Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 27

Thread: PC to a crawl, icons disappearing, S & D won't run...

  1. #11
    Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300

    Default

    Ok. Let's continue

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    c:\windows\system32\mlfcache.dat
    C:\Documents and Settings\Scott & Jenni Kailey\Application Data\Sun\Java\Deployment\cache\6.0\37\63380ea5-67161fdb
    C:\Documents and Settings\Scott & Jenni Kailey\Application Data\Sun\Java\Deployment\cache\6.0\54\6e4d3ab6-4f4a55e5
    c:\windows\system32\win32hlp.cnf
    c:\windows\temp\ntdll64.dll
    
    DDS::
    TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
    TB: {4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} - No File

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows (including this one!) Refering to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log.


    Combofix should never take more that 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.


    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Please post contents of that file, above mentioned ComboFix log & a fresh dds log in your next reply.
    Microsoft Windows Insider MVP 2016-2018
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  2. #12
    Junior Member
    Join Date
    Mar 2009
    Posts
    16

    Default

    Thanks Blade...

    I have pasted the ComboFix log and attached the rest. Just so you know... while I was running the Malwarebytes' Anti-Malware, my AVG popped up after about an hour. It apparently had been scanning as well, even though I disabled it as instructed in previous posts. When my PC rebooted from ComboFix, it was in the system tray, but everything was disabled as it should have been. I just canceled it when I saw it. Also, Malwarebytes' Anti-Malware prompted me for a reboot after it was finished removing everything so I did. It was not in your instructions so I wanted to let you know it happened. The DDS logs are from after that reboot.

    Thanks again... I hope we are getting closer. However... as we speak I see windows popping open and immediately closing on the infected PC so I am concerned it is not clean. I have disconnected it from the internet until I hear back.

    ComboFix 09-03-29.04 - owner 2009-03-30 18:36:57.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.595 [GMT -5:00]
    Running from: C:\ComFxx.exe
    Command switches used :: C:\CFScript.txt
    AV: *On-access scanning disabled* (Outdated)
    AV: AVG 7.5.557 *On-access scanning disabled* (Outdated)
    FW: *disabled*
    * Created a new restore point

    FILE ::
    c:\documents and settings\Scott & Jenni Kailey\Application Data\Sun\Java\Deployment\cache\6.0\37\63380ea5-67161fdb
    c:\documents and settings\Scott & Jenni Kailey\Application Data\Sun\Java\Deployment\cache\6.0\54\6e4d3ab6-4f4a55e5
    c:\windows\system32\mlfcache.dat
    c:\windows\system32\win32hlp.cnf
    c:\windows\temp\ntdll64.dll
    .
    Error: Cfolders.dat

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Scott & Jenni Kailey\Application Data\Sun\Java\Deployment\cache\6.0\37\63380ea5-67161fdb
    c:\documents and settings\Scott & Jenni Kailey\Application Data\Sun\Java\Deployment\cache\6.0\54\6e4d3ab6-4f4a55e5
    c:\windows\system32\mlfcache.dat
    c:\windows\system32\win32hlp.cnf
    c:\windows\temp\ntdll64.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
    .

    2009-03-29 12:55 . 2009-03-29 12:55 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-03-29 12:55 . 2009-03-29 12:55 73,728 --a------ c:\windows\system32\javacpl.cpl
    2009-03-28 10:20 . 2009-03-30 18:35 2,937,685 -ra------ C:\ComFxx.exe
    2009-03-25 23:59 . 2009-03-25 23:59 <DIR> d-------- c:\program files\ERUNT
    2009-03-25 18:36 . 2009-03-25 18:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AVG7
    2009-03-25 17:51 . 2006-07-12 08:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
    2009-03-25 17:51 . 2007-05-30 21:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intel
    2009-03-25 17:51 . 2006-07-12 08:42 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ATI
    2009-03-25 17:51 . 2009-03-25 17:51 <DIR> d-------- c:\documents and settings\Administrator
    2009-03-21 09:49 . 2009-03-21 09:52 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-03-21 09:49 . 2009-03-21 09:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-15 00:43 . 2009-02-15 00:43 <DIR> d-------- c:\documents and settings\Scott & Jenni Kailey\Application Data\dvdcss
    2009-02-15 00:42 . 2009-02-15 00:42 <DIR> d-------- c:\program files\VideoLAN

