Infected: Cannot update or access safer-networking.org, redirects



doremix12
2010-05-11, 10:56
Hello,

I've got an infected computer.

Main problem: as the topic title describes, I cannot update my Spybot software, I get redirects when accessing certain websites, and safer-networking.org and malwarebytes.org are blocked. Multiple other pieces of malware showed up in Application Data and the startup registry keys. I removed as much as I could.

Some help would be greatly appreciated. "DDS" log report is posted below, and "Attach" report is attached.

Thank you.

--Scott


DDS (Ver_10-03-17.01) - NTFSx86
Run by Scott at 0:46:14.45 on 11/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.3071.2362 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Rosewill\Common\RegistryWriter.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rosewill\Common\RaUI.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
X:\Internet Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [<NO NAME>]
mRun: [nwiz] nwiz.exe /install
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\scott\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rosewi~1.lnk - c:\program files\rosewill\common\RaUI.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Capture Selection - c:\program files\smarthru office\WebCapture.dll2.htm
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download &Flash Movies - c:\program files\flash2x\flash hunter\save.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Save as HTML - c:\program files\smarthru office\WebCapture.dll1.htm
IE: Save Selected Text - c:\program files\smarthru office\WebCapture.dll.htm
IE: Web Capture - c:\program files\smarthru office\WebCapture.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - c:\program files\eltima software\flash decompiler trillix\saveflash\iebt.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1241110233321&h=98a521ce91b15590f21d47ed0e70ebcb/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: NameServer = 93.188.163.180,93.188.166.171
TCP: {139B6145-4A09-4C4B-B0C1-FF13FA411210} = 93.188.163.180,93.188.166.171
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files\quicktax 2009\ic2009pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\5swdblv1.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-29 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-29 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-29 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-15 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\autodesk\3ds max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-3-12 86016]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\rosewill\common\RegistryWriter.exe [2010-3-14 185632]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-11-29 2749224]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-8-27 92008]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-3-14 719616]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\system\cpl bonus\vcdrom.sys --> c:\program files\system\cpl bonus\Vcdrom.sys [?]
S2 ramdisk;AR Soft RAM Disk Service;c:\windows\system32\drivers\ramdisk.sys [2008-10-16 10431]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 RAPIProtocol;Ralink RAPI Protocol Driver;c:\windows\system32\drivers\RAPIProtocol.sys [2010-3-14 16512]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys --> c:\windows\system32\drivers\RTL8187.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-11-29 15656]

=============== Created Last 30 ================

2010-05-10 22:21:14 50990 ----a-w- c:\windows\system32\pjdvwwujaqof.exe
2010-05-10 22:20:59 173056 ----a-w- c:\windows\Cxiraa.exe
2010-05-10 22:20:34 36592 ----a-w- c:\windows\system32\net.net
2010-05-07 18:15:35 0 d-----w- c:\program files\Market Samurai
2010-04-30 18:05:38 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-04-30 18:05:37 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-04-30 18:05:37 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-04-30 18:05:36 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2010-04-30 18:05:36 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2010-04-30 18:05:35 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-04-30 18:05:35 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-04-30 18:05:32 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2010-04-29 20:27:10 0 d-----w- c:\program files\QuickTax 2009
2010-04-12 22:32:32 0 d-sh--w- c:\documents and settings\scott\IECompatCache
2010-04-12 02:44:40 0 d-----w- c:\documents and settings\scott\.idlerc
2010-04-12 02:44:00 0 d-----w- C:\Python26

==================== Find3M ====================

2010-04-21 10:38:43 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-19 04:41:42 104272 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-20 04:52:08 2145280 ----a-w- c:\windows\system32\python26.dll
2010-03-18 03:25:10 256 ----a-w- c:\documents and settings\scott\pool.bin
2010-03-15 10:50:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-15 10:49:53 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-14 09:06:20 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 12:50:36 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:12:52 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:27:58 100864 ----a-w- c:\windows\system32\6to4svc.dll
2008-11-29 07:42:31 2862 ----a-w- c:\program files\common files\unins000.dat
2008-11-29 07:42:28 728858 ----a-w- c:\program files\common files\unins000.exe
2008-03-09 15:25:10 236 ---ha-w- c:\program files\common files\dx.reg
2006-06-23 10:18:54 32768 ----a-w- c:\windows\inf\UpdateUSB.exe
1999-07-07 00:00:00 6 --sh--r- c:\windows\@@desktop.dat

