Antivirus Doctor, redirection and more
Hello,
Computer began indicating there was a threat and directed to an antispyware removal site. It also turned off Windows Firewall and caused strange messages from AVG. Browser was redirecting and was unable to control internet. Had many bogus warnings and popups appear.
After disabling some startup commands, was able to regain internet, ran MBAM and removed many infections.
Even so, computer is running very slowly and browser is still sometimes redirecting. Spybot does not finish scan, but crashes. I tried posting this to the forums but it wouldn't let me, so I am posting from another machine. I have run ERUNT and am posting DDS files.
Thank you for your assistance.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Richard at 22:39:45.54 on 03/05/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1883 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Documents and Settings\Richard\Desktop\dds.scr
C:\WINDOWS\system32\HPBPRO.EXE
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.ca/
uDefault_Page_URL = hxxp://www.dell.ca/myway
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ConnectionManager] c:\program files\winsim\connectionmanager\Simply.SystemTrayIcon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\documents and settings\richard\start menu\programs\startup\Antimalware Doctor.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141915787625
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230399775572
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-27 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-27 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-27 108552]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-5-5 16984]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-27 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-27 297752]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-9-24 9232]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\connectionmanager\SimplyConnectionManager.exe [2009-4-7 16680]
S2 Norstart;Norstar TSP Launcher;Norstart.exe --> Norstart.exe [?]
S3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2001-9-24 176208]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060308.007\NAVENG.sys [2006-3-9 77864]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060308.007\NAVEX15.sys [2006-3-9 750952]
S3 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-9-24 454656]
=============== Created Last 30 ================
2085-05-11 15:31:42 0 d-----w- c:\windows\pss
2040-05-10 15:26:49 63 ----a-w- c:\windows\SOFTERM.INI
2040-05-10 15:24:42 0 d-----w- c:\program files\Softronics
2040-05-10 15:24:21 0 d-----w- c:\documents and settings\richard\WINDOWS
2010-05-04 01:06:54 0 d-----w- c:\program files\ESET
2010-05-03 14:44:16 17664 ----a-w- c:\windows\system32\drivers\sermouse.sys
2010-05-03 14:44:16 17664 ----a-w- c:\windows\system32\dllcache\sermouse.sys
2010-04-30 19:21:53 0 d-----w- c:\docume~1\richard\applic~1\0C4F25E5B97220179BE6E847CBD2114D
2010-04-22 19:24:31 43264 ------w- c:\windows\system32\drivers\ser2pl.sys
2010-04-22 18:53:00 0 d-----w- c:\program files\Nortel Networks
==================== Find3M ====================
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 16:07:45 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-23 05:20:02 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
1998-12-21 14:39:20 573386 ------w- c:\program files\100Install.pdf
============= FINISH: 22:41:17.98 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 09/03/2006 9:22:09 AM
System Uptime: 05/03/2010 10:19:07 PM (1416 hours ago)
Motherboard: Dell Inc. | | 0JC474
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 71 GiB total, 52.372 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1: 03/05/2010 7:25:12 PM - System Checkpoint
==== Installed Programs ======================
Active WebCam
Active WebCam Viewer
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Atomic Clock Sync
AVG 8.5
BDE Setup (Map Version)
Compatibility Pack for the 2007 Office system
Corel Photo Album 6
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell System Restore
DellSupport
Digital Content Portal
ERUNT 1.1j
ESET Online Scanner v3
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
hp LaserJet 1010 Series
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Malwarebytes' Anti-Malware
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft MapPoint North America 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSN
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MySQL Connector/ODBC 3.51
Norstar CTA 100 Driver
Norstar CTE Toolkit
Norstar Personal Call Manager
Norstar TSP Toolkit
Norton AntiVirus Corporate Edition
Octoshape add-in for Adobe Flash Player
PL-2303 USB-to-Serial
QuickTime
RealPlayer
Santa's Breakout Demo
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Segoe UI
Simply Accounting by Sage 2009
Softerm Modular
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SpeedFan (remove only)
Spybot - Search & Destroy
Symantec pcAnywhere
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WordPerfect Office 12
==== End Of File ===========================
I should note that I also tried to run GMER and the entire system crashed with the Blue Screen of Death. It stated Page Fault in Non_paged area in the following file: pwtdapod.sys.
Hi,
Please try to run GMER by having "sections" checked and other options unchecked.
Here is the GMER log. I was able to run it with all checked but "FILES". The longer the computer is on, the slower it gets.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 20:47:52
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Richard\LOCALS~1\Temp\pwtdapod.sys
---- User code sections - GMER 1.0.15 ----
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[204] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 07262862
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[204] WS2_32.dll!send 71AB4C27 5 Bytes JMP 072626EE
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[204] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 072627E0
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[204] WS2_32.dll!recv 71AB676F 5 Bytes JMP 07262726
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[204] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0726275E
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[280] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FA2862
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[280] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FA26EE
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[280] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FA27E0
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[280] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FA2726
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[280] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FA275E
.text C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe[928] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 012A2862
.text C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe[928] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012A26EE
.text C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe[928] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012A27E0
.text C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe[928] WS2_32.dll!recv 71AB676F 5 Bytes JMP 012A2726
.text C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe[928] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 012A275E
.text C:\WINDOWS\System32\svchost.exe[1104] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1104] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1104] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[1104] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F0000A
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1712] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F72862
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1712] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F726EE
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1712] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F727E0
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1712] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F72726
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1712] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F7275E
.text C:\WINDOWS\Explorer.EXE[1772] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1772] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
.text C:\WINDOWS\Explorer.EXE[1772] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1940] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D62862
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1940] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D626EE
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1940] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D627E0
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1940] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D62726
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1940] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D6275E
.text C:\Program Files\Symantec\pcAnywhere\awhost32.exe[1960] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01DA2862
.text C:\Program Files\Symantec\pcAnywhere\awhost32.exe[1960] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01DA26EE
.text C:\Program Files\Symantec\pcAnywhere\awhost32.exe[1960] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01DA27E0
.text C:\Program Files\Symantec\pcAnywhere\awhost32.exe[1960] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01DA2726
.text C:\Program Files\Symantec\pcAnywhere\awhost32.exe[1960] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01DA275E
.text C:\Program Files\NavNT\defwatch.exe[2044] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01072862
.text C:\Program Files\NavNT\defwatch.exe[2044] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010726EE
.text C:\Program Files\NavNT\defwatch.exe[2044] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010727E0
.text C:\Program Files\NavNT\defwatch.exe[2044] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01072726
.text C:\Program Files\NavNT\defwatch.exe[2044] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0107275E
.text C:\WINDOWS\system32\wuauclt.exe[2332] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B8000A
.text C:\WINDOWS\system32\wuauclt.exe[2332] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\wuauclt.exe[2332] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[2564] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E72862
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[2564] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E726EE
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[2564] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E727E0
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[2564] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E72726
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[2564] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E7275E
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe[2624] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EB2862
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe[2624] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EB26EE
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe[2624] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EB27E0
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe[2624] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EB2726
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe[2624] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EB275E
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2760] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 009A2862
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2760] WS2_32.dll!send 71AB4C27 5 Bytes JMP 009A26EE
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2760] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 009A27E0
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2760] WS2_32.dll!recv 71AB676F 5 Bytes JMP 009A2726
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2760] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 009A275E
.text C:\WINDOWS\system32\igfxpers.exe[2768] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 013B2862
.text C:\WINDOWS\system32\igfxpers.exe[2768] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013B26EE
.text C:\WINDOWS\system32\igfxpers.exe[2768] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 013B27E0
.text C:\WINDOWS\system32\igfxpers.exe[2768] WS2_32.dll!recv 71AB676F 5 Bytes JMP 013B2726
.text C:\WINDOWS\system32\igfxpers.exe[2768] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 013B275E
.text C:\WINDOWS\system32\hkcmd.exe[2788] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B82862
.text C:\WINDOWS\system32\hkcmd.exe[2788] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B826EE
.text C:\WINDOWS\system32\hkcmd.exe[2788] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B827E0
.text C:\WINDOWS\system32\hkcmd.exe[2788] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B82726
.text C:\WINDOWS\system32\hkcmd.exe[2788] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B8275E
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2832] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010F2862
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2832] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010F26EE
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2832] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010F27E0
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2832] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010F2726
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2832] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010F275E
.text C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe[2928] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03B02862
.text C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe[2928] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03B026EE
.text C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe[2928] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03B027E0
.text C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe[2928] WS2_32.dll!recv 71AB676F 5 Bytes JMP 03B02726
.text C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe[2928] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 03B0275E
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3112] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DE2862
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3112] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DE26EE
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3112] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DE27E0
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3112] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DE2726
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[3112] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DE275E
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe[3216] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 090E2862
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe[3216] WS2_32.dll!send 71AB4C27 5 Bytes JMP 090E26EE
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe[3216] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 090E27E0
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe[3216] WS2_32.dll!recv 71AB676F 5 Bytes JMP 090E2726
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe[3216] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 090E275E
.text C:\WINDOWS\system32\ctfmon.exe[3416] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DF2862
.text C:\WINDOWS\system32\ctfmon.exe[3416] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DF26EE
.text C:\WINDOWS\system32\ctfmon.exe[3416] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DF27E0
.text C:\WINDOWS\system32\ctfmon.exe[3416] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DF2726
.text C:\WINDOWS\system32\ctfmon.exe[3416] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DF275E
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3492] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01272862
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3492] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012726EE
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3492] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012727E0
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3492] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01272726
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3492] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0127275E
.text C:\Documents and Settings\Richard\Desktop\gmer.exe[3500] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01112862
.text C:\Documents and Settings\Richard\Desktop\gmer.exe[3500] WS2_32.dll!send 71AB4C27 5 Bytes JMP 011126EE
.text C:\Documents and Settings\Richard\Desktop\gmer.exe[3500] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011127E0
.text C:\Documents and Settings\Richard\Desktop\gmer.exe[3500] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01112726
.text C:\Documents and Settings\Richard\Desktop\gmer.exe[3500] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0111275E
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[3548] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01052862
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[3548] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010526EE
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[3548] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010527E0
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[3548] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01052726
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[3548] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0105275E
.text C:\WINDOWS\System32\alg.exe[3988] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DF2862
.text C:\WINDOWS\System32\alg.exe[3988] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DF26EE
.text C:\WINDOWS\System32\alg.exe[3988] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DF27E0
.text C:\WINDOWS\System32\alg.exe[3988] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DF2726
.text C:\WINDOWS\System32\alg.exe[3988] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DF275E
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \FileSystem\Fastfat \Fat 9CC5ED20
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A954EE4
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3D9800
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
Thank you.
Hi again,
Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New DDS log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Hello, I ran the scans and the machine is running much better already. Here are the logs. Thank you.
ComboFix 10-05-10.05 - Richard 11/05/2010 19:20:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.2065 [GMT -4:00]
Running from: c:\documents and settings\Richard\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Richard\Application Data\0C4F25E5B97220179BE6E847CBD2114D
c:\documents and settings\Richard\Application Data\0C4F25E5B97220179BE6E847CBD2114D\enemies-names.txt
c:\documents and settings\Richard\Application Data\0C4F25E5B97220179BE6E847CBD2114D\lsrslt.ini
c:\documents and settings\Richard\Start Menu\Programs\Antimalware Doctor
c:\documents and settings\Richard\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\documents and settings\Richard\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
Infected copy of c:\windows\system32\drivers\isapnp.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.
2085-05-10 19:21 . 2085-05-10 19:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2040-05-10 15:24 . 2040-05-10 15:24 -------- d-----w- c:\program files\Softronics
2040-05-10 15:24 . 2040-05-10 15:24 -------- d-----w- c:\documents and settings\Richard\WINDOWS
2010-05-04 02:38 . 2010-05-04 02:38 -------- d-----w- c:\program files\ERUNT
2010-05-04 01:06 . 2010-05-04 01:06 -------- d-----w- c:\program files\ESET
2010-05-03 19:49 . 2010-05-03 19:49 81728 ----a-w- c:\documents and settings\Mobile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-03 14:44 . 2001-08-17 17:48 17664 ----a-w- c:\windows\system32\drivers\sermouse.sys
2010-05-03 14:44 . 2001-08-17 17:48 17664 ----a-w- c:\windows\system32\dllcache\sermouse.sys
2010-04-30 19:54 . 2010-04-30 19:54 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-04-30 19:54 . 2010-05-03 19:50 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-04-30 19:54 . 2010-04-30 19:54 -------- d-----w- c:\documents and settings\HelpAssistant\Tracing
2010-04-30 19:54 . 2010-04-30 19:54 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-04-30 19:50 . 2010-04-30 19:50 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-04-30 19:50 . 2010-04-30 19:50 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-04-30 19:22 . 2010-05-03 15:38 -------- d-----w- c:\documents and settings\Richard\Local Settings\Application Data\majhgqhvg
2010-04-30 14:19 . 2010-04-30 14:19 13407072 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-04-22 19:24 . 2003-07-16 18:27 43264 ------w- c:\windows\system32\drivers\ser2pl.sys
2010-04-14 17:04 . 2010-04-14 17:04 666112 ----a-w- c:\documents and settings\Richard\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1003220-0-main.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 17:44 . 2009-08-18 18:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 19:39 . 2009-08-18 18:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-08-18 18:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 16:07 . 2009-08-12 19:24 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-23 16:07 . 2009-08-12 19:24 56 --sh--r- c:\windows\system32\F535003831.sys
2010-04-22 19:31 . 2010-04-22 18:53 -------- d-----w- c:\program files\Nortel Networks
2010-04-22 19:24 . 2006-01-06 19:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 09:49 . 2010-03-14 08:32 439816 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\setup.exe
2010-03-30 14:20 . 2010-03-30 14:18 20846064 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-19 15:17 . 2006-03-09 15:20 81728 ----a-w- c:\documents and settings\Richard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-19 15:16 . 2010-03-19 15:16 -------- d-----w- c:\program files\Microsoft
2010-03-19 15:16 . 2010-03-19 15:15 -------- d-----w- c:\program files\Windows Live
2010-03-19 15:16 . 2010-03-19 15:16 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-19 15:11 . 2010-03-19 15:11 -------- d-----w- c:\program files\Common Files\Windows Live
2010-03-14 16:34 . 2010-03-14 16:34 8405312 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-14 16:33 . 2010-03-14 16:33 149000 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-14 16:33 . 2010-03-14 16:33 283280 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-14 16:33 . 2010-03-14 16:33 181768 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-14 16:33 . 2010-03-14 16:33 79368 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-14 16:33 . 2010-03-14 16:33 64000 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-14 16:33 . 2010-03-14 16:33 52288 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-14 16:33 . 2010-03-14 16:33 50688 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-14 16:33 . 2010-03-14 16:33 49152 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-14 16:33 . 2010-03-14 16:33 118784 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-11 12:38 . 2004-08-11 23:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-11-27 17:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-11 23:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-11 23:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2006-01-06 19:19 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-08-11 23:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 04:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-11 23:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-11 23:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
1998-12-21 14:39 . 2010-04-22 18:53 573386 ------w- c:\program files\100Install.pdf
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-04-01 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ConnectionManager"="c:\program files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2008-09-19 87336]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-06 98304]
c:\documents and settings\Richard\Start Menu\Programs\Startup\
Antimalware Doctor.lnk.disabled [2010-4-30 1196]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 16:01 8704 ----a-w- c:\windows\system32\PCANotify.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" /startup
"gotnewupdate.exe"=c:\documents and settings\Richard\Application Data\0C4F25E5B97220179BE6E847CBD2114D\gotnewupdate.exe
"ylwmqtmd"=c:\documents and settings\Richard\Local Settings\Application Data\majhgqhvg\smbgfgbtssd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcanywhere\\Winaw32.exe"=
"c:\\Program Files\\Symantec\\pcanywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcanywhere\\awrem32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Active WebCam\\WebCam.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Richard\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"6440:TCP"= 6440:TCP:Services
"6441:TCP"= 6441:TCP:Services
"7475:TCP"= 7475:TCP:Services
"7476:TCP"= 7476:TCP:Services
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/12/2008 2:11 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27/12/2008 2:11 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [27/12/2008 2:11 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [27/12/2008 2:11 PM 297752]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\ConnectionManager\SimplyConnectionManager.exe [07/04/2009 11:15 AM 16680]
S2 Norstart;Norstar TSP Launcher;Norstart.exe --> Norstart.exe [?]
.
Contents of the 'Scheduled Tasks' folder
2006-03-09 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-11 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
.
- - - - ORPHANS REMOVED - - - -
AddRemove-Active WebCam - c:\program files\Active WebCam\PY_UNINSTAL.EXE SOFTWARE\PySoft\Act_WebCam
AddRemove-Active WebCam Viewer - c:\windows\system32\PY_UNINSTAL.EXE SOFTWARE\PySoft\Act_WebCam\Viewer
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-11 19:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A6AECB8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> 0x8a6aecb8
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\NavLogon.dll
.
Completion time: 2010-05-11 19:30:21
ComboFix-quarantined-files.txt 2010-05-11 23:30
Pre-Run: 55,935,000,576 bytes free
Post-Run: 56,719,187,968 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - BF9ECB74081DAD2DAC61CD0F1F3D0437
DDS (Ver_10-03-17.01) - NTFSx86
Run by Richard at 19:36:13.37 on 11/05/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1945 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Richard\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ConnectionManager] c:\program files\winsim\connectionmanager\Simply.SystemTrayIcon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\documents and settings\richard\start menu\programs\startup\Antimalware Doctor.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141915787625
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230399775572
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-27 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-27 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-27 108552]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-5-5 16984]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-27 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-27 297752]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-9-24 9232]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\connectionmanager\SimplyConnectionManager.exe [2009-4-7 16680]
S2 Norstart;Norstar TSP Launcher;Norstart.exe --> Norstart.exe [?]
S3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2001-9-24 176208]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060308.007\NAVENG.sys [2006-3-9 77864]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060308.007\NAVEX15.sys [2006-3-9 750952]
S3 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-9-24 454656]
=============== Created Last 30 ================
2085-05-11 15:31:42 0 d-----w- c:\windows\pss
2040-05-10 15:26:49 63 ----a-w- c:\windows\SOFTERM.INI
2040-05-10 15:24:42 0 d-----w- c:\program files\Softronics
2040-05-10 15:24:21 0 d-----w- c:\documents and settings\richard\WINDOWS
2010-05-11 23:13:36 0 d-sha-r- C:\cmdcons
2010-05-11 23:03:46 98816 ----a-w- c:\windows\sed.exe
2010-05-11 23:03:46 77312 ----a-w- c:\windows\MBR.exe
2010-05-11 23:03:46 256512 ----a-w- c:\windows\PEV.exe
2010-05-11 23:03:46 161792 ----a-w- c:\windows\SWREG.exe
2010-05-04 01:06:54 0 d-----w- c:\program files\ESET
2010-05-03 14:44:16 17664 ----a-w- c:\windows\system32\drivers\sermouse.sys
2010-05-03 14:44:16 17664 ----a-w- c:\windows\system32\dllcache\sermouse.sys
2010-04-22 19:24:31 43264 ------w- c:\windows\system32\drivers\ser2pl.sys
2010-04-22 18:53:00 0 d-----w- c:\program files\Nortel Networks
==================== Find3M ====================
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 16:07:45 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-23 05:20:02 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
1998-12-21 14:39:20 573386 ------w- c:\program files\100Install.pdf
============= FINISH: 19:36:32.75 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 09/03/2006 9:22:09 AM
System Uptime: 05/11/2010 7:18:49 PM (-4272 hours ago)
Motherboard: Dell Inc. | | 0JC474
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 71 GiB total, 52.844 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1: 03/05/2010 7:25:12 PM - System Checkpoint
RP2: 11/05/2010 7:06:06 PM - ComboFix created restore point
==== Installed Programs ======================
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Atomic Clock Sync
AVG 8.5
BDE Setup (Map Version)
Compatibility Pack for the 2007 Office system
Corel Photo Album 6
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell System Restore
DellSupport
Digital Content Portal
ERUNT 1.1j
ESET Online Scanner v3
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
hp LaserJet 1010 Series
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Malwarebytes' Anti-Malware
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft MapPoint North America 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSN
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MySQL Connector/ODBC 3.51
Norstar CTA 100 Driver
Norstar CTE Toolkit
Norstar Personal Call Manager
Norstar TSP Toolkit
Norton AntiVirus Corporate Edition
Octoshape add-in for Adobe Flash Player
PL-2303 USB-to-Serial
QuickTime
RealPlayer
Santa's Breakout Demo
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Segoe UI
Simply Accounting by Sage 2009
Softerm Modular
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SpeedFan (remove only)
Spybot - Search & Destroy
Symantec pcAnywhere
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WordPerfect Office 12
==== End Of File ===========================
Hi,
Please download HelpAsst_mebroot_fix.exe (http://noahdfear.net/downloads/HelpAsst/HelpAsst_mebroot_fix.exe) and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.
helpasst -mbrt
Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.
*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.
mbr -f
Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.
helpasst -mbrt
Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.
**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
C:\Documents and Settings\Richard\Desktop\HelpAsst_mebroot_fix.exe
12/05/2010 at 10:42:13.54
HelpAssistant account is Active ~ attempting to de-activate
Account active Yes
Local Group Memberships *Administrators
HelpAssistant successfully set Inactive
~~ Checking for termsrv32.dll ~~
termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll
~~ Checking firewall ports ~~
backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports
HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"6440:TCP"=-
"6441:TCP"=-
"7475:TCP"=-
"7476:TCP"=-
"3085:TCP"=-
"4670:TCP"=-
backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports
HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"6440:TCP"=-
"6441:TCP"=-
"7475:TCP"=-
"7476:TCP"=-
"4670:TCP"=-
"3085:TCP"=-
~~ Checking profile list ~~
HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-2980887014-2906947648-1817360126-1004
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~
~~ Checking mbr ~~
mbr infection detected! ~ running mbr -f
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Status check on 12/05/2010 at 11:10:55.01
Account active No
Local Group Memberships
~~ Checking mbr ~~
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
~~ Checking for termsrv32.dll ~~
termsrv32.dll not found
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll
~~ Checking profile list ~~
No HelpAssistant profile in registry
~~ Checking for HelpAssistant directories ~~
none found
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
~~ EOF ~~
Thank you.
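The HelpAsst log posted above follows a fixed format, so the indicators the tool reports (HelpAssistant account state and group membership, termsrv32.dll presence, the GloballyOpenPorts entries it closed per firewall profile, and the MBR detector verdicts before and after mbr -f) can be pulled out automatically. The Python below is an added example, not part of this thread or of the HelpAsst tool; its sample input is constructed from the log lines in this thread, and the parser and summary are an assumed design, not the tool's own logic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the HelpAsst_mebroot_fix log format used in this thread.
SAMPLE_LOG = r"""
HelpAssistant account is Active ~ attempting to de-activate
Account active Yes
Local Group Memberships *Administrators
termsrv32.dll present! ~ attempting to remove
~~ Checking firewall ports ~~
backing up DomainProfile\GloballyOpenPorts\List registry key
HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
~~ Checking mbr ~~
mbr infection detected! ~ running mbr -f
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Status check on 12/05/2010 at 11:10:55.01
Account active No
Local Group Memberships
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"""

PROFILE_RE = re.compile(r"firewallpolicy\\(\w+)\\globallyopenports\\list", re.I)
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=-')
ACCOUNT_RE = re.compile(r"^Account active (Yes|No)$")


@dataclass
class HelpAsstTriage:
    """Indicators extracted from one run (initial pass plus the status check)."""
    account_states: list[bool] = field(default_factory=list)  # each "Account active" line, in order
    admin_member: bool = False          # HelpAssistant listed under Administrators
    termsrv32_present: bool = False
    closed_ports: dict[str, list[str]] = field(default_factory=dict)  # profile -> ports removed
    mbr_infected: bool = False
    mbr_restored: bool = False
    mbr_ok_after: bool = False
    stray_mbr_copy: bool = False        # detector still reports a copy in a later sector


def parse_helpasst_log(text: str) -> HelpAsstTriage:
    t = HelpAsstTriage()
    profile = None  # firewall profile whose GloballyOpenPorts list we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACCOUNT_RE.match(line):
            t.account_states.append(m.group(1) == "Yes")
        elif line.startswith("Local Group Memberships") and "*Administrators" in line:
            t.admin_member = True
        elif line.startswith("termsrv32.dll present"):
            t.termsrv32_present = True
        elif m := PROFILE_RE.search(line):
            profile = m.group(1).lower()
            t.closed_ports.setdefault(profile, [])
        elif (m := PORT_RE.match(line)) and profile:
            t.closed_ports[profile].append(m.group(1))
        elif line.startswith("MBR rootkit infection detected"):
            t.mbr_infected = True
        elif line.startswith("original MBR restored successfully"):
            t.mbr_restored = True
        elif line.startswith("user & kernel MBR OK"):
            t.mbr_ok_after = True
        elif line.startswith("copy of MBR has been found in sector"):
            t.stray_mbr_copy = True
        elif line.startswith("~~"):
            profile = None  # any section header ends the current port list
    return t


def findings(t: HelpAsstTriage) -> list[str]:
    """Plain-language summary a helper could read before deciding on next steps."""
    out = []
    if t.account_states and t.account_states[0]:
        who = " and a member of Administrators" if t.admin_member else ""
        fixed = "; now inactive" if not t.account_states[-1] else "; STILL active"
        out.append(f"HelpAssistant account was active{who}{fixed}")
    if t.termsrv32_present:
        out.append("termsrv32.dll was present in system32")
    for profile, ports in t.closed_ports.items():
        if ports:
            rdp = ", including 3389:TCP (Remote Desktop)" if "3389:TCP" in ports else ""
            out.append(f"{profile}: {len(ports)} rogue GloballyOpenPorts entries closed{rdp}")
    if t.mbr_infected:
        ok = t.mbr_restored and t.mbr_ok_after
        out.append("MBR rootkit detected; MBR " + ("restored" if ok else "NOT confirmed clean"))
    if t.stray_mbr_copy:
        out.append("a copy of the MBR is still reported in a later sector")
    return out


if __name__ == "__main__":
    for item in findings(parse_helpasst_log(SAMPLE_LOG)):
        print("-", item)
```

Feeding it the full log from the post above gives the same six findings, with nine ports per profile instead of the trimmed sample's three and two.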
Hi,
Please run ComboFix again and post back its log + fresh dds.txt log.
Hi and thanks for the quick response. Here are the logs you requested:
ComboFix 10-05-12.01 - Richard 12/05/2010 17:15:16.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.2000 [GMT -4:00]
Running from: c:\documents and settings\Richard\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.
2085-05-10 19:21 . 2085-05-10 19:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2040-05-10 15:24 . 2040-05-10 15:24 -------- d-----w- c:\program files\Softronics
2040-05-10 15:24 . 2040-05-10 15:24 -------- d-----w- c:\documents and settings\Richard\WINDOWS
2010-05-12 14:42 . 2010-05-12 14:42 -------- d-----w- C:\HelpAsst_backup
2010-05-04 02:38 . 2010-05-04 02:38 -------- d-----w- c:\program files\ERUNT
2010-05-04 01:06 . 2010-05-04 01:06 -------- d-----w- c:\program files\ESET
2010-05-03 19:49 . 2010-05-03 19:49 81728 ----a-w- c:\documents and settings\Mobile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-03 14:44 . 2001-08-17 17:48 17664 ----a-w- c:\windows\system32\drivers\sermouse.sys
2010-05-03 14:44 . 2001-08-17 17:48 17664 ----a-w- c:\windows\system32\dllcache\sermouse.sys
2010-04-30 19:22 . 2010-05-03 15:38 -------- d-----w- c:\documents and settings\Richard\Local Settings\Application Data\majhgqhvg
2010-04-30 14:19 . 2010-04-30 14:19 13407072 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-04-22 19:24 . 2003-07-16 18:27 43264 ------w- c:\windows\system32\drivers\ser2pl.sys
2010-04-14 17:04 . 2010-04-14 17:04 666112 ----a-w- c:\documents and settings\Richard\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1003220-0-main.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 17:44 . 2009-08-18 18:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 19:39 . 2009-08-18 18:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-08-18 18:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 16:07 . 2009-08-12 19:24 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-23 16:07 . 2009-08-12 19:24 56 --sh--r- c:\windows\system32\F535003831.sys
2010-04-22 19:31 . 2010-04-22 18:53 -------- d-----w- c:\program files\Nortel Networks
2010-04-22 19:24 . 2006-01-06 19:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 09:49 . 2010-03-14 08:32 439816 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\setup.exe
2010-03-30 14:20 . 2010-03-30 14:18 20846064 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-19 15:17 . 2006-03-09 15:20 81728 ----a-w- c:\documents and settings\Richard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-19 15:16 . 2010-03-19 15:16 -------- d-----w- c:\program files\Microsoft
2010-03-19 15:16 . 2010-03-19 15:15 -------- d-----w- c:\program files\Windows Live
2010-03-19 15:16 . 2010-03-19 15:16 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-19 15:11 . 2010-03-19 15:11 -------- d-----w- c:\program files\Common Files\Windows Live
2010-03-14 16:34 . 2010-03-14 16:34 8405312 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-14 16:33 . 2010-03-14 16:33 149000 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-14 16:33 . 2010-03-14 16:33 283280 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-14 16:33 . 2010-03-14 16:33 181768 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-14 16:33 . 2010-03-14 16:33 79368 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-14 16:33 . 2010-03-14 16:33 64000 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-14 16:33 . 2010-03-14 16:33 52288 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-14 16:33 . 2010-03-14 16:33 50688 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-14 16:33 . 2010-03-14 16:33 49152 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-14 16:33 . 2010-03-14 16:33 118784 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-11 12:38 . 2004-08-11 23:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-11-27 17:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-11 23:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-11 23:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2006-01-06 19:19 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-08-11 23:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 04:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-11 23:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
1998-12-21 14:39 . 2010-04-22 18:53 573386 ------w- c:\program files\100Install.pdf
.
((((((((((((((((((((((((((((( SnapShot@2010-05-11_23.28.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-27 17:41 . 2010-05-12 15:24 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2004-08-11 23:12 . 2008-04-11 19:04 691712 c:\windows\system32\inetcomm.dll
+ 2004-08-11 23:12 . 2010-01-29 15:01 691712 c:\windows\system32\inetcomm.dll
- 2008-12-27 17:14 . 2008-04-11 19:04 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2008-12-27 17:14 . 2010-01-29 15:01 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2008-12-27 17:41 . 2010-05-12 15:24 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2009-08-12 22:53 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2009-08-12 22:53 . 2010-01-29 15:01 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2009-10-16 22:07 . 2009-10-16 22:07 6115328 c:\windows\Installer\18e9b8.msp
+ 2010-04-21 21:46 . 2010-04-21 21:46 5522432 c:\windows\Installer\18e9a3.msp
+ 2006-03-09 15:07 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-04-01 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ConnectionManager"="c:\program files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2008-09-19 87336]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-06 98304]
c:\documents and settings\Richard\Start Menu\Programs\Startup\
Antimalware Doctor.lnk.disabled [2010-4-30 1196]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 16:01 8704 ----a-w- c:\windows\system32\PCANotify.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" /startup
"gotnewupdate.exe"=c:\documents and settings\Richard\Application Data\0C4F25E5B97220179BE6E847CBD2114D\gotnewupdate.exe
"ylwmqtmd"=c:\documents and settings\Richard\Local Settings\Application Data\majhgqhvg\smbgfgbtssd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcanywhere\\Winaw32.exe"=
"c:\\Program Files\\Symantec\\pcanywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcanywhere\\awrem32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Active WebCam\\WebCam.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Richard\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/12/2008 2:11 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27/12/2008 2:11 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [27/12/2008 2:11 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [27/12/2008 2:11 PM 297752]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\ConnectionManager\SimplyConnectionManager.exe [07/04/2009 11:15 AM 16680]
S2 Norstart;Norstar TSP Launcher;Norstart.exe --> Norstart.exe [?]
.
Contents of the 'Scheduled Tasks' folder
2006-03-09 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-11 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 17:20
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\NavLogon.dll
- - - - - - - > 'explorer.exe'(3992)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-12 17:22:00
ComboFix-quarantined-files.txt 2010-05-12 21:21
ComboFix2.txt 2010-05-11 23:30
Pre-Run: 56,584,327,168 bytes free
Post-Run: 56,544,129,024 bytes free
- - End Of File - - 7BB325D17A52709B99838CD4C1521671
DDS (Ver_10-03-17.01) - NTFSx86
Run by Richard at 17:51:52.42 on 12/05/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1948 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\HPBPRO.EXE
C:\Documents and Settings\Richard\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ConnectionManager] c:\program files\winsim\connectionmanager\Simply.SystemTrayIcon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\documents and settings\richard\start menu\programs\startup\Antimalware Doctor.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141915787625
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230399775572
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-27 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-27 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-27 108552]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-5-5 16984]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-27 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-27 297752]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-9-24 9232]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\connectionmanager\SimplyConnectionManager.exe [2009-4-7 16680]
S2 Norstart;Norstar TSP Launcher;Norstart.exe --> Norstart.exe [?]
S3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2001-9-24 176208]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060308.007\NAVENG.sys [2006-3-9 77864]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060308.007\NAVEX15.sys [2006-3-9 750952]
S3 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-9-24 454656]
=============== Created Last 30 ================
2085-05-11 15:31:42 0 d-----w- c:\windows\pss
2040-05-10 15:26:49 63 ----a-w- c:\windows\SOFTERM.INI
2040-05-10 15:24:42 0 d-----w- c:\program files\Softronics
2040-05-10 15:24:21 0 d-----w- c:\documents and settings\richard\WINDOWS
2010-05-12 14:42:15 0 d-----w- C:\HelpAsst_backup
2010-05-11 23:13:36 0 d-sha-r- C:\cmdcons
2010-05-11 23:03:46 98816 ----a-w- c:\windows\sed.exe
2010-05-11 23:03:46 77312 ----a-w- c:\windows\MBR.exe
2010-05-11 23:03:46 256512 ----a-w- c:\windows\PEV.exe
2010-05-11 23:03:46 161792 ----a-w- c:\windows\SWREG.exe
2010-05-04 01:06:54 0 d-----w- c:\program files\ESET
2010-05-03 14:44:16 17664 ----a-w- c:\windows\system32\drivers\sermouse.sys
2010-05-03 14:44:16 17664 ----a-w- c:\windows\system32\dllcache\sermouse.sys
2010-04-22 19:24:31 43264 ------w- c:\windows\system32\drivers\ser2pl.sys
2010-04-22 18:53:00 0 d-----w- c:\program files\Nortel Networks
==================== Find3M ====================
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 16:07:45 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-23 05:20:02 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
1998-12-21 14:39:20 573386 ------w- c:\program files\100Install.pdf
============= FINISH: 17:52:11.45 ===============
Thank You
Hi again,
You have both AVG and Norton installed there. Please decide which one you want to keep, since it's not recommended to have more than one antivirus program installed in the same system.
Open notepad and copy/paste the text in the quotebox below into it:
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
File::
c:\documents and settings\Richard\Start Menu\Programs\Startup\Antimalware Doctor.lnk.disabled
Folder::
c:\documents and settings\Richard\Local Settings\Application Data\majhgqhvg
c:\documents and settings\Richard\Application Data\0C4F25E5B97220179BE6E847CBD2114D
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"gotnewupdate.exe"=-
"ylwmqtmd"=-
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows, disable protection and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.2) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 20 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
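As an added example (not part of this thread, nor code from the DDS or ComboFix tools), here is a small Python triage script that flags, in DDS "Pseudo HJT Report" lines, the same indicators the CFScript above targets: a proxy pointing at the loopback address, a URLSearchHook whose file is gone, a rogue-antivirus startup shortcut, and hosts-file overrides to loopback. The sample lines are constructed from the log quoted in this thread; the rule names and severities are my own.

```python
"""Triage DDS 'Pseudo HJT Report' lines for the redirect indicators seen in this thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of the DDS report quoted above (a few lines, not a full log).
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
StartupFolder: c:\documents and settings\richard\start menu\programs\startup\Antimalware Doctor.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
Hosts: 127.0.0.1 www.spywareinfo.com
"""


@dataclass(frozen=True)
class Finding:
    rule: str       # short rule id (names are this example's own)
    severity: str   # "high" = remove/verify now, "review" = confirm before acting
    line: str       # the offending DDS line, verbatim
    detail: str     # what the line means for the defender


# "ProxyServer = http=127.0.0.1:5555"; also matches the plain "host:port" form
PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:[a-z]+=)?(127(?:\.\d{1,3}){3}|localhost)(?::(\d+))?", re.I)
# Rogue "antivirus" family named in this thread; extend with your own naming list
ROGUE_NAME_RE = re.compile(r"anti[-\s]?(?:malware|virus|spyware)\s+doctor", re.I)
# hosts-file overrides that point a name at the loopback/null address
HOSTS_RE = re.compile(r"^Hosts:\s+(127(?:\.\d{1,3}){3}|0\.0\.0\.0)\s+(\S+)", re.I)


def triage(report: str) -> list[Finding]:
    """Walk the report line by line and return findings in report order."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.search(line):
            host, port = m.group(1), m.group(2) or "(default)"
            findings.append(Finding(
                "loopback-proxy", "high", line,
                f"IE sends all web traffic through {host}:{port}; a process on this machine "
                "sits in the middle of every request, which is how page redirects and bogus "
                "warnings get injected. Clear the setting and identify the listener."))
        elif re.match(r"[um]URLSearchHooks:", line) and line.endswith("No File"):
            findings.append(Finding(
                "dangling-searchhook", "review", line,
                "A URL search hook is registered but its DLL is gone: leftover of a removed "
                "hijacker. Inert now, but the registry entry should still be removed."))
        elif line.startswith("StartupFolder:") and ROGUE_NAME_RE.search(line):
            state = ("disabled but still present" if line.lower().endswith(".disabled")
                     else "active")
            findings.append(Finding(
                "rogue-startup-item", "high", line,
                f"Startup shortcut for a rogue antivirus ({state}); delete the shortcut "
                "and the program it points to."))
        elif m := HOSTS_RE.match(line):
            findings.append(Finding(
                "hosts-loopback", "review", line,
                f"hosts file maps {m.group(2)} to {m.group(1)}. Malware uses this to block "
                "security sites, but immunisation tools write such lines too; confirm the "
                "origin before removing."))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity}] {f.rule}: {f.line}\n    {f.detail}")
```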
Hello,
Here are the logs as requested. Thank you.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Richard at 15:13:26.23 on 13/05/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1834 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\Norstart.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\Cte.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\HPBPRO.EXE
C:\Documents and Settings\Richard\Desktop\AntiVirus Programs\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ConnectionManager] c:\program files\winsim\connectionmanager\Simply.SystemTrayIcon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141915787625
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230399775572
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-27 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-27 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-27 108552]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-5-5 16984]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-27 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-27 297752]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
R2 Norstart;Norstar TSP Launcher;Norstart.exe --> Norstart.exe [?]
S2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\connectionmanager\SimplyConnectionManager.exe [2009-4-7 16680]
S3 NAVAP;NAVAP;\??\c:\program files\navnt\navap.sys --> c:\program files\navnt\NAVAP.sys [?]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20060308.007\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20060308.007\NAVENG.sys [?]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20060308.007\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20060308.007\NAVEX15.sys [?]
=============== Created Last 30 ================
2085-05-11 15:31:42 0 d-----w- c:\windows\pss
2040-05-10 15:26:49 63 ----a-w- c:\windows\SOFTERM.INI
2040-05-10 15:24:42 0 d-----w- c:\program files\Softronics
2040-05-10 15:24:21 0 d-----w- c:\documents and settings\richard\WINDOWS
2010-05-13 13:54:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-13 13:54:46 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-12 14:42:15 0 d-----w- C:\HelpAsst_backup
2010-05-11 23:13:36 0 d-sha-r- C:\cmdcons
2010-05-11 23:03:46 98816 ----a-w- c:\windows\sed.exe
2010-05-11 23:03:46 77312 ----a-w- c:\windows\MBR.exe
2010-05-11 23:03:46 256512 ----a-w- c:\windows\PEV.exe
2010-05-11 23:03:46 161792 ----a-w- c:\windows\SWREG.exe
2010-05-04 01:06:54 0 d-----w- c:\program files\ESET
2010-05-03 14:44:16 17664 ----a-w- c:\windows\system32\drivers\sermouse.sys
2010-05-03 14:44:16 17664 ----a-w- c:\windows\system32\dllcache\sermouse.sys
2010-04-22 19:24:31 43264 ------w- c:\windows\system32\drivers\ser2pl.sys
2010-04-22 18:53:00 0 d-----w- c:\program files\Nortel Networks
==================== Find3M ====================
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 16:07:45 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-23 05:20:02 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
1998-12-21 14:39:20 573386 ------w- c:\program files\100Install.pdf
============= FINISH: 15:14:06.04 ===============
ComboFix 10-05-12.04 - Richard 13/05/2010 7:43.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1898 [GMT -4:00]
Running from: c:\documents and settings\Richard\Desktop\AntiVirus Programs\ComboFix.exe
Command switches used :: c:\documents and settings\Richard\Desktop\AntiVirus Programs\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\documents and settings\Richard\Start Menu\Programs\Startup\Antimalware Doctor.lnk.disabled"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Richard\Local Settings\Application Data\majhgqhvg
c:\documents and settings\Richard\Start Menu\Programs\Startup\Antimalware Doctor.lnk.disabled
.
((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.
2085-05-10 19:21 . 2085-05-10 19:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2040-05-10 15:24 . 2040-05-10 15:24 -------- d-----w- c:\program files\Softronics
2040-05-10 15:24 . 2040-05-10 15:24 -------- d-----w- c:\documents and settings\Richard\WINDOWS
2010-05-12 14:42 . 2010-05-12 14:42 -------- d-----w- C:\HelpAsst_backup
2010-05-04 02:38 . 2010-05-04 02:38 -------- d-----w- c:\program files\ERUNT
2010-05-04 01:06 . 2010-05-04 01:06 -------- d-----w- c:\program files\ESET
2010-05-03 19:49 . 2010-05-03 19:49 81728 ----a-w- c:\documents and settings\Mobile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-03 14:44 . 2001-08-17 17:48 17664 ----a-w- c:\windows\system32\drivers\sermouse.sys
2010-05-03 14:44 . 2001-08-17 17:48 17664 ----a-w- c:\windows\system32\dllcache\sermouse.sys
2010-04-30 14:19 . 2010-04-30 14:19 13407072 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-04-22 19:24 . 2003-07-16 18:27 43264 ------w- c:\windows\system32\drivers\ser2pl.sys
2010-04-14 17:04 . 2010-04-14 17:04 666112 ----a-w- c:\documents and settings\Richard\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1003220-0-main.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 17:44 . 2009-08-18 18:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 19:39 . 2009-08-18 18:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-08-18 18:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 16:07 . 2009-08-12 19:24 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-23 16:07 . 2009-08-12 19:24 56 --sh--r- c:\windows\system32\F535003831.sys
2010-04-22 19:31 . 2010-04-22 18:53 -------- d-----w- c:\program files\Nortel Networks
2010-04-22 19:24 . 2006-01-06 19:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 09:49 . 2010-03-14 08:32 439816 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\setup.exe
2010-03-30 14:20 . 2010-03-30 14:18 20846064 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-19 15:17 . 2006-03-09 15:20 81728 ----a-w- c:\documents and settings\Richard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-19 15:16 . 2010-03-19 15:16 -------- d-----w- c:\program files\Microsoft
2010-03-19 15:16 . 2010-03-19 15:15 -------- d-----w- c:\program files\Windows Live
2010-03-19 15:16 . 2010-03-19 15:16 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-19 15:11 . 2010-03-19 15:11 -------- d-----w- c:\program files\Common Files\Windows Live
2010-03-14 16:34 . 2010-03-14 16:34 8405312 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-14 16:33 . 2010-03-14 16:33 149000 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-14 16:33 . 2010-03-14 16:33 283280 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-14 16:33 . 2010-03-14 16:33 181768 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-14 16:33 . 2010-03-14 16:33 79368 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-14 16:33 . 2010-03-14 16:33 64000 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-14 16:33 . 2010-03-14 16:33 52288 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-14 16:33 . 2010-03-14 16:33 50688 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-14 16:33 . 2010-03-14 16:33 49152 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-14 16:33 . 2010-03-14 16:33 118784 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-11 12:38 . 2004-08-11 23:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-11-27 17:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-11 23:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-11 23:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2006-01-06 19:19 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-08-11 23:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 04:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
1998-12-21 14:39 . 2010-04-22 18:53 573386 ------w- c:\program files\100Install.pdf
.
((((((((((((((((((((((((((((( SnapShot@2010-05-11_23.28.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-27 17:41 . 2010-05-12 15:24 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2004-08-11 23:12 . 2008-04-11 19:04 691712 c:\windows\system32\inetcomm.dll
+ 2004-08-11 23:12 . 2010-01-29 15:01 691712 c:\windows\system32\inetcomm.dll
- 2008-12-27 17:14 . 2008-04-11 19:04 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2008-12-27 17:14 . 2010-01-29 15:01 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2008-12-27 17:41 . 2010-05-12 15:24 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2009-08-12 22:53 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2009-08-12 22:53 . 2010-01-29 15:01 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2009-10-16 22:07 . 2009-10-16 22:07 6115328 c:\windows\Installer\18e9b8.msp
+ 2010-04-21 21:46 . 2010-04-21 21:46 5522432 c:\windows\Installer\18e9a3.msp
+ 2006-03-09 15:07 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-04-01 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ConnectionManager"="c:\program files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2008-09-19 87336]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-06 98304]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 16:01 8704 ----a-w- c:\windows\system32\PCANotify.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" /startup
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcanywhere\\Winaw32.exe"=
"c:\\Program Files\\Symantec\\pcanywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcanywhere\\awrem32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Active WebCam\\WebCam.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Richard\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/12/2008 2:11 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27/12/2008 2:11 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [27/12/2008 2:11 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [27/12/2008 2:11 PM 297752]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\ConnectionManager\SimplyConnectionManager.exe [07/04/2009 11:15 AM 16680]
S2 Norstart;Norstar TSP Launcher;Norstart.exe --> Norstart.exe [?]
.
Contents of the 'Scheduled Tasks' folder
2006-03-09 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-11 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 07:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\NavLogon.dll
.
Completion time: 2010-05-13 07:50:15
ComboFix-quarantined-files.txt 2010-05-13 11:50
ComboFix2.txt 2010-05-12 21:22
ComboFix3.txt 2010-05-11 23:30
Pre-Run: 56,546,099,200 bytes free
Post-Run: 56,505,327,616 bytes free
- - End Of File - - 9F0EE289B9CF4E30F8A8611F887B285D
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, May 13, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, May 13, 2010 10:36:49
Records in database: 4105732
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Objects scanned: 74895
Threats found: 5
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 01:56:18
File name / Threat / Threats count
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-dc18ef-40157a28.zip Infected: Exploit.Java.Agent.f 1
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temp\asnecxmorw.tmp Infected: Packed.Win32.Katusha.j 1
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temporary Internet Files\Content.IE5\CJVZF5CE\exefile[1].exe Infected: Packed.Win32.Krap.an 1
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temporary Internet Files\Content.IE5\CYOT69KL\stp1b838[1].txt Infected: Trojan-Downloader.Win32.CodecPack.kye 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
Selected area has been scanned.
Hi,
Open notepad and copy/paste the text in the quotebox below into it:
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let ComboFix update itself).
Then post the resultant log + fresh dds.txt log. How's the system running?
Good morning,
The computer is running much better now, it is back to what I consider "normal". The only odd thing is that after running Combofix, I tried to run DDS and it wouldn't run. I had to restart the computer and then run it.
Do you have any idea how I could have got this infection? I did not open any unknown email attachment or visit any website that I don't normally visit. The only thing I recall is a "flash" of a page during browsing, then AVG popping up. It then got worse very quickly, including phishing banking sites and directing to antispyware and porn! It is quite troubling since I really don't have a clue how this happened.
In any event, here are the logs. Thank you so much for the assistance.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 09/03/2006 9:22:09 AM
System Uptime: 14/05/2010 10:30:00 AM (0 hours ago)
Motherboard: Dell Inc. | | 0JC474
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 71 GiB total, 52.232 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1: 03/05/2010 7:25:12 PM - System Checkpoint
RP2: 11/05/2010 7:06:06 PM - ComboFix created restore point
RP3: 12/05/2010 11:19:58 AM - Software Distribution Service 3.0
RP4: 13/05/2010 9:50:05 AM - Removed Norton AntiVirus Corporate Edition
RP5: 13/05/2010 9:54:28 AM - Installed Java(TM) 6 Update 20
RP6: 13/05/2010 9:58:26 AM - Removed Adobe Reader 7.0
RP7: 13/05/2010 10:06:24 AM - Installed Adobe Reader 9.3.
==== Installed Programs ======================
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3
Atomic Clock Sync
AVG 8.5
BDE Setup (Map Version)
Compatibility Pack for the 2007 Office system
Corel Photo Album 6
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell System Restore
DellSupport
Digital Content Portal
ERUNT 1.1j
ESET Online Scanner v3
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
hp LaserJet 1010 Series
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java Auto Updater
Java(TM) 6 Update 20
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Malwarebytes' Anti-Malware
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft MapPoint North America 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSN
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MySQL Connector/ODBC 3.51
Norstar CTA 100 Driver
Norstar CTE Toolkit
Norstar Personal Call Manager
Norstar TSP Toolkit
Octoshape add-in for Adobe Flash Player
PL-2303 USB-to-Serial
QuickTime
RealPlayer
Santa's Breakout Demo
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Segoe UI
Simply Accounting by Sage 2009
Softerm Modular
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SpeedFan (remove only)
Spybot - Search & Destroy
Symantec pcAnywhere
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WordPerfect Office 12
==== End Of File ===========================
ComboFix 10-05-13.03 - Richard 14/05/2010 10:20:29.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1736 [GMT -4:00]
Running from: c:\documents and settings\Richard\Desktop\AntiVirus Programs\ComboFix.exe
Command switches used :: c:\documents and settings\Richard\Desktop\AntiVirus Programs\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\ialmuARA.dll
c:\windows\system32\ialmuARB.dll
c:\windows\system32\ialmuCHS.dll
c:\windows\system32\ialmuCHT.dll
c:\windows\system32\ialmuCSY.dll
c:\windows\system32\ialmuDAN.dll
c:\windows\system32\ialmuDEU.dll
c:\windows\system32\ialmudlg.exe
c:\windows\system32\ialmuELL.dll
c:\windows\system32\ialmuENG.dll
c:\windows\system32\ialmuESP.dll
c:\windows\system32\ialmuFIN.dll
c:\windows\system32\ialmuFRA.dll
c:\windows\system32\ialmuFRC.dll
c:\windows\system32\ialmuHEB.dll
c:\windows\system32\ialmuHUN.dll
c:\windows\system32\ialmuITA.dll
c:\windows\system32\ialmuJPN.dll
c:\windows\system32\ialmuKOR.dll
c:\windows\system32\ialmuNLD.dll
c:\windows\system32\ialmuNOR.dll
c:\windows\system32\ialmuPLK.dll
c:\windows\system32\ialmuPTB.dll
c:\windows\system32\ialmuPTG.dll
c:\windows\system32\ialmuRUS.dll
c:\windows\system32\ialmuSVE.dll
c:\windows\system32\ialmuTHA.dll
c:\windows\system32\ialmuTRK.dll
c:\windows\system32\igfxrara.lrc
c:\windows\system32\igfxrchs.lrc
c:\windows\system32\igfxrcht.lrc
c:\windows\system32\igfxrcsy.lrc
c:\windows\system32\igfxrdan.lrc
c:\windows\system32\igfxrdeu.lrc
c:\windows\system32\igfxrell.lrc
c:\windows\system32\igfxrenu.lrc
c:\windows\system32\igfxresp.lrc
c:\windows\system32\igfxrfin.lrc
c:\windows\system32\igfxrfra.lrc
c:\windows\system32\igfxrheb.lrc
c:\windows\system32\igfxrhun.lrc
c:\windows\system32\igfxrita.lrc
c:\windows\system32\igfxrjpn.lrc
c:\windows\system32\igfxrkor.lrc
c:\windows\system32\igfxrnld.lrc
c:\windows\system32\igfxrnor.lrc
c:\windows\system32\igfxrplk.lrc
c:\windows\system32\igfxrptb.lrc
c:\windows\system32\igfxrptg.lrc
c:\windows\system32\igfxrrus.lrc
c:\windows\system32\igfxrsve.lrc
c:\windows\system32\igfxrtha.lrc
c:\windows\system32\igfxrtrk.lrc
.
((((((((((((((((((((((((( Files Created from 2010-04-14 to 2010-05-14 )))))))))))))))))))))))))))))))
.
2040-05-10 15:24 . 2040-05-10 15:24 -------- d-----w- c:\program files\Softronics
2040-05-10 15:24 . 2040-05-10 15:24 -------- d-----w- c:\documents and settings\Richard\WINDOWS
2010-05-13 14:04 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Richard\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-13 14:04 . 2010-05-13 14:04 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-13 14:02 . 2010-05-13 14:02 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-05-13 14:02 . 2010-05-13 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-13 13:55 . 2010-05-13 13:55 503808 ----a-w- c:\documents and settings\Richard\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5af529c0-n\msvcp71.dll
2010-05-13 13:55 . 2010-05-13 13:55 499712 ----a-w- c:\documents and settings\Richard\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5af529c0-n\jmc.dll
2010-05-13 13:55 . 2010-05-13 13:55 348160 ----a-w- c:\documents and settings\Richard\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5af529c0-n\msvcr71.dll
2010-05-13 13:54 . 2010-05-13 13:54 61440 ----a-w- c:\documents and settings\Richard\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-59faa788-n\decora-sse.dll
2010-05-13 13:54 . 2010-05-13 13:54 12800 ----a-w- c:\documents and settings\Richard\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-59faa788-n\decora-d3d.dll
2010-05-13 13:54 . 2010-05-13 13:54 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-12 14:42 . 2010-05-12 14:42 -------- d-----w- C:\HelpAsst_backup
2010-05-04 02:38 . 2010-05-04 02:38 -------- d-----w- c:\program files\ERUNT
2010-05-04 01:06 . 2010-05-04 01:06 -------- d-----w- c:\program files\ESET
2010-05-03 19:49 . 2010-05-03 19:49 81728 ----a-w- c:\documents and settings\Mobile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-03 14:44 . 2001-08-17 17:48 17664 ----a-w- c:\windows\system32\drivers\sermouse.sys
2010-05-03 14:44 . 2001-08-17 17:48 17664 ----a-w- c:\windows\system32\dllcache\sermouse.sys
2010-04-30 14:19 . 2010-04-30 14:19 13407072 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-04-22 19:24 . 2003-07-16 18:27 43264 ------w- c:\windows\system32\drivers\ser2pl.sys
2010-04-14 17:04 . 2010-04-14 17:04 666112 ----a-w- c:\documents and settings\Richard\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1003220-0-main.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-13 14:06 . 2006-03-09 15:08 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-13 13:55 . 2006-01-06 19:33 -------- d-----w- c:\program files\Common Files\Java
2010-05-13 13:54 . 2006-01-06 19:33 -------- d-----w- c:\program files\Java
2010-05-13 13:50 . 2006-03-09 14:32 -------- d-----w- c:\program files\Symantec
2010-05-13 13:50 . 2006-03-09 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-13 13:50 . 2006-03-09 14:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-03 17:44 . 2009-08-18 18:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 19:39 . 2009-08-18 18:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-08-18 18:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 16:07 . 2009-08-12 19:24 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-23 16:07 . 2009-08-12 19:24 56 --sh--r- c:\windows\system32\F535003831.sys
2010-04-22 19:31 . 2010-04-22 18:53 -------- d-----w- c:\program files\Nortel Networks
2010-04-22 19:24 . 2006-01-06 19:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 09:49 . 2010-03-14 08:32 439816 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\setup.exe
2010-03-30 14:20 . 2010-03-30 14:18 20846064 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-19 15:17 . 2006-03-09 15:20 81728 ----a-w- c:\documents and settings\Richard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-19 15:16 . 2010-03-19 15:16 -------- d-----w- c:\program files\Microsoft
2010-03-19 15:16 . 2010-03-19 15:15 -------- d-----w- c:\program files\Windows Live
2010-03-19 15:16 . 2010-03-19 15:16 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-19 15:11 . 2010-03-19 15:11 -------- d-----w- c:\program files\Common Files\Windows Live
2010-03-14 16:34 . 2010-03-14 16:34 8405312 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-14 16:33 . 2010-03-14 16:33 149000 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-14 16:33 . 2010-03-14 16:33 283280 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-14 16:33 . 2010-03-14 16:33 181768 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-14 16:33 . 2010-03-14 16:33 79368 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-14 16:33 . 2010-03-14 16:33 64000 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-14 16:33 . 2010-03-14 16:33 52288 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-14 16:33 . 2010-03-14 16:33 50688 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-14 16:33 . 2010-03-14 16:33 49152 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-14 16:33 . 2010-03-14 16:33 118784 ----a-w- c:\documents and settings\Richard\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-11 12:38 . 2004-08-11 23:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-11-27 17:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-11 23:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-11 23:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2006-01-06 19:19 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-08-11 23:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 04:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
1998-12-21 14:39 . 2010-04-22 18:53 573386 ------w- c:\program files\100Install.pdf
.
((((((((((((((((((((((((((((( SnapShot@2010-05-11_23.28.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-13 14:15 . 2010-05-13 14:15 16384 c:\windows\temp\Perflib_Perfdata_c8.dat
+ 2010-05-13 14:05 . 2010-05-13 14:05 24576 c:\windows\Installer\877e0.msi
+ 2010-05-13 14:04 . 2010-05-13 14:04 27648 c:\windows\Installer\877db.msi
+ 2008-12-27 17:41 . 2010-05-12 15:24 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2010-05-13 13:54 . 2010-05-13 13:54 153376 c:\windows\system32\javaws.exe
+ 2006-03-09 14:29 . 2010-05-13 13:54 145184 c:\windows\system32\javaw.exe
+ 2006-03-09 14:29 . 2010-05-13 13:54 145184 c:\windows\system32\java.exe
+ 2004-08-11 23:12 . 2010-01-29 15:01 691712 c:\windows\system32\inetcomm.dll
- 2004-08-11 23:12 . 2008-04-11 19:04 691712 c:\windows\system32\inetcomm.dll
+ 2008-12-27 17:14 . 2010-01-29 15:01 691712 c:\windows\system32\dllcache\inetcomm.dll
- 2008-12-27 17:14 . 2008-04-11 19:04 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2010-05-13 13:55 . 2010-05-13 13:55 180224 c:\windows\Installer\876a7.msi
+ 2010-05-13 13:54 . 2010-05-13 13:54 576000 c:\windows\Installer\876a2.msi
- 2008-12-27 17:41 . 2010-04-15 07:03 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-12-27 17:41 . 2010-05-12 15:24 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-12-27 17:41 . 2010-04-15 07:03 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-08-12 22:53 . 2010-01-29 15:01 1315328 c:\windows\system32\dllcache\msoe.dll
- 2009-08-12 22:53 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2010-05-13 14:07 . 2010-05-13 14:07 3940352 c:\windows\Installer\877e5.msi
+ 2009-10-16 22:07 . 2009-10-16 22:07 6115328 c:\windows\Installer\18e9b8.msp
+ 2010-04-21 21:46 . 2010-04-21 21:46 5522432 c:\windows\Installer\18e9a3.msp
+ 2006-03-09 15:07 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-04-01 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ConnectionManager"="c:\program files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2008-09-19 87336]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-06 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 16:01 8704 ----a-w- c:\windows\system32\PCANotify.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" /startup
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcanywhere\\Winaw32.exe"=
"c:\\Program Files\\Symantec\\pcanywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcanywhere\\awrem32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Active WebCam\\WebCam.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Richard\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/12/2008 2:11 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27/12/2008 2:11 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [27/12/2008 2:11 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [27/12/2008 2:11 PM 297752]
R2 Norstart;Norstar TSP Launcher;Norstart.exe --> Norstart.exe [?]
S2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\ConnectionManager\SimplyConnectionManager.exe [07/04/2009 11:15 AM 16680]
.
Contents of the 'Scheduled Tasks' folder
2006-03-09 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-11 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-14 10:24
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\NavLogon.dll
.
Completion time: 2010-05-14 10:26:54
ComboFix-quarantined-files.txt 2010-05-14 14:26
ComboFix2.txt 2010-05-13 11:50
ComboFix3.txt 2010-05-12 21:22
ComboFix4.txt 2010-05-11 23:30
Pre-Run: 55,933,583,360 bytes free
Post-Run: 56,059,179,008 bytes free
- - End Of File - - 55C85F298C1985F061EEB9A337831F91
Hi,
One potential reason for infection was outdated software. Bad guys exploit vulnerabilities found in old versions of apps like Adobe Reader and Java.
Open notepad and copy/paste the text in the codebox below into it:
@echo off
for %%g in (
c:\qoobox\quarantine\c\windows\system32\ialmuARA.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuARB.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuCHS.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuCHT.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuCSY.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuDAN.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuDEU.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmudlg.exe.vir
c:\qoobox\quarantine\c\windows\system32\ialmuELL.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuENG.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuESP.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuFIN.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuFRA.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuFRC.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuHEB.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuHUN.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuITA.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuJPN.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuKOR.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuNLD.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuNOR.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuPLK.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuPTB.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuPTG.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuRUS.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuSVE.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuTHA.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuTRK.dll.vir
c:\qoobox\quarantine\c\windows\system32\igfxrara.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrchs.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrcht.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrcsy.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrdan.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrdeu.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrell.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrenu.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxresp.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrfin.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrfra.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrheb.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrhun.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrita.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrjpn.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrkor.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrnld.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrnor.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrplk.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrptb.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrptg.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrrus.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrsve.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrtha.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrtrk.lrc.vir
) do zip Files_for_submission %%g
del %0
Save this as grab.bat
Choose to Save type as - All Files
Save it on your desktop.
It should look like this: http://www.techsupportforum.com/sectools/tetonbob/bat_icon.gif
Double click on grab.bat & allow it to run
A file, Files_for_submission.zip will be created on your desktop. Please upload it to this site (http://www.bleepingcomputer.com/submit-malware.php?channel=4). Include a link to this topic. Let me know when you've done that.
Thanks for the file submission :)
Get update 9.3.2 for Adobe Reader here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm).
Uninstall these old Javas:
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Open notepad and copy/paste the text in the quotebox below into it:
DeQuarantine::
c:\qoobox\quarantine\c\windows\system32\ialmuARA.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuARB.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuCHS.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuCHT.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuCSY.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuDAN.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuDEU.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmudlg.exe.vir
c:\qoobox\quarantine\c\windows\system32\ialmuELL.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuENG.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuESP.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuFIN.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuFRA.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuFRC.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuHEB.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuHUN.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuITA.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuJPN.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuKOR.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuNLD.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuNOR.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuPLK.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuPTB.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuPTG.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuRUS.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuSVE.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuTHA.dll.vir
c:\qoobox\quarantine\c\windows\system32\ialmuTRK.dll.vir
c:\qoobox\quarantine\c\windows\system32\igfxrara.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrchs.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrcht.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrcsy.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrdan.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrdeu.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrell.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrenu.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxresp.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrfin.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrfra.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrheb.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrhun.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrita.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrjpn.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrkor.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrnld.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrnor.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrplk.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrptb.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrptg.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrrus.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrsve.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrtha.lrc.vir
c:\qoobox\quarantine\c\windows\system32\igfxrtrk.lrc.vir
Quit::
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Hello,
After I ran ComboFix I had no internet connection and had to restart the computer. After the restart, it was fine. Here is the log:
c:\qoobox\quarantine\c\windows\system32\ialmuARA.dll.vir -> c:\windows\system32\ialmuARA.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuARB.dll.vir -> c:\windows\system32\ialmuARB.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuCHS.dll.vir -> c:\windows\system32\ialmuCHS.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuCHT.dll.vir -> c:\windows\system32\ialmuCHT.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuCSY.dll.vir -> c:\windows\system32\ialmuCSY.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuDAN.dll.vir -> c:\windows\system32\ialmuDAN.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuDEU.dll.vir -> c:\windows\system32\ialmuDEU.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmudlg.exe.vir -> c:\windows\system32\ialmudlg.exe ( 114688 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuELL.dll.vir -> c:\windows\system32\ialmuELL.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuENG.dll.vir -> c:\windows\system32\ialmuENG.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuESP.dll.vir -> c:\windows\system32\ialmuESP.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuFIN.dll.vir -> c:\windows\system32\ialmuFIN.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuFRA.dll.vir -> c:\windows\system32\ialmuFRA.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuFRC.dll.vir -> c:\windows\system32\ialmuFRC.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuHEB.dll.vir -> c:\windows\system32\ialmuHEB.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuHUN.dll.vir -> c:\windows\system32\ialmuHUN.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuITA.dll.vir -> c:\windows\system32\ialmuITA.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuJPN.dll.vir -> c:\windows\system32\ialmuJPN.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuKOR.dll.vir -> c:\windows\system32\ialmuKOR.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuNLD.dll.vir -> c:\windows\system32\ialmuNLD.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuNOR.dll.vir -> c:\windows\system32\ialmuNOR.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuPLK.dll.vir -> c:\windows\system32\ialmuPLK.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuPTB.dll.vir -> c:\windows\system32\ialmuPTB.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuPTG.dll.vir -> c:\windows\system32\ialmuPTG.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuRUS.dll.vir -> c:\windows\system32\ialmuRUS.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuSVE.dll.vir -> c:\windows\system32\ialmuSVE.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuTHA.dll.vir -> c:\windows\system32\ialmuTHA.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\ialmuTRK.dll.vir -> c:\windows\system32\ialmuTRK.dll ( 40960 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrara.lrc.vir -> c:\windows\system32\igfxrara.lrc ( 122880 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrchs.lrc.vir -> c:\windows\system32\igfxrchs.lrc ( 81920 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrcht.lrc.vir -> c:\windows\system32\igfxrcht.lrc ( 81920 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrcsy.lrc.vir -> c:\windows\system32\igfxrcsy.lrc ( 139264 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrdan.lrc.vir -> c:\windows\system32\igfxrdan.lrc ( 139264 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrdeu.lrc.vir -> c:\windows\system32\igfxrdeu.lrc ( 155648 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrell.lrc.vir -> c:\windows\system32\igfxrell.lrc ( 155648 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrenu.lrc.vir -> c:\windows\system32\igfxrenu.lrc ( 135168 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxresp.lrc.vir -> c:\windows\system32\igfxresp.lrc ( 151552 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrfin.lrc.vir -> c:\windows\system32\igfxrfin.lrc ( 139264 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrfra.lrc.vir -> c:\windows\system32\igfxrfra.lrc ( 147456 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrheb.lrc.vir -> c:\windows\system32\igfxrheb.lrc ( 118784 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrhun.lrc.vir -> c:\windows\system32\igfxrhun.lrc ( 143360 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrita.lrc.vir -> c:\windows\system32\igfxrita.lrc ( 151552 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrjpn.lrc.vir -> c:\windows\system32\igfxrjpn.lrc ( 98304 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrkor.lrc.vir -> c:\windows\system32\igfxrkor.lrc ( 98304 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrnld.lrc.vir -> c:\windows\system32\igfxrnld.lrc ( 147456 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrnor.lrc.vir -> c:\windows\system32\igfxrnor.lrc ( 139264 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrplk.lrc.vir -> c:\windows\system32\igfxrplk.lrc ( 143360 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrptb.lrc.vir -> c:\windows\system32\igfxrptb.lrc ( 143360 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrptg.lrc.vir -> c:\windows\system32\igfxrptg.lrc ( 143360 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrrus.lrc.vir -> c:\windows\system32\igfxrrus.lrc ( 143360 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrsve.lrc.vir -> c:\windows\system32\igfxrsve.lrc ( 139264 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrtha.lrc.vir -> c:\windows\system32\igfxrtha.lrc ( 126976 bytes )
c:\qoobox\quarantine\c\windows\system32\igfxrtrk.lrc.vir -> c:\windows\system32\igfxrtrk.lrc ( 135168 bytes )
Thank You.
Good. How's the system running now?
Good morning,
System is running better than ever!!
Thank you so much for your assistance.
:beerbeerb:
You're welcome :)
Here's a list of the final steps to follow.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator Access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis
Now let's uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK
Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the Begin cleanup Process? prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
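The six Custom Level changes above are stored as per-user registry values for the Internet zone, so they can be audited without clicking through the dialog. The following PowerShell script is an added example and is not part of the thread; it assumes zone 3 is the Internet zone and that the numeric value names are Microsoft's documented zone-setting identifiers (0 = Enable, 1 = Prompt, 3 = Disable). It reports each setting against the values recommended above and only writes them when run with -Fix.

```powershell
# Added example (not from the thread): audit the Internet-zone settings changed above.
# Assumed: zone 3 = Internet zone; value names 1001/1004/1201/1800/1804/1607 are the
# documented zone-setting identifiers; data 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values taken from the instructions above, keyed by setting identifier.
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)

$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    param([string]$Path, [string]$Id)
    # A missing per-user value means the zone default applies rather than a chosen setting.
    $item = Get-ItemProperty -Path $Path -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

function Test-InternetZone {
    param([switch]$Fix)
    foreach ($s in $Recommended) {
        $have = Get-ZoneSetting -Path $ZonePath -Id $s.Id
        if ($null -eq $have) { $haveText = 'not set (zone default)' }
        elseif ($Label.ContainsKey($have)) { $haveText = $Label[$have] }
        else { $haveText = "unknown ($have)" }

        $ok = ($have -eq $s.Want)
        if ($ok) { $status = 'OK' } else { $status = 'MISMATCH' }
        '{0,-9} {1,-58} current: {2,-24} wanted: {3}' -f $status, $s.Name, $haveText, $Label[$s.Want]

        if ($Fix -and -not $ok) {
            # Same effect as changing the dropdown in Custom Level and clicking OK.
            Set-ItemProperty -Path $ZonePath -Name $s.Id -Value $s.Want -Type DWord
        }
    }
}

Test-InternetZone          # report only
# Test-InternetZone -Fix   # apply the recommended values for the current user
```

Run it in the account whose browser you are hardening, since the values are per user; a line marked "not set" means the zone is still on its default for that setting, so re-check it after applying the fix.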
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
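A blocking hosts file works by mapping each unwanted name to an address that goes nowhere (0.0.0.0 or 127.0.0.1), so a quick way to understand what such a file does, and to spot entries that do something else, is to classify every line. The PowerShell below is an added example and not part of the thread; the sample hosts lines are constructed for the demonstration, and the script assumes the DNS Client service's short name is Dnscache. It also performs the services.msc step above from the command line.

```powershell
# Added example (not from the thread): classify hosts-file entries and set the DNS Client
# service to Manual. Sample lines are constructed; the service short name Dnscache is assumed.
function Get-HostsEntry {
    param([string[]]$Lines)
    $local = @('127.0.0.1', '0.0.0.0', '::1')
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()     # drop comments and blank lines
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }         # need an address and at least one name
        $addr = $parts[0]
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $name = $parts[$i]
            # 'block': the name resolves to a non-routable address, which is what a blocklist does.
            # 'redirect': the name is sent to a real address, which a blocklist never needs to do.
            $kind = 'redirect'
            if ($name -eq 'localhost') { $kind = 'local' } elseif ($local -contains $addr) { $kind = 'block' }
            New-Object PSObject -Property @{ Name = $name; Address = $addr; Kind = $kind }
        }
    }
}

# Constructed sample in the usual hosts layout: the loopback line, two blocking entries,
# and one entry that does not block anything but points a site at another host.
$Sample = @(
    '127.0.0.1 localhost',
    '0.0.0.0 ad.example.net           # blocked: resolves to the unspecified address',
    '0.0.0.0 tracker.example.org',
    '198.51.100.7 www.example.com     # not a block entry: sends the name elsewhere'
)

$entries = Get-HostsEntry -Lines $Sample
$entries | Group-Object Kind | Select-Object Name, Count       # counts per kind
$entries | Where-Object { $_.Kind -eq 'redirect' }              # anything listed here deserves a look

# To audit the live file instead of the sample:
# Get-HostsEntry -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")

# The services.msc step from the instructions: keep the DNS Client service but do not start
# it automatically (needs an administrator session).
Set-Service -Name Dnscache -StartupType Manual
```

With a large blocking hosts file the count of 'block' entries will be in the thousands, which is exactly the size that makes the DNS Client cache slow on some machines; any 'redirect' entry is worth checking against what you expect that name to resolve to.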
Run Secunia vulnerability check here (http://secunia.com/vulnerability_scanning/online/) and fix its findings.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.