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-30 23:43 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
    2009-03-29 17:54 --------- d-----w c:\program files\Java
    2009-03-29 17:52 --------- d-----w c:\program files\Common Files\Adobe
    2009-03-25 16:26 --------- d-----w c:\program files\Dl_cats
    2009-03-21 13:21 --------- d-----w c:\documents and settings\All Users\Application Data\GTek
    2009-03-05 03:35 --------- d-----w c:\program files\Common Files\Adobe AIR
    2009-02-13 03:13 --------- d-----w c:\documents and settings\Scott & Jenni Kailey\Application Data\Move Networks
    2007-04-19 01:08 44,408 ------w c:\documents and settings\Scott & Jenni Kailey\Application Data\GDIPFONTCACHEV1.DAT
    2006-09-18 01:33 563,712 ------w c:\documents and settings\Scott & Jenni Kailey\gotomypc_370.exe
    2008-09-05 11:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-03-28_11.59.02.45 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-07-12 06:22:00 135,168 ----a-w c:\windows\system32\java.exe
    + 2009-03-29 17:55:00 144,792 ----a-w c:\windows\system32\java.exe
    - 2007-07-12 06:22:04 135,168 ----a-w c:\windows\system32\javaw.exe
    + 2009-03-29 17:55:00 144,792 ----a-w c:\windows\system32\javaw.exe
    - 2007-07-12 07:22:38 139,264 ----a-w c:\windows\system32\javaws.exe
    + 2009-03-29 17:55:00 148,888 ----a-w c:\windows\system32\javaws.exe
    + 2009-03-30 23:42:34 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2c4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2009-02-26 590848]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
    "dlcgmon.exe"="c:\program files\Dell AIO 810\dlcgmon.exe" [2005-10-20 425984]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
    "PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
    "DLCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2005-09-08 73728]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-07 180269]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 148888]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 219136]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-07-12 24576]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDxVGAUTIL]
    --a------ 2007-08-01 11:41 237568 c:\windows\system32\Tdxvgautil.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "BITS"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
    "c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
    "c:\\WINDOWS\\system32\\dlcgcoms.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcgpswx.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    "c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
    "c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\GameHouse\\BounceOut\\BounceOut.exe"=
    "c:\\Program Files\\SopCast\\SopCast.exe"=
    "c:\\Documents and Settings\\Scott & Jenni Kailey\\Application Data\\SopCast\\adv\\SopAdver.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
    "c:\\Program Files\\Digital Line Detect\\DLG.exe"=
    "c:\\Program Files\\Dell\\QuickSet\\NicConfigSvc.exe"=
    "c:\\Program Files\\Grisoft\\AVG Free\\avgupsvc.exe"=
    "c:\\Program Files\\Windows Defender\\MsMpEng.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "135:TCP"= 135:TCP:TCP Port 135
    "5000:TCP"= 5000:TCP:TCP Port 5000
    "5001:TCP"= 5001:TCP:TCP Port 5001
    "5002:TCP"= 5002:TCP:TCP Port 5002
    "5003:TCP"= 5003:TCP:TCP Port 5003
    "5004:TCP"= 5004:TCP:TCP Port 5004
    "5005:TCP"= 5005:TCP:TCP Port 5005
    "5006:TCP"= 5006:TCP:TCP Port 5006
    "5007:TCP"= 5007:TCP:TCP Port 5007
    "5008:TCP"= 5008:TCP:TCP Port 5008
    "5009:TCP"= 5009:TCP:TCP Port 5009
    "5010:TCP"= 5010:TCP:TCP Port 5010
    "5011:TCP"= 5011:TCP:TCP Port 5011
    "5012:TCP"= 5012:TCP:TCP Port 5012
    "5013:TCP"= 5013:TCP:TCP Port 5013
    "5014:TCP"= 5014:TCP:TCP Port 5014
    "5015:TCP"= 5015:TCP:TCP Port 5015
    "5016:TCP"= 5016:TCP:TCP Port 5016
    "5017:TCP"= 5017:TCP:TCP Port 5017
    "5018:TCP"= 5018:TCP:TCP Port 5018
    "5019:TCP"= 5019:TCP:TCP Port 5019
    "5020:TCP"= 5020:TCP:TCP Port 5020

    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    R3 TdxMrMINI;TdxMrMINI;c:\windows\system32\drivers\TdxMrMini.sys [2008-01-26 249600]
    R3 TdxVGAMINI;TdxVGAMINI;c:\windows\system32\drivers\TdxVgaMini.sys [2008-01-26 252160]
    S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.sys [2008-01-26 27135]
    S3 TdxVGAUSB;TARGUS USB2.0 VGA DOCK DEVICE(USB);c:\windows\system32\drivers\TdxVGAUSB.SYS [2008-01-26 33280]
    S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys --> c:\windows\system32\DRIVERS\urvpndrv.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

