Page 6 of 11 FirstFirst ... 2345678910 ... LastLast
Results 51 to 60 of 109

Thread: Browser Hijack and Virus

  1. #51
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Please then try this instead:

    Please download Rooter.exe to your desktop.
    • Double click on Rooter.exe to start the application.
    • Now click on the Scan button.
    • When the scan is completed a text file called Rooter.txt will appear on your desktop, post the contents in your next reply.
    • Now click on Close button to exit Rooter.


    Note: The logfile can also be located within this folder Rooter$ at the root of your installed Hard-Drive. EG: C:\Rooter$
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  2. #52
    Member
    Join Date
    Sep 2009
    Posts
    59

    Default Rooter Log

    Rooter.exe (v1.0.2) by Eric_71
    .
    SeDebugPrivilege granted successfully ...
    .
    Windows XP Home Edition (5.1.2600) Service Pack 3
    [32_bits] - x86 Family 15 Model 1 Stepping 2, GenuineIntel
    .
    [wscsvc] (Security Center) RUNNING (state:4)
    [SharedAccess] RUNNING (state:4)
    Windows Firewall -> Enabled
    .
    Internet Explorer 8.0.6001.18702
    .
    A:\ [Removable]
    C:\ [Fixed-FAT32] .. ( Total:74 Go - Free:3 Go )
    D:\ [CD_Rom]
    .
    Scan : 07:11.13
    Path : C:\Documents and Settings\default\Desktop\Rooter.exe
    User : default ( Administrator -> YES )
    .
    ----------------------\\ Processes
    .
    Locked [System Process] (0)
    ______ System (4)
    ______ \??\C:\WINDOWS\system32\csrss.exe (352)
    ______ \??\C:\WINDOWS\system32\winlogon.exe (376)
    ______ C:\WINDOWS\system32\services.exe (420)
    ______ C:\WINDOWS\system32\lsass.exe (432)
    ______ C:\WINDOWS\system32\svchost.exe (584)
    ______ C:\WINDOWS\system32\svchost.exe (652)
    ______ C:\WINDOWS\System32\svchost.exe (720)
    ______ C:\WINDOWS\system32\svchost.exe (852)
    ______ C:\WINDOWS\system32\svchost.exe (960)
    ______ C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (1040)
    ______ C:\WINDOWS\system32\spoolsv.exe (1132)
    ______ C:\WINDOWS\system32\svchost.exe (1260)
    ______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1296)
    ______ C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (1312)
    ______ C:\Program Files\Bonjour\mDNSResponder.exe (1336)
    ______ C:\Program Files\Java\jre6\bin\jqs.exe (1384)
    ______ C:\WINDOWS\system32\svchost.exe (1468)
    ______ C:\PROGRA~1\AVG\AVG8\avgemc.exe (1604)
    ______ C:\PROGRA~1\AVG\AVG8\avgrsx.exe (1628)
    ______ C:\PROGRA~1\AVG\AVG8\avgnsx.exe (1644)
    ______ C:\Program Files\AVG\AVG8\avgcsrvx.exe (1880)
    ______ C:\WINDOWS\system32\wbem\unsecapp.exe (252)
    ______ C:\WINDOWS\System32\alg.exe (320)
    ______ C:\WINDOWS\system32\wbem\wmiprvse.exe (356)
    ______ C:\WINDOWS\Explorer.EXE (2108)
    ______ C:\PROGRA~1\AVG\AVG8\avgtray.exe (2744)
    ______ C:\Program Files\QuickTime\QTTask.exe (2812)
    ______ C:\Program Files\iTunes\iTunesHelper.exe (2820)
    ______ C:\Program Files\Java\jre6\bin\jusched.exe (2876)
    ______ C:\Program Files\Microsoft Works\WkDetect.exe (2928)
    ______ C:\WINDOWS\system32\ctfmon.exe (3036)
    ______ C:\Program Files\Common Files\Filseclab\FilMsg.exe (3108)
    ______ C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (3152)
    ______ C:\WINDOWS\system32\wuauclt.exe (3228)
    ______ C:\Program Files\iPod\bin\iPodService.exe (3628)
    ______ C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (2536)
    ______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (4000)
    ______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (2124)
    ______ C:\Documents and Settings\default\Desktop\Rooter.exe (3088)
    .
    ----------------------\\ Device\Harddisk0\
    .
    \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
    .
    \Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:80023716864)
    .
    ----------------------\\ Scheduled Tasks
    .
    C:\WINDOWS\Tasks\DESKTOP.INI
    C:\WINDOWS\Tasks\SA.DAT
    C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
    .
    ----------------------\\ Registry
    .
    .
    ----------------------\\ Files & Folders
    .
    ----------------------\\ Scan completed at 07:11.16
    .
    C:\Rooter$\Rooter_2.txt - (22/09/2009 | 07:11.16)