============= FINISH: 0:47:28.56 ===============

doremix12
2010-05-12, 03:13
OK, I did some more reading on this forum and performed the following actions:

Ran Erunt
Disconnected from internet
Uninstalled utorrent
Disabled spybot resident activity (teatimer, sdhelper)
Disabled antivirus (avg resident)
Disabled firewall (windows)

Ran Combofix

After ComboFix completed (it restarted my computer 4x before it activated, mentioning stuff about emulation drives and rootkits), I was able to update Spybot and access safer-networking.org and malwarebytes.org. No new popups.

I think everything is all good now. ComboFix log report below:

Anyways, thanks for having this forum!

ComboFix 10-05-10.05 - Scott 11/05/2010 15:49:17.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.3071.2555 [GMT -7:00]
Running from: c:\documents and settings\Scott\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Scott\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk
c:\documents and settings\Scott\Local Settings\Application Data\babxcsokq
c:\documents and settings\Scott\Local Settings\Application Data\babxcsokq\wpddfcstssd.exe
C:\Thumbs.db
c:\windows\Cxiraa.exe
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\d3d10core.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\kernel32new.dll
c:\windows\system32\msvcrtnew.dll
c:\windows\system32\vb40032.dll

Infected copy of c:\windows\system32\drivers\WudfPf.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-11 06:09 . 2010-05-11 06:09 -------- d-----w- c:\program files\ERUNT
2010-05-10 22:21 . 2010-05-10 22:21 50990 ----a-w- c:\windows\system32\pjdvwwujaqof.exe
2010-05-10 22:20 . 2010-05-10 22:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-10 22:20 . 2010-05-10 22:20 99840 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\b0000000c.dll
2010-05-07 18:15 . 2010-05-07 18:15 -------- d-----w- c:\program files\Market Samurai
2010-05-05 15:22 . 2010-05-04 14:26 650240 ----a-w- c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\5swdblv1.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
2010-04-30 18:05 . 2009-09-05 00:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-04-30 18:05 . 2009-09-05 00:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-04-30 18:05 . 2009-09-05 00:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-04-30 18:05 . 2009-09-05 00:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2010-04-30 18:05 . 2009-09-05 00:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2010-04-30 18:05 . 2009-09-05 00:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-04-30 18:05 . 2009-09-05 00:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-04-30 18:05 . 2009-03-16 21:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2010-04-29 20:27 . 2010-04-29 21:31 -------- d-----w- c:\program files\QuickTax 2009
2010-04-12 22:32 . 2010-04-12 22:32 -------- d-sh--w- c:\documents and settings\Scott\IECompatCache
2010-04-12 02:44 . 2010-04-12 07:52 -------- d-----w- c:\documents and settings\Scott\.idlerc
2010-04-12 02:44 . 2010-04-12 02:44 -------- d-----w- C:\Python26

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 22:47 . 2008-11-29 10:15 -------- d-----w- c:\documents and settings\Scott\Application Data\WTablet
2010-05-11 22:21 . 2008-12-03 02:33 -------- d-----w- c:\documents and settings\Scott\Application Data\uTorrent
2010-05-11 05:52 . 2008-11-29 09:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-10 22:22 . 2009-05-25 19:59 -------- d-----w- c:\documents and settings\Scott\Application Data\FileZilla
2010-05-06 14:00 . 2009-05-04 23:24 -------- d--h--w- c:\documents and settings\All Users\Application Data\catalog.wci
2010-05-04 01:55 . 2008-11-29 08:31 150840 ----a-w- c:\documents and settings\Scott\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-30 18:04 . 2008-11-29 08:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-29 20:27 . 2009-05-01 19:20 -------- d-----w- c:\documents and settings\Scott\Application Data\Intuit Canada
2010-04-29 20:26 . 2009-05-01 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit Canada
2010-04-29 06:36 . 2008-11-29 07:42 -------- d-----w- c:\program files\CCleaner
2010-04-26 18:26 . 2009-10-12 10:44 1175792 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-23 09:09 . 2010-04-08 19:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-21 10:38 . 2008-11-29 08:50 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-20 00:45 . 2009-05-09 18:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-20 00:44 . 2009-10-10 20:45 38784 ----a-w- c:\documents and settings\Scott\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-19 04:41 . 2009-10-12 07:03 104272 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-16 19:19 . 2009-02-18 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-12 19:10 . 2009-11-12 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-09 03:26 . 2009-05-25 19:59 -------- d-----w- c:\program files\FileZilla FTP Client
2010-04-09 01:51 . 2009-10-10 21:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-08 21:45 . 2010-04-08 21:45 -------- d-----w- c:\program files\Flash2X
2010-04-08 20:10 . 2010-04-08 20:10 -------- d-----w- c:\program files\Eltima Software
2010-04-05 07:20 . 2010-03-31 22:40 -------- d-----w- c:\program files\Pixologic
2010-03-30 21:01 . 2010-03-30 21:01 45056 ----a-r- c:\documents and settings\Scott\Application Data\Microsoft\Installer\{E448503F-D677-46DB-AC77-7F9F094DFC01}\_28C06EB88381_4D72_BA9C_FEBD7FB46252.exe
2010-03-30 21:01 . 2010-03-30 21:01 15086 ----a-r- c:\documents and settings\Scott\Application Data\Microsoft\Installer\{E448503F-D677-46DB-AC77-7F9F094DFC01}\oC4.exe
2010-03-30 21:01 . 2010-03-30 21:01 -------- d-----w- c:\program files\portalgraphics
2010-03-27 06:37 . 2009-01-24 19:03 256 ----a-w- c:\windows\system32\pool.bin
2010-03-26 19:34 . 2010-03-26 19:34 -------- d-----w- c:\program files\Microsoft Chart Controls
2010-03-25 03:12 . 2010-03-25 03:12 -------- d-----w- c:\program files\Vector Magic
2010-03-20 04:52 . 2010-03-20 04:52 2145280 ----a-w- c:\windows\system32\python26.dll
2010-03-18 17:47 . 2010-03-18 17:47 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-03-18 17:41 . 2010-03-18 17:32 -------- d-----w- c:\program files\Warhammer 40,000 - Dawn of War II
2010-03-18 04:32 . 2010-03-18 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-03-18 04:32 . 2009-01-24 04:57 -------- d-----w- c:\program files\Research In Motion
2010-03-18 04:31 . 2009-01-24 19:03 -------- d-----w- c:\documents and settings\Scott\Application Data\Research In Motion
2010-03-18 04:18 . 2009-01-24 04:57 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-03-18 03:25 . 2009-04-01 08:52 256 ----a-w- c:\documents and settings\Scott\pool.bin
2010-03-15 10:50 . 2010-03-15 10:50 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-15 10:50 . 2008-11-29 08:50 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 10:49 . 2008-11-29 08:50 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-14 09:06 . 2010-03-14 09:06 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-03-14 09:06 . 2010-03-14 09:06 -------- d-----w- c:\program files\Rosewill
2010-03-14 09:06 . 2010-03-14 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosewill Driver
2010-03-10 06:15 . 2008-10-16 01:24 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2008-08-26 07:24 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 04:47 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 12:50 . 2008-10-16 01:25 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:12 . 2008-08-14 10:09 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:27 . 2008-04-14 09:41 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 11:36 . 2008-10-16 01:24 226880 ------w- c:\windows\system32\drivers\tcpip6.sys
2008-11-29 07:42 . 2008-11-29 07:42 2862 ----a-w- c:\program files\Common Files\unins000.dat
2008-11-29 07:42 . 2008-11-29 07:42 728858 ----a-w- c:\program files\Common Files\unins000.exe
2008-03-09 15:25 . 2008-11-29 07:42 236 ---ha-w- c:\program files\Common Files\dx.reg
1999-07-07 00:00 . 1999-07-07 00:00 6 --sh--r- c:\windows\@@desktop.dat
.

------- Sigcheck -------

[-] 2008-10-16 . DF70435F3D17C40D5CB15E6DC918342E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-10-16 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"nwiz"="nwiz.exe" [2008-10-07 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"_nltide_3"="advpack.dll" [2009-03-08 128512]

c:\documents and settings\Scott\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Rosewill Wireless Utility.lnk - c:\program files\Rosewill\Common\RaUI.exe [2010-3-14 1691648]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 10:50 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\keyclone\\keyclone.exe"=
"x:\\Internet Downloads\\keyclone_patched_FINAL.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Autodesk\\Maya8.5\\bin\\maya.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Autodesk\\Maya2009\\bin\\maya.exe"=
"c:\\Program Files\\TomTom HOME 2\\xulrunner\\TomTomHOMERuntime.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\twain_32\\Samsung\\ScanMgr.exe"=
"c:\\WINDOWS\\twain_32\\Samsung\\SCX4x28\\Scan2Pc.exe"=
"c:\\WINDOWS\\twain_32\\Samsung\\SCX4x28\\Sscan2io.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"c:\\Program Files\\Warhammer 40,000 - Dawn of War II\\DOW2.exe"=
"c:\\UDK\\UDK-2010-03\\Binaries\\Win32\\UDK.exe"=
"c:\\Python26\\pythonw.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21487:TCP"= 21487:TCP:BitComet 21487 TCP
"21487:UDP"= 21487:UDP:BitComet 21487 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [29/11/2008 1:50 AM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [29/11/2008 1:50 AM 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [15/03/2010 3:49 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/03/2010 3:49 AM 308064]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [29/11/2008 3:14 AM 2749224]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [27/08/2009 8:05 AM 92008]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [29/11/2008 3:14 AM 15656]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\System\CPL Bonus\Vcdrom.sys --> c:\program files\System\CPL Bonus\Vcdrom.sys [?]
S2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [12/03/2009 6:36 PM 86016]
S2 ramdisk;AR Soft RAM Disk Service;c:\windows\system32\drivers\ramdisk.sys [16/10/2008 5:54 AM 10431]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys --> c:\windows\system32\DRIVERS\RTL8187.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [29/11/2008 8:46 PM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-11-29 22:31]

2010-05-11 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-11-29 22:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://scottxiong.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Capture Selection - c:\program files\SmarThru Office\WebCapture.dll2.htm
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download &Flash Movies - c:\program files\Flash2X\Flash Hunter\save.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save as HTML - c:\program files\SmarThru Office\WebCapture.dll1.htm
IE: Save Selected Text - c:\program files\SmarThru Office\WebCapture.dll.htm
IE: Web Capture - c:\program files\SmarThru Office\WebCapture.dll
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\5swdblv1.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Warhammer 40,000 - Dawn of War II - c:\windows\Warhammer 40
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-11 15:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:58,6f,36,11,2b,1b,19,3e,75,e5,d2,3b,b6,bd,7a,c2,79,1c,36,24,56,
5f,96,a1,99,8e,89,48,5a,1c,d7,e1,80,e2,ac,f8,e3,c1,af,1b,72,3f,36,8f,36,f6,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CF80BCAE-C263-0C3E-014A-DD93F0C8D942}\InProcServer32*]
"jaamencnndnkcciaejoo"=hex:6b,61,63,6e,66,6c,65,6a,6a,6e,61,6c,65,67,69,62,65,
67,6e,63,67,6b,00,00
"iaamommlecflbibgpg"=hex:6b,61,63,6e,66,6c,65,6a,6a,6e,61,6c,65,67,69,62,65,67,
6e,63,67,6b,00,00

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:58,6f,36,11,2b,1b,19,3e,75,e5,d2,3b,b6,bd,7a,c2,79,1c,36,24,56,
5f,96,a1,99,8e,89,48,5a,1c,d7,e1,80,e2,ac,f8,e3,c1,af,1b,72,3f,36,8f,36,f6,\
.
Completion time: 2010-05-11 15:59:16
ComboFix-quarantined-files.txt 2010-05-11 22:59

Pre-Run: 193,026,818,048 bytes free
Post-Run: 192,988,299,264 bytes free

- - End Of File - - F387F2939DFEB4769F775532F0C15144

tashi
2010-05-25, 08:33
Hello doremix12,

OK, I did some more reading on this forum and performed the following actions:

Ran ERUNT
Disconnected from internet
Uninstalled uTorrent
Disabled Spybot resident activity (TeaTimer, SDHelper)
Disabled antivirus (AVG resident)
Disabled firewall (Windows)

Ran Combofix

Please do NOT run 'FIXES' (ComboFix etc) without being asked (http://forums.spybot.info/showthread.php?t=16806) ;)

Also, you should not disable your firewall or anti-virus program unless requested. :eek:

When you added a post to your topic before a helper responded, it removed the zero-reply status they look for. If you still need help, please start a new topic and provide a link back to this one.

Best regards. :)