mr_mediocre (Members, 7 posts)

Everything posted by mr_mediocre

  1. Thanks! We've followed the directions and now have MS Security running. I'll get to the other forum to see about the MBAM issue later today.
  2. OK, Eset finished sometime after I went to bed. Looks like something's still hanging around. Logfile follows:

     ESETSmartInstaller@High as downloader log:
     all ok
     # version=7
     # OnlineScannerApp.exe=1.0.0.1
     # OnlineScanner.ocx=1.0.0.6211
     # api_version=3.0.2
     # EOSSerial=01f8df1f1f5f264ab0d6681c70106d53
     # end=finished
     # remove_checked=false
     # archives_checked=true
     # unwanted_checked=true
     # unsafe_checked=false
     # antistealth_checked=true
     # utc_time=2010-11-27 06:44:33
     # local_time=2010-11-27 01:44:33 (-0500, Eastern Standard Time)
     # country="United States"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=768 16777215 100 0 0 0 0 0
     # compatibility_mode=8192 67108863 100 0 0 0 0 0
     # compatibility_mode=9217 16777214 100 77 34512631 74303641 0 0
     # scanned=145272
     # found=5
     # cleaned=0
     # scan_time=6322
     C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll    Win32/Toolbar.MyWebSearch application    00000000000000000000000000000000    I
     C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL    Win32/Toolbar.MyWebSearch application    00000000000000000000000000000000    I
     C:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL    a variant of Win32/Toolbar.MyWebSearch application    00000000000000000000000000000000    I
     C:\Qoobox\Quarantine\MBR_HardDisk0.mbr    Win32/Olmarik.ADA trojan    00000000000000000000000000000000    I
     ${Memory}    a variant of Win32/Toolbar.MyWebSearch application    00000000000000000000000000000000    I
  3. Ran it on virscan.org. No problems found:

     VirSCAN.org Scanned Report :
     Scanned time    : 2010/11/26 22:43:13 (EST)
     Scanner results : Scanners did not find malware!
     File Name       : VEN2232.OLB
     File Size       : 37376 byte
     File Type       : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
     MD5             : e33c17f0d4c580a6874b8adf802c1058
     SHA1            : 9f57fadf690ae359cd72af07510a0c0af4c500b9
     Online report   : http://virscan.org/report/baf455c6f059a8a9...65ddf803fe.html

     Scanner        Engine Ver         Sig Ver              Sig Date    Time   Scan result
     a-squared      5.0.0.20           20101126040816       2010-11-26  40.09  -
     AhnLab V3      2010.11.23.01      2010.11.23           2010-11-23  40.09  -
     AntiVir        8.2.4.114          7.10.14.125          2010-11-26  0.26   -
     Antiy          2.0.18             20101126.5945124     2010-11-26  0.02   -
     Arcavir        2010               201011271027         2010-11-27  0.03   -
     Authentium     5.1.1              201011262028         2010-11-26  1.29   -
     AVAST!         4.7.4              101126-1             2010-11-26  0.01   -
     AVG            8.5.850            271.1.1/3282         2010-11-27  0.24   -
     BitDefender    7.90123.6313747    7.34806              2010-11-27  5.80   -
     ClamAV         0.96.3             12322                2010-11-27  0.01   -
     Comodo         4.0                6860                 2010-11-26  40.09  -
     CP Secure      1.3.0.5            2010.11.27           2010-11-27  0.04   -
     Dr.Web         5.0.2.3300         2010.11.27           2010-11-27  9.83   -
     F-Prot         4.4.4.56           20101126             2010-11-26  1.28   -
     F-Secure       7.02.73807         2010.11.26.11        2010-11-26  0.13   -
     Fortinet       4.2.254            12.607               2010-11-26  22.37  -
     GData          21.1178/21.502     20101126             2010-11-26  40.09  -
     ViRobot        20101126           2010.11.26           2010-11-26  0.37   -
     Ikarus         T3.1.32.15.0       2010.11.26.77240     2010-11-26  5.35   -
     JiangMin       13.0.900           2010.11.20           2010-11-20  2.26   -
     Kaspersky      5.5.10             2010.11.26           2010-11-26  0.14   -
     KingSoft       2009.2.5.15        2010.11.26.18        2010-11-26  0.72   -
     McAfee         5400.1158          6179                 2010-11-26  18.25  -
     Microsoft      1.6402             2010.11.26           2010-11-26  40.09  -
     Norman         6.06.11            6.06.00              2010-11-23  8.01   -
     Panda          9.05.01            2010.11.26           2010-11-26  40.10  -
     Trend Micro    9.120-1004         7.652.12             2010-11-26  0.03   -
     Quick Heal     11.00              2010.11.26           2010-11-26  40.09  -
     Rising         20.0               22.75.03.04          2010-11-25  13.44  -
     Sophos         3.14.1             4.60                 2010-11-27  2.82   -
     Sunbelt        3.9.2459.2         7421                 2010-11-26  40.09  -
     Symantec       1.3.0.24           20101126.003         2010-11-26  0.05   -
     nProtect       20101126.01        9195224              2010-11-26  40.09  -
     The Hacker     6.7.0.1            v00091               2010-11-25  40.09  -
     VBA32          3.12.14.2          20101126.1149        2010-11-26  4.21   -
     VirusBuster    4.5.11.10          10.130.32/1974282    2010-11-25  2.40   -
  4. Reinstalled MBAM and updated Java per instructions. MBAM still crashed while reportedly scanning the same file, C:\WINDOWS\System32\VEN2232.OLB. No log file is produced.
  5. Combofix ran as requested; log file follows. It did say that the Recovery Console had to be installed even though it was installed on the previous run. MBAM crashed at the same point as previously. I can send the crash report if that would help.

     ComboFix 10-11-25.06 - Meg 6/2010 Fri 17:59:23.2.1 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.932.81.1033.18.1982.1491 [GMT -5:00]
     Running from: c:\documents and settings\Meg\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Meg\Desktop\CFScript.txt
     FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
     .
     ((((((((((((((((((((((((( Files Created from 2010-10-26 to 2010-11-26 )))))))))))))))))))))))))))))))
     .
     2010-11-25 17:09 . 2010-11-25 17:09 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
     2010-11-25 17:08 . 2010-11-25 17:08 -------- d-----w- c:\documents and settings\Dad\Application Data\AVG10
     2010-11-25 14:40 . 2010-11-25 14:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
     2010-11-24 18:22 . 2010-11-24 18:22 -------- d-----w- c:\documents and settings\Meg\Application Data\Neopets Toolbar
     2010-11-24 15:45 . 2010-11-24 15:45 0 ----a-w- c:\windows\system32\lspBF.tmp
     2010-11-24 02:12 . 2010-11-24 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
     2010-11-24 02:12 . 2010-11-24 02:12 -------- d-----w- c:\program files\Alwil Software
     2010-11-23 16:23 . 2010-11-23 16:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird
     2010-11-23 16:23 . 2010-11-23 16:23 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird
     2010-11-23 01:57 . 2010-11-23 01:49 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
     2010-11-23 01:47 . 2010-11-23 01:47 -------- d-----w- c:\documents and settings\Meg\Local Settings\Application Data\Sunbelt Software
     2010-11-22 21:13 . 2010-11-08 21:06 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
     2010-11-22 21:13 . 2010-11-22 21:13 -------- d-----w- c:\program files\MozyHome
     2010-11-22 19:51 . 2010-11-22 19:51 -------- d-----w- c:\documents and settings\Meg\Application Data\Malwarebytes
     2010-11-22 19:51 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-11-22 19:51 . 2010-11-22 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-11-22 19:51 . 2010-11-22 19:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-11-22 19:51 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-11-22 16:08 . 2010-11-22 16:09 -------- d-----w- c:\documents and settings\Administrator
     2010-11-22 16:00 . 2010-11-22 16:00 -------- d-----w- c:\program files\Smitfraudfix
     2010-11-22 07:04 . 2010-11-22 07:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
     2010-11-22 07:04 . 2010-11-22 07:04 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
     2010-11-21 15:45 . 2010-11-21 15:45 -------- d-----w- c:\program files\iPod
     2010-11-21 15:45 . 2010-11-21 15:46 -------- d-----w- c:\program files\iTunes
     2010-11-11 21:53 . 2010-11-12 12:57 -------- d-----w- c:\program files\UTAU
     2010-11-02 21:35 . 2010-11-02 21:35 -------- d-----w- c:\program files\Steinberg
     2010-11-02 21:34 . 2010-11-02 21:47 -------- d-----w- c:\program files\VOCALOID2
     2010-11-02 21:31 . 2010-11-02 21:31 -------- d-----w- c:\documents and settings\Meg\Application Data\InstallShield
     2010-11-02 21:28 . 2006-08-21 19:58 4874240 ----a-w- c:\windows\system32\DSE2_DFT.dll
     2010-11-02 21:28 . 2006-07-06 19:25 200704 ----a-w- c:\windows\system32\libguide40.dll
     2010-11-02 21:13 . 2010-11-02 21:24 -------- d-----w- c:\program files\Vocaloid2 Sonika
     2010-10-30 17:08 . 2010-10-30 17:08 77824 ----a-w- c:\windows\SOUNDMAN_AVG_RESTORED.EXE
     2010-10-30 17:08 . 2010-10-30 17:08 77824 ----a-w- c:\windows\SOUNDMAN.EXE
     2010-10-30 17:07 . 2010-10-30 17:07 -------- d-----w- c:\documents and settings\Meg\Application Data\AVG10
     2010-10-30 17:02 . 2010-10-30 17:02 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
     2010-10-30 16:43 . 2010-11-26 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-09-18 16:23 . 2005-09-08 17:20 974848 ------w- c:\windows\system32\mfc42u.dll
     2010-09-18 06:53 . 2005-09-08 17:20 974848 ----a-w- c:\windows\system32\mfc42.dll
     2010-09-18 06:53 . 2005-09-08 17:20 954368 ------w- c:\windows\system32\mfc40.dll
     2010-09-18 06:53 . 2005-09-08 17:20 953856 ------w- c:\windows\system32\mfc40u.dll
     2010-09-09 13:38 . 2005-09-08 17:20 832512 ----a-w- c:\windows\system32\wininet.dll
     2010-09-09 13:38 . 2005-09-08 17:20 1830912 ------w- c:\windows\system32\inetcpl.cpl
     2010-09-09 13:38 . 2005-09-08 17:20 78336 ------w- c:\windows\system32\ieencode.dll
     2010-09-09 13:38 . 2005-09-08 17:20 17408 ------w- c:\windows\system32\corpol.dll
     2010-09-08 15:57 . 2005-09-08 17:20 389120 ------w- c:\windows\system32\html.iec
     2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
     2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
     2010-09-01 11:51 . 2005-09-08 17:20 285824 ----a-w- c:\windows\system32\atmfd.dll
     2010-08-31 13:42 . 2005-09-08 17:20 1852800 ------w- c:\windows\system32\win32k.sys
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
     @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
     [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
     2010-11-08 21:06 3424056 ----a-w- c:\program files\MozyHome\mozyshell.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
     @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
     [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
     2010-11-08 21:06 3424056 ----a-w- c:\program files\MozyHome\mozyshell.dll

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-12 68856]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-23 339968]
     "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
     "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
     "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
     "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
     "PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
     "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-23 663552]
     "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
     "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
     "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
     "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
     "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
     "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
     "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
     "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
     "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
     "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]

     c:\documents and settings\Meg\Start Menu\Programs\Startup\
     OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
     OneNote Table Of Contents.onetoc2 [2010-5-14 3656]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
     MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-11-8 3571512]

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
     "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=

     R0 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [9/8/2005 12:22 97920]
     R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 169312]
     R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [5/6/2010 16:09 4497704]
     R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [5/6/2010 16:10 113448]
     S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
     S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/22/2010 14:51 38224]
     S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [5/6/2010 16:09 16168]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     getPlusHelper REG_MULTI_SZ getPlusHelper
     .
     Contents of the 'Scheduled Tasks' folder

     2010-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.neopets.com/portal/
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
     DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
     FF - ProfilePath - c:\documents and settings\Meg\Application Data\Mozilla\Firefox\Profiles\5u6x7tiz.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.thehungersite.com/
     FF - prefs.js: keyword.URL - http%3A//search.myway.com/search/AJmain.jhtml%3Fsearchfor%3D%SEARCH_TERM%%26ptnrS%3DXB%26st%3DDNS
     FF - prefs.js: network.proxy.ftp - Sorry, you have to ask Mom or Dad
     FF - prefs.js: network.proxy.ftp_port - 80
     FF - prefs.js: network.proxy.gopher - Sorry, you have to ask Mom or Dad
     FF - prefs.js: network.proxy.gopher_port - 80
     FF - prefs.js: network.proxy.http - Sorry, you have to ask Mom or Dad
     FF - prefs.js: network.proxy.http_port - 80
     FF - prefs.js: network.proxy.socks - Sorry, you have to ask Mom or Dad
     FF - prefs.js: network.proxy.socks_port - 80
     FF - prefs.js: network.proxy.ssl - Sorry, you have to ask Mom or Dad
     FF - prefs.js: network.proxy.ssl_port - 80
     FF - prefs.js: network.proxy.type - 0
     FF - plugin: c:\documents and settings\Meg\Application Data\Facebook\npfbplugin_1_0_3.dll
     FF - plugin: c:\documents and settings\Meg\Application Data\Mozilla\Firefox\Profiles\5u6x7tiz.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
     FF - plugin: c:\program files\TabletPlugins\npwacom.dll
     FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-11-26 18:03
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_USERS\S-1-5-21-2387829299-3434833934-1183773427-1007\Software\SecuROM\License information*]
     "datasecu"=hex:27,d1,6f,8d,0d,63,83,01,7b,d1,bd,69,7d,0c,c0,99,5f,16,60,c5,86,
        84,15,9b,a3,9b,4e,92,36,4c,e6,4a,1a,0b,f4,da,f2,93,88,b4,58,61,63,4d,16,d0,\
     "rkeysecu"=hex:fa,ca,e1,b8,cd,f0,cf,0b,c0,94,af,4b,9d,66,3c,d9
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(572)
     c:\windows\system32\Ati2evxx.dll

     - - - - - - - > 'explorer.exe'(2820)
     c:\windows\system32\WININET.dll
     c:\program files\MozyHome\mozyshell.dll
     c:\program files\MozyHome\LIBEAY32.dll
     c:\windows\system32\ieframe.dll
     .
     Completion time: 2010-11-26 18:06:23
     ComboFix-quarantined-files.txt 2010-11-26 23:06
     ComboFix2.txt 2010-11-26 15:36

     Pre-Run: 99,330,203,648 bytes free
     Post-Run: 99,303,096,320 bytes free

     WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     UnsupportedDebug="do not select this" /debug
     multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

     - - End Of File - - 377A81E2FEF410105ACC998C6495FD1A
  6. Thanks so much for the assistance! If I may make a request: please update the AVG Remover link. The link you provided points to a remover for AVG v7, 8, and/or v9. I had AVG 2011 and was very frustrated when the remover said AVG was already uninstalled when it was quite obviously still running. (To be fair, the AVG uninstaller didn't work, either.) The downloads page with all removers is here. I was able to successfully remove AVG with the new remover. You may also wish to update the Combofix link as there is a more recent version available. The program's auto-update took care of it for me. I was able to run Combofix. Here's the log.

     ComboFix 10-11-25.05 - Meg 6/2010 Fri 10:22:13.1.1 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.932.81.1033.18.1982.1569 [GMT -5:00]
     Running from: c:\documents and settings\Meg\Desktop\ComboFix.exe
     FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
     c:\windows\system32\Thumbs.db
     c:\windows\system32\tmp.reg
     .
     \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
     .
     ((((((((((((((((((((((((( Files Created from 2010-10-26 to 2010-11-26 )))))))))))))))))))))))))))))))
     .
     2010-11-25 17:09 . 2010-11-25 17:09 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
     2010-11-25 17:08 . 2010-11-25 17:08 -------- d-----w- c:\documents and settings\Dad\Application Data\AVG10
     2010-11-25 14:40 . 2010-11-25 14:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
     2010-11-24 18:22 . 2010-11-24 18:22 -------- d-----w- c:\documents and settings\Meg\Application Data\Neopets Toolbar
     2010-11-24 15:45 . 2010-11-24 15:45 0 ----a-w- c:\windows\system32\lspBF.tmp
     2010-11-24 02:12 . 2010-11-24 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
     2010-11-24 02:12 . 2010-11-24 02:12 -------- d-----w- c:\program files\Alwil Software
     2010-11-23 16:23 . 2010-11-23 16:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird
     2010-11-23 16:23 . 2010-11-23 16:23 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird
     2010-11-23 01:57 . 2010-11-23 01:49 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
     2010-11-23 01:47 . 2010-11-23 01:47 -------- d-----w- c:\documents and settings\Meg\Local Settings\Application Data\Sunbelt Software
     2010-11-22 21:13 . 2010-11-08 21:06 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
     2010-11-22 21:13 . 2010-11-22 21:13 -------- d-----w- c:\program files\MozyHome
     2010-11-22 19:51 . 2010-11-22 19:51 -------- d-----w- c:\documents and settings\Meg\Application Data\Malwarebytes
     2010-11-22 19:51 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-11-22 19:51 . 2010-11-22 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-11-22 19:51 . 2010-11-22 19:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-11-22 19:51 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-11-22 16:08 . 2010-11-22 16:09 -------- d-----w- c:\documents and settings\Administrator
     2010-11-22 16:00 . 2010-11-22 16:00 -------- d-----w- c:\program files\Smitfraudfix
     2010-11-22 07:04 . 2010-11-22 07:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
     2010-11-22 07:04 . 2010-11-22 07:04 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
     2010-11-21 15:45 . 2010-11-21 15:45 -------- d-----w- c:\program files\iPod
     2010-11-21 15:45 . 2010-11-21 15:46 -------- d-----w- c:\program files\iTunes
     2010-11-11 21:53 . 2010-11-12 12:57 -------- d-----w- c:\program files\UTAU
     2010-11-02 21:35 . 2010-11-02 21:35 -------- d-----w- c:\program files\Steinberg
     2010-11-02 21:34 . 2010-11-02 21:47 -------- d-----w- c:\program files\VOCALOID2
     2010-11-02 21:31 . 2010-11-02 21:31 -------- d-----w- c:\documents and settings\Meg\Application Data\InstallShield
     2010-11-02 21:28 . 2006-08-21 19:58 4874240 ----a-w- c:\windows\system32\DSE2_DFT.dll
     2010-11-02 21:28 . 2006-07-06 19:25 200704 ----a-w- c:\windows\system32\libguide40.dll
     2010-11-02 21:13 . 2010-11-02 21:24 -------- d-----w- c:\program files\Vocaloid2 Sonika
     2010-10-30 17:08 . 2010-10-30 17:08 77824 ----a-w- c:\windows\SOUNDMAN_AVG_RESTORED.EXE
     2010-10-30 17:08 . 2010-10-30 17:08 77824 ----a-w- c:\windows\SOUNDMAN.EXE
     2010-10-30 17:07 . 2010-10-30 17:07 -------- d-----w- c:\documents and settings\Meg\Application Data\AVG10
     2010-10-30 17:02 . 2010-10-30 17:02 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
     2010-10-30 16:43 . 2010-11-26 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-09-18 16:23 . 2005-09-08 17:20 974848 ------w- c:\windows\system32\mfc42u.dll
     2010-09-18 06:53 . 2005-09-08 17:20 974848 ----a-w- c:\windows\system32\mfc42.dll
     2010-09-18 06:53 . 2005-09-08 17:20 954368 ------w- c:\windows\system32\mfc40.dll
     2010-09-18 06:53 . 2005-09-08 17:20 953856 ------w- c:\windows\system32\mfc40u.dll
     2010-09-09 13:38 . 2005-09-08 17:20 832512 ----a-w- c:\windows\system32\wininet.dll
     2010-09-09 13:38 . 2005-09-08 17:20 1830912 ------w- c:\windows\system32\inetcpl.cpl
     2010-09-09 13:38 . 2005-09-08 17:20 78336 ------w- c:\windows\system32\ieencode.dll
     2010-09-09 13:38 . 2005-09-08 17:20 17408 ------w- c:\windows\system32\corpol.dll
     2010-09-08 15:57 . 2005-09-08 17:20 389120 ------w- c:\windows\system32\html.iec
     2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
     2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
     2010-09-01 11:51 . 2005-09-08 17:20 285824 ----a-w- c:\windows\system32\atmfd.dll
     2010-08-31 13:42 . 2005-09-08 17:20 1852800 ------w- c:\windows\system32\win32k.sys
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
     @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
     [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
     2010-11-08 21:06 3424056 ----a-w- c:\program files\MozyHome\mozyshell.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
     @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
     [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
     2010-11-08 21:06 3424056 ----a-w- c:\program files\MozyHome\mozyshell.dll

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-12 68856]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-23 339968]
     "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
     "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
     "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
     "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
     "PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
     "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-23 663552]
     "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
     "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
     "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
     "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
     "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
     "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
     "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
     "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
     "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
     "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]

     c:\documents and settings\Meg\Start Menu\Programs\Startup\
     OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
     OneNote Table Of Contents.onetoc2 [2010-5-14 3656]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
     MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-11-8 3571512]

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
     "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=

     R0 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [9/8/2005 12:22 97920]
     R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 169312]
     R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [5/6/2010 16:09 4497704]
     R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [5/6/2010 16:10 113448]
     S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
     S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/22/2010 14:51 38224]
     S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [5/6/2010 16:09 16168]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     getPlusHelper REG_MULTI_SZ getPlusHelper
     .
     Contents of the 'Scheduled Tasks' folder

     2010-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.neopets.com/portal/
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uInternet Settings,ProxyServer = http=127.0.0.1:80;https=127.0.0.1:443
     uInternet Settings,ProxyOverride = <local>;*.local
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
     DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
     FF - ProfilePath - c:\documents and settings\Meg\Application Data\Mozilla\Firefox\Profiles\5u6x7tiz.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.thehungersite.com/
     FF - prefs.js: keyword.URL - http%3A//search.myway.com/search/AJmain.jhtml%3Fsearchfor%3D%SEARCH_TERM%%26ptnrS%3DXB%26st%3DDNS
     FF - prefs.js: network.proxy.ftp - Sorry, you have to ask Mom or Dad
     FF - prefs.js: network.proxy.ftp_port - 80
     FF - prefs.js: network.proxy.gopher - Sorry, you have to ask Mom or Dad
     FF - prefs.js: network.proxy.gopher_port - 80
     FF - prefs.js: network.proxy.http - Sorry, you have to ask Mom or Dad
     FF - prefs.js: network.proxy.http_port - 80
     FF - prefs.js: network.proxy.socks - Sorry, you have to ask Mom or Dad
     FF - prefs.js: network.proxy.socks_port - 80
     FF - prefs.js: network.proxy.ssl - Sorry, you have to ask Mom or Dad
     FF - prefs.js: network.proxy.ssl_port - 80
     FF - prefs.js: network.proxy.type - 0
     FF - plugin: c:\documents and settings\Meg\Application Data\Facebook\npfbplugin_1_0_3.dll
     FF - plugin: c:\documents and settings\Meg\Application Data\Mozilla\Firefox\Profiles\5u6x7tiz.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
     FF - plugin: c:\program files\TabletPlugins\npwacom.dll
     FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
     .
     - - - - ORPHANS REMOVED - - - -

     HKCU-Run-EA Core - c:\program files\EA Games\The Sims 2 Double Deluxe\EADM\Core.exe
     AddRemove-Macromedia Shockwave Player - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-11-26 10:34
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_USERS\S-1-5-21-2387829299-3434833934-1183773427-1007\Software\SecuROM\License information*]
     "datasecu"=hex:27,d1,6f,8d,0d,63,83,01,7b,d1,bd,69,7d,0c,c0,99,5f,16,60,c5,86,
        84,15,9b,a3,9b,4e,92,36,4c,e6,4a,1a,0b,f4,da,f2,93,88,b4,58,61,63,4d,16,d0,\
     "rkeysecu"=hex:fa,ca,e1,b8,cd,f0,cf,0b,c0,94,af,4b,9d,66,3c,d9
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(572)
     c:\windows\system32\Ati2evxx.dll
     .
     Completion time: 2010-11-26 10:36:44
     ComboFix-quarantined-files.txt 2010-11-26 15:36

     Pre-Run: 96,481,107,968 bytes free
     Post-Run: 99,642,167,296 bytes free

     WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     UnsupportedDebug="do not select this" /debug
     multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

     - - End Of File - - 2F9880CA3FA274217B657C759004007B

     I will await your instructions before doing anything else.
  7. My system has been infected by a redirect trojan described at this Malware-control page. I have loaded, updated, and run Malwarebytes, but the scan crashes each time it reaches C:\WINDOWS\System32\VEN2232.OLB. No log file is produced. I have followed the standard instructions for this forum:

1) DeFogger - Ran and reports that CD emulation is disabled but did not ask for a reboot. defogger-disable log follows:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 09:55 on 25/11/2010 (Meg)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-

2) Ran DDS.SCR. DDS.txt follows; Attach.txt is zipped and attached.

DDS (Ver_10-11-10.01) - NTFSx86 NETWORK
Run by Meg at 10:29:47.53 on 11/25/2010 Thu
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.932.81.1033.18.1982.1522 [GMT -5:00]
AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Meg\Desktop\dds.com
C:\WINDOWS\system32\conime.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.neopets.com/portal/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:80;https=127.0.0.1:443
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\ea games\the sims 2 double deluxe\eadm\Core.exe" -silent
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\meg\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\documents and settings\meg\start menu\programs\startup\OneNote Table Of Contents.onetoc2
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\meg\applic~1\mozilla\firefox\profiles\5u6x7tiz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.thehungersite.com/
FF - prefs.js: keyword.URL - http%3A//search.myway.com/search/AJmain.jhtml%3Fsearchfor%3D%SEARCH_TERM%%26ptnrS%3DXB%26st%3DDNS
FF - prefs.js: network.proxy.ftp - Sorry, you have to ask Mom or Dad
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - Sorry, you have to ask Mom or Dad
FF - prefs.js: network.proxy.gopher_port - 80
FF - prefs.js: network.proxy.http - Sorry, you have to ask Mom or Dad
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - Sorry, you have to ask Mom or Dad
FF - prefs.js: network.proxy.socks_port - 80
FF - prefs.js: network.proxy.ssl - Sorry, you have to ask Mom or Dad
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\meg\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\meg\application data\mozilla\firefox\profiles\5u6x7tiz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-11-22 64288]
R0 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [2005-9-8 97920]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-12-28 353672]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1375992]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-5-6 4497704]
S2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-5-6 113448]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15264]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-22 38224]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-5-6 16168]
=============== Created Last 30 ================
2010-11-24 18:22:16 -------- d-----w- c:\docume~1\meg\applic~1\Neopets Toolbar
2010-11-24 15:45:17 0 ----a-w- c:\windows\system32\lspBF.tmp
2010-11-24 02:12:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-11-23 02:14:08 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-23 01:57:33 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-23 01:50:06 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-23 01:47:07 -------- d-----w- c:\docume~1\meg\locals~1\applic~1\Sunbelt Software
2010-11-23 01:38:12 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-22 21:13:02 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2010-11-22 21:13:00 -------- d-----w- c:\program files\MozyHome
2010-11-22 19:51:32 -------- d-----w- c:\docume~1\meg\applic~1\Malwarebytes
2010-11-22 19:51:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-22 19:51:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-22 19:51:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-22 19:51:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-22 16:03:11 3616 ----a-w- c:\windows\system32\tmp.reg
2010-11-22 16:00:59 -------- d-----w- c:\program files\Smitfraudfix
2010-11-21 15:45:51 -------- d-----w- c:\program files\iPod
2010-11-21 15:45:48 -------- d-----w- c:\program files\iTunes
2010-11-11 21:53:41 -------- d-----w- c:\program files\UTAU
2010-11-02 21:35:08 -------- d-----w- c:\program files\Steinberg
2010-11-02 21:34:50 -------- d-----w- c:\program files\VOCALOID2
2010-11-02 21:28:47 4874240 ----a-w- c:\windows\system32\DSE2_DFT.dll
2010-11-02 21:28:47 200704 ----a-w- c:\windows\system32\libguide40.dll
2010-11-02 21:13:46 -------- d-----w- c:\program files\Vocaloid2 Sonika
2010-10-30 17:08:20 77824 ----a-w- c:\windows\SOUNDMAN_AVG_RESTORED.EXE
2010-10-30 17:08:20 77824 ----a-w- c:\windows\SOUNDMAN.EXE
2010-10-30 17:07:00 -------- d-----w- c:\docume~1\meg\applic~1\AVG10
2010-10-30 17:02:36 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-10-30 17:00:43 -------- d-----w- c:\windows\system32\drivers\AVG
2010-10-30 17:00:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-10-30 16:50:53 -------- d--h--w- C:\$AVG
2010-10-30 16:43:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-10-26 22:40:12 -------- d-----w- c:\program files\HyCam2
==================== Find3M ====================
2010-09-18 16:23:26 974848 ------w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ------w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ------w- c:\windows\system32\corpol.dll
2010-09-08 15:57:57 389120 ------w- c:\windows\system32\html.iec
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ------w- c:\windows\system32\win32k.sys
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP2014N rev.VC100-33 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A587446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a58d504]; MOV EAX, [0x8a58d580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A59F148]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000061[0x8A5B4968]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A5B3940]
\Driver\atapi[0x8A5A8190] -> IRP_MJ_CREATE -> 0x8A587446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [bP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_SP2014N_________________________VC100-33#30533838314a5930304133333737202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A587292
user != kernel MBR !!!
sectors 390721966 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
============= FINISH: 10:31:31.51 ===============

3) Ran GMER Rootkit Scanner. Ark.txt is zipped and attached.

Many thanks in advance for the work being done by the volunteers here.

Attach.zip
ark.zip
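The DDS and GMER output in the post above carries the indicators a helper would look at first: an IE system proxy pointed at the loopback address (http=127.0.0.1:80;https=127.0.0.1:443), a Firefox keyword.URL rewritten to a non-default search host, a toolbar entry whose file is gone ("No File"), and GMER's "user != kernel MBR" verdict, which means the MBR returned to user mode differs from what the kernel actually reads from disk. The script below is an added example, not part of this thread and not code from DDS, GMER or any of the tools named in it: it parses those line formats and returns the findings as tuples, so the same triage can be run over any DDS/GMER report. The sample log embedded in it is constructed to mirror the formats on this page, and the allowlist of default search hosts is an assumption of the example. It also covers the Firefox case in this log where proxy hosts are set but network.proxy.type is 0, which means Firefox is not actually using them.

```python
"""Triage a DDS/GMER-style log for browser-hijack and MBR indicators.

Added example; not part of the forum post or of DDS/GMER. Parsing is keyed on
the line formats those tools print. SAMPLE_LOG is constructed for the example.
"""
import re
from urllib.parse import unquote, urlsplit

# Assumption for the example: hosts a stock IE7 / Firefox 3 install would use.
KNOWN_SEARCH_HOSTS = {"www.google.com", "google.com", "www.bing.com", "search.yahoo.com"}

LOOPBACK = re.compile(r"\b(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)\b", re.I)


def parse_proxy_server(value):
    """'http=127.0.0.1:80;https=127.0.0.1:443' -> {'http': '127.0.0.1:80', ...}.
    A bare 'host:port' with no scheme prefix applies to every protocol ('*')."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            scheme, _, hostport = part.partition("=")
            out[scheme.strip().lower()] = hostport.strip()
        else:
            out["*"] = part
    return out


def triage(log_text):
    """Return a list of (severity, indicator, evidence) tuples, in log order."""
    findings = []
    ff_proxy_type = None
    ff_proxy_hosts = {}
    mbr_mismatch = False
    gmer_verdict = None
    for raw in log_text.splitlines():
        line = raw.strip()
        # IE system proxy on loopback: every request is funnelled through a local
        # process, the setup used by both parental-control filters and proxy hijackers.
        m = re.match(r"uInternet Settings,ProxyServer\s*=\s*(.+)", line)
        if m:
            for scheme, hostport in parse_proxy_server(m.group(1)).items():
                if LOOPBACK.search(hostport):
                    findings.append(("high", "ie-loopback-proxy", f"{scheme} -> {hostport}"))
            continue
        # keyword.URL is what the Firefox address bar sends non-URL input to.
        # DDS prints the pref percent-encoded, so decode before taking the host.
        m = re.match(r"FF - prefs\.js: keyword\.URL\s*-\s*(\S+)", line)
        if m:
            host = urlsplit(unquote(m.group(1))).hostname or ""
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(("medium", "ff-keyword-url-nondefault", host))
            continue
        m = re.match(r"FF - prefs\.js: network\.proxy\.type\s*-\s*(\d+)", line)
        if m:
            ff_proxy_type = int(m.group(1))
            continue
        m = re.match(r"FF - prefs\.js: network\.proxy\.(http|ssl|ftp|socks|gopher)\s*-\s*(.+)", line)
        if m:
            ff_proxy_hosts[m.group(1)] = m.group(2)
            continue
        # Toolbar/BHO registered but file missing: residue of a removed component.
        if re.match(r"(TB|BHO):.*-\s*No File$", line):
            findings.append(("low", "orphan-browser-extension", line))
            continue
        # GMER MBR check: user-mode and kernel-mode reads of sector 0 disagree.
        if "user != kernel MBR" in line:
            mbr_mismatch = True
        elif "rootkit infection detected" in line:
            gmer_verdict = line
    if mbr_mismatch:
        findings.append(("critical", "mbr-user-kernel-mismatch", gmer_verdict or "user != kernel MBR"))
    # Firefox only honours network.proxy.* hosts when network.proxy.type is 1 (manual).
    if ff_proxy_hosts and ff_proxy_type == 0:
        findings.append(("info", "ff-proxy-configured-but-disabled", ", ".join(sorted(ff_proxy_hosts))))
    return findings


# Constructed sample mirroring the DDS / GMER line formats, not a real capture.
SAMPLE_LOG = """\
uSearch Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:80;https=127.0.0.1:443
uInternet Settings,ProxyOverride = <local>;*.local
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\\program files\\google\\googletoolbar2.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
FF - prefs.js: keyword.URL - http%3A//search.myway.com/search/AJmain.jhtml%3Fsearchfor%3D%SEARCH_TERM%%26ptnrS%3DXB%26st%3DDNS
FF - prefs.js: network.proxy.http - Sorry, you have to ask Mom or Dad
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.type - 0
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 390721966 (+255): user != kernel
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

if __name__ == "__main__":
    for severity, indicator, evidence in triage(SAMPLE_LOG):
        print(f"[{severity:8}] {indicator}: {evidence}")
```

The MBR mismatch is reported once, from the verdict line when GMER prints one, rather than once per matching line; a loopback proxy is reported per protocol, because a hijacker that only wraps http and leaves https alone looks different in practice from one that wraps both.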