  3. #53
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    That seems to be fine.

    Download at your desktop DDS from one of the links below:

    Link 1
    Link 2
    • Double click the tool to run it.
    • A black Screen will open, just read the contents and do nothing.
    • When the tool finish it will open 2 reports.
    • Copy/paste both reports back here and remove DDS from your desktop.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  4. #54
    Member
    Join Date
    Sep 2009
    Posts
    59

    Default DDS logs

    Here is the first log:

    ===

    DDS (Ver_09-07-30.01) - FAT32x86
    Run by default at 12:45:07.45 on Tue 09/22/2009
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.145 [GMT -6:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Microsoft Works\WkDetect.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Filseclab\FilMsg.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\default\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    uURLSearchHooks: H - No File
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\YT.DLL
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    dRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
    dRunOnce: [Printing Migration] rundll32.exe c:\windows\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\filsec~1.lnk - c:\program files\common files\filseclab\FilMsg.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    IE: {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
    IE: {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\SHDOCVW.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso4.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    DPF: {32564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252200236875
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38864.5287731482
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-6 64160]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-23 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-1-26 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-23 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-23 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-23 297752]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
    R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [2009-5-25 36224]

    =============== Created Last 30 ================

    2009-09-22 07:10 <DIR> --d----- C:\Rooter$
    2009-09-18 13:18 <DIR> --d----- c:\program files\ESET
    2009-09-17 12:31 4,224 a------- c:\windows\system32\dllcache\beep.sys
    2009-09-17 12:31 4,224 -------- c:\windows\system32\drivers\beep.sys
    2009-09-15 23:17 <DIR> a-dshr-- C:\cmdcons
    2009-09-15 12:29 229,888 a------- c:\windows\PEV.exe
    2009-09-15 12:29 161,792 a------- c:\windows\SWREG.exe
    2009-09-15 12:29 98,816 a------- c:\windows\sed.exe
    2009-09-15 12:29 <DIR> --d----- C:\Combo-Fix
    2009-09-15 11:54 18,504 a------- c:\windows\gohy._sy
    2009-09-15 11:54 12,379 a------- c:\docume~1\default\applic~1\bifupexa.dat
    2009-09-14 19:05 16,467 a------- c:\windows\vysanad._sy
    2009-09-14 19:05 15,214 a------- c:\windows\oxymoto.db
    2009-09-14 19:05 14,268 a------- c:\windows\system32\pepo.dat
    2009-09-14 19:05 10,574 a------- c:\docume~1\default\applic~1\mykade.dat
    2009-09-10 00:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
    2009-09-10 00:04 <DIR> --d----- c:\docume~1\default\applic~1\AVG8
    2009-09-08 13:28 153,088 -------- c:\windows\system32\dllcache\triedit.dll
    2009-09-08 00:01 73,728 a------- c:\windows\system32\javacpl.cpl
    2009-09-07 23:45 411,368 a------- c:\windows\system32\deploytk.dll
    2009-09-06 22:28 <DIR> --dsh--- c:\documents and settings\default\IECompatCache
    2009-09-06 20:31 15,688 a------- c:\windows\system32\lsdelete.exe
    2009-09-06 19:52 64,160 a------- c:\windows\system32\drivers\Lbd.sys
    2009-09-06 19:51 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-09-06 19:50 <DIR> --d----- c:\program files\Lavasoft
    2009-09-06 16:51 <DIR> --d----- c:\program files\Trend Micro
    2009-09-06 14:23 16,439 a------- c:\windows\ygofipoxip._sy
    2009-09-06 14:23 16,342 a------- c:\docume~1\default\applic~1\cixadura.dat
    2009-09-06 14:23 14,766 a------- c:\docume~1\alluse~1\applic~1\vahu.dat
    2009-09-06 13:35 <DIR> --d----- c:\windows\system32\scripting
    2009-09-06 13:35 <DIR> --d----- c:\windows\l2schemas
    2009-09-06 13:35 <DIR> --d----- c:\windows\system32\en
    2009-09-06 13:35 <DIR> --d----- c:\windows\system32\bits
    2009-09-06 13:31 <DIR> --d----- c:\windows\network diagnostic
    2009-09-06 13:26 <DIR> --d----- c:\windows\EHome
    2009-09-06 12:22 <DIR> --dsh--- c:\documents and settings\default\PrivacIE
    2009-09-06 12:21 <DIR> --dsh--- c:\documents and settings\default\IETldCache
    2009-09-06 12:19 <DIR> --d----- c:\windows\ie8updates
    2009-09-06 12:18 <DIR> --d-h--- c:\windows\ie8
    2009-09-06 12:17 100,352 -------- c:\windows\system32\dllcache\iecompat.dll
    2009-09-06 12:17 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
    2009-09-06 12:17 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
    2009-09-06 12:17 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
    2009-09-06 12:17 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
    2009-09-06 12:17 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
    2009-09-06 12:03 27,496 a------- c:\windows\system32\mucltui.dll.mui
    2009-09-06 12:03 268,648 a------- c:\windows\system32\mucltui.dll
    2009-09-05 19:11 268,435,456 a--sh--- c:\windows\system32\temppf.sys
    2009-09-03 17:16 45 a------- c:\documents and settings\default\jagex_runescape_preferences2.dat

    ==================== Find3M ====================

    2009-09-15 12:03 19,763 a------- c:\program files\common files\ejujuraryj.lib
    2009-09-06 14:00 71,864 a------- c:\docume~1\default\applic~1\GDIPFONTCACHEV1.DAT
    2009-09-06 13:38 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2009-09-03 18:28 37 a------- c:\documents and settings\default\jagex_runescape_preferences.dat
    2009-08-16 13:04 11,952 a------- c:\windows\system32\avgrsstx.dll
    2009-08-16 13:04 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-08-05 03:01 204,800 a------- c:\windows\system32\mswebdvd.dll
    2009-08-05 03:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
    2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
    2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
    2009-07-19 07:19 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
    2009-07-17 13:01 58,880 a------- c:\windows\system32\dllcache\atl.dll
    2009-07-17 13:01 58,880 a------- c:\windows\system32\atl.dll
    2009-07-12 12:21 4,874,240 a------- c:\windows\system32\dllcache\wmp.dll
    2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
    2009-07-12 12:21 233,472 a------- c:\windows\system32\dllcache\wmpdxm.dll
    2009-07-10 07:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
    2009-07-09 12:16 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
    2009-07-03 11:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
    2009-07-03 11:09 915,456 -------- c:\windows\system32\wininet.dll
    2009-07-03 11:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
    2009-07-03 11:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
    2009-07-03 11:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
    2009-07-03 11:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
    2009-07-03 11:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
    2009-07-03 05:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
    2009-06-25 02:25 730,112 a------- c:\windows\system32\lsasrv.dll
    2009-06-25 02:25 301,568 a------- c:\windows\system32\kerberos.dll
    2009-06-25 02:25 147,456 a------- c:\windows\system32\schannel.dll
    2009-06-25 02:25 136,192 a------- c:\windows\system32\msv1_0.dll
    2009-06-25 02:25 56,832 a------- c:\windows\system32\secur32.dll
    2009-06-25 02:25 54,272 a------- c:\windows\system32\wdigest.dll
    2009-06-25 02:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
    2009-06-25 02:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
    2009-06-25 02:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
    2009-06-25 02:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
    2009-06-25 02:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
    2009-06-25 02:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
    2000-10-13 16:56 23,357 a------- c:\program files\folder.htt
    2000-10-13 16:56 271 ---sh--- c:\program files\desktop.ini

