click.giftload strikes again
bounser01
2011-03-23, 14:34
So I am working on someone's computer that at one point also had the Security Essentials 2011 trojan on it as well. I'm pretty sure that is cleaned up. But the click.giftload has been lingering and causing issues with IE: random popups when starting IE and sometimes auto-redirecting when doing a search or choosing a search result.
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Office at 8:14:26.54 on Wed 03/23/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.834 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Office\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [PeachtreePrefetcher.exe] "c:\progra~1\sageso~1\peacht~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: microsoft.com\windowsupdate
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxps://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1222365818148&h=fa4ebfe14e90a6b513ca3e9aac8e3f6f/&filename=jinstall-6u7-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: cryptnet32 - cryptnet32.dll
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist express customer\223\g2ax_winlogon.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-2 64288]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2008-6-6 435496]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-27 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\citrix\gotoassist express customer\223\g2ax_service.exe [2010-4-29 161144]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-21 14:09:32 -------- d-----w- c:\program files\CCleaner
2011-03-21 14:07:02 -------- d-----w- c:\docume~1\office\applic~1\AVG10
2011-03-18 20:52:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-18 20:52:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-18 19:07:02 -------- d--h--w- C:\$AVG
2011-03-18 18:50:46 -------- d-----w- C:\AVG10
2011-03-18 18:49:34 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-03-18 18:48:50 -------- d-----w- c:\windows\system32\drivers\AVG
2011-03-18 18:48:26 -------- d-----w- c:\program files\AVG
2011-03-18 17:10:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-03-18 17:00:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-16 17:48:11 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-03-15 12:38:23 295800 ----a-w- c:\windows\system32\shimg.dll
2011-03-14 15:20:14 -------- d-----w- c:\docume~1\office\applic~1\Malwarebytes
2011-03-14 15:20:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-14 15:20:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-14 15:20:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-14 15:20:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2009-01-22 14:18:32 16792624 ----a-w- c:\program files\setup PROFITFAB.exe
2008-10-29 14:48:42 81306392 ----a-w- c:\program files\DBANextGen.exe
.
============= FINISH: 8:21:11.42 ===============
Blottedisk
2011-03-23, 15:21
Hi bounser01,
Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.
Please follow these steps in order:
Step 1 | Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe ) to your desktop.
Double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.
http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png)
Click the image to enlarge it
Step 2 | Please download GMER from one of the following locations and save it to your desktop:
Main Mirror (http://gmer.net/download.php) - This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip) - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
--------------------------------------------------------------------
Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/index.php?showtopic=96260) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Make sure all options are checked except:
IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)
http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_th.gif (http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_screen2-1.gif)
Click the image to enlarge it
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode (http://www.computerhope.com/issues/chsafe.htm).
Step 3 | Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
Be sure to disable your security programs.
Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
A window will open on your desktop
If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
If nothing unusual is found, just press Enter. A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.
bounser01
2011-03-23, 16:05
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-23 10:01:24
-----------------------------
10:01:24.453 OS Version: Windows 5.1.2600 Service Pack 3
10:01:24.453 Number of processors: 2 586 0xF0D
10:01:24.453 ComputerName: MAINOFFICE UserName: Office
10:01:25.109 Initialize success
10:01:29.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
10:01:29.546 Disk 0 Vendor: ST316081 4.AD Size: 152587MB BusType: 3
10:01:29.562 Disk 0 MBR read successfully
10:01:29.562 Disk 0 MBR scan
10:01:29.562 Disk 0 scanning sectors +312496380
10:01:29.593 Disk 0 scanning C:\WINDOWS\system32\drivers
10:01:36.171 Service scanning
10:01:37.140 Disk 0 trace - called modules:
10:01:37.156 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
10:01:37.156 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89cff8c8]
10:01:37.156 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a645030]
10:01:37.156 Scan finished successfully
bounser01
2011-03-23, 16:06
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-23 10:05:20
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST316081 rev.4.AD
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uxtiyaog.sys
---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA0F887E]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xAAA5B6C0]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA0F8BFE]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xAAA5B770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xAAA5B810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xAAA5B8B0]
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB82EA360, 0x3475F7, 0xE8000020]
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xAFDE9A00]
? C:\DOCUME~1\Office\LOCALS~1\Temp\uxtiyaob.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[1592] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1592] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B15 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1592] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD16D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1592] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB6C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1592] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1592] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E502F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1592] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F61 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1592] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FCC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1592] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E32 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1592] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E94 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1592] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5092 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1592] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EF6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1592] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBC8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1592] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E53B0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB6C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E502F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F61 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FCC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E32 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E94 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5092 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3156] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EF6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B15 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD16D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB6C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E502F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F61 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FCC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E32 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E94 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5092 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EF6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBC8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3672] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E53B0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
---- EOF - GMER 1.0.15 ----
bounser01
2011-03-23, 16:06
MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c
Kernel Drivers (total 131):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA328000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9E5C000 iaStor.sys
0xBA330000 cercsr6.sys
0xB9E44000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E24000 fltmgr.sys
0xBA0F8000 Lbd.sys
0xB9E0E000 DRVMCDB.SYS
0xBA108000 PxHelp20.sys
0xB9DF7000 KSecDD.sys
0xB9D6A000 Ntfs.sys
0xB9D3D000 NDIS.sys
0xB9D23000 Mup.sys
0xBA318000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8D58000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB8D44000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA3E8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8D20000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3F0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8CF8000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB8CCD000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xB8CB9000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA128000 \SystemRoot\system32\DRIVERS\serial.sys
0xB9531000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA138000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA5DA000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xBA148000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA158000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8C96000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA5DC000 \SystemRoot\system32\DRIVERS\serscan.sys
0xBA72A000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA168000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9529000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8C7F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA178000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA188000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8C6E000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA198000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA400000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA408000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB8C3E000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA410000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA418000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5DE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8BE0000 \SystemRoot\system32\DRIVERS\update.sys
0xBA568000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB5EFF000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB5B9F000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA618000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB253E000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xB251A000 \SystemRoot\system32\drivers\portcls.sys
0xB5B8F000 \SystemRoot\system32\drivers\drmk.sys
0xB241A000 \SystemRoot\system32\drivers\Senfilt.sys
0xAE0FD000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA62A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xAD745000 \SystemRoot\System32\Drivers\Null.SYS
0xBA62C000 \SystemRoot\System32\Drivers\Beep.SYS
0xAD804000 \SystemRoot\System32\Drivers\DLARTL_M.SYS
0xAD7FC000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xAD7F4000 \SystemRoot\System32\drivers\vga.sys
0xBA62E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA630000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xAD7EC000 \SystemRoot\System32\Drivers\Msfs.SYS
0xAD7E4000 \SystemRoot\System32\Drivers\Npfs.SYS
0xADDDC000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAC90D000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAC8B4000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAC864000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAC83E000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAC81C000 \SystemRoot\System32\drivers\afd.sys
0xAD6F6000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAC7F1000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAC781000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAD6E6000 \SystemRoot\System32\Drivers\Fips.SYS
0xAD455000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xAD6D6000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAD620000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xAD445000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xAD43D000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xAD686000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAD60C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xACFE7000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xACE78000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAD42D000 \SystemRoot\system32\DRIVERS\point32.sys
0xACE6C000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xAD425000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xACFD7000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xACE68000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0xAC6BA000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xACE54000 \SystemRoot\System32\drivers\Dxapi.sys
0xAD40D000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA753000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBF594000 \SystemRoot\System32\ATMFD.DLL
0xB1990000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xBA7F3000 \SystemRoot\System32\DLA\DLADResM.SYS
0xAC4A2000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xB2B96000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xACEEA000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0xAD80C000 \SystemRoot\System32\DLA\DLABMFSM.SYS
0xB2B8E000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0xAC48C000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0xAC475000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0xAF1AA000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAC438000 \SystemRoot\system32\drivers\wdmaud.sys
0xB5F3F000 \SystemRoot\system32\drivers\sysaudio.sys
0xAC3BD000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA5B6000 \??\C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
0xAC2E5000 \SystemRoot\system32\DRIVERS\srv.sys
0xABC8C000 \SystemRoot\System32\Drivers\HTTP.sys
0xABF75000 \??\C:\DOCUME~1\Office\LOCALS~1\Temp\aswMBR.sys
0xAAFEB000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
Processes (total 36):
0 System Idle Process
4 System
620 C:\WINDOWS\system32\smss.exe
684 csrss.exe
708 C:\WINDOWS\system32\winlogon.exe
752 C:\WINDOWS\system32\services.exe
764 C:\WINDOWS\system32\lsass.exe
960 C:\WINDOWS\system32\svchost.exe
1028 svchost.exe
1124 C:\WINDOWS\system32\svchost.exe
1224 svchost.exe
1288 svchost.exe
1476 C:\WINDOWS\system32\spoolsv.exe
1792 svchost.exe
1828 C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
1980 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
2036 C:\WINDOWS\system32\svchost.exe
208 C:\WINDOWS\system32\nvsvc32.exe
324 C:\WINDOWS\system32\svchost.exe
488 C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
600 C:\WINDOWS\system32\svchost.exe
2244 alg.exe
2328 C:\WINDOWS\system32\wscntfy.exe
2576 C:\WINDOWS\explorer.exe
3068 C:\WINDOWS\system32\ctfmon.exe
3192 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
3208 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
3232 C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
3364 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
3476 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
3524 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
3596 C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
2480 C:\Program Files\Internet Explorer\iexplore.exe
2612 C:\Program Files\Internet Explorer\iexplore.exe
3304 C:\Program Files\Internet Explorer\iexplore.exe
2592 C:\Documents and Settings\Office\Local Settings\Temporary Internet Files\Content.IE5\3YHEQ05X\MBRCheck[1].exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)
PhysicalDrive0 Model Number: ST3160815AS, Rev: 4.ADA
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
Done!
Blottedisk
2011-03-23, 16:53
Hi bounser01,
This next program is needed to remove the main infection. However...AVG incorrectly targets ComboFix's embedded files. ComboFix will not run with AVG installed. Please uninstall AVG before continuing. You can reinstall it, or another antivirus such as Avira or avast!, after we've used ComboFix to clear the remaining infection.
After uninstalling AVG from the Control Panel, also run the AVG remover from their site.
http://www.avg.com/us-en/download-tools
direct link to the AVG Remover:
http://download.avg.com/filedir/util..._2011_1149.exe
You may also use this tool to uninstall AVG:
http://www.appremover.com/appremover/avg/AppRemover.exe
Instructions:
http://www.appremover.com/about/using-appremover.html
Once you have uninstalled AVG, please visit the following and have a look how you can disable your security software.
How to disable your security programs (http://forums.whatthetech.com/index.php?showtopic=96260)
After disabling your security programs, download Combofix from any of the links below and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
--------------------------------------------------------------------
Double click on Combofix.exe & follow the prompts.
When finished, it will produce a report for you.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
bounser01
2011-03-23, 18:59
Not sure why it still shows Ad-Watch installed; I removed that.
ComboFix 11-03-22.09 - Office 03/23/2011 11:24:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1565 [GMT -4:00]
Running from: c:\documents and settings\Office\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Office\Application Data\Adobe\plugs
c:\documents and settings\Office\g2ax_customer_downloadhelper_win32_x86.exe
c:\windows\system32\shimg.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
.
.
2011-03-22 21:37 . 2011-03-22 21:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2011-03-21 14:09 . 2011-03-21 14:09 -------- d-----w- c:\program files\CCleaner
2011-03-21 14:07 . 2011-03-21 14:07 -------- d-----w- c:\documents and settings\Office\Application Data\AVG10
2011-03-18 20:52 . 2011-03-22 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-18 20:52 . 2011-03-18 20:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-18 18:50 . 2011-03-18 18:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-03-18 18:50 . 2011-03-18 18:50 -------- d-----w- C:\AVG10
2011-03-18 18:49 . 2011-03-18 18:49 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-18 18:48 . 2011-03-18 18:48 -------- d-----w- c:\program files\AVG
2011-03-18 17:10 . 2011-03-23 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-03-18 17:00 . 2011-03-18 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-17 16:54 . 2011-03-17 16:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-03-16 17:48 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-03-15 19:09 . 2011-03-15 19:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-03-15 12:40 . 2011-03-15 12:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-03-15 12:40 . 2011-03-15 12:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-03-14 20:51 . 2011-03-14 20:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-14 15:20 . 2011-03-14 15:20 -------- d-----w- c:\documents and settings\Office\Application Data\Malwarebytes
2011-03-14 15:20 . 2011-03-14 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-14 15:20 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-14 15:20 . 2011-03-14 15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-14 15:20 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-11 17:03 . 2011-03-11 17:03 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-11 22:11 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-11 22:11 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 10:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 10:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2009-01-22 14:18 . 2009-01-22 14:18 16792624 ----a-w- c:\program files\setup PROFITFAB.exe
2008-10-29 14:48 . 2008-10-29 14:48 81306392 ----a-w- c:\program files\DBANextGen.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\iphlpppi]
@="{DA14CB6F-CBF1-16BE-12CC-31988CCC9B54}"
[HKEY_CLASSES_ROOT\CLSID\{DA14CB6F-CBF1-16BE-12CC-31988CCC9B54}]
2008-04-14 00:11 173568 ----a-w- c:\windows\system32\iphlpppi.ocx
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"PeachtreePrefetcher.exe"="c:\progra~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" [2009-08-13 28456]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-13 8523776]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-12 185896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2010-04-29 18:13 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2011-01-05 17:11 4321112 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 16:56 124200 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-09-11 23:58 1015808 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DBA Manufacturing\\ejsme.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/2/2009 2:22 PM 64288]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 3:30 PM 79168]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [6/6/2008 2:03 PM 435496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2010 6:06 PM 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_service.exe [4/29/2010 2:13 PM 161144]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 22:06]
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 22:06]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\windowsupdate
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-23 11:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll
.
Completion time: 2011-03-23 11:30:47
ComboFix-quarantined-files.txt 2011-03-23 15:30
.
Pre-Run: 133,705,748,480 bytes free
Post-Run: 135,651,397,632 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 7F69708DC299C033C1561C5EF4511829
Blottedisk
2011-03-23, 19:43
Hi bounser01,
How's the machine working?
Please go to the following site to scan a file: Virus Total (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.virustotal.com)
Click on Browse, and upload the following file for analysis:
c:\windows\system32\iphlpppi.ocx
Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
bounser01
2011-03-23, 19:55
It has been running much better. I haven't had IE redirect me. None of the svchosts are running out of control as of right now.
AhnLab-V3 2011.03.24.00 2011.03.23 -
AntiVir 7.11.5.50 2011.03.23 BDS/Afcore.A.8
Antiy-AVL 2.0.3.7 2011.03.22 -
Avast 4.8.1351.0 2011.03.23 -
Avast5 5.0.677.0 2011.03.23 -
AVG 10.0.0.1190 2011.03.23 -
BitDefender 7.2 2011.03.23 Gen:Trojan.Heur.LP.ku4@aGqBsoo
CAT-QuickHeal 11.00 2011.03.23 -
ClamAV 0.96.4.0 2011.03.23 -
Commtouch 5.2.11.5 2011.03.22 -
Comodo 8078 2011.03.23 -
DrWeb 5.0.2.03300 2011.03.23 -
eSafe 7.0.17.0 2011.03.22 -
eTrust-Vet 36.1.8231 2011.03.23 -
F-Prot 4.6.2.117 2011.03.22 -
F-Secure 9.0.16440.0 2011.03.23 Gen:Trojan.Heur.LP.ku4@aGqBsoo
Fortinet 4.2.254.0 2011.03.23 -
GData 21 2011.03.23 Gen:Trojan.Heur.LP.ku4@aGqBsoo
Ikarus T3.1.1.97.0 2011.03.23 Gen.Trojan.Heur
Jiangmin 13.0.900 2011.03.23 Trojan/PSW.Qbot.kd
K7AntiVirus 9.94.4194 2011.03.23 -
McAfee 5.400.0.1158 2011.03.23 CoreFlood.dll
McAfee-GW-Edition 2010.1C 2011.03.23 CoreFlood.dll
Microsoft 1.6603 2011.03.23 Backdoor:Win32/Afcore.gen!A
NOD32 5978 2011.03.23 -
Norman 6.07.03 2011.03.23 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.23 Suspicious file
PCTools 7.0.3.5 2011.03.21 -
Prevx 3.0 2011.03.23 -
Rising 23.50.01.11 2011.03.23 -
Sophos 4.63.0 2011.03.23 -
SUPERAntiSpyware 4.40.0.1006 2011.03.23 -
Symantec 20101.3.0.103 2011.03.23 Trojan.Gen
TheHacker 6.7.0.1.156 2011.03.23 -
TrendMicro 9.200.0.1012 2011.03.23 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.23 -
VBA32 3.12.14.3 2011.03.23 -
VIPRE 8794 2011.03.23 Trojan.Win32.Generic!BT
ViRobot 2011.3.23.4372 2011.03.23 -
VirusBuster 13.6.266.0 2011.03.23 -
Blottedisk
2011-03-23, 20:11
Close any open browsers. Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.
Please open Notepad.
In Notepad, Click "Format" and be certain that Word Wrap is not checked.
Copy and paste all of the text in the code box below into the Notepad (including the URL). Do not copy the word CODE:
http://forums.spybot.info/showthread.php?p=398587#post398587
Collect::
c:\windows\system32\iphlpppi.ocx
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\iphlpppi]
[-HKEY_CLASSES_ROOT\CLSID\{DA14CB6F-CBF1-16BE-12CC-31988CCC9B54}]
In the notepad click File, Save as..., and set the Save in to your Desktop
In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
Click save.
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.
This will start ComboFix again. Close all browsers/windows first.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
**Note: When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
Please advise if the upload was successful and post back including the Combofix log.
bounser01
2011-03-23, 20:29
ComboFix 11-03-22.09 - Office 03/23/2011 14:23:39.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1477 [GMT -4:00]
Running from: c:\documents and settings\Office\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Office\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
.
.
2011-03-22 21:37 . 2011-03-22 21:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2011-03-21 14:09 . 2011-03-21 14:09 -------- d-----w- c:\program files\CCleaner
2011-03-21 14:07 . 2011-03-21 14:07 -------- d-----w- c:\documents and settings\Office\Application Data\AVG10
2011-03-18 20:52 . 2011-03-22 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-18 20:52 . 2011-03-18 20:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-18 18:50 . 2011-03-18 18:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-03-18 18:50 . 2011-03-18 18:50 -------- d-----w- C:\AVG10
2011-03-18 18:49 . 2011-03-18 18:49 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-18 18:48 . 2011-03-18 18:48 -------- d-----w- c:\program files\AVG
2011-03-18 17:10 . 2011-03-23 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-03-18 17:00 . 2011-03-18 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-17 16:54 . 2011-03-17 16:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-03-16 17:48 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-03-15 19:09 . 2011-03-15 19:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-03-15 12:40 . 2011-03-15 12:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-03-15 12:40 . 2011-03-15 12:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-03-14 20:51 . 2011-03-14 20:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-14 15:20 . 2011-03-14 15:20 -------- d-----w- c:\documents and settings\Office\Application Data\Malwarebytes
2011-03-14 15:20 . 2011-03-14 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-14 15:20 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-14 15:20 . 2011-03-14 15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-14 15:20 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-11 17:03 . 2011-03-11 17:03 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-11 22:11 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-11 22:11 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 10:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 10:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2009-01-22 14:18 . 2009-01-22 14:18 16792624 ----a-w- c:\program files\setup PROFITFAB.exe
2008-10-29 14:48 . 2008-10-29 14:48 81306392 ----a-w- c:\program files\DBANextGen.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\jmddgawi]
@="{8A4B8A9E-8A00-46E1-E38D-6EC87D8DC404}"
[HKEY_CLASSES_ROOT\CLSID\{8A4B8A9E-8A00-46E1-E38D-6EC87D8DC404}]
2002-12-19 15:44 186368 ----a-w- c:\windows\system32\jmddgawi.ocx
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"PeachtreePrefetcher.exe"="c:\progra~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" [2009-08-13 28456]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-13 8523776]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-12 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-08-04 413696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2010-04-29 18:13 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2011-01-05 17:11 4321112 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 16:56 124200 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-09-11 23:58 1015808 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DBA Manufacturing\\ejsme.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/2/2009 2:22 PM 64288]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 3:30 PM 79168]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [6/6/2008 2:03 PM 435496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2010 6:06 PM 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_service.exe [4/29/2010 2:13 PM 161144]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 22:06]
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 22:06]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\windowsupdate
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-23 14:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll
.
- - - - - - - > 'explorer.exe'(844)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-03-23 14:26:30
ComboFix-quarantined-files.txt 2011-03-23 18:26
ComboFix2.txt 2011-03-23 15:30
.
Pre-Run: 135,693,488,128 bytes free
Post-Run: 135,665,229,824 bytes free
.
- - End Of File - - 46098DF76304EE03FEE77A680F598548
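An added example (not code from this thread, from ComboFix or from the helper) that does in Python what the helper did by eye across the two logs above: it parses the shelliconoverlayidentifiers entries out of the "Reg Loading Points" sections, flags the pattern seen here, shows the handler coming back under a new subkey name and CLSID after the first CFScript, and renders the matching Collect::/Registry:: stanza in the form the helper posted. The log excerpts are constructed from values on this page plus one made-up benign entry; the "eight random letters with a same-named .ocx in system32" heuristic is an assumption of this example, not a ComboFix rule.

```python
import re
from dataclasses import dataclass

# Constructed excerpts: the overlay-identifier entries as they appear in the two
# ComboFix logs posted above, plus one made-up benign entry (ExampleSyncOverlay)
# so the heuristic has a negative case. An unrelated Run key is included so the
# parser has something to skip.
LOG_BEFORE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\iphlpppi]
@="{DA14CB6F-CBF1-16BE-12CC-31988CCC9B54}"
[HKEY_CLASSES_ROOT\CLSID\{DA14CB6F-CBF1-16BE-12CC-31988CCC9B54}]
2008-04-14 00:11 173568 ----a-w- c:\windows\system32\iphlpppi.ocx
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
'''

LOG_AFTER = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\jmddgawi]
@="{8A4B8A9E-8A00-46E1-E38D-6EC87D8DC404}"
[HKEY_CLASSES_ROOT\CLSID\{8A4B8A9E-8A00-46E1-E38D-6EC87D8DC404}]
2002-12-19 15:44 186368 ----a-w- c:\windows\system32\jmddgawi.ocx
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ExampleSyncOverlay]
@="{00000000-0000-0000-0000-000000000001}"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}]
2009-01-01 00:00 12345 ----a-w- c:\program files\Example Sync\overlay.dll
'''

OVERLAY_PREFIX = (r'HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion'
                  r'\explorer\shelliconoverlayidentifiers')
# ComboFix prints each overlay handler as four lines: subkey, @="{CLSID}",
# the CLSID key, then "date time size attrs path" for the resolved file.
OVERLAY_KEY_RE = re.compile(r'^\[' + re.escape(OVERLAY_PREFIX) + r'\\([^\]]+)\]$', re.I)
CLSID_VALUE_RE = re.compile(r'^@="(\{[0-9A-F-]+\})"$', re.I)
CLSID_KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]+\})\]$', re.I)
FILE_LINE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(\d+)\s+\S+\s+(.+)$')
RANDOM_NAME_RE = re.compile(r'[a-z]{8}')


@dataclass(frozen=True)
class OverlayHandler:
    key_name: str   # subkey under shelliconoverlayidentifiers
    clsid: str      # CLSID the subkey's default value points at (upper-cased)
    path: str       # file ComboFix resolved that CLSID to
    size: int       # file size in bytes as printed in the log


def parse_overlay_handlers(log_text):
    """Extract the four-line overlay-handler blocks from a ComboFix log."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    found = []
    for i, line in enumerate(lines):
        m_key = OVERLAY_KEY_RE.match(line)
        if not m_key or i + 3 >= len(lines):
            continue
        m_clsid = CLSID_VALUE_RE.match(lines[i + 1])
        m_cls_key = CLSID_KEY_RE.match(lines[i + 2])
        m_file = FILE_LINE_RE.match(lines[i + 3])
        if not (m_clsid and m_cls_key and m_file):
            continue
        if m_clsid.group(1).upper() != m_cls_key.group(1).upper():
            continue  # default value and CLSID key disagree; not one block
        found.append(OverlayHandler(m_key.group(1), m_clsid.group(1).upper(),
                                    m_file.group(2), int(m_file.group(1))))
    return found


def is_suspicious(handler):
    """Assumed heuristic: an 8-letter pseudo-random subkey whose handler is a
    same-named .ocx dropped straight into system32 (iphlpppi, jmddgawi)."""
    directory, _, basename = handler.path.lower().rpartition('\\')
    return (RANDOM_NAME_RE.fullmatch(handler.key_name) is not None
            and basename == handler.key_name.lower() + '.ocx'
            and directory == r'c:\windows\system32')


def respawned(before, after):
    """Suspicious handlers in `after` that are not the ones already seen in
    `before`: the component came back under a fresh name and CLSID."""
    seen = {h.clsid for h in before if is_suspicious(h)}
    return [h for h in after if is_suspicious(h) and h.clsid not in seen]


def cfscript_for(handlers):
    """Render the Collect::/Registry:: stanza in the layout the helper posted."""
    registry = []
    for h in handlers:
        registry.append('[-%s\\%s]' % (OVERLAY_PREFIX, h.key_name))
        registry.append('[-HKEY_CLASSES_ROOT\\CLSID\\%s]' % h.clsid)
    return '\n'.join(['Collect::', *[h.path for h in handlers], 'Registry::', *registry])


if __name__ == '__main__':
    before = parse_overlay_handlers(LOG_BEFORE)
    after = parse_overlay_handlers(LOG_AFTER)
    print('first log flagged:', [h.key_name for h in before if is_suspicious(h)])
    print('respawned in second log:', [h.key_name for h in respawned(before, after)])
    print(cfscript_for([h for h in after if is_suspicious(h)]))
```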
Blottedisk
2011-03-23, 21:43
Hi,
There's something in there respawning malicious keys and files. Please follow these steps:
Step 1 | Please download CCleaner (freeware) (http://www.majorgeeks.com/download4191.html)
Run the installer.
Once installed, run CCleaner click the Windows [tab]
The following should be selected by default, if not, please select:
http://i210.photobucket.com/albums/bb164/jedi_030/CCleanerA.png
Next: click Options (in the left panel) and click the Advanced button.
Uncheck: "Only delete files in Windows Temp folders older than 24 hours."
Go back to Cleaner (in the left panel) and click the Run Cleaner button (bottom right). Then exit CCleaner.
Step 2 | Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Step 3 | Let's perform an ESET Online Scan
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here (http://www.bleepingcomputer.com/forums/topic114351.html).
Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif (Selecting Uninstall application on close if you so wish)
bounser01
2011-03-23, 23:01
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6145
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
3/23/2011 4:00:16 PM
mbam-log-2011-03-23 (16-00-16).txt
Scan type: Quick scan
Objects scanned: 161933
Time elapsed: 1 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=bf26a6fcb58eb04299ed90a0e278df37
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-23 08:57:53
# local_time=2011-03-23 04:57:53 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=109493
# found=3
# cleaned=0
# scan_time=3152
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\19\b9ce693-21483a11 Java/TrojanDownloader.OpenStream.NBM trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\38\5eb4f3e6-11312e9a Java/TrojanDownloader.OpenStream.NBM trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Office\Application Data\Sun\Java\Deployment\cache\6.0\57\31f78339-223d546f multiple threats (unable to clean) 00000000000000000000000000000000 I
Blottedisk
2011-03-24, 00:27
Hi,
Please do the following:
Step 1 | Please follow these steps to remove older version Java components and update.
Click on the following link to visit java website: Java Runtime Environment (JRE) 6 (http://www.oracle.com/technetwork/java/javase/downloads/index.html)
Scroll down to where it says "JDK 6 Update 23 (JDK or JRE)".
Click the "Download" button to the right column (JRE).
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the recently downloaded java installer icon to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon (looks like a coffee cup).
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked
Applications and Applets
Trace and Log Files
Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.
Step 2 | ComboFix - CFScript
WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
Please open Notepad and copy/paste all the text below... into the window:
Files::
c:\windows\system32\jmddgawi.ocx
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\jmddgawi]
[-HKEY_CLASSES_ROOT\CLSID\{8A4B8A9E-8A00-46E1-E38D-6EC87D8DC404}]
Save it to your desktop as CFScript.txt
Please disable any Antivirus or Firewall you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
http://i526.photobucket.com/albums/cc345/MPKwings/ComboFixScriptDrag.gif
This will cause ComboFix to run again.
Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
Do Not touch your computer when ComboFix is running!
When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
Please copy/paste the contents of log.txt... in your next reply.
** Enable your Antivirus and Firewall, before connecting to the Internet again! **
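The CFScript above removes a shell icon overlay handler (the ShellIconOverlayIdentifiers subkey plus the CLSID it names) so that Explorer stops loading the OCX at every logon. The PowerShell below is an added example, not part of this thread or of ComboFix: it enumerates every overlay handler on the machine, follows each CLSID to its InprocServer32 path, and reports whether the file exists and whether it carries a valid Authenticode signature, so a technician can review this persistence point without a third-party tool. The key paths are the standard Windows locations; no page-specific values are assumed.

```powershell
# Added example (not from the thread): inventory Explorer's shell icon overlay
# handlers and resolve the COM server behind each CLSID. Each subkey's default
# value is a CLSID; HKCR\CLSID\{...}\InprocServer32 holds the DLL/OCX Explorer
# loads. An entry pointing at an unsigned or missing file is worth a closer look.

$overlayKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'

function Get-ShellIconOverlayHandlers {
    Get-ChildItem -Path $overlayKey -ErrorAction SilentlyContinue | ForEach-Object {
        $name      = $_.PSChildName
        # The subkey's default value is the handler's CLSID.
        $clsid     = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        $server    = $null
        $exists    = $false
        $signature = 'n/a'

        if ($clsid) {
            $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $server = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            if ($server) {
                # Expand %SystemRoot%-style references before testing the path.
                $server = [Environment]::ExpandEnvironmentVariables($server)
                $exists = Test-Path -LiteralPath $server
                if ($exists) {
                    # Valid / NotSigned / HashMismatch etc. from the Authenticode check.
                    $signature = (Get-AuthenticodeSignature -FilePath $server).Status
                }
            }
        }

        New-Object PSObject -Property @{
            Handler   = $name
            CLSID     = $clsid
            Server    = $server
            Exists    = $exists
            Signature = $signature
        }
    }
}

# Print the inventory; run from an elevated prompt so HKLM and HKCR are readable.
Get-ShellIconOverlayHandlers | Format-Table Handler, CLSID, Server, Exists, Signature -AutoSize
```

Legitimate overlay handlers (for example from sync or version-control clients) resolve to signed files under Program Files; a handler whose CLSID resolves to nothing, or to an unsigned file dropped directly into system32, is the pattern the script in this post targeted.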
bounser01
2011-03-24, 14:48
And I still don't know why Ad-Watch is still showing up. There must be a lingering folder/registry entry somewhere that didn't get deleted when I uninstalled Ad-Aware.
ComboFix 11-03-23.05 - Office 03/24/2011 8:27.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1588 [GMT -4:00]
Running from: c:\documents and settings\Office\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Office\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-24 to 2011-03-24 )))))))))))))))))))))))))))))))
.
.
2011-03-24 12:22 . 2011-03-24 12:22 -------- d-----w- c:\program files\Common Files\Java
2011-03-24 12:22 . 2011-03-24 12:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-24 12:22 . 2011-03-24 12:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-23 20:02 . 2011-03-23 20:02 -------- d-----w- c:\program files\ESET
2011-03-22 21:37 . 2011-03-22 21:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2011-03-21 14:09 . 2011-03-21 14:09 -------- d-----w- c:\program files\CCleaner
2011-03-21 14:07 . 2011-03-21 14:07 -------- d-----w- c:\documents and settings\Office\Application Data\AVG10
2011-03-18 20:52 . 2011-03-23 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-18 20:52 . 2011-03-18 20:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-18 18:50 . 2011-03-18 18:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-03-18 18:50 . 2011-03-18 18:50 -------- d-----w- C:\AVG10
2011-03-18 18:49 . 2011-03-18 18:49 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-18 18:48 . 2011-03-18 18:48 -------- d-----w- c:\program files\AVG
2011-03-18 17:10 . 2011-03-23 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-03-18 17:00 . 2011-03-18 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-17 16:54 . 2011-03-17 16:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-03-16 17:48 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-03-15 19:09 . 2011-03-15 19:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-03-15 12:40 . 2011-03-15 12:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-03-15 12:40 . 2011-03-15 12:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-03-14 20:51 . 2011-03-14 20:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-14 15:20 . 2011-03-14 15:20 -------- d-----w- c:\documents and settings\Office\Application Data\Malwarebytes
2011-03-14 15:20 . 2011-03-14 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-14 15:20 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-14 15:20 . 2011-03-14 15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-14 15:20 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-11 17:03 . 2011-03-11 17:03 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-11 22:11 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-11 22:11 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 10:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 10:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2009-01-22 14:18 . 2009-01-22 14:18 16792624 ----a-w- c:\program files\setup PROFITFAB.exe
2008-10-29 14:48 . 2008-10-29 14:48 81306392 ----a-w- c:\program files\DBANextGen.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-23_15.29.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-24 12:22 . 2011-03-24 12:22 16384 c:\windows\temp\Perflib_Perfdata_370.dat
+ 2011-03-23 18:00 . 2011-03-24 12:22 3582 c:\windows\system32\onexd.dat
+ 2011-03-23 18:00 . 2011-03-24 12:22 4395 c:\windows\system32\IMGFX30K.dat
+ 2011-03-24 12:22 . 2011-03-24 12:22 157472 c:\windows\system32\javaws.exe
+ 2011-03-24 12:22 . 2011-03-24 12:22 145184 c:\windows\system32\javaw.exe
+ 2011-03-24 12:22 . 2011-03-24 12:22 145184 c:\windows\system32\java.exe
+ 2011-03-24 12:22 . 2011-03-24 12:22 180224 c:\windows\Installer\15101.msi
+ 2011-03-24 12:22 . 2011-03-24 12:22 677376 c:\windows\Installer\150fc.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"PeachtreePrefetcher.exe"="c:\progra~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" [2009-08-13 28456]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-13 8523776]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-12 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-08-04 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2010-04-29 18:13 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2011-01-05 17:11 4321112 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 16:56 124200 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-09-11 23:58 1015808 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DBA Manufacturing\\ejsme.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/2/2009 2:22 PM 64288]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 3:30 PM 79168]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [6/6/2008 2:03 PM 435496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2010 6:06 PM 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_service.exe [4/29/2010 2:13 PM 161144]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 22:06]
.
2011-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 22:06]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\windowsupdate
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-24 08:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll
.
- - - - - - - > 'explorer.exe'(3388)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-03-24 08:33:39
ComboFix-quarantined-files.txt 2011-03-24 12:33
ComboFix2.txt 2011-03-23 18:26
ComboFix3.txt 2011-03-23 15:30
.
Pre-Run: 135,472,447,488 bytes free
Post-Run: 135,439,822,848 bytes free
.
- - End Of File - - EB2EE5EB1F70FCCDB528E2515BF3AAE4
Blottedisk
2011-03-24, 15:17
Hi,
Some of the security applications have a specific removal tool to remove all traces of the program. Unfortunately Ad-Watch Live doesn't seem to have one. I would suggest you that when we finish here, go to the Lavasoft Support Forums and ask for help there:
http://www.lavasoftsupport.com/index.php?showforum=30
We got rid of that respawning entry. We're almost done here. Please do the following:
ComboFix - CFScript
WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
Please open Notepad and copy/paste all the text below... into the window:
File::
c:\windows\system32\onexd.dat
c:\windows\system32\IMGFX30K.dat
Save it to your desktop as CFScript.txt
Please disable any Antivirus or Firewall you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
http://i526.photobucket.com/albums/cc345/MPKwings/ComboFixScriptDrag.gif
This will cause ComboFix to run again.
Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
Do Not touch your computer when ComboFix is running!
When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
Please copy/paste the contents of log.txt... in your next reply.
** Enable your Antivirus and Firewall, before connecting to the Internet again! **
bounser01
2011-03-24, 15:43
ComboFix 11-03-23.05 - Office 03/24/2011 9:32.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1578 [GMT -4:00]
Running from: c:\documents and settings\Office\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Office\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
FILE ::
"c:\windows\system32\IMGFX30K.dat"
"c:\windows\system32\onexd.dat"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\IMGFX30K.dat
c:\windows\system32\onexd.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-02-24 to 2011-03-24 )))))))))))))))))))))))))))))))
.
.
2011-03-24 13:29 . 2011-03-24 13:29 -------- d-----w- c:\windows\LastGood
2011-03-24 12:22 . 2011-03-24 12:22 -------- d-----w- c:\program files\Common Files\Java
2011-03-24 12:22 . 2011-03-24 12:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-24 12:22 . 2011-03-24 12:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-23 20:02 . 2011-03-23 20:02 -------- d-----w- c:\program files\ESET
2011-03-22 21:37 . 2011-03-22 21:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2011-03-21 14:09 . 2011-03-21 14:09 -------- d-----w- c:\program files\CCleaner
2011-03-21 14:07 . 2011-03-21 14:07 -------- d-----w- c:\documents and settings\Office\Application Data\AVG10
2011-03-18 20:52 . 2011-03-23 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-18 20:52 . 2011-03-18 20:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-18 18:50 . 2011-03-18 18:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-03-18 18:50 . 2011-03-18 18:50 -------- d-----w- C:\AVG10
2011-03-18 18:49 . 2011-03-18 18:49 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-18 18:48 . 2011-03-18 18:48 -------- d-----w- c:\program files\AVG
2011-03-18 17:10 . 2011-03-24 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-03-18 17:00 . 2011-03-24 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-17 16:54 . 2011-03-17 16:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-03-16 17:48 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-03-15 19:09 . 2011-03-15 19:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-03-15 12:40 . 2011-03-15 12:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-03-15 12:40 . 2011-03-15 12:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-03-14 20:51 . 2011-03-14 20:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-14 15:20 . 2011-03-14 15:20 -------- d-----w- c:\documents and settings\Office\Application Data\Malwarebytes
2011-03-14 15:20 . 2011-03-14 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-14 15:20 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-14 15:20 . 2011-03-14 15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-14 15:20 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-11 17:03 . 2011-03-11 17:03 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-11 22:11 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-11 22:11 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 10:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 10:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2009-01-22 14:18 . 2009-01-22 14:18 16792624 ----a-w- c:\program files\setup PROFITFAB.exe
2008-10-29 14:48 . 2008-10-29 14:48 81306392 ----a-w- c:\program files\DBANextGen.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-23_15.29.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-24 13:20 . 2011-03-24 13:20 16384 c:\windows\temp\Perflib_Perfdata_1f4.dat
+ 2011-03-24 13:29 . 2010-09-07 07:48 26064 c:\windows\LastGood\system32\DRIVERS\avgrkx86.sys
+ 2011-03-24 13:29 . 2010-09-07 07:48 34384 c:\windows\LastGood\system32\DRIVERS\avgmfx86.sys
+ 2011-03-24 13:29 . 2010-08-03 19:23 26192 c:\windows\LastGood\system32\DRIVERS\AVGIDSShim.sys
+ 2011-03-24 13:29 . 2010-08-03 19:23 30288 c:\windows\LastGood\system32\DRIVERS\AVGIDSFilter.sys
+ 2011-03-24 13:29 . 2010-09-13 19:27 25680 c:\windows\LastGood\system32\DRIVERS\AVGIDSEH.sys
+ 2004-08-04 10:00 . 2009-07-27 23:17 135168 c:\windows\system32\shsvcs.dll
- 2004-08-04 10:00 . 2008-04-14 00:12 135168 c:\windows\system32\shsvcs.dll
+ 2011-03-24 12:22 . 2011-03-24 12:22 157472 c:\windows\system32\javaws.exe
+ 2011-03-24 12:22 . 2011-03-24 12:22 145184 c:\windows\system32\javaw.exe
+ 2011-03-24 12:22 . 2011-03-24 12:22 145184 c:\windows\system32\java.exe
+ 2009-07-27 23:17 . 2009-07-27 23:17 135168 c:\windows\system32\dllcache\shsvcs.dll
+ 2011-03-24 13:29 . 2010-11-12 17:19 299984 c:\windows\LastGood\system32\DRIVERS\avgtdix.sys
+ 2011-03-24 13:29 . 2010-12-08 08:12 251728 c:\windows\LastGood\system32\DRIVERS\avgldx86.sys
+ 2011-03-24 13:29 . 2010-08-03 19:23 123472 c:\windows\LastGood\system32\DRIVERS\AVGIDSDriver.sys
+ 2011-03-24 12:22 . 2011-03-24 12:22 180224 c:\windows\Installer\15101.msi
+ 2011-03-24 12:22 . 2011-03-24 12:22 677376 c:\windows\Installer\150fc.msi
+ 2011-03-24 12:43 . 2011-03-24 12:43 3277312 c:\windows\Installer\13a1f7.msi
+ 2011-03-24 12:42 . 2011-03-24 12:42 1611776 c:\windows\Installer\13a1f3.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"PeachtreePrefetcher.exe"="c:\progra~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" [2009-08-13 28456]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-13 8523776]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-12 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-08-04 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2010-04-29 18:13 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2011-01-05 17:11 4321112 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 16:56 124200 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-09-11 23:58 1015808 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DBA Manufacturing\\ejsme.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/2/2009 2:22 PM 64288]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 3:30 PM 79168]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [6/6/2008 2:03 PM 435496]
R4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R4 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R4 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
R4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys --> c:\windows\system32\DRIVERS\avgrkx86.sys [?]
R4 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys --> c:\windows\system32\DRIVERS\avgtdix.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2010 6:06 PM 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_service.exe [4/29/2010 2:13 PM 161144]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Avgldx86
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 22:06]
.
2011-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 22:06]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-24 09:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(884)
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll
.
Completion time: 2011-03-24 09:39:34
ComboFix-quarantined-files.txt 2011-03-24 13:39
ComboFix2.txt 2011-03-24 12:33
ComboFix3.txt 2011-03-23 18:26
ComboFix4.txt 2011-03-23 15:30
.
Pre-Run: 134,955,794,432 bytes free
Post-Run: 134,929,727,488 bytes free
.
- - End Of File - - 41EC8E5C08CBF0C718ED1DB112DACF88
Blottedisk
2011-03-24, 21:01
Well done bounser01, we are done :bigthumb:
Please follow these last steps:
Step 1 | Delete ComboFix and Clean Up
The following will implement some cleanup procedures as well as reset System Restore points. Click Start > Run and copy/paste the following underlined text into the Run box and click OK:
ComboFix /Uninstall
Please advise if this step is missed for any reason as it performs some important actions.
Step 2 | Please download OTC by OldTimer (http://oldtimer.geekstogo.com/OTC.exe ) to your desktop and run it
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
Also, please manually delete any logfiles left on your desktop (move the files to the bin or right-click the files and choose "Send to recycle bin"). Also delete both MBRCheck.exe and aswMBR.exe.
Last Step | Now, in order to avoid future infections, please take time to read the following article:
So how did I get infected in the first place? (http://forums.spybot.info/showthread.php?t=279)
Thank you for your patience, and performing all of the procedures requested. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed :)
bounser01
2011-03-24, 21:23
Thank you very, very much. It's been a long couple of days and you have helped greatly. I have never seen something buried so deep.
Thank you again,
Adam (Bounser01)
Blottedisk
2011-03-24, 21:29
You are very welcome :bigthumb:
Best regards.
Jack&Jill
2011-03-26, 08:14
As your problems appear to have been resolved, this topic is now closed.
We are glad to be of help. If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read:
Your donation helps in improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)