45:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-21 20:45:41 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-21 20:45:29 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-21 20:45:16 0 d-----w- c:\windows\system32\drivers\Avg
2010-02-21 20:44:50 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-02-21 18:34:15 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-02-21 18:34:15 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-02-21 18:34:10 0 d-----w- c:\program files\AVG
2010-02-21 18:33:56 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
==================== Find3M ====================
2010-01-14 17:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
============= FINISH: 21:33:33.18 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-12-01.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 4/15/2007 12:46:32 PM
System Uptime: 3/10/2010 8:34:07 PM (1 hours ago)
Motherboard: | | SiS-741
Processor: AMD Athlon(tm) XP 2000+ | Socket A | 1666/133mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 114 GiB total, 37.832 GiB free.
D: is CDROM ()
E: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: PCI\VEN_1039&DEV_7002&SUBSYS_70021039&REV_00\3&61AAA01&0&1A
Manufacturer:
Name:
PNP Device ID: PCI\VEN_1039&DEV_7002&SUBSYS_70021039&REV_00\3&61AAA01&0&1A
Service:
==== System Restore Points ===================
RP700: 12/8/2009 6:24:45 PM - Software Distribution Service 3.0
RP701: 12/9/2009 3:00:14 AM - Software Distribution Service 3.0
RP702: 12/10/2009 6:35:31 PM - Software Distribution Service 3.0
RP703: 12/11/2009 8:48:43 PM - System Checkpoint
RP704: 12/12/2009 9:41:08 PM - System Checkpoint
RP705: 12/16/2009 8:29:31 PM - Software Distribution Service 3.0
RP706: 12/17/2009 6:24:43 PM - Software Distribution Service 3.0
RP707: 12/22/2009 6:27:53 PM - Software Distribution Service 3.0
RP708: 12/23/2009 6:57:33 PM - System Checkpoint
RP709: 12/24/2009 3:03:32 PM - Software Distribution Service 3.0
RP710: 12/26/2009 9:44:37 AM - System Checkpoint
RP711: 12/26/2009 4:29:21 PM - Installed Windows NLSDownlevelMapping.
RP712: 12/26/2009 4:30:12 PM - Installed Windows IDNMitigationAPIs.
RP713: 12/26/2009 4:30:29 PM - Installed Windows Internet Explorer 7.
RP714: 12/26/2009 4:30:55 PM - Software Distribution Service 3.0
RP715: 12/27/2009 3:00:18 AM - Software Distribution Service 3.0
RP716: 12/30/2009 8:57:37 AM - Software Distribution Service 3.0
RP717: 12/30/2009 9:00:26 AM - Software Distribution Service 3.0
RP718: 12/31/2009 2:09:40 PM - System Checkpoint
RP719: 1/1/2010 2:57:12 PM - System Checkpoint
RP720: 1/1/2010 4:52:24 PM - Software Distribution Service 3.0
RP721: 1/2/2010 5:24:45 PM - Unsigned driver install
RP722: 1/4/2010 7:18:02 PM - Software Distribution Service 3.0
RP723: 1/5/2010 7:40:11 PM - System Checkpoint
RP724: 1/6/2010 7:50:59 PM - System Checkpoint
RP725: 1/7/2010 6:24:23 PM - Software Distribution Service 3.0
RP726: 1/8/2010 6:45:46 PM - System Checkpoint
RP727: 1/9/2010 7:25:10 PM - System Checkpoint
RP728: 1/10/2010 7:57:50 PM - System Checkpoint
RP729: 1/11/2010 5:05:03 PM - Software Distribution Service 3.0
RP730: 1/12/2010 5:45:43 PM - Software Distribution Service 3.0
RP731: 1/13/2010 6:03:29 PM - System Checkpoint
RP732: 1/13/2010 7:42:14 PM - Software Distribution Service 3.0
RP733: 1/14/2010 6:16:42 PM - Software Distribution Service 3.0
RP734: 1/15/2010 8:01:19 PM - System Checkpoint
RP735: 1/16/2010 8:35:17 PM - System Checkpoint
RP736: 1/19/2010 6:18:45 PM - Software Distribution Service 3.0
RP737: 1/20/2010 7:14:38 PM - System Checkpoint
RP738: 1/21/2010 5:36:23 PM - Software Distribution Service 3.0
RP739: 1/22/2010 3:00:15 AM - Software Distribution Service 3.0
RP740: 1/23/2010 5:33:57 PM - System Checkpoint
RP741: 1/24/2010 6:22:22 PM - System Checkpoint
RP742: 1/26/2010 2:07:56 PM - Software Distribution Service 3.0
RP743: 1/26/2010 5:41:44 PM - Microsoft Antimalware Checkpoint
RP744: 1/27/2010 6:19:32 PM - Software Distribution Service 3.0
RP745: 1/27/2010 6:23:30 PM - Software Distribution Service 3.0
RP746: 1/27/2010 10:55:33 PM - Software Distribution Service 3.0
RP747: 1/28/2010 6:30:17 PM - Software Distribution Service 3.0
RP748: 1/28/2010 6:38:03 PM - Software Distribution Service 3.0
RP749: 1/30/2010 9:16:43 AM - Software Distribution Service 3.0
RP750: 1/30/2010 6:57:33 PM - Software Distribution Service 3.0
RP751: 1/31/2010 1:08:55 PM - Software Distribution Service 3.0
RP752: 1/31/2010 6:41:15 PM - Software Distribution Service 3.0
RP753: 2/1/2010 6:38:08 PM - Software Distribution Service 3.0
RP754: 2/1/2010 6:55:00 PM - Software Distribution Service 3.0
RP755: 2/3/2010 5:23:53 PM - Software Distribution Service 3.0
RP756: 2/5/2010 6:02:50 PM - Software Distribution Service 3.0
RP757: 2/5/2010 6:09:10 PM - Software Distribution Service 3.0
RP758: 2/6/2010 8:10:01 PM - Software Distribution Service 3.0
RP759: 2/7/2010 8:10:11 PM - Software Distribution Service 3.0
RP760: 2/9/2010 5:53:53 PM - Software Distribution Service 3.0
RP761: 2/9/2010 5:57:36 PM - Software Distribution Service 3.0
RP762: 2/9/2010 6:00:26 PM - Software Distribution Service 3.0
RP763: 2/10/2010 3:39:02 AM - Software Distribution Service 3.0
RP764: 2/11/2010 6:08:31 PM - Software Distribution Service 3.0
RP765: 2/11/2010 6:16:04 PM - Software Distribution Service 3.0
RP766: 2/12/2010 2:51:09 PM - Software Distribution Service 3.0
RP767: 2/15/2010 9:53:23 PM - System Checkpoint
RP768: 2/17/2010 6:55:22 PM - System Checkpoint
RP769: 2/17/2010 8:52:57 PM - Software Distribution Service 3.0
RP770: 2/18/2010 8:48:00 PM - Software Distribution Service 3.0
RP771: 2/18/2010 8:48:54 PM - Software Distribution Service 3.0
RP772: 2/19/2010 5:55:34 PM - Software Distribution Service 3.0
RP773: 2/21/2010 12:33:54 PM - Installed AVG 9.0
RP774: 2/21/2010 2:43:49 PM - Configured AVG 9.0
RP775: 2/22/2010 8:24:54 AM - Avg8 Update
RP776: 2/22/2010 7:32:13 PM - Installed Java(TM) 6 Update 17
RP777: 2/22/2010 8:46:14 PM - Installed HiJackThis
RP778: 2/23/2010 8:26:42 PM - Software Distribution Service 3.0
RP779: 2/24/2010 6:39:32 PM - Avg8 Update
RP780: 2/25/2010 7:06:18 PM - System Checkpoint
RP781: 2/26/2010 7:47:38 PM - System Checkpoint
RP782: 3/4/2010 6:03:05 PM - System Checkpoint
RP783: 3/5/2010 7:00:09 PM - System Checkpoint
RP784: 3/6/2010 7:18:03 PM - System Checkpoint
RP785: 3/10/2010 8:43:41 PM - ComboFix created restore point
==== Installed Programs ======================
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
AutoUpdate
AVG 9.0
Call of Duty
Call of Duty - United Offensive
DivX Codec
DivX Version Checker
ERUNT 1.1j
ESET Online Scanner v3
HiJackThis
HOTAS Cougar
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
IL-2 Sturmovik: Forgotten Battles
IL-2 Sturmovik: Forgotten Battles AEP
Java(TM) 6 Update 17
Java(TM) 6 Update 2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.8)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MyDVD-VR Recorder
Network Magic
NVIDIA Drivers
Panda ActiveScan 2.0
PF+FB+AEP
PowerDVD
Pure Networks Platform
Realtek AC'97 Audio
Roxio Drag-to-Disc
Roxio Easy Media Creator 9 Suite
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 Series (KB969878)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SightSpeed (remove only)
SiS 900 PCI Fast Ethernet Adapter Driver
Sonic MyDVD-VR
Sound Blaster Live!
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SuperUtilities
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.4053
WebEx Support Manager for Internet Explorer
WebFldrs XP
WinAce Archiver
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Zoom ADSL Modem
Zoom ADSL Modem Status
==== Event Viewer Messages From Past Week ========
3/10/2010 8:36:08 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
==== End Of File ===========================
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-10 22:34:38
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\MARKMA~1\LOCALS~1\Temp\pxtdypoc.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xF79E0470]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xF79E0520]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xF79E05C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xF79E0660]
Code \??\C:\DOCUME~1\MARKMA~1\LOCALS~1\Temp\catchme.sys pIofCallDriver
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\ACPI \Device\00000050 832E40E0
Device \Driver\ACPI \Device\00000051 832E40E0
Device \Driver\ACPI \Device\00000052 832E40E0
Device \Driver\ACPI \Device\00000060 832E40E0
Device \Driver\ACPI \Device\00000061 832E40E0
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\ACPI \Device\00000062 832E40E0
Device \Driver\ACPI \Device\00000057 832E40E0
Device \Driver\ACPI \Device\00000064 832E40E0
Device \Driver\ACPI \Device\00000068 832E40E0
Device \Driver\ACPI \Device\00000069 832E40E0
Device \Driver\ACPI \Device\0000004c 832E40E0
Device \Driver\ACPI \Device\0000005a 832E40E0
Device \Driver\ACPI \Device\0000004d 832E40E0
Device \Driver\ACPI \Device\0000005b 832E40E0
Device \Driver\ACPI \Device\0000005c 832E40E0
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\ACPI \Device\0000005d 832E40E0
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\ACPI \Device\0000005e 832E40E0
Device \Driver\ACPI \Device\0000006a 832E40E0
Device \Driver\ACPI \Device\0000006b 832E40E0
Device \Driver\ACPI \Device\0000006c 832E40E0
AttachedDevice \FileSystem\Fastfat \Fat sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
---- EOF - GMER 1.0.15 ----
shelf life
2010-03-12, 04:08
OK, for this 'risky machine' as you called it we will get two more downloads. One is MBR.exe from GMER, the other from Kaspersky.
Use the Gmer exe first:
Please download MBR.exe from here. (http://www2.gmer.net/mbr/mbr.exe)
Save the file to your desktop and double click on it.
A new text file will appear on your desktop after running the utility. Copy/paste the text file results in your reply.
Next:
Please download TDSS Killer.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your desktop
Extract the zip file to your desktop
Double-click the TDSSkiller.exe to run.
A window will open.
When it's finished, press any key to continue.
If prompted, please reboot your computer.
Please post the report.txt that will be generated in your root C: (Local Disk).
It will be named TDSkiller.2.2.8_11.03.10 (version followed by date ran).
Post the txt file in reply please.
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x832ef240
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x82d12690
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0E4F8121
malicious code @ sector 0x0E4F8124 !
PE file found in sector at 0x0E4F813A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
23:19:09:390 2528 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
23:19:09:390 2528 ================================================================================
23:19:09:406 2528 SystemInfo:
23:19:09:406 2528 OS Version: 5.1.2600 ServicePack: 3.0
23:19:09:406 2528 Product type: Workstation
23:19:09:406 2528 ComputerName: MARK
23:19:09:406 2528 UserName: Mark MacKinnon
23:19:09:406 2528 Windows directory: C:\WINDOWS
23:19:09:406 2528 Processor architecture: Intel x86
23:19:09:406 2528 Number of processors: 1
23:19:09:406 2528 Page size: 0x1000
23:19:09:406 2528 Boot type: Normal boot
23:19:09:406 2528 ================================================================================
23:19:09:421 2528 UnloadDriverW: NtUnloadDriver error 2
23:19:09:421 2528 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:19:09:515 2528 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
23:19:09:515 2528 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:19:09:515 2528 wfopen_ex: Trying to KLMD file open
23:19:09:515 2528 wfopen_ex: File opened ok (Flags 2)
23:19:09:531 2528 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
23:19:09:531 2528 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:19:09:531 2528 wfopen_ex: Trying to KLMD file open
23:19:09:531 2528 wfopen_ex: File opened ok (Flags 2)
23:19:09:531 2528 Initialize success
23:19:09:531 2528
23:19:09:531 2528 Scanning Services ...
23:19:09:640 2528 GetAdvancedServicesInfo: Raw services enum returned 349 services
23:19:09:640 2528
23:19:09:640 2528 Scanning Kernel memory ...
23:19:09:640 2528 Devices to scan: 2
23:19:09:640 2528
23:19:09:640 2528 Driver Name: Disk
23:19:09:640 2528 IRP_MJ_CREATE : F7635BB0
23:19:09:640 2528 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
23:19:09:640 2528 IRP_MJ_CLOSE : F7635BB0
23:19:09:640 2528 IRP_MJ_READ : F762FD1F
23:19:09:656 2528 IRP_MJ_WRITE : F762FD1F
23:19:09:656 2528 IRP_MJ_QUERY_INFORMATION : 804FA88E
23:19:09:656 2528 IRP_MJ_SET_INFORMATION : 804FA88E
23:19:09:656 2528 IRP_MJ_QUERY_EA : 804FA88E
23:19:09:656 2528 IRP_MJ_SET_EA : 804FA88E
23:19:09:656 2528 IRP_MJ_FLUSH_BUFFERS : F76302E2
23:19:09:656 2528 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
23:19:09:656 2528 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
23:19:09:656 2528 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
23:19:09:656 2528 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
23:19:09:656 2528 IRP_MJ_DEVICE_CONTROL : F76303BB
23:19:09:656 2528 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7633F28
23:19:09:656 2528 IRP_MJ_SHUTDOWN : F76302E2
23:19:09:656 2528 IRP_MJ_LOCK_CONTROL : 804FA88E
23:19:09:656 2528 IRP_MJ_CLEANUP : 804FA88E
23:19:09:656 2528 IRP_MJ_CREATE_MAILSLOT : 804FA88E
23:19:09:656 2528 IRP_MJ_QUERY_SECURITY : 804FA88E
23:19:09:656 2528 IRP_MJ_SET_SECURITY : 804FA88E
23:19:09:656 2528 IRP_MJ_POWER : F7631C82
23:19:09:656 2528 IRP_MJ_SYSTEM_CONTROL : F763699E
23:19:09:656 2528 IRP_MJ_DEVICE_CHANGE : 804FA88E
23:19:09:656 2528 IRP_MJ_QUERY_QUOTA : 804FA88E
23:19:09:656 2528 IRP_MJ_SET_QUOTA : 804FA88E
23:19:09:687 2528 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:19:09:687 2528
23:19:09:687 2528 Driver Name: atapi
23:19:09:687 2528 IRP_MJ_CREATE : F75626F2
23:19:09:687 2528 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
23:19:09:687 2528 IRP_MJ_CLOSE : F75626F2
23:19:09:703 2528 IRP_MJ_READ : 804FA88E
23:19:09:703 2528 IRP_MJ_WRITE : 804FA88E
23:19:09:703 2528 IRP_MJ_QUERY_INFORMATION : 804FA88E
23:19:09:703 2528 IRP_MJ_SET_INFORMATION : 804FA88E
23:19:09:703 2528 IRP_MJ_QUERY_EA : 804FA88E
23:19:09:703 2528 IRP_MJ_SET_EA : 804FA88E
23:19:09:703 2528 IRP_MJ_FLUSH_BUFFERS : 804FA88E
23:19:09:703 2528 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
23:19:09:703 2528 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
23:19:09:703 2528 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
23:19:09:703 2528 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
23:19:09:703 2528 IRP_MJ_DEVICE_CONTROL : F7562712
23:19:09:703 2528 IRP_MJ_INTERNAL_DEVICE_CONTROL : F755E852
23:19:09:703 2528 IRP_MJ_SHUTDOWN : 804FA88E
23:19:09:703 2528 IRP_MJ_LOCK_CONTROL : 804FA88E
23:19:09:703 2528 IRP_MJ_CLEANUP : 804FA88E
23:19:09:703 2528 IRP_MJ_CREATE_MAILSLOT : 804FA88E
23:19:09:703 2528 IRP_MJ_QUERY_SECURITY : 804FA88E
23:19:09:703 2528 IRP_MJ_SET_SECURITY : 804FA88E
23:19:09:703 2528 IRP_MJ_POWER : F756273C
23:19:09:703 2528 IRP_MJ_SYSTEM_CONTROL : F7569336
23:19:09:703 2528 IRP_MJ_DEVICE_CHANGE : 804FA88E
23:19:09:703 2528 IRP_MJ_QUERY_QUOTA : 804FA88E
23:19:09:703 2528 IRP_MJ_SET_QUOTA : 804FA88E
23:19:09:718 2528 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
23:19:09:718 2528
23:19:09:718 2528 Completed
23:19:09:718 2528
23:19:09:718 2528 Results:
23:19:09:718 2528 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
23:19:09:718 2528 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:19:09:718 2528 File objects infected / cured / cured on reboot: 0 / 0 / 0
23:19:09:718 2528
23:19:09:718 2528 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
23:19:09:718 2528 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
23:19:09:718 2528 KLMD(ARK) unloaded successfully
shelf life
2010-03-14, 02:11
On this last machine we will get yet another download. It's another tool for rootkits. Link and directions:
Please download: RootRepeal
http://ad13.geekstogo.com/RootRepeal.exe
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan
May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply
Here is the RootRepeal report;
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/03/13 20:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF536E000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B5B000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB943E000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!
SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf78a0470
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf78a0520
#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf78a05c0
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf78a0660
Stealth Objects
-------------------
Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x830c1850 Size: 1968
==EOF==
Thanks for your help Shelf life!
shelf life
2010-03-14, 19:45
OK, both say MBR rootkits. How do you feel about reinstalling Windows on this machine? Another solution would be to re-write a new MBR from the recovery console. Do you have the original installation (Windows) media? Keep this machine off your local network and the internet.
Some somewhat old info about rootkits. The first one doesn't mention them as rootkits, but it all still applies.
http://technet.microsoft.com/en-us/library/cc512587.aspx
http://technet.microsoft.com/en-us/library/cc512642.aspx
Thanks Shelf life.
I do have the original XP Home install disk, and based on the first link it would appear that a complete wipe and reinstall is the only 100% safe way to eradicate the rootkit?
I would prefer a less drastic method, as my original disk is about 5-6yrs old, so there is a ton of patching/updates to go through, and then reinstalling software.
Rewriting the MBR via the recovery console would appear to be a less painful fix, but would the vulnerabilities (hidden backdoors, etc) discussed in the first link still be present?
If the first option, reformat and reinstall XP, is the way to go, are there any scanners that can check individual files for malware so that I can copy some files off the machine to avoid losing them?
I have kept this machine off the local network and off the internet since we started this process and have had no more warnings from the DSL provider so it is pretty clear this one is the bad apple.
shelf life
2010-03-16, 01:01
Thanks for all the info.
this one is the bad apple
Based on the gmer and root repeal log, yes; another tip was all the open ports in the combofix log.
Yes, a reformat/reinstall would be the safest in the case of rootkits.
You're right, just to get all the Windows updates would be a massive download.
A rewrite of the MBR would be pretty easy and quick to do.
but would the vulnerabilities (hidden backdoors, etc) discussed in the first link still be present?
Yes it is possible.
scanners that can check individual files for malware so that I can copy some files off the machine to avoid losing them?
Yes, most scanners can. If you use a USB drive or external drive, then before you move them to another machine you should disable autorun first, before plugging it in. Some malware can get transferred via these drives from one computer to another. The default is to read the autorun.ini file on the device, which will execute any malware;
autorun.ini
autorun=
virus.exe
Not saying you have malware that can do this, it's just a precaution.
I have kept this machine off the local network and off the internet since we started
good, good and more good.
Let me know what you want to do and we will proceed.
disable autorun (http://research.pandasecurity.com/Panda-USB-and-AutoRun-Vaccine/)
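The autorun mechanism described in the post above, as an added example that is not part of the thread: a Python script (mine, not any tool mentioned here) that parses the autorun.inf a removable drive carries (the post calls it autorun.ini) and lists every directive that would launch a program, so a defender can see what the drive would have started before auto-run gets the chance. The sample file contents are constructed.

```python
import configparser

# Constructed sample in the shape the post describes: a removable drive whose
# autorun.inf points at an executable dropped on the same drive.
SAMPLE_AUTORUN_INF = """
[autorun]
open=virus.exe
shellexecute=virus.exe
shell\\open\\command=virus.exe
icon=setup.ico
label=Vacation Photos
"""

# Constructed benign sample: only cosmetic directives, nothing to execute.
SAMPLE_BENIGN_INF = """
[AutoRun]
icon=drive.ico
label=Backup Drive
"""

# Directives that run a program directly when the drive is inserted.
EXEC_DIRECTIVES = ("open", "shellexecute")


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section (section and key names lower-cased), or {} if absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:      # not INI-shaped at all: nothing Windows would act on
        return {}
    for section in parser.sections():
        if section.lower() == "autorun":     # Windows matches the header case-insensitively
            return {k.lower(): v for k, v in parser.items(section)}
    return {}


def launch_targets(autorun: dict) -> list:
    """List (directive, target) pairs that would start a program from the drive."""
    targets = []
    for key, value in autorun.items():
        # open/shellexecute run on insert; shell\<verb>\command installs a verb that
        # runs when the drive is opened from Explorer.
        if key in EXEC_DIRECTIVES or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value.strip()))
    return targets


def assess(text: str) -> dict:
    """Classify autorun.inf contents: 'executes', 'cosmetic' (icon/label only) or 'none'."""
    autorun = parse_autorun(text)
    targets = launch_targets(autorun)
    return {"has_autorun_section": bool(autorun),
            "launch_targets": targets,
            "risk": "executes" if targets else ("cosmetic" if autorun else "none")}


if __name__ == "__main__":
    for name, sample in (("suspect", SAMPLE_AUTORUN_INF), ("benign", SAMPLE_BENIGN_INF)):
        print(name, assess(sample))
```

Read the file from the root of an untrusted drive on a machine that already has autorun disabled, as the post recommends; the script only reads the file and never runs what it names.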
Thanks much for the feedback Shelf life,
I am inferring from your reply that, in most cases, rewriting the MBR poses a minimal risk to reinfection, but not zero risk?
My concern here, and please educate me if I am missing something as I have next to zero knowledge of these issues, is that my 'infection' is fairly sophisticated and the possible exposure to some of the less likely (hidden backdoors for one) undesirable outcomes of an MBR rewrite is higher than one would normally expect. I am basing this on a couple of observations:
1. Prior to being alerted by my DSL provider, I had no indication of anything wrong. No strange popups or mysterious website redirects. And no blocking of sites such as spybot, etc., and the computer, though slow on occasion, did not show any really strange behaviours.
2. The DSL provider indicated that the malicious activity was being reported by other users(?), indicating some level of sophistication in what was done to my computer and what the real intent was?
I am by no means asking for a guarantee that the MBR rewrite has very little risk, I just am curious as to whether my info/condition and results indicate that what infected this computer is more than the 'common cold' in the world of malware.
Last question;
If I use a CD/DVD to move the files I wish to save (if I choose the wipe and reinstall XP option), then I should run the Panda vaccination on the machine that will be 'receiving' the questionable files, in order to avoid a hidden transfer of malware? If I use a USB pen drive, then I would run the Panda vaccine onto the USB drive?
And again, very heartfelt thanks for your time and patience with me and my problems. I am now off the precipice of losing internet access, and have learned a great deal on how many perils exist on the internet.
shelf life
2010-03-18, 02:47
hi,
It's a good thing that most malware is rather "noisy"; this is one way that people can notice something's wrong. Rootkits can be 'stealthy', going undetected by traditional antivirus/malware scanners. They are also rather new to the Windows OS and are on the increase, so yes, I would consider rootkits more serious/sophisticated than the usual malware one can get. More than a common cold anyway.
Normally when one has a rootkit there is also other malware on board. I don't recognize any other malware in this case. Both Gmer and Root Repeal flagged an MBR rootkit, which is good enough evidence, although any is capable of false positives.
Not sure what your ISP meant by 'other users'; maybe you were sending out spam.
We can get one more tool from Gmer:
Please download MBR.exe from:
http://www2.gmer.net/mbr/mbr.exe
Save the file to your desktop and double click on it.
A new text file will appear on your desktop, created by the tool. Copy and paste that file in your reply.
We can also use the tool to rewrite a new MBR.
rewriting the MBR poses a minimal risk to reinfection, but not zero risk
It's not zero risk because there is no guarantee that everything was removed or that other OS files etc. are not modified. Let's see what this new gmer tool yields.
You would put the Panda tool on the computer that will receive the USB drive and it should run automatically when you insert the USB drive.
You're welcome, no problem.
Thanks Shelf life,
I tried to run that gmer tool last night, but I am thinking it was not working correctly. When I double-clicked, a window popped up and closed so fast I could not read it, and there is no log/window that either stays up or comes up later?
I will try it again tonight in safe mode, unless you recommend otherwise.
Thanks
Hi Shelf life,
I guess the gmer tool did run correctly, I just did not see the results log. So here it is;
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x832ef240
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x82d12690
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0E4F8121
malicious code @ sector 0x0E4F8124 !
PE file found in sector at 0x0E4F813A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
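Shelf life's point earlier in the thread that two independent tools agreeing (mbr.exe and RootRepeal both flagging an MBR rootkit) is stronger evidence than either alone, since any one scanner can produce a false positive, as a worked example added here. This is my code, not the Gmer or RootRepeal tools or anything from the thread: it parses reports in the shape of the two logs quoted above and produces one combined verdict. The sample report strings are constructed from the quoted logs; the wording of a clean mbr.exe run is assumed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input mirroring the mbr.exe report quoted in this thread
# (sector numbers and hook addresses copied from it).
MBR_EXE_REPORT = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x832ef240
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x82d12690
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0E4F8121
malicious code @ sector 0x0E4F8124 !
PE file found in sector at 0x0E4F813A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""
# Constructed report with no findings (the wording of a clean run is assumed).
MBR_EXE_CLEAN = "user: MBR read successfully\nkernel: MBR read successfully\nuser & kernel MBR OK\n"

# Constructed excerpt in the shape of the RootRepeal report quoted above.
ROOTREPEAL_REPORT = r"""
Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!
SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf78a0470
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf78a0520
Stealth Objects
-------------------
Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x830c1850 Size: 1968
==EOF==
"""

SECTIONS = {"Drivers", "Hidden/Locked Files", "SSDT", "Stealth Objects"}
HOOK_RE = re.compile(r"^(.*?)\s+->\s+(0x[0-9A-Fa-f]+)\s*$")
SECTOR_RE = re.compile(r"(copy of MBR has been found in sector|malicious code @ sector|"
                       r"PE file found in sector at)\s+(0x[0-9A-Fa-f]+)")
SECTOR_KEYS = {"copy of MBR has been found in sector": "mbr_copy",
               "malicious code @ sector": "malicious_code",
               "PE file found in sector at": "pe_file"}
SSDT_HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)')


@dataclass
class MbrExeResult:
    infected: bool
    hooks: list = field(default_factory=list)    # (hooked object, address)
    sectors: dict = field(default_factory=dict)  # evidence name -> sector number


@dataclass
class RootRepealResult:
    mbr_rootkit: bool = False
    ssdt_hooks: list = field(default_factory=list)       # (function, module path, address)
    stealth_objects: list = field(default_factory=list)


def parse_mbr_exe(report: str) -> MbrExeResult:
    """Pull the verdict, hooked handlers and flagged sectors out of mbr.exe output."""
    result = MbrExeResult(infected="MBR rootkit infection detected" in report)
    for line in report.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:  # everything before the final "->" names the hooked object
            result.hooks.append((m.group(1), int(m.group(2), 16)))
            continue
        m = SECTOR_RE.search(line)
        if m:
            result.sectors[SECTOR_KEYS[m.group(1)]] = int(m.group(2), 16)
    return result


def parse_rootrepeal(report: str) -> RootRepealResult:
    """Walk the RootRepeal sections that matter here: hidden files, SSDT, stealth objects."""
    result, section, function = RootRepealResult(), None, None
    for line in report.splitlines():
        line = line.strip()
        if line in SECTIONS:
            section = line
        elif section == "Hidden/Locked Files" and "MBR Rootkit Detected" in line:
            result.mbr_rootkit = True
        elif section == "SSDT" and "Function Name:" in line:
            function = line.split("Function Name:", 1)[1].strip()
        elif section == "SSDT" and function and (m := SSDT_HOOK_RE.search(line)):
            result.ssdt_hooks.append((function, m.group(1), int(m.group(2), 16)))
        elif section == "Stealth Objects" and line.startswith("Object:"):
            result.stealth_objects.append(line[len("Object:"):].strip())
    return result


def corroborate(mbr: MbrExeResult, rr: RootRepealResult) -> dict:
    """Combine two independent tools into one verdict; one tool alone may be a false positive."""
    flagged_by = [name for name, hit in (("mbr.exe", mbr.infected),
                                         ("RootRepeal", rr.mbr_rootkit)) if hit]
    verdict = {2: "corroborated", 1: "unconfirmed"}.get(len(flagged_by), "clean")
    # SSDT hooks are reported by module name so the analyst can separate a known
    # security product (AVGIDSShim.sys belongs to AVG) from an unexpected driver.
    modules = sorted({path.rsplit("\\", 1)[-1] for _, path, _ in rr.ssdt_hooks})
    return {"verdict": verdict, "flagged_by": flagged_by, "flagged_sectors": dict(mbr.sectors),
            "ssdt_hook_modules": modules, "stealth_objects": list(rr.stealth_objects)}


if __name__ == "__main__":
    for key, value in corroborate(parse_mbr_exe(MBR_EXE_REPORT),
                                  parse_rootrepeal(ROOTREPEAL_REPORT)).items():
        print(f"{key}: {value}")
```

The verdict deliberately stops at "corroborated" or "unconfirmed": the script points the analyst at the flagged sectors and hooking modules, and the decision to rewrite the MBR or reinstall stays with the person reading the logs, as in the thread.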
shelf life
2010-03-20, 17:47
I would still pull off any content you don't want to lose before continuing. Even though writing a new MBR shouldn't cause any problems, it's a just-in-case really.
OK, to write a new MBR using the Windows installation media:
Insert the CD or DVD into the drive and restart your computer.
If upon restart it boots back into Windows then you will have to change the device boot order in the BIOS.
If it boots off the CD:
Setup will load. From the options choose:
Repair using recovery console, Press R
Forget that; look here (http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/) instead.
Hi Shelf life,
I will attempt the rewrite of the MBR, but I am going to leave the infected machine off the network until I finish my taxes.
From my online research, again thanks for the links you have provided, it would appear that I was infected due to some deficiency in my total protection system. I had all the XP updates installed, along with an updated Firefox browser, and the XP firewall active, so I am not sure what happened. Also it would appear that none of the current mainstream anti-virus/anti-malware programs would have stopped it. (Neither AVG nor Spybot could find anything, yet my ISP provider was reporting malicious activity.)
Could an old non-updated Java version have allowed the rootkit in?
What I am after is not only cleaning the machine but any sort of 'CSI' clues that would indicate which 'weakness' allowed this to happen. Lacking this info, I am hesitant to put the machine back into the network, lest the same infection occur again.
Any insight is much appreciated.
Thanks
shelf life
2010-03-22, 04:00
A single trojan could fetch a rootkit. Standard antimalware software could remove common malware and miss the rootkit. Malware is either user installed (unknowingly) or installed via a vulnerability in your OS, browser or software. The user installed ways, social engineering tricks are limitless.
an old non updated Java version have allowed the rootkit in
It's possible; any outdated software that interacts with a web site could be vulnerable. Adobe products are popular targets.
See link (http://www.virusvault.us/ways.html)
I will try to find some interesting links for you to read.