    ============= FINISH: 12:47:39.06 ===============

  5. #55
    Member
    Join Date
    Sep 2009
    Posts
    59

    Default Dds

    and here is the second log:

    ====

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-07-30.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/22/2008 10:20:17 PM
    System Uptime: 9/22/2009 11:58:37 AM (1 hours ago)

    Motherboard: Dell Computer Corporation | | Dimension 8200
    Processor: Intel(R) Pentium(R) 4 CPU 1.80GHz | Microprocessor | 1794/100mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (FAT32) - 74 GiB total, 3.325 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    3D Groove Playback Engine
    Action Replay Code Manager
    Ad-Aware
    Adobe Download Manager (Remove Only)
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player Plugin
    Adobe Reader 7.0
    Adobe Shockwave Player 11
    Apple Mobile Device Support
    Apple Software Update
    AVG Free 8.5
    Bonjour
    CCScore
    Comcast High-Speed Internet Install Wizard
    Conexant HSF V92 56K RTAD Speakerphone PCI Modem
    Dell Solution Center
    DellTouch
    Easy CD Creator 5 Basic
    ESET Online Scanner v3
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSSONIC
    ESSTOOLS
    essvatgt
    fflink
    Filseclab Personal Firewall
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hoyle Card Games 2003
    HP OfficeJet G Series
    InterActual Player
    iTunes
    Java(TM) 6 Update 16
    kgcbaby
    kgcbase
    kgchday
    kgchlwn
    kgcinvt
    kgckids
    kgcmove
    kgcvday
    Kodak EasyShare software
    Malwarebytes' Anti-Malware
    McAfee Firewall
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Encarta Encyclopedia Standard 2001
    Microsoft Money 2001
    Microsoft Office PowerPoint Viewer 2003
    Microsoft Picture It! Publishing 2001
    Microsoft Streets and Trips 2001
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Word 2000 SR-1
    Microsoft Works 2001 Setup Launcher
    Microsoft Works 6.0
    Microsoft Works Suite Add-in for Microsoft Word
    Modem Helper
    MSN Explorer
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6 Service Pack 2 (KB954459)
    netbrdg
    OfotoXMI
    PCDADDIN
    PCDHELP
    PhoneTools
    PowerDVD
    QuickTime
    RealPlayer Basic
    Rescue Disk
    RioPort Audio Manager
    Secure Game Player
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    SFR
    SFR2
    SHASTA
    Shockwave
    skin0001
    SKINXSDK
    Sony USB Driver
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.5.2.20
    staticcr
    tooltips
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    User's Guides
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VPRINTOL
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows XP Service Pack 3
    Windows XP Uninstall
    WIRELESS
    Works Suite OS Pack
    Works Synchronization
    Yahoo! Anti-Spy
    Yahoo! Toolbar
    Yahoo! Toolbar for Internet Explorer

    ==== Event Viewer Messages From Past Week ========

    9/21/2009 7:04:03 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    9/16/2009 12:30:20 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
    9/16/2009 12:30:16 PM, error: Service Control Manager [7000] - The ASCTRM service failed to start due to the following error: The system cannot find the file specified.
    9/15/2009 12:39:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVG Free8 E-mail Scanner service to connect.
    9/15/2009 12:39:32 PM, error: Service Control Manager [7000] - The AVG Free8 E-mail Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    9/15/2009 12:39:16 PM, error: Service Control Manager [7000] - The AntipyProex service failed to start due to the following error: The system cannot find the file specified.
    9/15/2009 12:37:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    9/15/2009 12:36:28 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    9/15/2009 12:36:27 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    9/15/2009 12:34:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
    9/15/2009 12:34:23 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    9/15/2009 12:34:23 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/15/2009 12:34:23 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/15/2009 12:34:23 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    9/15/2009 12:34:23 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/15/2009 12:34:23 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/15/2009 11:38:12 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
    9/15/2009 11:24:18 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    9/15/2009 11:23:14 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
    9/15/2009 1:01:38 PM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\drivers\beep.sys could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.