    2009-03-25 c:\windows\Tasks\Master Data Backup.job
    - c:\windows\system32\ntbackup.exe [2001-08-17 22:36]

    2009-03-30 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://fp.bankshare.info/my.logon.php3
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyServer = 128.238.88.64:3128
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Scott & Jenni Kailey\Application Data\Mozilla\Firefox\Profiles\px8ns5f7.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: c:\documents and settings\Scott & Jenni Kailey\Application Data\Mozilla\Firefox\Profiles\px8ns5f7.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
    FF - plugin: c:\documents and settings\Scott & Jenni Kailey\Application Data\Mozilla\Firefox\Profiles\px8ns5f7.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000004.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-30 18:43:51
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,RunDLLEntry???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(884)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\progra~1\Grisoft\AVGFRE~1\avgamsvr.exe
    c:\progra~1\Grisoft\AVGFRE~1\avgupsvc.exe
    c:\progra~1\Grisoft\AVGFRE~1\avgemc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    c:\program files\Dell\QuickSet\NicConfigSvc.exe
    c:\windows\system32\sessmgr.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\windows\system32\locator.exe
    c:\windows\system32\wbem\wmiapsrv.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\dlcgcoms.exe
    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-30 18:52:03 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-30 23:51:40
    ComboFix2.txt 2009-03-29 17:19:29
    ComboFix3.txt 2009-03-28 17:00:07

    Pre-Run: 29,683,679,232 bytes free
    Post-Run: 29,728,296,960 bytes free

    226 --- E O F --- 2009-03-13 03:02:38

  3. #13
    Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300

    Default

    Hi

    What kind of popups are remaining there?

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "135:TCP"=-

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Refering to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log.


    Combofix should never take more that 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.

    BTW, your AVG seems to be outdated. Have you checked is it able to update itself?
    Microsoft Windows Insider MVP 2016-2018
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  4. #14
    Junior Member
    Join Date
    Mar 2009
    Posts
    16

    Default

    Well, that is why I am worried. They pop open and closed so fast, I can't tell. It is obvious it is something being run in the background. As far as AVG is concerned, it has not updated successfully in some time. It kept telling me it needed to reboot for it to finish, When I would reboot... nothing changed. When I would click on the red update manager, it kept telling me that it needed to be rebooted. I figured once I got all of this cleaned up, I would be able to install the latest version.

    Here is the log.

    ComboFix 09-03-29.04 - 2009-03-31 18:53:49.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.430 [GMT -5:00]
    Running from: C:\ComFxx.exe
    Command switches used :: F:\CFScript.txt
    AV: *On-access scanning disabled* (Outdated)
    AV: AVG 7.5.557 *On-access scanning disabled* (Outdated)
    FW: *disabled*
    * Created a new restore point
    .
    Error: Cfolders.dat

    ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
    .

    2009-03-30 19:09 . 2009-03-30 19:09 <DIR> d-------- c:\documents and settings\Scott & Jenni Kailey\Application Data\Malwarebytes
    2009-03-30 19:08 . 2009-03-30 19:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-30 19:08 . 2009-03-30 19:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-30 19:08 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-30 19:08 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-29 12:55 . 2009-03-29 12:55 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-03-29 12:55 . 2009-03-29 12:55 73,728 --a------ c:\windows\system32\javacpl.cpl
    2009-03-28 10:20 . 2009-03-30 18:35 2,937,685 -ra------ C:\ComFxx.exe
    2009-03-25 23:59 . 2009-03-25 23:59 <DIR> d-------- c:\program files\ERUNT
    2009-03-25 18:36 . 2009-03-25 18:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AVG7
    2009-03-25 17:51 . 2006-07-12 08:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
    2009-03-25 17:51 . 2007-05-30 21:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intel
    2009-03-25 17:51 . 2006-07-12 08:42 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ATI
    2009-03-25 17:51 . 2009-03-25 17:51 <DIR> d-------- c:\documents and settings\Administrator
    2009-03-21 09:49 . 2009-03-21 09:52 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-03-21 09:49 . 2009-03-21 09:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-15 00:43 . 2009-02-15 00:43 <DIR> d-------- c:\documents and settings\Scott & Jenni Kailey\Application Data\dvdcss
    2009-02-15 00:42 . 2009-02-15 00:42 <DIR> d-------- c:\program files\VideoLAN

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-30 23:43 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
    2009-03-29 17:54 --------- d-----w c:\program files\Java
    2009-03-29 17:52 --------- d-----w c:\program files\Common Files\Adobe
    2009-03-25 16:26 --------- d-----w c:\program files\Dl_cats
    2009-03-21 13:21 --------- d-----w c:\documents and settings\All Users\Application Data\GTek
    2009-03-05 03:35 --------- d-----w c:\program files\Common Files\Adobe AIR
    2009-02-13 03:13 --------- d-----w c:\documents and settings\Scott & Jenni Kailey\Application Data\Move Networks
    2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
    2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
    2009-01-27 06:55 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys
    2009-01-17 03:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
    2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
    2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
    2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
    2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
    2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
    2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
    2008-12-05 06:54 144,896 ----a-w c:\windows\system32\schannel.dll
    2008-12-05 06:54 144,896 ------w c:\windows\system32\dllcache\schannel.dll
    2007-04-19 01:08 44,408 ------w c:\documents and settings\Scott & Jenni Kailey\Application Data\GDIPFONTCACHEV1.DAT
    2006-09-18 01:33 563,712 ------w c:\documents and settings\Scott & Jenni Kailey\gotomypc_370.exe
    2008-09-05 11:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-03-28_11.59.02.45 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-07-12 06:22:00 135,168 ----a-w c:\windows\system32\java.exe
    + 2009-03-29 17:55:00 144,792 ----a-w c:\windows\system32\java.exe
    - 2007-07-12 06:22:04 135,168 ----a-w c:\windows\system32\javaw.exe
    + 2009-03-29 17:55:00 144,792 ----a-w c:\windows\system32\javaw.exe
    - 2007-07-12 07:22:38 139,264 ----a-w c:\windows\system32\javaws.exe
    + 2009-03-29 17:55:00 148,888 ----a-w c:\windows\system32\javaws.exe
    + 2009-03-31 01:34:27 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_e4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2009-02-26 590848]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
    "dlcgmon.exe"="c:\program files\Dell AIO 810\dlcgmon.exe" [2005-10-20 425984]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
    "PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
    "DLCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2005-09-08 73728]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-07 180269]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 148888]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 219136]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-07-12 24576]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDxVGAUTIL]
    --a------ 2007-08-01 11:41 237568 c:\windows\system32\Tdxvgautil.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "BITS"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
    "c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
    "c:\\WINDOWS\\system32\\dlcgcoms.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcgpswx.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    "c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
    "c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\GameHouse\\BounceOut\\BounceOut.exe"=
    "c:\\Program Files\\SopCast\\SopCast.exe"=
    "c:\\Documents and Settings\\Scott & Jenni Kailey\\Application Data\\SopCast\\adv\\SopAdver.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
    "c:\\Program Files\\Digital Line Detect\\DLG.exe"=
    "c:\\Program Files\\Dell\\QuickSet\\NicConfigSvc.exe"=
    "c:\\Program Files\\Grisoft\\AVG Free\\avgupsvc.exe"=
    "c:\\Program Files\\Windows Defender\\MsMpEng.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5000:TCP"= 5000:TCP:TCP Port 5000
    "5001:TCP"= 5001:TCP:TCP Port 5001
    "5002:TCP"= 5002:TCP:TCP Port 5002
    "5003:TCP"= 5003:TCP:TCP Port 5003
    "5004:TCP"= 5004:TCP:TCP Port 5004
    "5005:TCP"= 5005:TCP:TCP Port 5005
    "5006:TCP"= 5006:TCP:TCP Port 5006
    "5007:TCP"= 5007:TCP:TCP Port 5007
    "5008:TCP"= 5008:TCP:TCP Port 5008
    "5009:TCP"= 5009:TCP:TCP Port 5009
    "5010:TCP"= 5010:TCP:TCP Port 5010
    "5011:TCP"= 5011:TCP:TCP Port 5011
    "5012:TCP"= 5012:TCP:TCP Port 5012
    "5013:TCP"= 5013:TCP:TCP Port 5013
    "5014:TCP"= 5014:TCP:TCP Port 5014
    "5015:TCP"= 5015:TCP:TCP Port 5015
    "5016:TCP"= 5016:TCP:TCP Port 5016
    "5017:TCP"= 5017:TCP:TCP Port 5017
    "5018:TCP"= 5018:TCP:TCP Port 5018
    "5019:TCP"= 5019:TCP:TCP Port 5019
    "5020:TCP"= 5020:TCP:TCP Port 5020

    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    R3 TdxMrMINI;TdxMrMINI;c:\windows\system32\drivers\TdxMrMini.sys [2008-01-26 249600]
    R3 TdxVGAMINI;TdxVGAMINI;c:\windows\system32\drivers\TdxVgaMini.sys [2008-01-26 252160]
    S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.sys [2008-01-26 27135]
    S3 TdxVGAUSB;TARGUS USB2.0 VGA DOCK DEVICE(USB);c:\windows\system32\drivers\TdxVGAUSB.SYS [2008-01-26 33280]
    S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys --> c:\windows\system32\DRIVERS\urvpndrv.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

