View Full Version : Browser hijacker, hot svchost, and click.giftload
oldkrock
2011-05-22, 22:23
Hello,
Having problem with browser hijacker - almost all hits from google are redirected. Also, svchost.exe grabs more and more memory until computer locks up. Finally (at least by my uneducated observations) there is a Click.GiftLoad infection; Spybot was (have been away from this machine for about a week) finding this, but it would re-appear on reboot - now Spybot is not finding it.
Sorry, but from the forum FAQS, it looks like I went too far before I started in the forum - malware removal attempts, etc.
With those caveats, here is the DDS log:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Mitchell family at 14:48:31.48 on Sun 05/22/2011
Internet Explorer: 7.0.5730.13
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\taskmgr.exe
\??\C:\Program Files\AVG\AVG10\avgrsx.exe
\??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
\??\C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Mitchell family\Desktop\dds.com
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.rcn.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [spchecker] "c:\program files\avg\avg10\notification\SPCheckerTE.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
dRunOnce: [RunNarrator] Narrator.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.3/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? itlperf;Intel CPU
R? McrdSvc;Media Center Extender Service
R? mrt_ivqmykwc;mrt_ivqmykwc
S? AVGIDSAgent;AVGIDSAgent
S? AVGIDSDriver;AVGIDSDriver
S? AVGIDSEH;AVGIDSEH
S? AVGIDSFilter;AVGIDSFilter
S? AVGIDSShim;AVGIDSShim
S? Avgldx86;AVG AVI Loader Driver
S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
S? Avgrkx86;AVG Anti-Rootkit Driver
S? Avgtdix;AVG TDI Driver
S? avgwd;AVG WatchDog
S? LBeepKE;Logitech Beep Suppression Driver
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2007-09-26 19:27:34 51422520 ----a-w- c:\program files\iTunes742Setup.exe
2007-06-20 15:38:50 14993976 ----a-w- c:\program files\GoogleEarthWin.exe
2007-03-31 19:24:14 1586332 -c--a-w- c:\program files\WRT54Gv5v6_v1[1].02.0_fw.bin
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JS-75NCB1 rev.10.02E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8732B40F
user & kernel MBR OK
.
============= FINISH: 14:58:20.15 ===============
redcar92
2011-05-23, 03:10
Hello oldkrock and welcome to the Safer Networking Form.
I'm RedCar92 and my name is Bill, I'll be glad to help you with your computer problems.
Please observe these rules while we work: Read the entire procedure It is important to perform ALL actions in sequence. If you don't know, stop and ask! Don't keep going on. Please reply to this thread. Do not start a new topic. Stick with me till you're given the all clear. Malware removal can be stressful but we will clean it. Remember, absence of symptoms does not mean the infection is all gone. Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advise, this will be a team effort.
This may cause a delay, but I will do my best to keep it as short as possible.
Please bear with me, I will post back to you as soon as I can.
IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your pc inoperative and could require a full reinstall of your OS, losing all your programs and data.
Stay with this topic until I give you the all clean post.
oldkrock
2011-05-23, 04:19
Hello Bill/Redcar92
Thanks for the help. I'm out of my league here, so no hurry at all. I'll watch for instructions.
redcar92
2011-05-23, 18:02
Greeting oldkrock,
I see that your DDS is downlevel, please delete DDS.exe and any logs.
Next
Please download DDS from LINK 1 (http://download.bleepingcomputer.com/sUBs/dds.scr) or LINK 2 (http://download.bleepingcomputer.com/sUBs/dds.com)
and save it to your desktop.
Double click dds.scr to run the tool.
When done, two DDS.txt's will open.
Save both reports to your desktop.
Please include the contents of the following in your reply using Copy / Paste:
DDS.txt & Attach.txt
Next
Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
On completion of the scan, click the**save log button, save it to your desktop and post it in your next reply.
Logs to post:
DDS.txt
Attach.txt
aswmbr.txt
oldkrock
2011-05-23, 18:39
Bill,
Thanks, here are the logs:
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Mitchell family at 11:33:06 on 2011-05-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.472 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Documents and Settings\Mitchell family\Local Settings\Temporary Internet Files\Content.IE5\F8VY2PJF\dds[1].scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.rcn.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
dRunOnce: [RunNarrator] Narrator.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.3/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2011-3-12 10448]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S1 mrt_ivqmykwc;mrt_ivqmykwc;\??\c:\program files\common files\system\mrt_ivqmykwc32.dll --> c:\program files\common files\system\mrt_ivqmykwc32.dll [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-2 136176]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2005-8-16 14336]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-2 136176]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-04-15 01:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-05 04:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 20:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-03-12 14:59:18 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2007-09-26 19:27:34 51422520 ----a-w- c:\program files\iTunes742Setup.exe
2007-06-20 15:38:50 14993976 ----a-w- c:\program files\GoogleEarthWin.exe
2007-03-31 19:24:14 1586332 -c--a-w- c:\program files\WRT54Gv5v6_v1[1].02.0_fw.bin
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JS-75NCB1 rev.10.02E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8732B5C9]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87331960]; MOV EAX, [0x873319dc]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x87371AB8]
3 CLASSPNP[0xF7652FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x872C1C48]
\Driver\atapi[0x873E0F38] -> IRP_MJ_CREATE -> 0x8732B5C9
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8732B40F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:35:19.09 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2/20/2006 8:03:08 PM
System Uptime: 5/23/2011 11:28:10 AM (0 hours ago)
.
Motherboard: Dell Inc. | | 0WG261
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 144 GiB total, 119.742 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMPHILIPS_DVD+-RW_DVD8701_________________5D24____\594D4D3037393335303735313539504233304539
Manufacturer: (Standard CD-ROM drives)
Name: PHILIPS DVD+-RW DVD8701
PNP Device ID: IDE\CDROMPHILIPS_DVD+-RW_DVD8701_________________5D24____\594D4D3037393335303735313539504233304539
Service: cdrom
.
==== System Restore Points ===================
.
RP328: 1/27/2011 10:32:05 AM - System Checkpoint
RP329: 1/29/2011 11:07:28 AM - System Checkpoint
RP330: 2/1/2011 8:08:13 AM - System Checkpoint
RP331: 2/2/2011 6:30:54 PM - System Checkpoint
RP332: 2/5/2011 10:54:53 AM - System Checkpoint
RP333: 2/6/2011 12:38:48 PM - System Checkpoint
RP334: 2/10/2011 12:34:16 PM - Software Distribution Service 3.0
RP335: 2/11/2011 8:57:15 PM - Software Distribution Service 3.0
RP336: 2/18/2011 7:31:27 PM - System Checkpoint
RP337: 2/20/2011 5:52:48 PM - System Checkpoint
RP338: 2/21/2011 8:24:28 PM - System Checkpoint
RP339: 2/25/2011 5:27:19 PM - System Checkpoint
RP340: 2/27/2011 11:42:14 AM - System Checkpoint
RP341: 2/28/2011 8:21:17 PM - System Checkpoint
RP342: 3/3/2011 6:45:03 PM - System Checkpoint
RP343: 3/5/2011 11:43:22 AM - System Checkpoint
RP344: 3/8/2011 8:07:48 PM - System Checkpoint
RP345: 3/11/2011 9:45:19 PM - Software Distribution Service 3.0
RP346: 3/15/2011 7:03:28 PM - System Checkpoint
RP347: 3/17/2011 7:24:47 AM - Software Distribution Service 3.0
RP348: 3/19/2011 12:48:34 PM - System Checkpoint
RP349: 3/20/2011 8:57:38 PM - System Checkpoint
RP350: 3/24/2011 9:18:37 AM - System Checkpoint
RP351: 3/24/2011 2:25:05 PM - Software Distribution Service 3.0
RP352: 3/25/2011 6:12:21 PM - System Checkpoint
RP353: 3/30/2011 6:42:35 PM - System Checkpoint
RP354: 4/1/2011 7:06:31 PM - System Checkpoint
RP355: 4/2/2011 9:43:59 PM - Removed Musicmatch for Windows Media Player
RP356: 4/4/2011 8:32:41 PM - System Checkpoint
RP357: 4/5/2011 6:26:06 PM - Installed SpyZooka
RP358: 4/5/2011 9:33:43 PM - Removed iTunes
RP359: 4/9/2011 11:05:22 AM - Removed SpyZooka
RP360: 4/9/2011 11:24:46 AM - ARO 2011 Sat, Apr 09, 11 11:24
RP361: 4/9/2011 1:57:45 PM - Removed Ask Toolbar.
RP362: 4/10/2011 5:11:59 PM - System Checkpoint
RP363: 4/11/2011 8:47:31 PM - System Checkpoint
RP364: 4/13/2011 8:31:12 PM - System Checkpoint
RP365: 4/15/2011 12:51:30 PM - System Checkpoint
RP366: 4/16/2011 6:16:45 PM - System Checkpoint
RP367: 4/17/2011 6:36:37 PM - System Checkpoint
RP368: 4/25/2011 7:24:37 AM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.9
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
AVG 2011
AVG PC Tuneup 2011
Compatibility Pack for the 2007 Office system
Corel Paint Shop Pro X
Corel Photo Album 6
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Photo Printer 720
Dell Support 3.1
Dell System Restore
ELIcon
eReg
ERUNT 1.1j
Garmin City Navigator North America NT 2010.10 Update
Garmin USB Drivers
Garmin WebUpdater
Google Earth
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Juniper Networks Host Checker
Logitech SetPoint 6.20
Malwarebytes' Anti-Malware
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Music Central 96
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Meeting 2007
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 6-9 Converter
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Philips Photo Manager 1.0
Photo Finale 4
PowerDVD 5.5
QuickTime
RealPlayer Basic
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebFldrs XP
Westwood Shared Internet Components
Windows Defender Signatures
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
5/23/2011 11:33:17 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
5/22/2011 12:13:56 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/22/2011 11:26:51 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Cdrom Imapi redbook
5/22/2011 11:26:44 AM, error: Service Control Manager [7023] - The Intel CPU service terminated with the following error: The specified module could not be found.
5/22/2011 11:26:44 AM, error: Service Control Manager [7023] - The Help and Support service terminated with the following error: The specified module could not be found.
5/22/2011 11:26:44 AM, error: Service Control Manager [7001] - The Media Center Extender Service service depends on the SSDP Discovery Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
5/22/2011 11:26:44 AM, error: Service Control Manager [7000] - The Zune Bus Enumerator Driver service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-23 11:37:55
-----------------------------
11:37:55.687 OS Version: Windows 5.1.2600 Service Pack 3
11:37:55.687 Number of processors: 2 586 0x403
11:37:55.687 ComputerName: FAMILYROOMDELL UserName:
11:37:56.156 Initialize success
11:38:13.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort1
11:38:13.671 Disk 0 Vendor: WDC_WD1600JS-75NCB1 10.02E01 Size: 152587MB BusType: 3
11:38:13.671 Device \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
11:38:13.671 Device \Driver\atapi -> DriverStartIo 8732b40f
11:38:15.671 Disk 0 MBR read successfully
11:38:15.671 Disk 0 MBR scan
11:38:15.671 Disk 0 TDL4@MBR code has been found
11:38:15.671 Disk 0 MBR hidden
11:38:15.671 Disk 0 MBR [TDL4] **ROOTKIT**
11:38:15.671 Disk 0 trace - called modules:
11:38:15.671 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8732b5c9]<<
11:38:15.671 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87371ab8]
11:38:15.671 3 CLASSPNP.SYS[f7652fd7] -> nt!IofCallDriver -> [0x872c1c48]
11:38:15.671 \Driver\atapi[0x873e0f38] -> IRP_MJ_CREATE -> 0x8732b5c9
11:38:15.671 Scan finished successfully
11:39:31.359 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mitchell family\Desktop\MBR.dat"
11:39:31.359 The log file has been saved successfully to "C:\Documents and Settings\Mitchell family\Desktop\aswMBR.txt"
redcar92
2011-05-23, 22:53
Greeting oldkrock,
Great logs, thanks,
Now
Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
On completion of the scan, click the Fix button.
Wait for the tool to report 'Infection fixed successfully', and reboot when prompted.
http://img.photobucket.com/albums/v666/sUBs/aswMBR_A.png
When it has rebooted, post the contents of the aswMBR.txt in your next reply.
Also let me know if your pc is behaving any better after the fix, please.
oldkrock
2011-05-23, 23:34
Bill,
Thanks very much for the quick response. There does seem to be progress. Svchost.exe does not look to be running away on startup. I have not yet checked for browser redirect - I thought I should wait for guidance from you before testing that. Here is the requested log:
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-23 11:37:55
-----------------------------
11:37:55.687 OS Version: Windows 5.1.2600 Service Pack 3
11:37:55.687 Number of processors: 2 586 0x403
11:37:55.687 ComputerName: FAMILYROOMDELL UserName:
11:37:56.156 Initialize success
11:38:13.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort1
11:38:13.671 Disk 0 Vendor: WDC_WD1600JS-75NCB1 10.02E01 Size: 152587MB BusType: 3
11:38:13.671 Device \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
11:38:13.671 Device \Driver\atapi -> DriverStartIo 8732b40f
11:38:15.671 Disk 0 MBR read successfully
11:38:15.671 Disk 0 MBR scan
11:38:15.671 Disk 0 TDL4@MBR code has been found
11:38:15.671 Disk 0 MBR hidden
11:38:15.671 Disk 0 MBR [TDL4] **ROOTKIT**
11:38:15.671 Disk 0 trace - called modules:
11:38:15.671 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8732b5c9]<<
11:38:15.671 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87371ab8]
11:38:15.671 3 CLASSPNP.SYS[f7652fd7] -> nt!IofCallDriver -> [0x872c1c48]
11:38:15.671 \Driver\atapi[0x873e0f38] -> IRP_MJ_CREATE -> 0x8732b5c9
11:38:15.671 Scan finished successfully
11:39:31.359 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mitchell family\Desktop\MBR.dat"
11:39:31.359 The log file has been saved successfully to "C:\Documents and Settings\Mitchell family\Desktop\aswMBR.txt"
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-23 16:28:32
-----------------------------
16:28:32.234 OS Version: Windows 5.1.2600 Service Pack 3
16:28:32.234 Number of processors: 2 586 0x403
16:28:32.234 ComputerName: FAMILYROOMDELL UserName:
16:28:32.812 Initialize success
16:28:34.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort1
16:28:34.312 Disk 0 Vendor: WDC_WD1600JS-75NCB1 10.02E01 Size: 152587MB BusType: 3
16:28:34.312 Device \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
16:28:34.312 Device \Driver\atapi -> DriverStartIo 8731340f
16:28:36.312 Disk 0 MBR read successfully
16:28:36.312 Disk 0 MBR scan
16:28:36.312 Disk 0 TDL4@MBR code has been found
16:28:36.312 Disk 0 MBR hidden
16:28:36.312 Disk 0 MBR [TDL4] **ROOTKIT**
16:28:36.312 Disk 0 trace - called modules:
16:28:36.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x873135c9]<<
16:28:36.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87356ab8]
16:28:36.312 3 CLASSPNP.SYS[f7652fd7] -> nt!IofCallDriver -> [0x873a6148]
16:28:36.312 \Driver\atapi[0x873a45b8] -> IRP_MJ_CREATE -> 0x873135c9
16:28:36.812 Scan finished successfully
16:29:08.656 Disk 0 fixing MBR ...
16:29:18.656 Disk 0 MBR restored successfully
16:29:18.656 Verifying disinfection
16:29:32.687 Infection fixed successfully - please reboot ASAP
16:29:46.500 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mitchell family\Desktop\MBR.dat"
16:29:46.531 The log file has been saved successfully to "C:\Documents and Settings\Mitchell family\Desktop\aswMBR.txt"
redcar92
2011-05-24, 17:06
Greetings oldkrock,
So far so good,
Please go to one of the below sites to scan the following files:
jotti.org (http://virusscan.jotti.org/)
Kaspersky Virus File Scanner (http://www.kaspersky.com/scanforvirus.html )
Virus Total (http://www.virustotal.com)
click on Browse, and upload the following file for analysis:c:\program files\common files\system\mrt_ivqmykwc32.dll
Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
Next
In order to run the next program, Combofix, you will need to uninstall AVG. While AVG is uninstalled, only use the internet to check email and post here. If you will need to surf the net then you should reinstall AVG. Should we need to run Combofix again and/or uninstall Combofix you will need to remove AVG again.
Download the AVG remover here (http://www.avg.com/us-en/download-tools).
Select the first option, 32bit
Save to your desktop
Double click on AVG_Remover to remove AVG
If you wish, to avoid uninstalling and reinstalling AVG with every Combofix operation, you can install AVAST here (http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html?part=dl-85737&subj=dl&tag=button), it is quite easy to disable and enable for Combofix operations. After uninstalling Combofix, the last Combofix operation, you could remove Avast in reinstall AVG should you not want AVAST.
Next
***Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.***
Download Combofix from any of the links below and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Logs to post:
File scan results
Combofix.txt
oldkrock
2011-05-24, 18:49
Bill,
Thanks for the update. On your first request - the file c:\program files\common files\system\mrt_ivqmykwc32.dll does not exist on my computer. Am I missing something? I will not execute the rest of your directives until I hear back on this file.
redcar92
2011-05-25, 00:27
oldkrock,
Thanks for the update, go ahead with the action plan as listed please.
oldkrock
2011-05-25, 03:12
Hi Bill,
OK, Here is what I did:
Ran AVGremover
Installed AVAST, then disabled it.
Installed and ran ComboFix.
Here is the log:
ComboFix 11-05-24.01 - Mitchell family 05/24/2011 19:54:43.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.603 [GMT -4:00]
Running from: c:\documents and settings\Mitchell family\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Mitchell family\Local Settings\Application Data\{DB784002-FED6-4D1B-92A4-7F9FFAA357D9}
c:\documents and settings\Mitchell family\Local Settings\Application Data\{DB784002-FED6-4D1B-92A4-7F9FFAA357D9}\chrome.manifest
c:\documents and settings\Mitchell family\Local Settings\Application Data\{DB784002-FED6-4D1B-92A4-7F9FFAA357D9}\chrome\content\_cfg.js
c:\documents and settings\Mitchell family\Local Settings\Application Data\{DB784002-FED6-4D1B-92A4-7F9FFAA357D9}\chrome\content\c.js
c:\documents and settings\Mitchell family\Local Settings\Application Data\{DB784002-FED6-4D1B-92A4-7F9FFAA357D9}\chrome\content\overlay.xul
c:\documents and settings\Mitchell family\Local Settings\Application Data\{DB784002-FED6-4D1B-92A4-7F9FFAA357D9}\install.rdf
c:\documents and settings\Mitchell family\WINDOWS
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\system32\nadfkxoy.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ITLPERF
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-25 to 2011-05-25 )))))))))))))))))))))))))))))))
.
.
2011-05-24 23:42 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-24 23:42 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-24 23:42 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-24 23:42 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-24 23:42 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-24 23:42 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-24 23:42 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-24 23:42 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-24 23:42 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-05-24 23:42 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-24 23:41 . 2011-05-24 23:41 -------- d-----w- c:\program files\AVAST Software
2011-05-24 23:41 . 2011-05-24 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-05-23 15:44 . 2011-05-23 15:44 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2011-05-23 15:43 . 2011-05-23 15:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-30 21:53 . 2011-04-30 21:53 -------- d-----w- c:\program files\ERUNT
2011-04-29 21:59 . 2011-04-29 21:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-12 14:59 . 2011-03-12 14:59 53248 ----a-r- c:\documents and settings\Mitchell family\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-03-12 14:59 . 2011-03-12 14:59 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-03-07 05:33 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2005-08-16 10:18 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2005-08-16 10:18 1857920 ----a-w- c:\windows\system32\win32k.sys
2007-09-26 19:27 . 2007-09-26 19:27 51422520 ----a-w- c:\program files\iTunes742Setup.exe
2007-06-20 15:38 . 2007-06-20 15:38 14993976 ----a-w- c:\program files\GoogleEarthWin.exe
2007-03-31 19:24 . 2007-03-31 19:23 1586332 -c--a-w- c:\program files\WRT54Gv5v6_v1[1].02.0_fw.bin
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-06 03:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto Run Software for Photo Frame]
2006-08-04 21:57 2110464 ----a-w- c:\program files\Philips\Auto Run Software for Photo Frame\PhotoManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2005-08-31 17:06 106496 ----a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2005-05-15 08:04 332800 ----a-w- c:\program files\Dell Support\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 20:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-02-10 00:51 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-10-12 08:10 49263 ----a-w- c:\program files\Java\jre1.5.0_09\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"Browser"=2 (0x2)
"ALG"=3 (0x3)
"lanmanworkstation"=2 (0x2)
"WZCSVC"=2 (0x2)
"w32time"=2 (0x2)
"UPS"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"LmHosts"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Netlogon"=3 (0x3)
"CiSvc"=3 (0x3)
"helpsvc"=2 (0x2)
"MSDTC"=3 (0x3)
"CryptSvc"=3 (0x3)
"SSDPSRV"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/24/2011 7:42 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/24/2011 7:42 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/24/2011 7:42 PM 19544]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [3/12/2011 10:58 AM 10448]
S1 mrt_ivqmykwc;mrt_ivqmykwc;\??\c:\program files\Common Files\System\mrt_ivqmykwc32.dll --> c:\program files\Common Files\System\mrt_ivqmykwc32.dll [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/2/2011 2:54 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/2/2011 2:54 PM 136176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWSNX
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-02 18:54]
.
2011-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-02 18:54]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.rcn.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.3/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-MimBoot - c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
AddRemove-HijackThis - D:\HijackThis.exe
AddRemove-MicrosoftMusicCentral96 - d:\data\App\Uninstal.exe
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-24 20:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(2096)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2011-05-24 20:08:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-25 00:08
ComboFix2.txt 2009-01-23 20:34
.
Pre-Run: 128,465,633,280 bytes free
Post-Run: 128,831,217,664 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 9CCF1D15E3F787C737B6EDBFEFC16081
redcar92
2011-05-25, 05:32
Hello oldkrock,
Excellent job so far,
I am still worried about this file.
c:\program files\common files\system\mrt_ivqmykwc32.dll
The next procedure adds a couple of steps prior to submitting a file,
Go to My Computer-> Tools-> Folder Options-> View tab:
Under the Hidden files and folders heading:
Select - Show hidden files and folders.
Uncheck- Hide protected operating system files (recommended) option.
Also, make sure there is no checkmark beside Hide file extensions for known file types.
Click OK. (Remember to Hide files and folders once done)
Please go to one of the below sites to scan the following files:
jotti.org (http://virusscan.jotti.org/)
Kaspersky Virus File Scanner (http://www.kaspersky.com/scanforvirus.html )
Virus Total (http://www.virustotal.com)
click on Browse, and upload the following file for analysis:
c:\program files\common files\system\mrt_ivqmykwc32.dll
Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
oldkrock
2011-05-25, 19:54
Bill,
For some reason, I can not find the file. I modified (at least tried to) the folder properties, but cannot see the file from the scan site, or from explorer. I have attached a screen shot of the folder - I see other DLL's but not that one. Soory to delay, but what am I missing?
redcar92
2011-05-26, 04:03
Great so far.
I see that you have Viewpoint Media Player installed on your system. Although it is not technically malware, it can be a nuisance. I recommend using Control Panel -> Add or Remove Programs to remove Viewpoint Media Player.
Next
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean
Next
I see in your logs that you have Malwarebytes installed on your system.
Double click on MalwareBytes, mbam.exe to run it.
If Malwarebytes asks to update click on yes, if you are not asked.
Click on the Update tab then click on Check for updates.
After updates finish, click on the Scanner tab. Select Perform quick scan.
Click on Scan button.
When finished copy/paste the contents of mbam.txt into your next post please.
Next
Please use Internet Explorer to download and run the following scan: Eset Online Scanner
(http://www.eset.com/onlinescan/)
Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes if there are any infections you will see a List of found threats.
Click Export to text file
Copy and paste the contents of the C:\Program Files\ESET\log.txt into your next reply.
If no threats are found there will be no list, this is good, just tell me that no threats were found.
Logs to post:
mbam.txt
results of ESET
oldkrock
2011-05-26, 06:39
Bill,
I still can't find the DLL file. But here is what I did:
Removed Viewpoint media player.
Downloaded and ran TFC (had to disable AVAST), rebooted.
Updated and ran MalwareBytes - on first try, it hit an error and closed. Second time it ran fine - log below.
Downloaded and ran ESET. It found some issues, log below
--
logs:
---
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6682
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
5/25/2011 10:01:40 PM
mbam-log-2011-05-25 (22-01-40).txt
Scan type: Quick scan
Objects scanned: 155372
Time elapsed: 3 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
---
C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\WINDOWS\system32\nadfkxoy.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\Ttuvvyxx.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\Ttuvvyxx.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP355\A0049241.dll probably a variant of Win32/Agent.NKIAEVN trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0055748.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0055749.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0055750.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0055751.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0055752.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0055762.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0055795.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0055796.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0055797.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0055798.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0055799.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP360\A0055800.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP370\A0074436.dll Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP370\A0074439.ini Win32/Adware.Virtumonde.NEO application
redcar92
2011-05-27, 17:48
Greetings oldkrock,
Things are looking great from this side, those entries found by ESET are baddies quarantined by Combofix and files in the System Restore databases. These entries will be removed shortly, when we uninstall combofix. But first:
Open Notepad, paste the following into the text..
@echo off
sc stop mrt_ivqmykwc
sc delete mrt_ivqmykwc
exit
Use Notepad's File, Save As to save it to your desktop as File type All Files (not as text file or it won't work), and file name FixSvc.bat
Exit Notepad and right click on FixSvc.bat and select Run.
A Command window will flash on and off.
REBOOT your machine. Sign in to your usual.
Next
I see by your logs that you are using Internet Explorer 7 (IE7) IE8 is much more secure. You should download and install IE8 from here http://www.microsoft.com/downloads/en/details.aspx?FamilyID=341c2ad5-8c3d-4347-8c03-08cdecd8852b
Next
Your Java appears to be down level.
Navigate to Control Panel then open on Programs and Features (Vista / Windows7), or Add Remove Programs (XP).
Highlight each Java item listed then Remove or Uninstall.
Visit this site (http://www.java.com/en/download/index.jsp) to down load and install the latest Java.
Next
Your Adobe appears to be down level
Please visit this site http://www.adobe.com/downloads/ Click on the Adobe Reader icon on the right side and you will be presented with the correct Adobe for your system.
Down load and install this Adobe please.
Next
Just to be sure, one more DDS.txt please
Double click dds.scr to run the tool.
When done,DDS.txt's will open.
Save both reports to your desktop.
Please include the contents of the following in your reply using Copy / Paste:
DDS.txt
Let me know if you PC is still OK, better or worse please.
oldkrock
2011-05-27, 20:48
Bill,
OK, here is what I did:
Created and ran the FixSvc.bat (there was not a run option from icon right click, so I ran it from startup menu). It just flashed by on the screen, but I think it may not have found the mrt_ file?
Rebooted.
Installed IE 8, with a reboot.
Removed Java apps via Control panel, then installed Java.
Rebooted.
Deleted Adobes, then installed latest version.
Rebooted.
Ran DDS.scr from desktop.
Here is the log:
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Mitchell family at 13:38:46 on 2011-05-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.613 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mitchell family\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.rcn.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.3/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-24 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-24 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-24 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-24 42184]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2011-3-12 10448]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-2 136176]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-2 136176]
.
=============== Created Last 30 ================
.
2011-05-27 17:29:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-27 17:08:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-27 17:08:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-27 16:52:53 -------- d-sh--w- c:\documents and settings\mitchell family\PrivacIE
2011-05-27 16:51:45 -------- d-sh--w- c:\documents and settings\mitchell family\IETldCache
2011-05-27 16:48:35 -------- d-----w- c:\windows\ie8updates
2011-05-27 16:44:52 -------- dc-h--w- c:\windows\ie8
2011-05-27 16:42:57 7680 ------w- c:\windows\system32\dllcache\iecompat.dll
2011-05-27 16:42:51 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-05-27 16:42:50 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-05-27 16:42:50 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-05-26 02:04:37 -------- d-----w- c:\program files\ESET
2011-05-24 23:53:00 -------- d-sha-r- C:\cmdcons
2011-05-24 23:49:52 89088 ----a-w- c:\windows\MBR.exe
2011-05-24 23:49:52 256512 ----a-w- c:\windows\PEV.exe
2011-05-24 23:42:25 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-24 23:42:06 40112 ----a-w- c:\windows\avastSS.scr
2011-05-24 23:41:54 -------- d-----w- c:\program files\AVAST Software
2011-05-24 23:41:54 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
.
==================== Find3M ====================
.
2011-03-12 14:59:18 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2007-09-26 19:27:34 51422520 ----a-w- c:\program files\iTunes742Setup.exe
2007-06-20 15:38:50 14993976 ----a-w- c:\program files\GoogleEarthWin.exe
2007-03-31 19:24:14 1586332 -c--a-w- c:\program files\WRT54Gv5v6_v1[1].02.0_fw.bin
.
============= FINISH: 13:42:33.73 ===============
Overall, the PC does seem much better. I have not been browising (except as directed), and certainly no browser search engine activity.
Great feedback thus far - thanks!
redcar92
2011-05-28, 15:39
Greetings oldkrock,
Way to go,:bigthumb: now we are on the downhill side.
This file c:\program files\common files\system\mrt_ivqmykwc32.dll was a false positive, it was not on your PC while we were working on it. Nothing to worry about there.
Now is the time to clean up our tools:
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
This will also remove those entries you saw in the ESET report.
On your desktop, right click on DDS.scr select delete, do the same for DDS.txt and attach.txt
On your desktop, right click on aswMBR.exe to delete, do the same for aswMBR.txt
You should keep Malwarebytes, TFC and ESET, run and update these tools periodically to keep your system clean.
If you wish to keep AVAST great, if not, here is a site for an uninstaller http://www.avast.com/uninstall-utility . Be sure to reinstall AVG after removing AVAST.
You appear to be All Clean:band:
Your logs are finally clean and the machine seems to be performing as it should. You know how much work and effort you've had to put into getting it back into working order, so hopefully you can impress upon the others who use this machine, to be more careful.
For the future safety of this machine and your data, try to ensure they sit down and read the following threads: (it won't take them very long)
Cracked/Illegal Software (http://www.techsupportforum.com/f50/cracked-illegal-software-248501.html)
Perils of P2P File Sharing (http://www.techsupportforum.com/f50/perils-of-p2p-file-sharing-305923.html)
Think Prevention (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)
If there aren't any more problems, we have some final housekeeping to tend to now.
To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
* Microsoft Windows Update - http://www.windowsupdate.com (http://www.windowsupdate.com/)
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
* SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
o SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.
* color=BLUE]FIREWALL[/color]
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here (http://www.bleepingcomputer.com/forums/tutorial60.html)
Do not install more than one firewall program because they will conflict with each other
* WOT (http://www.mywot.com/), Web of Trust, As 'Googling' is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
o Green to go
o Yellow for caution
o Red to stop
WOT has an addon available for both Firefox and IE.
* Scan here http://secunia.com/software_inspector/ (http://secunia.com/software_inspector/)for out of date & vulnerable common applications on your computer
* BACKING UP YOUR REGISTRY (http://www.larshederer.homepage.t-online.de/erunt/)
ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.
Vista/Windows 7 users - see this link for proper setup of Erunt http://www.winhelponline.com/blog/ba...y-using-erunt/
NTREGOPT (http://download.cnet.com/NTREGOPT/3000-2086_4-10549462.html) works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
Of course please post if you have any more questions, issues or problems that we could help with, if not this thread will close in a few days.
oldkrock
2011-05-29, 18:08
Bill,
Thank you so very much for guding me through this - the machine is working MUCH better, and I was finally brave enough to use a browser search - no problems.
Thank you also for the preventive guidance - I have put these actions in place.
Maybe one final question. You recommend a third party firewall. Is this in replacement of the Windows firewall?
Thanks again, and I think you deserve a bunch of gold stats for your redcar!
:thanks:
redcar92
2011-05-29, 23:51
Greetings oldkrock,
In answer to your question about firewalls, if you are using a router then the Windows Firewall is adequate for what you do. Should you be using a laptop or note/netbook at free hotspots like Starbucks or hotels with free wifi, then I might recommend one of the free firewalls. Third party firewalls will offer a slight degree more protection than Windows firewall. They are particularly good at stopping out going traffic from your PC.
oldman960
2011-06-03, 03:33
Since this issue appears to be resolved ... this Topic has been closed.