    ==== End Of File ===========================

  6. #56
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Please rerun combofix and post back fresh logs.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #57
    Member
    Join Date
    Sep 2009
    Posts
    59

    Default Combofix

    Ran combofix, and got all the chkdsk popup windows same as in my post #21.

    Combofix initially rebooted my PC, and stated the following:

    Combofix has detected rootkit activity and must close. Please make note of the file: c:\windows\system32\sdra64.exe.

    Here is the log file:

    ComboFix 09-09-22.02 - default 09/22/2009 22:59.5.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.144 [GMT -6:00]
    Running from: c:\documents and settings\default\Desktop\Combo-Fix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\lowsec
    c:\windows\system32\lowsec\local.ds
    c:\windows\system32\lowsec\user.ds
    c:\windows\system32\sdra64.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
    .

    2009-09-22 13:10 . 2009-09-22 13:10 -------- d-----w- C:\Rooter$
    2009-09-18 19:18 . 2009-09-18 19:18 -------- d-----w- c:\program files\ESET
    2009-09-17 18:31 . 2009-09-17 18:31 4224 ----a-w- c:\windows\system32\dllcache\beep.sys
    2009-09-17 18:31 . 2009-09-17 18:30 4224 ------w- c:\windows\system32\drivers\beep.sys
    2009-09-15 18:29 . 2009-09-15 18:29 -------- d-----w- C:\Combo-Fix
    2009-09-15 17:57 . 2009-09-15 17:57 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2009-09-15 17:54 . 2009-09-15 17:54 12379 ----a-w- c:\documents and settings\default\Application Data\bifupexa.dat
    2009-09-15 13:02 . 2009-09-15 13:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
    2009-09-15 01:05 . 2009-09-15 01:05 14268 ----a-w- c:\windows\system32\pepo.dat
    2009-09-15 01:05 . 2009-09-15 01:05 10574 ----a-w- c:\documents and settings\default\Application Data\mykade.dat
    2009-09-15 00:01 . 2009-09-15 00:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2009-09-10 06:09 . 2009-09-10 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2009-09-10 06:04 . 2009-09-10 06:04 -------- d-----w- c:\documents and settings\default\Application Data\AVG8
    2009-09-10 06:04 . 2009-09-10 06:04 -------- d-----w- c:\documents and settings\default\Application Data\AVG8
    2009-09-08 19:28 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
    2009-09-08 05:45 . 2009-09-08 06:01 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-09-07 04:28 . 2009-09-07 04:28 -------- d-sh--w- c:\documents and settings\default\IECompatCache
    2009-09-07 02:42 . 2009-09-07 02:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2009-09-07 02:31 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2009-09-07 01:52 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-09-07 01:51 . 2009-09-07 01:51 -------- d--h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-09-07 01:50 . 2009-09-07 01:50 -------- d-----w- c:\program files\Lavasoft
    2009-09-06 22:51 . 2009-09-06 22:51 -------- d-----w- c:\program files\Trend Micro
    2009-09-06 20:23 . 2009-09-06 20:23 16342 ----a-w- c:\documents and settings\default\Application Data\cixadura.dat
    2009-09-06 19:57 . 2009-09-06 19:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\scripting
    2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\l2schemas
    2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\en
    2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\bits
    2009-09-06 19:26 . 2009-09-06 19:27 -------- d-----w- c:\windows\EHome
    2009-09-06 18:31 . 2009-09-06 18:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2009-09-06 18:22 . 2009-09-06 18:22 -------- d-sh--w- c:\documents and settings\default\PrivacIE
    2009-09-06 18:22 . 2009-09-06 18:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2009-09-06 18:21 . 2009-09-06 18:21 -------- d-sh--w- c:\documents and settings\default\IETldCache
    2009-09-06 18:19 . 2009-09-06 18:19 -------- d-----w- c:\windows\ie8updates
    2009-09-06 18:18 . 2009-09-06 18:18 -------- d--h--w- c:\windows\ie8
    2009-09-06 18:17 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
    2009-09-06 18:17 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2009-09-06 18:17 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
    2009-09-06 18:17 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
    2009-09-06 18:17 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2009-09-06 18:17 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
    2009-09-06 18:03 . 2008-10-16 20:06 268648 ----a-w- c:\windows\system32\mucltui.dll
    2009-09-06 01:11 . 2009-09-23 04:56 268435456 --sha-w- c:\windows\system32\temppf.sys
    2009-09-03 23:16 . 2009-09-03 23:17 45 ----a-w- c:\documents and settings\default\jagex_runescape_preferences2.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-15 18:03 . 2009-09-15 18:03 19763 ----a-w- c:\program files\Common Files\ejujuraryj.lib
    2009-09-06 20:23 . 2009-09-06 20:23 14766 ----a-w- c:\documents and settings\All Users\Application Data\vahu.dat
    2009-09-04 00:28 . 2008-07-01 21:59 37 ----a-w- c:\documents and settings\default\jagex_runescape_preferences.dat
    2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\program files\iPod
    2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\program files\iTunes
    2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-08-18 02:51 . 2009-08-18 02:51 -------- d-----w- c:\program files\Bonjour
    2009-08-18 02:50 . 2009-08-18 02:50 -------- d-----w- c:\program files\QuickTime
    2009-08-16 19:04 . 2009-05-23 14:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-08-16 19:04 . 2008-01-27 03:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-08-16 19:04 . 2009-05-23 14:43 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-08-08 05:48 . 2009-08-08 05:48 -------- d-----w- c:\program files\MSBuild
    2009-08-08 05:48 . 2009-08-08 05:48 -------- d-----w- c:\program files\Reference Assemblies
    2009-08-08 05:44 . 2009-08-08 05:43 -------- d-----w- c:\program files\MSXML 6.0
    2009-08-05 09:01 . 2008-01-23 03:28 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-08-03 19:36 . 2008-08-29 04:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-03 19:36 . 2008-08-29 04:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-17 19:01 . 2008-01-23 03:25 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-12 18:21 . 2008-01-23 03:34 233472 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-09 18:16 . 2009-08-18 02:47 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
    2009-07-09 18:16 . 2008-01-29 04:22 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2009-07-03 17:09 . 2008-01-23 03:31 915456 ------w- c:\windows\system32\wininet.dll
    2009-06-25 08:25 . 2008-01-23 03:30 54272 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:25 . 2008-01-23 03:29 56832 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:25 . 2008-01-23 03:29 147456 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:25 . 2008-01-23 03:28 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-25 08:25 . 2008-01-23 03:27 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-25 08:25 . 2008-01-23 03:27 301568 ----a-w- c:\windows\system32\kerberos.dll
    2000-10-13 22:56 . 2000-10-13 22:56 23357 ----a-w- c:\program files\folder.htt
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-09-15_19.04.36 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-23 04:22 . 2009-09-23 04:56 49152 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-01-23 04:22 . 2009-09-15 18:38 49152 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-09-06 18:31 . 2009-09-15 18:38 16384 c:\windows\SYSTEM32\config\systemprofile\IETldCache\index.dat
    + 2009-09-06 18:31 . 2009-09-23 04:56 16384 c:\windows\SYSTEM32\config\systemprofile\IETldCache\index.dat
    + 2008-01-23 04:22 . 2009-09-23 04:56 49152 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
    - 2008-01-23 04:22 . 2009-09-15 18:38 49152 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
    + 2008-01-23 04:22 . 2009-09-23 04:56 360448 c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-23 04:22 . 2009-09-15 18:38 360448 c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-10 28739]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-08 149280]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-10 28739]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Printing Migration"="c:\windows\system32\spool\migrate.dll" [2004-08-04 30208]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Filseclab Messenger.lnk - c:\program files\Common Files\Filseclab\FilMsg.exe [2007-7-30 315652]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-16 19:04 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /p \??\c:\0autocheck autochk *\0lsdelete

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MSMSGS"=c:\progra~1\MESSEN~1\msmsgs.exe /background
    "MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
    "Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime
    "CreateCD50"="c:\program files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    "AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    "RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    "TaskMonitor"=c:\windows\taskmon.exe
    "PCHealth"=c:\windows\PCHealth\Support\PCHSchd.exe -s
    "WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
    "Microsoft Works Portfolio"=c:\program files\Microsoft Works\WksSb.exe /AllUsers
    "Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
    "MULTIMEDIA KEYBOARD"=c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe
    "LoadQM"=loadqm.exe
    "HPAIO_PrintFolderMgr"=c:\windows\SYSTEM\hpoopm07.exe
    "DownloadWare"="c:\program files\DownloadWare\dw.exe" /H
    "SearchEnhancement"="c:\program files\SCBAR\V1\SCBAR.EXE" /U
    "KodakCCS"=c:\program files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "c:\program files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "NAV Agent"=c:\progra~1\NORTON~1\NAVAPW32.EXE
    "RecoverFromReboot"=c:\windows\TEMP\RECOVE~1.EXE
    "BJCFD"=c:\program files\BroadJump\Client Foundation\CFD.exe
    "QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime
    "xfilter"="c:\program files\Filseclab\xfilter\xfilter.exe" -a

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
    "SchedulingAgent"=mstask.exe
    "StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [9/6/2009 7:52 PM 64160]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/23/2009 8:43 AM 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/23/2009 8:43 AM 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/23/2009 8:42 AM 908056]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/23/2009 8:42 AM 297752]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1029456]
    R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\lne100v5.sys [5/25/2009 7:49 PM 36224]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
    rundll rnasetup.dll,installoptionalcomponent rna
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

    2009-09-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-22 23:12
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(368)
    c:\windows\system32\vct3216.acm
    c:\windows\system32\vct3216.dll
    c:\windows\system32\MVOICE.VWP

    - - - - - - - > 'lsass.exe'(424)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2009-09-23 23:17
    ComboFix-quarantined-files.txt 2009-09-23 05:17
    ComboFix2.txt 2009-09-20 17:24
    ComboFix3.txt 2009-09-17 19:01
    ComboFix4.txt 2009-09-16 05:43
    ComboFix5.txt 2009-09-23 04:50

    Pre-Run: 3,540,664,320 bytes free
    Post-Run: 3,576,905,728 bytes free

    241 --- E O F --- 2009-09-08 20:07

  8. #58
    Member
    Join Date
    Sep 2009
    Posts
    59

    Default

    ...and the latest HJT log:

    ===
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:25:31 PM, on 9/22/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
    O4 - Global Startup: Filseclab Messenger.lnk = C:\Program Files\Common Files\Filseclab\FilMsg.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1252200236875
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    --
    End of file - 7145 bytes

  9. #59
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Download to the desktop: Dr.Web CureIt
    • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, Click Options > Change settings
    • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
    • Back at the main window, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can click next icon next to the files found:

      If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

      This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
    • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  10. #60
    Member
    Join Date
    Sep 2009
    Posts
    59

    Default

    Shaba:

    It took a while, but Dr. Web Cureit did run.

    Here is the log:

    =====
    vsfocetkopabwq.dll;C:\WINDOWS\SYSTEM32;Trojan.Packed.2788;Deleted.;
    vsfocenivmtvpegq.tmp;C:\WINDOWS\TEMP;Trojan.Packed.2788;Deleted.;
    =====

    and another HJT Log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:16:27 PM, on 9/23/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Microsoft Works\WkDetect.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Filseclab\FilMsg.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\system32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
    O4 - Global Startup: Filseclab Messenger.lnk = C:\Program Files\Common Files\Filseclab\FilMsg.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1252200236875
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    --
    End of file - 7608 bytes

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •