PDA

View Full Version : Antivir Solution Pro Malware Infection?



kobdog
2010-08-12, 03:49
Our computer had slowed down, then we were getting random IE sessions opening to websites like dotomi.com, and a Heinz 57 website, then Registry Defender pop-ups, then "Registry Error" IE sessons suggesting we download registry cleaner. I used Task Manager to end all of the applications rather than just closing them and ran scans with AVG, Malwarebytes' and Spybot S&D which we do with all three every week or two. Yesterday when I turned the computer on I received a RUNDLL error "Error loading eqaqp.dll, specified module could not be found" and "Antivir Solution Pro" loaded. It wouldn't let me load Task Manager and when AVG caught some of the trojans it would fail when I tried to remove selected items. IE also can't access any websites. "Antivir Solution Pro" appeared to have completed a scan, and I was able to disable TeaTimer and reboot. Now I am able to load Task Manager, "Antivir Solution Pro" doesn't load, I still get the RUNDLL error and IE still cannot access any websites. That's the short of it...

Not sure what we picked up where, but any help would be greatly appreciated in cleaning up this mess and getting IE and our computer working agian!

Thanks in advance and here is the DDS.txt info:


DDS (Ver_10-03-17.01) - NTFSx86
Run by OWNER at 19:18:43.78 on Wed 08/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.549 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\dcmsvc\dcmsvc.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\OWNER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=maznd.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
mSearchURL = hxxp://www.google.com/
BHO: {095CD655-22C4-4845-AA1D-10590EA36D1A} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {497B6553-405A-47A7-9E64-2695AFBF5A48} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Internet Explorer Plugin: {7922062a-bfdc-4708-9211-f91aab7d60c7} - pavwx.dll
BHO: {95ABACE8-8DCC-4871-9E26-1654AC49F0C8} - No File
BHO: {95bc13d5-1e85-4af9-a538-c9452fc9392f} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E5D5BE53-CA78-4CEE-A405-456AE551483F} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: ZeroBar: {f5735c15-1fb2-41fe-ba12-242757e69dde} - c:\program files\netzero\Toolbar.dll
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [dcmsvc] c:\program files\dcmsvc\dcmsvc.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [sta] rundll32 "eqaqp.dll",,Run
mRun: [MChk] c:\windows\system32\rqaqp.exe
mRun: [tjnqswsc] c:\documents and settings\networkservice\local settings\application data\mtafvoxcl\rgcgsbytssd.exe
dRun: [Xgoqafonut] rundll32.exe "c:\windows\wmdfPI.dll",Startup
dRun: [tjnqswsc] c:\documents and settings\networkservice\local settings\application data\mtafvoxcl\rgcgsbytssd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} - hxxps://www.select2perform.com/cabs/QOLCheck.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128119231437
DPF: {6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} - hxxp://admin.mem.com/imagefunctions/imagxpress7.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} - hxxp://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} - hxxp://admin.mem.com/imagefunctions/TwainPro4.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38165.3998726852
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://intercall.webex.com/client/T27L10NSP11EP5/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://webmail.mckesson.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli scecli
mASetup: {8405C2C5-CF8C-4ED4-A8DE-61926AA39EC0} - rundll32 pavwx.dll,laspi
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-3 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-3 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-4 243024]
R1 tcpip7x;tcpip7x;c:\windows\system32\drivers\tcpip7x.sys [2010-8-10 243968]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2008-4-5 7040]
S3 LGDDCDevice;LGDDCDevice;c:\program files\lg soft india\fortemanager\bin\I2CDriver.sys [2009-10-20 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\lg soft india\fortemanager\bin\PII2CDriver.sys [2009-10-20 18432]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-4 38224]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-23 27904]

=============== Created Last 30 ================

2010-08-10 10:09:34 783360 ----a-w- c:\windows\system32\drivers\zkzoetdz.sys
2010-08-10 10:09:30 5 ----a-w- C:\zrpt.xml
2010-08-10 10:09:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-08-10 10:09:15 243968 ----a-w- c:\windows\system32\drivers\tcpip7x.sys
2010-08-02 22:21:20 98304 ----a-w- c:\windows\system32\klgd.bmp
2010-08-02 22:21:20 37458 ----a-w- c:\windows\system32\vtpkt
2010-07-15 20:42:15 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-14 11:38:54 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-07-15 20:42:18 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 20:41:26 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

============= FINISH: 19:20:55.14 ===============

peku006
2010-08-16, 19:15
Hello and :welcome: to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:


If you don't know or understand something please don't hesitate to ask
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

Thanks peku006

kobdog
2010-08-17, 05:24
I followed the instructions for running ComboFix, unfortunately it sat on the “Scanning for Infected Files” for over an hour. I don’t know if I should have done this but I tried to close it so I could restart ComboFix, it wouldn’t close, I left it for a few minutes and I shutdown the PC using the power button. I Started the PC back up and ran ComboFix again. It ran and restarted the PC and prepared the log report. The results are below.

I hope I didn’t mess things up.

Thanks for your help!!

ComboFix.txt:

ComboFix 10-08-16.03 - pmaslos 08/16/2010 20:54:05.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.492 [GMT -5:00]
Running from: c:\documents and settings\pmaslos\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Update\seupd.exe
c:\documents and settings\All Users\invokesi.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\mtafvoxcl
c:\documents and settings\NetworkService\Local Settings\Application Data\mtafvoxcl\rgcgsbytssd.exe
c:\program files\Internet Explorer\SET51C.tmp
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
C:\Thumbs.db
c:\windows\$NtUninstallMTF1011$
c:\windows\$NtUninstallMTF1011$\apUninstall.exe
c:\windows\$NtUninstallMTF1011$\zrpt.xml
c:\windows\system\X10MSE32.CPL
c:\windows\system32\_003841_.tmp.dll
c:\windows\system32\_003842_.tmp.dll
c:\windows\system32\_003843_.tmp.dll
c:\windows\system32\_003844_.tmp.dll
c:\windows\system32\_003851_.tmp.dll
c:\windows\system32\_003852_.tmp.dll
c:\windows\system32\_003853_.tmp.dll
c:\windows\system32\_003855_.tmp.dll
c:\windows\system32\_003856_.tmp.dll
c:\windows\system32\_003859_.tmp.dll
c:\windows\system32\_003860_.tmp.dll
c:\windows\system32\_003862_.tmp.dll
c:\windows\system32\_003863_.tmp.dll
c:\windows\system32\_003864_.tmp.dll
c:\windows\system32\_003866_.tmp.dll
c:\windows\system32\_003869_.tmp.dll
c:\windows\system32\_003870_.tmp.dll
c:\windows\system32\_003874_.tmp.dll
c:\windows\system32\_003875_.tmp.dll
c:\windows\system32\_003877_.tmp.dll
c:\windows\system32\_003880_.tmp.dll
c:\windows\system32\_003882_.tmp.dll
c:\windows\system32\_003883_.tmp.dll
c:\windows\system32\_003884_.tmp.dll
c:\windows\system32\_003885_.tmp.dll
c:\windows\system32\_003888_.tmp.dll
c:\windows\system32\_003889_.tmp.dll
c:\windows\system32\_003890_.tmp.dll
c:\windows\system32\_003891_.tmp.dll
c:\windows\system32\_003892_.tmp.dll
c:\windows\system32\_003897_.tmp.dll
c:\windows\system32\_003899_.tmp.dll
c:\windows\system32\_006031_.tmp.dll
c:\windows\system32\_006032_.tmp.dll
c:\windows\system32\_006033_.tmp.dll
c:\windows\system32\_006034_.tmp.dll
c:\windows\system32\_006041_.tmp.dll
c:\windows\system32\_006042_.tmp.dll
c:\windows\system32\_006043_.tmp.dll
c:\windows\system32\_006044_.tmp.dll
c:\windows\system32\_006046_.tmp.dll
c:\windows\system32\_006047_.tmp.dll
c:\windows\system32\_006050_.tmp.dll
c:\windows\system32\_006051_.tmp.dll
c:\windows\system32\_006053_.tmp.dll
c:\windows\system32\_006054_.tmp.dll
c:\windows\system32\_006055_.tmp.dll
c:\windows\system32\_006057_.tmp.dll
c:\windows\system32\_006060_.tmp.dll
c:\windows\system32\_006061_.tmp.dll
c:\windows\system32\_006065_.tmp.dll
c:\windows\system32\_006066_.tmp.dll
c:\windows\system32\_006068_.tmp.dll
c:\windows\system32\_006071_.tmp.dll
c:\windows\system32\_006073_.tmp.dll
c:\windows\system32\_006074_.tmp.dll
c:\windows\system32\_006075_.tmp.dll
c:\windows\system32\_006076_.tmp.dll
c:\windows\system32\_006077_.tmp.dll
c:\windows\system32\_006080_.tmp.dll
c:\windows\system32\_006081_.tmp.dll
c:\windows\system32\_006082_.tmp.dll
c:\windows\system32\_006083_.tmp.dll
c:\windows\system32\_006084_.tmp.dll
c:\windows\system32\_006089_.tmp.dll
c:\windows\system32\_006091_.tmp.dll
c:\windows\system32\fsc.txt
c:\windows\system32\ide.txt
c:\windows\system32\klgd.bmp
c:\windows\system32\lpe.txt
c:\windows\system32\Thumbs.db
c:\windows\Temp\_ex-f.exe
c:\windows\wmdfPI.dll

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_TDSSSERV.SYS
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.

2010-08-10 10:09 . 2010-08-17 02:07 783360 ----a-w- c:\windows\system32\drivers\zkzoetdz.sys
2010-08-10 10:09 . 2010-08-17 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-10 10:09 . 2010-08-12 00:22 244480 ----a-w- c:\windows\system32\drivers\tcpip7x.sys
2010-08-01 23:53 . 2010-08-01 23:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-29 23:40 . 2010-07-29 23:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-12 00:16 . 2009-11-03 17:06 -------- d-----w- c:\program files\ERUNT
2010-07-21 22:27 . 2009-06-25 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-07-20 22:48 . 2010-07-20 22:48 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-07-20 22:48 . 2010-07-20 22:48 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-20 22:48 . 2010-07-20 22:48 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-15 20:42 . 2010-03-04 17:37 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 20:42 . 2010-07-15 20:42 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 20:41 . 2008-12-04 02:04 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-14 14:31 . 2002-08-29 11:00 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-02 22:12 . 2008-12-04 02:04 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-25 11:21 . 2010-05-25 11:21 503808 ----a-w- c:\documents and settings\pmaslos\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1e0de2e6-n\msvcp71.dll
2010-05-25 11:21 . 2010-05-25 11:21 499712 ----a-w- c:\documents and settings\pmaslos\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1e0de2e6-n\jmc.dll
2010-05-25 11:21 . 2010-05-25 11:21 348160 ----a-w- c:\documents and settings\pmaslos\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1e0de2e6-n\msvcr71.dll
2010-05-23 20:19 . 2010-05-23 20:19 503808 ----a-w- c:\documents and settings\dmasloski\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-381d6daf-n\msvcp71.dll
2010-05-23 20:19 . 2010-05-23 20:19 499712 ----a-w- c:\documents and settings\dmasloski\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-381d6daf-n\jmc.dll
2010-05-23 20:19 . 2010-05-23 20:19 348160 ----a-w- c:\documents and settings\dmasloski\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-381d6daf-n\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2005-10-14 69632]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-09-26 1851392]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-04-17 196608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-09 149280]
"dcmsvc"="c:\program files\dcmsvc\dcmsvc.exe" [2009-04-07 30440]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\warnhp.html
FriendlyName= Desktop Uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 20:42 12536 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [12/3/2008 9:04 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [3/4/2010 12:37 PM 243024]
R1 tcpip7x;tcpip7x;c:\windows\SYSTEM32\DRIVERS\tcpip7x.sys [8/10/2010 5:09 AM 244480]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 3:42 PM 308136]
R3 X10Hid;X10 Hid Device;c:\windows\SYSTEM32\DRIVERS\x10hid.sys [4/5/2008 3:14 PM 7040]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [10/20/2009 10:30 AM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [10/20/2009 10:30 AM 18432]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [12/4/2008 7:32 AM 38224]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\ndisprot.sys [11/23/2008 11:16 PM 27904]

--- Other Services/Drivers In Memory ---

*Deregistered* - zkzoetdz
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=maznd.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
mSearchURL = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} - hxxp://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} - hxxp://admin.mem.com/imagefunctions/TwainPro4.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{095CD655-22C4-4845-AA1D-10590EA36D1A} - (no file)
BHO-{497B6553-405A-47A7-9E64-2695AFBF5A48} - (no file)
BHO-{95ABACE8-8DCC-4871-9E26-1654AC49F0C8} - (no file)
BHO-{95bc13d5-1e85-4af9-a538-c9452fc9392f} - (no file)
BHO-{E5D5BE53-CA78-4CEE-A405-456AE551483F} - (no file)
Toolbar-Locked - (no file)
HKLM-Run-sta - eqaqp.dll
HKLM-Run-MChk - c:\windows\system32\rqaqp.exe
HKU-Default-Run-Xgoqafonut - c:\windows\wmdfPI.dll
Notify-WgaLogon - (no file)
ActiveSetup-{8405C2C5-CF8C-4ED4-A8DE-61926AA39EC0} - pavwx.dll
AddRemove-$NtUninstallMTF1011$ - c:\windows\$NtUninstallMTF1011$\apUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-16 21:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x??????????????????????????????????????????w????????????j??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zkzoetdz]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2128)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-16 21:18:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-17 02:17

Pre-Run: 13,999,247,360 bytes free
Post-Run: 14,186,524,672 bytes free

- - End Of File - - 4D821638B413B4AF030BC4B43DE04442

peku006
2010-08-17, 11:04
Hi kobdog

Open Notepad and copy/paste the text in the box into the window:



File::
c:\windows\system32\drivers\zkzoetdz.sys

RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zkzoetdz



Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Thanks peku006

kobdog
2010-08-17, 15:00
Below are the results from the latest ComboFix run with the script.

Thanks again for you help!!

log.txt:

ComboFix 10-08-16.03 - pmaslos 08/17/2010 6:23.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.597 [GMT -5:00]
Running from: c:\documents and settings\pmaslos\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\pmaslos\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\drivers\zkzoetdz.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\zkzoetdz.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_zkzoetdz
-------\Service_zkzoetdz


((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.

2010-08-10 10:09 . 2010-08-17 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-10 10:09 . 2010-08-12 00:22 244480 ----a-w- c:\windows\system32\drivers\tcpip7x.sys
2010-08-01 23:53 . 2010-08-01 23:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-29 23:40 . 2010-07-29 23:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-12 00:16 . 2009-11-03 17:06 -------- d-----w- c:\program files\ERUNT
2010-07-21 22:27 . 2009-06-25 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-07-20 22:48 . 2010-07-20 22:48 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-07-20 22:48 . 2010-07-20 22:48 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-20 22:48 . 2010-07-20 22:48 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-15 20:42 . 2010-03-04 17:37 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 20:42 . 2010-07-15 20:42 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 20:41 . 2008-12-04 02:04 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-14 14:31 . 2002-08-29 11:00 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-02 22:12 . 2008-12-04 02:04 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-25 11:21 . 2010-05-25 11:21 503808 ----a-w- c:\documents and settings\pmaslos\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1e0de2e6-n\msvcp71.dll
2010-05-25 11:21 . 2010-05-25 11:21 499712 ----a-w- c:\documents and settings\pmaslos\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1e0de2e6-n\jmc.dll
2010-05-25 11:21 . 2010-05-25 11:21 348160 ----a-w- c:\documents and settings\pmaslos\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1e0de2e6-n\msvcr71.dll
2010-05-23 20:19 . 2010-05-23 20:19 503808 ----a-w- c:\documents and settings\dmasloski\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-381d6daf-n\msvcp71.dll
2010-05-23 20:19 . 2010-05-23 20:19 499712 ----a-w- c:\documents and settings\dmasloski\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-381d6daf-n\jmc.dll
2010-05-23 20:19 . 2010-05-23 20:19 348160 ----a-w- c:\documents and settings\dmasloski\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-381d6daf-n\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2005-10-14 69632]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-09-26 1851392]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-04-17 196608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-09 149280]
"dcmsvc"="c:\program files\dcmsvc\dcmsvc.exe" [2009-04-07 30440]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\warnhp.html
FriendlyName= Desktop Uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 20:42 12536 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [12/3/2008 9:04 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [3/4/2010 12:37 PM 243024]
R1 tcpip7x;tcpip7x;c:\windows\SYSTEM32\DRIVERS\tcpip7x.sys [8/10/2010 5:09 AM 244480]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 3:42 PM 308136]
R3 X10Hid;X10 Hid Device;c:\windows\SYSTEM32\DRIVERS\x10hid.sys [4/5/2008 3:14 PM 7040]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [10/20/2009 10:30 AM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [10/20/2009 10:30 AM 18432]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [12/4/2008 7:32 AM 38224]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\ndisprot.sys [11/23/2008 11:16 PM 27904]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=owner.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
mSearchURL = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} - hxxp://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} - hxxp://admin.mem.com/imagefunctions/TwainPro4.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-17 06:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x??????????????????????????????????????????w????????????j??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3176)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-17 06:46:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-17 11:46
ComboFix2.txt 2010-08-17 02:18

Pre-Run: 14,204,518,400 bytes free
Post-Run: 14,185,115,648 bytes free

- - End Of File - - 04670315C7F87EA4555679C2A738AB7C

peku006
2010-08-17, 18:40
Hi kobdog

once again......:D:

Open Notepad and copy/paste the text in the box into the window:



File::
c:\windows\SYSTEM32\DRIVERS\tcpip7x.sys

Driver::
tcpip7x



Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save it to your desktop. If needed...Tutorial w/screenshots (http://thespykiller.co.uk/index.php/topic,5946.0.html)
Alternate download sites available here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or here (http://www.besttechie.net/tools/mbam-setup.exe).
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
Problems downloading the updates? Manually download them from here (http://malwarebytes.gt500.org/mbam-rules.exe) and double-click on "mbam-rules.exe" to install.
On the Scanner tab:
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
We will take care of the System Volume Information items later.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please reply with

the ComboFix log(C:\ComboFix.txt)
the Malwarebytes' Anti-Malware Log

Thanks peku006

kobdog
2010-08-19, 03:53
I ran ComboFix by dragging the script onto it. After it reached “Completed Stage_47” a an error popped up on the screen with C:\ComboFix\PEV.cfxxe in the header and “This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel.” I clicked “Ok”. A few minutes later I noticed in the ComboFix window it there were a few lines that stated “The system cannot execute the specified program” and “Insufficient resources exist to complete the requested service”. Shortly after that a “Low on Virtual Memory” message popped up on the screen, I clicked “Ok”. I let it sit for over 2 hours, the rebooted and started the process over by dragging the script onto the ComboFix shortcut on the desktop again. This time it completed and the ComboFix.txt log is below.

I had already been using MBAM so I updated it, then followed your instructions to run a scan.

Here are the logs:

ComboFix.txt:

ComboFix 10-08-16.03 - pmaslos 08/17/2010 21:12:04.8.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.584 [GMT -5:00]
Running from: c:\documents and settings\pmaslos\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\pmaslos\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\SYSTEM32\DRIVERS\tcpip7x.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\DRIVERS\tcpip7x.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TCPIP7X
-------\Service_tcpip7x


((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
.

2010-08-10 10:09 . 2010-08-17 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-01 23:53 . 2010-08-01 23:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-29 23:40 . 2010-07-29 23:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-12 00:16 . 2009-11-03 17:06 -------- d-----w- c:\program files\ERUNT
2010-07-21 22:27 . 2009-06-25 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-07-20 22:48 . 2010-07-20 22:48 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-07-20 22:48 . 2010-07-20 22:48 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-20 22:48 . 2010-07-20 22:48 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-15 20:42 . 2010-03-04 17:37 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 20:42 . 2010-07-15 20:42 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 20:41 . 2008-12-04 02:04 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-14 14:31 . 2002-08-29 11:00 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-02 22:12 . 2008-12-04 02:04 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-25 11:21 . 2010-05-25 11:21 503808 ----a-w- c:\documents and settings\pmaslos\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1e0de2e6-n\msvcp71.dll
2010-05-25 11:21 . 2010-05-25 11:21 499712 ----a-w- c:\documents and settings\pmaslos\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1e0de2e6-n\jmc.dll
2010-05-25 11:21 . 2010-05-25 11:21 348160 ----a-w- c:\documents and settings\pmaslos\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1e0de2e6-n\msvcr71.dll
2010-05-23 20:19 . 2010-05-23 20:19 503808 ----a-w- c:\documents and settings\dmasloski\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-381d6daf-n\msvcp71.dll
2010-05-23 20:19 . 2010-05-23 20:19 499712 ----a-w- c:\documents and settings\dmasloski\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-381d6daf-n\jmc.dll
2010-05-23 20:19 . 2010-05-23 20:19 348160 ----a-w- c:\documents and settings\dmasloski\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-381d6daf-n\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2005-10-14 69632]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-09-26 1851392]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-04-17 196608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-09 149280]
"dcmsvc"="c:\program files\dcmsvc\dcmsvc.exe" [2009-04-07 30440]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\warnhp.html
FriendlyName= Desktop Uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 20:42 12536 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [12/3/2008 9:04 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [3/4/2010 12:37 PM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 3:42 PM 308136]
R3 X10Hid;X10 Hid Device;c:\windows\SYSTEM32\DRIVERS\x10hid.sys [4/5/2008 3:14 PM 7040]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [10/20/2009 10:30 AM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [10/20/2009 10:30 AM 18432]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [12/4/2008 7:32 AM 38224]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\ndisprot.sys [11/23/2008 11:16 PM 27904]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=owner.mn&key=31767f1ae3952ac16daade64f209f1cb&ts=4078514e&A=0&B=1034233200000&C=1034233200000&D=0&I=7.NQ3&N=&O=A
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
mSearchURL = hxxp://www.google.com/
DPF: {839BC21A-05E8-422A-88AD-F81A209595A4} - hxxp://admin.mem.com/imagefunctions/upload/assets/MeMMediaUploader.cab
DPF: {9EB329EF-4119-41F7-AE5F-804E287CEBD8} - hxxp://admin.mem.com/imagefunctions/TwainPro4.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-17 21:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x??????????????????????????????????????????w????????????j??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3012)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-17 21:32:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-18 02:32
ComboFix2.txt 2010-08-17 11:46
ComboFix3.txt 2010-08-17 02:18

Pre-Run: 14,028,967,936 bytes free
Post-Run: 14,014,283,776 bytes free

- - End Of File - - B1DF918D42E22616D06E8FF758F457FE


MBAM.log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4447

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/18/2010 7:18:57 PM
mbam-log-2010-08-18 (19-18-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 236681
Time elapsed: 1 hour(s), 11 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Update\seupd.exe.vir (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\mtafvoxcl\rgcgsbytssd.exe.vir (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0047952.sys (Trojan.Agent.Gen) -> Not selected for removal.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0048034.exe (Trojan.Clicker) -> Not selected for removal.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0048036.exe (Trojan.FakeAV) -> Not selected for removal.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0048253.sys (Trojan.Agent.Gen) -> Not selected for removal.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0048346.sys (Trojan.Agent.Gen) -> Not selected for removal.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0048468.sys (Trojan.Agent.Gen) -> Not selected for removal.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0049549.sys (Trojan.Agent.Gen) -> Not selected for removal.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0049670.sys (Trojan.Agent.Gen) -> Not selected for removal.

peku006
2010-08-19, 10:34
Hi kobdog


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work.TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Please go to Kaspersky Online Virus Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) © Kaspersky Lab to perform an online antivirus scan.

Read the "Advantages - Requirements and Limitations" then press... the ACCEPT...button.
The latest program and definition files will be downloaded. It takes time, please be patient, let it finish.
Once the files have been downloaded, click on the SETTINGS...button.
In the scan settings make sure the following are selected:
Detect malicious programs of the following categories:
Viruses, Worms, Trojan Horses, Rootkits
Spyware, Adware, Dialers and other potentially dangerous programs
Scan compound files (doesn't apply to the File scan area):
Archives
Mail databases
By default the above items should already be checked.
Click the SAVE...button, if you made any changes.
Now under the Scan section on the left:Select My Computer
The program will start scanning your system. This takes a while, be patient... let it run.
Once the scan is complete it will display if your system has been infected.
Save the scan results as a Text file ... save it to your desktop.
Copy and paste the saved scan results file in your next reply.

Thanks peku006

kobdog
2010-08-21, 04:47
Ran TFC and it prompted for a reboot. After rebooting I ran Kaspersky and the results from that are below.

Thank peku006 for all your help!

Kaspersky Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, August 20, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, August 20, 2010 16:38:47
Records in database: 4127786
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 76315
Threats found: 7
Infected objects found: 12
Suspicious objects found: 0
Scan duration: 02:32:00


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\searchplugins\google_search.xml.vir Infected: Trojan.Win32.Clicker.hd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pciide.sys.vir Infected: Virus.Win32.TDSS.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\zkzoetdz.sys.vir Infected: Rootkit.Win32.Bubnix.kf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\_zkzoetdz_.sys.zip Infected: Rootkit.Win32.Bubnix.kf 1
C:\Qoobox\Quarantine\C\WINDOWS\wmdfPI.dll.vir Infected: Trojan-Downloader.Win32.Mufanom.aafz 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0043635.dll Infected: Packed.Win32.Krap.hc 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0048034.exe Infected: Trojan.Win32.Clicker.hd 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0048036.exe Infected: Trojan.Win32.FraudPack.bfba 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0048105.dll Infected: Trojan-Downloader.Win32.Mufanom.aafz 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0048124.sys Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0048436.sys Infected: Rootkit.Win32.Bubnix.kf 1
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20090425-090814.backup Infected: Trojan.Win32.Qhost.mcf 1

Selected area has been scanned.

peku006
2010-08-21, 09:37
Hi kobdog

Security Check
Please download Security Check (http://screen317.spywareinfoforum.org/SecurityCheck.exe) ... by screen317. Save it to your desktop.
Alternate download site: Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
Double click the SecurityCheck.exe icon to begin.
Press the Space Bar when you see the "press any key to continue..." message.
A Notepad results file will open automatically called checkup.txt
Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
Please copy/paste the entire contents of the checkup.txt file into your next reply.

Thanks peku006

kobdog
2010-08-21, 15:44
The resulte from SecurityCheck are below.

Thanks again!!!

checkup:

Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG Free 9.0
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 17
Out of date Java installed!
Adobe Flash Player
Adobe Reader 7.0.9
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
````````````````````````````````
DNS Vulnerability Check:
Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````

peku006
2010-08-21, 18:04
Hi kobdog

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 21.
Download the latest version of Java Runtime Environment (JRE) 6 Here (http://java.sun.com/javase/downloads/index.jsp)
Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)"
Click the orange Download JRE button to the right
Select the Windows platform from the dropdown menu
Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
Click on the link to download Windows Offline Installation & save the file to your desktop
Close any programs you may have running - especially your web browser
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs (or Programs and Features-Uninstall Programs in Vista) & remove all older versions of Java
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
Click the Remove or Change/Remove button. (Select item then select Uninstall in Vista)
Repeat as many times as necessary to remove each Java versions
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup) On the General tab, under Temporary Internet Files, click the Settings button
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH CheckedApplications and Applets
Trace and Log Files Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version 9.3.3.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader(3.5MB) from here (http://www.filehippo.com/download_foxit/download/423817ca4028434efe3f6174b07468b0/FoxitReader30_enu_Setup.exe). It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.


How's the computer running now? Any problems?

Thanks peku006

kobdog
2010-08-21, 19:11
I uninstalled the old versions of Java and installed the latest, as well as installed/upgraded to Adobe Reader 9.3.3.

The computer is working much better! Faster, especially the internet and sites like Hotmail a much faster!!

I did have a couple of questions:

Is it okay to turn my AVG Resident Shield and TeaTimer back on?


Is there anything I should do with the information from Kaspersky? Should I delete the Qoobox folder or the other files it found?


Can I install and/or delete all the tools we installed with the exception of SecurityCheck which I'm wondering if it's okay to use SecurityCheck periodically to see if things are up-to-date?


I update and run scans with AVG, Malwarebytes and Spybot S&D every week or two, anything more I should be doing to prevent this in the future?


Anything more I need to do at this time?


Once again, thank you for your help peku006!!!

peku006
2010-08-21, 19:34
Hi kobdog


Is it okay to turn my AVG Resident Shield and TeaTimer back on?
yes

Is there anything I should do with the information from Kaspersky? Should I delete the Qoobox folder or the other files it found?
Can I install and/or delete all the tools we installed
we removed them now.......(without SecurityCheck)

I'm wondering if it's okay to use SecurityCheck periodically to see if things are up-to-date?
Yes

anything more I should be doing to prevent this in the future?
Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.

Your log now appears to be clean. Congratulations! :yahoo:

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.

Double-click OTC.exe
Click the CleanUp! button
Select Yes when the Begin cleanup Process? Prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes, if not delete it by yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep ......Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913).

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Here are some things that I think are worth having a look at if you don't already know a bout them:.

Spybot Search and Destroy
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

SpyWare Blaster
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find here the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
Here you can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy safe surfing! :bigthumb:

peku006

kobdog
2010-08-21, 20:43
Followed the rest of your instructions and thanks for the additional information, we'll read that too. Everything seems to be working fine and much better.

Thanks again!!!!!!!!!!!!!!!!!!!!!!!

peku006
2010-08-23, 10:44
As this issue appears to be resolved, this topic is now closed

We are pleased to have been some help in getting you clean.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read :
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)