    2009-03-31 c:\windows\Tasks\Master Data Backup.job
    - c:\windows\system32\ntbackup.exe [2001-08-17 22:36]

    2009-03-31 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://fp.bankshare.info/my.logon.php3
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyServer = 128.238.88.64:3128
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Scott & Jenni Kailey\Application Data\Mozilla\Firefox\Profiles\px8ns5f7.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.google.com
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-31 18:57:12
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,RunDLLEntry???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(884)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2009-03-31 18:59:28
    ComboFix-quarantined-files.txt 2009-03-31 23:59:25
    ComboFix2.txt 2009-03-30 23:52:05
    ComboFix3.txt 2009-03-29 17:19:29
    ComboFix4.txt 2009-03-28 17:00:07

    Pre-Run: 29,702,090,752 bytes free
    Post-Run: 29,683,744,768 bytes free

    199 --- E O F --- 2009-03-13 03:02:38

  5. #15
    Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300

    Default

    Hi

    Download GMER and save it your desktop:
    • Extract it to your desktop and double-click GMER.exe
    • Click rootkit-tab and then scan.
    • Don't check
      Show All
      box while scanning in progress!
    • When scanning is ready, click Copy.
    • This copies log to clipboard
    • Post log in your reply.
    Microsoft Windows Insider MVP 2016-2018
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  6. #16
    Junior Member
    Join Date
    Mar 2009
    Posts
    16

    Default

    Blade, I kicked this off right before I left this morning. I don't have access to the PC right now, but my wife called me and told me that in the middle of the scan it gave her a blue screen that told her something to the effect of having a critical error and having to shut down. I had her shut it down and fire it back up and she saw an error box that said the system was recovering from an error and "Please don't tell Microsoft". There was a way to view the files that were involved, but not easily print a log. (It was to hard to explain to her how to send me a screen shot). I had her try to run GMER again and after about 5 minutes she got another error that said something to the effect that "GMER encountered an error and must shut down". I just told her to shut it down and I would try again later.

    In the meantime I wanted to post that info here before it got too late and you were no longer online. Do you have anything else you want me to try when I get home this evening?

  7. #17
    Junior Member
    Join Date
    Mar 2009
    Posts
    16

    Default

    Hi Blade...

    Ok, so I got home and I ran it again myself. After about 1 1/2 hours... I get a blue screen that says the following:

    A problem has been detected and windows has been shut down to prevent damage to your computer.

    The problem seems to be caused by the following file: aujasnkj.sys

    PAGE_FAULT_IN_NONPAGED_AREA

    If this is the first time you have seen this stop error screen, restart your compurter. If this screen appears again, follow these steps:

    Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows updates you might need.

    If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

    Technical Information:

    *** STOP: 0x00000050 (0xFDAD9000,0x00000000,0xEF17F5B6,0x00000000)

    *** aujasnkj.sys - Address EF17F5B6 base at EF174000, DateStamp 49b65e3c

    Beginning dump of physical memory
    Physical memory dump complete.
    Contact your system administrator or technical support group for further assistance
    I have restarted the computer and this is where I stand...

  8. #18
    Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300

    Default

    Hi

    Do those bluescreens still occur (if you don't run GMER)? Please see if you can update AVG at this point. If update doesn't work, please reinstall AVG. Let me know how it goes.

    About those popups.. Were those website ones or some command boxes (black background with white text)?
    Microsoft Windows Insider MVP 2016-2018
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  9. #19
    Junior Member
    Join Date
    Mar 2009
    Posts
    16

    Default

    Hey Blade,

    No the blue screens have only occurred when I run GMER. So far, no other time. When I tried to update AVG, it would not update, so I have uninstalled it and reinstalled AVG 8.5 Free Edition. After installation I was able to download updates.

    ** Side note, I am not able to see any images when using IE7, only in Firefox. Not sure if it is something I have disabled along the way to run these scans or if there is an issue.

    I have not seen the box run since the first time I reported it to you, but it seemed like a web box, not a command prompt.

    I will await word from you before I do anything else.

    Thanks again for your continued help.

  10. #20
    Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300

    Default

    Hi

    Please see instructions for picture displaying issue here.

    I think it's best if we'll uninstall ComboFix now and see how the system behaves during next few days.


    • Click START then RUN
    • Now type "C:\ComFxx.exe" /u in the runbox and click OK
    Microsoft Windows Insider MVP 2016-2018
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •