Everything posted by uvris3

  1. Hello, I was able to solve the problem by running Malwarebytes in safe mode. I thought I saved the log file to my desktop but cannot find it. It detected nine objects, asked me to restart the computer, and it seems to be running better. I appreciate the help you provided. If I find the log file I'll post it.
  2. Hello, is anyone aware of a virus that causes system shutdown while scanning with Malwarebytes?
  3. Hello, if it would help, I can re-do the quick scan, stopping it after the two detections but before I get a bluescreen and then send you the report on the two detected objects.
  4. To clarify my previous post, the computer put itself through a complete system check (disks, etc.) before starting back up after the shut down. I did not mean that I had to re-install the OS.
  5. Hello, I followed your instructions and started a Quick Scan with MBAM. It identified two objects (I think in "Documents and Settings" but am not sure), then my computer shut down due to an unexpected error (blue screen) approximately 30 minutes into the scan. This is the same thing that happened prior to running Rkill, unhide, TDSSKiller, and ESET. The computer required a complete OS restoration this time. Thank you for your continuing help.
  6. Hello. I have pasted the contents of the RKill, unhide, and ESET log files below. When I pasted the TDSSKiller log, I got an error message stating that the post was too long, so I have attached it as a file. Thank you for your continuing help!

     ###########################################################################
     RKill log:

     Rkill 2.6.5 by Lawrence Abrams (Grinler)
     http://www.bleepingcomputer.com/
     Copyright 2008-2014 BleepingComputer.com
     More Information about Rkill can be found at this link:
     http://www.bleepingcomputer.com/forums/topic308364.html

     Program started at: 01/12/2014 01:42:58 PM in x86 mode.
     Windows Version: Microsoft Windows XP Service Pack 3

     Checking for Windows services to stop:
     * No malware services found to stop.

     Checking for processes to terminate:
     * C:\WINDOWS\System32\WLTRYSVC.EXE (PID: 1864) [WD-HEUR]
     * C:\WINDOWS\System32\bcmwltry.exe (PID: 1896) [WD-HEUR]

     2 proccesses terminated!

     Checking Registry for malware related settings:
     * No issues found in the Registry.

     Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

     Performing miscellaneous checks:
     * Windows Defender Disabled
       [HKLM\SOFTWARE\Microsoft\Windows Defender]
       "DisableAntiSpyware" = dword:00000001

     ###########################################################################
     unhide log:

     Unhide by Lawrence Abrams (Grinler)
     http://www.bleepingcomputer.com/
     Copyright 2008-2014 BleepingComputer.com
     More Information about Unhide.exe can be found at this link:
     http://www.bleepingcomputer.com/forums/topic405109.html

     Program started at: 01/12/2014 01:44:36 PM
     Windows Version: Windows XP

     Please be patient while your files are made visible again.

     Processing the C:\ drive
     Finished processing the C:\ drive. 303052 files processed.

     The C:\DOCUME~1\HAL\LOCALS~1\Temp\smtmp\ folder does not exist!!
     Unhide cannot restore your missing shortcuts!!
     Please see this topic in order to learn how to restore default Start Menu shortcuts:
     http://www.bleepingcomputer.com/forums/topic405109.html

     Searching for Windows Registry changes made by FakeHDD rogues.
     - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
     - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
     - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
     - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
       * HidNoChangingWallPaperden policy was found and deleted!
     - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
       * Start_ShowMyMusic was set to 0! It was set back to 1!
       * Start_ShowMyPics was set to 0! It was set back to 1!
       * Start_ShowPrinters was set to 0! It was set back to 1!
       * Start_ShowSetProgramAccessAndDefaults was set to 0! It was set back to 1!
       * Start_ShowRecentDocs was set to 0! It was set back to 2!
       * Start_ShowNetConn was set to 0! It was set back to 1!
       * Start_ShowNetPlaces was set to 0! It was set back to 1!

     Program finished at: 01/12/2014 02:04:57 PM
     Execution time: 0 hours(s), 20 minute(s), and 20 seconds(s)

     ###########################################################################
     ESETScan log:

     C:\Program Files\Avira\AntiVir Desktop\Offercast_AVIRAV7_.exe  a variant of Win32/Bundled.Toolbar.Ask.D application  cleaned by deleting (after the next restart) - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1131\A0075355.dll  a variant of Win32/Toolbar.Conduit.P application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1131\A0075356.dll  a variant of Win32/Toolbar.Conduit.B application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1131\A0075357.exe  a variant of Win32/InstallIQ.A application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1131\A0076305.exe  a variant of Win32/Bundled.Toolbar.Ask.D application  cleaned by deleting - quarantined

     ###########################################################################
     (attached: TDSSKiller.3.0.0.19_12.01.2014_15.18.37_log.txt)
  7. Hello, I ran ComboFix.exe and have attached the log file. After completing ComboFix, I did a quick scan with Malwarebytes, and it is still detecting two objects. I did not get a bluescreen this time, but Malwarebytes did freeze again, and I had to manually shut down the computer and re-start. I greatly appreciate your continuing help in this matter.

     (attached: log.txt)
  8. Hello. I include the contents of the ESET scan below. I chose to have ESET remove the quarantined objects after the scan. I know you did not instruct me to do this, but I did a quick scan with Malwarebytes following the ESET scan and had the same problem: Malwarebytes detected two objects, it stopped, and then I got the blue screen. So, I guess something is still on the computer. Thank you in advance for any follow-on help.

     :\RECYCLER\S-1-5-21-3106242995-1852642597-4043359429-1006\Dc46.exe  a variant of Win32/InstallCore.D application
     C:\Documents and Settings\HAL\Application Data\Mozilla\Firefox\Profiles\6m7ci4cn.default\extensions\firefox@jumpflip.net.xpi  Win32/BrowseFox.B application  deleted - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\+uSWTWrT.exe.part  Win32/DownloadAdmin.G application  cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\13CLMTLq.exe.part  Win32/AdWare.1ClickDownload.AQ application  cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\G6boqvUW.exe.part  Win32/DownloadAdmin.G application  cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\ia7bgByC.exe.part  Win32/DownWare.I application  cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\P3VwCVM0.exe.part  Win32/AdWare.1ClickDownload.AQ application  cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\T8qkdHWD.exe.part  Win32/Adware.1ClickDownload.AM application  cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\tbRad0.dll  a variant of Win32/Toolbar.Conduit.B application  cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\xz_+frUK.exe.part  multiple threats  cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\ZHpWgoiy.exe.part  Win32/Adware.1ClickDownload.AM application  cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\temp\is1590112554\5094600_stp\Mysearchdial.exe  a variant of Win32/Toolbar.Funmoods.D application  cleaned by deleting - quarantined
     C:\Documents and Settings\HAL\Local Settings\Temporary Internet Files\Content.IE5\78KPN2P6\Setup[1].exe  multiple threats  cleaned by deleting - quarantined
     C:\Documents and Settings\LocalService\Local Settings\Application Data\Radio_1.1\ldrtbRad2.dll  a variant of Win32/Toolbar.Conduit.P application  cleaned by deleting - quarantined
     C:\Documents and Settings\LocalService\Local Settings\Application Data\Radio_1.1\tbRad2.dll  a variant of Win32/Toolbar.Conduit.B application  cleaned by deleting - quarantined
     C:\Program Files\Avira\AntiVir Desktop\offercast_avirav7_.exe  a variant of Win32/Bundled.Toolbar.Ask.D application  cleaned by deleting (after the next restart) - quarantined
     C:\RECYCLER\S-1-5-21-3106242995-1852642597-4043359429-1006\Dc47.exe  a variant of Win32/InstallIQ.A application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074134.exe  multiple threats  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074140.dll  a variant of Win32/Toolbar.Conduit.P application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074141.dll  a variant of Win32/Toolbar.Conduit.P application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074142.dll  a variant of Win32/Toolbar.Conduit.P application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074143.dll  a variant of Win32/PriceGong.A application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074144.dll  a variant of Win32/Toolbar.Conduit.B application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074146.dll  a variant of Win32/Toolbar.Conduit.B application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074147.dll  a variant of Win32/Toolbar.Conduit.B application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074153.dll  a variant of Win32/Toolbar.Conduit.P application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074154.dll  a variant of Win32/Toolbar.Conduit.P application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074155.dll  a variant of Win32/Toolbar.Conduit.P application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074158.dll  Win32/Toolbar.Conduit.O application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074161.dll  a variant of Win32/Toolbar.Conduit.B application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074162.dll  a variant of Win32/Toolbar.Conduit.B application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074163.dll  a variant of Win32/Toolbar.Conduit.B application  cleaned by deleting - quarantined
     C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1130\A0074207.rbf  a variant of Win32/Bundled.Toolbar.Ask.E application  cleaned by deleting - quarantined
     C:\WINDOWS\temp\AskSLib.dll  a variant of Win32/Bundled.Toolbar.Ask application  cleaned by deleting - quarantined
     C:\WINDOWS\temp\avnwldrtemp\setup\Offercast_AVIRAV7_.exe  a variant of Win32/Bundled.Toolbar.Ask.D application  cleaned by deleting - quarantined
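Triaging an ESET log like the two posted above (posts 6 and 8) means separating detections that sit in places Windows never executes on its own (System Restore copies, the Recycle Bin, temp and browser-cache files) from detections in locations that are loaded at runtime (an installed program directory, a browser extension folder), and spotting entries ESET reported without acting on. The parser below is an added example written for this page; it is not ESET's code and not part of the original post. The sample lines are constructed from entries quoted in the post, the tab-separated path/detection/action column layout is assumed from ESET's log format, and the location categories are my own grouping.

```python
import re
from collections import Counter

# Constructed sample in the ESET Online Scanner log layout (path, detection,
# action, tab-separated), using entries quoted in the post above.
SAMPLE_LOG = "\n".join("\t".join(cols) for cols in [
    (r":\RECYCLER\S-1-5-21-3106242995-1852642597-4043359429-1006\Dc46.exe",
     "a variant of Win32/InstallCore.D application"),
    (r"C:\Documents and Settings\HAL\Application Data\Mozilla\Firefox\Profiles\6m7ci4cn.default\extensions\firefox@jumpflip.net.xpi",
     "Win32/BrowseFox.B application", "deleted - quarantined"),
    (r"C:\Documents and Settings\HAL\Local Settings\temp\xz_+frUK.exe.part",
     "multiple threats", "cleaned by deleting - quarantined"),
    (r"C:\Program Files\Avira\AntiVir Desktop\offercast_avirav7_.exe",
     "a variant of Win32/Bundled.Toolbar.Ask.D application",
     "cleaned by deleting (after the next restart) - quarantined"),
    (r"C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1129\A0074143.dll",
     "a variant of Win32/PriceGong.A application", "cleaned by deleting - quarantined"),
    (r"C:\WINDOWS\temp\AskSLib.dll",
     "a variant of Win32/Bundled.Toolbar.Ask application", "cleaned by deleting - quarantined"),
])

# path (may contain spaces, so it is matched lazily up to the detection column),
# then the detection name, then an optional action column.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]?:\\.+?)\s+"
    r"(?P<detection>(?:a variant of )?(?:Win32/\S+(?: application)?|multiple threats))"
    r"(?:\s+(?P<action>\S.*?))?\s*$"
)

# Locations nothing loads from by itself; a hit there is a stale copy, not a
# running infection (the file still has to be removed, but it explains nothing).
INERT_LOCATIONS = {"restore-point copy", "recycle bin", "temp/cache"}


def classify_location(path: str) -> str:
    """Bucket a detection by where on disk it was found (assumed categories)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"
    if "\\recycler\\" in p:
        return "recycle bin"
    if "\\temp\\" in p or "temporary internet files" in p:
        return "temp/cache"
    if "\\profiles\\" in p and "\\extensions\\" in p:
        return "browser extension"
    if "\\program files\\" in p:
        return "installed program"
    return "other"


def parse_eset_log(text: str) -> list:
    """Parse one detection per line; lines that do not fit are kept as 'unparsed'."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            hits.append({"path": line, "detection": None, "action": None, "location": "unparsed"})
            continue
        hits.append({
            "path": m["path"],
            "detection": m["detection"],
            "action": m["action"],  # None when ESET listed the object but took no action
            "location": classify_location(m["path"]),
        })
    return hits


def triage(hits: list) -> dict:
    """Summarise: counts per location, hits in live locations, hits left untouched."""
    return {
        "by_location": dict(Counter(h["location"] for h in hits)),
        "live": [h for h in hits if h["location"] not in INERT_LOCATIONS],
        "unactioned": [h for h in hits if h["action"] is None],
    }


if __name__ == "__main__":
    summary = triage(parse_eset_log(SAMPLE_LOG))
    print("per location:", summary["by_location"])
    for h in summary["live"]:
        print("LIVE     ", h["location"], h["detection"], "->", h["path"])
    for h in summary["unactioned"]:
        print("NO ACTION", h["detection"], "->", h["path"])
```

On the sample, the two detections worth following up are the Firefox extension and the file in the Avira program directory; the restore-point, temp and Recycle Bin entries are copies that only matter if restored or executed by hand. The one entry with no action column (the RECYCLER file) is the kind ESET lists but leaves in place, so it needs manual removal.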
  9. Hello, I followed the instructions and have pasted the contents of JRT.txt and AdwCleaner.txt below. I encountered my original problem in Step 4: Malwarebytes detected two objects and then froze, and I got a blue screen when I tried to unfreeze or exit Malwarebytes. Previously, the same thing happened, but Malwarebytes had detected eight objects. So, I think the computer is still infected.

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Junkware Removal Tool (JRT) by Thisisu
     Version: 6.1.0 (01.07.2014:1)
     OS: Microsoft Windows XP x86
     Ran by HAL on Thu 01/09/2014 at 13:37:45.14
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     ~~~ Services

     ~~~ Registry Values

     Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{3004627E-F8E9-4E8B-909D-316753CBA923}
     Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
     Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
     Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
     Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
     Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
     Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-3106242995-1852642597-4043359429-1006\Software\Microsoft\Internet Explorer\Main\\Start Page
     Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page
     Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs\\Tabs

     ~~~ Registry Keys

     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escort.dll
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escortapp.dll
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escorteng.dll
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\escortlbr.dll
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\esrv.exe
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
     Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\dsiteproducts
     Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\installcore
     Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\mysearchdial
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\installcore
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\esrv.mysearchdialesrvc
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\esrv.mysearchdialesrvc.1
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialappcore
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialappcore.1
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialdskbnd
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialdskbnd.1
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialhlpr
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\mysearchdial.mysearchdialhlpr.1
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6db9fdfe-b718-4962-be0c-0a5fce7f7f7b}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{6db9fdfe-b718-4962-be0c-0a5fce7f7f7b}

     ~~~ Files

     ~~~ Folders

     Successfully deleted: [Folder] "C:\Documents and Settings\HAL\Application Data\mysearchdial"
     Successfully deleted: [Folder] "C:\Program Files\jump flip"
     Successfully deleted: [Folder] "C:\Program Files\mysearchdial"
     Successfully deleted: [Folder] "C:\Program Files\openit"
     Successfully deleted: [Folder] "C:\Documents and Settings\All Users\start menu\programs\open it!"

     ~~~ FireFox

     Successfully deleted: [File] C:\Documents and Settings\HAL\Application Data\mozilla\firefox\profiles\6m7ci4cn.default\user.js
     Successfully deleted: [File] C:\Documents and Settings\HAL\Application Data\mozilla\firefox\profiles\6m7ci4cn.default\searchplugins\mysearchdial.xml
     Successfully deleted: [Folder] C:\Documents and Settings\HAL\Application Data\mozilla\firefox\profiles\6m7ci4cn.default\extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8}

     Successfully deleted the following from C:\Documents and Settings\HAL\Application Data\mozilla\firefox\profiles\6m7ci4cn.default\prefs.js

     user_pref("browser.search.defaultenginename", "Mysearchdial");
     user_pref("browser.search.selectedEngine", "Mysearchdial");
     user_pref("extensions.mysearchdial.aflt", "dsites0101");
     user_pref("extensions.mysearchdial.appId", "{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}");
     user_pref("extensions.mysearchdial.cd", "2XzuyEtN2Y1L1QzutDtDtC0EyE0CyByCtC0A0BzytC0DyBtDtN0D0Tzu0SyByEtDtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutDzytDtC0B");
     user_pref("extensions.mysearchdial.cr", "1877023167");
     user_pref("extensions.mysearchdial.dfltLng", "");
     user_pref("extensions.mysearchdial.dfltSrch", true);
     user_pref("extensions.mysearchdial.dnsErr", true);
     user_pref("extensions.mysearchdial.excTlbr", false);
     user_pref("extensions.mysearchdial.hmpg", true);
     user_pref("extensions.mysearchdial.id", "001E4C761AB91D70");
     user_pref("extensions.mysearchdial.instlDay", "16079");
     user_pref("extensions.mysearchdial.instlRef", "");
     user_pref("extensions.mysearchdial.prdct", "mysearchdial");
     user_pref("extensions.mysearchdial.prtnrId", "mysearchdial");
     user_pref("extensions.mysearchdial.srchPrvdr", "Mysearchdial");
     user_pref("extensions.mysearchdial.tlbrId", "base");
     user_pref("extensions.mysearchdial.vrsn", "1.8.21.0");
     user_pref("extensions.mysearchdial.vrsni", "1.8.21.0");
     user_pref("extensions.mysearchdial_i.hmpg", true);
     user_pref("extensions.mysearchdial_i.newTab", false);
     user_pref("extensions.mysearchdial_i.smplGrp", "none");
     user_pref("extensions.mysearchdial_i.vrsnTs", "1.8.21.013:31:50");

     ~~~ Chrome

     Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff
     Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Scan was completed on Thu 01/09/2014 at 13:44:42.82
     End of JRT log
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     # AdwCleaner v3.016 - Report created 09/01/2014 at 13:55:44
     # Updated 23/12/2013 by Xplode
     # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
     # Username : HAL - LAPTOP2007
     # Running from : C:\Documents and Settings\HAL\My Documents\Downloads\AdwCleaner.exe
     # Option : Clean

     ***** [ Services ] *****

     ***** [ Files / Folders ] *****

     Folder Deleted : C:\Documents and Settings\LocalService\Local Settings\Application Data\Conduit
     Folder Deleted : C:\Documents and Settings\HAL\Application Data\Mozilla\Firefox\Profiles\6m7ci4cn.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
     Folder Deleted : C:\Documents and Settings\HAL\Application Data\Mozilla\Firefox\Profiles\6m7ci4cn.default\Extensions\ffxtlbr@mysearchdial.com
     File Deleted : C:\Documents and Settings\HAL\Local Settings\Application Data\mysearchdial-speeddial.crx
     File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v41ure3k.default\searchplugins\Mysearchdial.xml
     File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v41ure3k.default\user.js
     File Deleted : C:\Documents and Settings\HAL\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pflphaooapbgpeakohlggbpidpppgdff_0.localstorage

     ***** [ Shortcuts ] *****

     ***** [ Registry ] *****

     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\conduit.com
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3004627E-F8E9-4E8B-909D-316753CBA923}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4ED063C9-4A0B-4B44-A9DC-23AFF424A0D3}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C358B3D0-B911-41E3-A276-E7D43A6BA56D}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D40753C7-8A59-4C1F-BE88-C300F4624D5B}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF5625A3-37AB-4BDB-9875-2A3D91CD0DFD}
     Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF5625A3-37AB-4BDB-9875-2A3D91CD0DFD}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{219046AE-358F-4CF1-B1FD-2B4DE83642A8}
     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
     Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
     Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
     Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

     ***** [ Browsers ] *****

     -\\ Internet Explorer v8.0.6001.18702

     -\\ Mozilla Firefox v26.0 (en-US)

     [ File : C:\Documents and Settings\HAL\Application Data\Mozilla\Firefox\Profiles\6m7ci4cn.default\prefs.js ]

     [ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v41ure3k.default\prefs.js ]

     Line Deleted : user_pref("browser.search.selectedEngine", "Mysearchdial");
     Line Deleted : user_pref("browser.search.defaultenginename", "Mysearchdial");

     -\\ Google Chrome v32.0.1700.72

     [ File : C:\Documents and Settings\HAL\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

     Deleted : homepage
     Deleted : urls_to_restore_on_startup

     *************************

     AdwCleaner[R0].txt - [4487 octets] - [09/01/2014 13:52:02]
     AdwCleaner[s0].txt - [4474 octets] - [09/01/2014 13:55:44]

     ########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [4534 octets] ##########
  10. Hello, my original problem was that Malwarebytes detected eight infected objects and then froze, followed by bluescreen. I have followed the instructions, run dds.scr, and attached attach.txt and dds.txt. Thank you.

     (attached: attach.txt, dds.txt)
  11. Hello, I suspected infection of my computer (OS: WinXP) and so updated Malwarebytes and performed a quick scan. It finds 8 infected objects quickly, but then freezes. The first time it happened, I got a blue screen and had to remove the battery to reboot. The second time, it just froze, and I had to depress the power button to force a shutdown. Any help would be greatly appreciated. Thanks, HC.
  12. Hello, I received an email from a family member with an attachment that I opened (shouldn't have, I know). The family member's email account was obviously infected and was mailing the malware. A short time later, a pop-up appeared on my computer announcing that my computer was infected. I ran Malwarebytes, but it didn't find anything, so I performed your recommended procedure. Below are the contents of DDS.txt, and I have attached a zip file containing Attach.txt and ark.txt. Thank you very much for your help!

     .
     DDS (Ver_11-03-05.01) - NTFSx86
     Run by HAL at 20:24:52.03 on Wed 05/18/2011
     Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_24
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1243 [GMT -4:00]
     .
     AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
     .
     ============== Running Processes ===============
     .
     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\Program Files\Windows Defender\MsMpEng.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe
     svchost.exe
     C:\WINDOWS\System32\WLTRYSVC.EXE
     C:\WINDOWS\System32\bcmwltry.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Avira\AntiVir Desktop\sched.exe
     svchost.exe
     C:\Program Files\Avira\AntiVir Desktop\avguard.exe
     C:\Program Files\Dell Network Assistant\hnm_svc.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
     C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
     C:\WINDOWS\system32\nvsvc32.exe
     C:\Program Files\Dell Support Center\bin\sprtsvc.exe
     C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\STacSV.exe
     C:\WINDOWS\system32\svchost.exe -k imgsvc
     C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
     C:\WINDOWS\vVX6000.exe
     C:\Program Files\Logitech\QuickCam\Quickcam.exe
     C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
     C:\program files\real\realplayer\update\realsched.exe
     C:\Program Files\Common Files\Java\Java Update\jusched.exe
     C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
     C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\TouchFreeze\TouchFreeze.exe
     C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
     C:\Program Files\BELKIN\Video Dock Power Applet\PowerApp.exe
     C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\Program Files\Mozilla Thunderbird\thunderbird.exe
     C:\WINDOWS\system32\WISPTIS.EXE
     C:\Documents and Settings\HAL\Desktop\dds.scr
     .
     ============== Pseudo HJT Report ===============
     .
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uInternet Settings,ProxyOverride = <local>
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
     BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
     BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
     BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
     BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
     BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
     BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
     BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
     TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
     TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
     TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
     uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
     uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     uRun: [TouchFreeze] c:\program files\touchfreeze\TouchFreeze.exe
     mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
     mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
     mRun: [VX6000] c:\windows\vVX6000.exe
     mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
     mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
     mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
     mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
     mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
     mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
     dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
     StartupFolder: c:\docume~1\hal\startm~1\programs\startup\videod~1.lnk - c:\program files\belkin\video dock power applet\PowerApp.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
     IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
     DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
     Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
     Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
     SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
     .
     ================= FIREFOX ===================
     .
     FF - ProfilePath - c:\docume~1\hal\applic~1\mozilla\firefox\profiles\6m7ci4cn.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com
     FF - prefs.js: network.proxy.http - 127.0.0.1
     FF - prefs.js: network.proxy.http_port - 51939
     FF - prefs.js: network.proxy.type - 0
     FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
     FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
     FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
     FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
     FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
     FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
     FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
     FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
     FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
     FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
     FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
     FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
     FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
     FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
     .
     ---- FIREFOX POLICIES ----
     FF - user.js: yahoo.homepage.dontask - true
     .
     ============= SERVICES / DRIVERS ===============
     .
     R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-17 11608]
     R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-17 136360]
     R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-17 269480]
     R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-17 61960]
     R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
     S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-23 135664]
     S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\adm851x.sys --> c:\windows\system32\drivers\ADM851X.SYS [?]
     S3 cmudau32;C-Media USB UDA Sound Interface;c:\windows\system32\drivers\cmudaxu.sys --> c:\windows\system32\drivers\cmudaxu.sys [?]
     S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-23 135664]
     S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2010-8-5 29952]
     S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2010-8-5 41856]
     S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2010-8-5 39936]
     S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2010-8-5 59520]
     S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2006-6-29 2383152]
     .
     =============== Created Last 30 ================
     .
     2011-05-17 13:53:43  7071056  ----a-w-  c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{0794b6aa-a5f6-42b6-82ae-17426b7522eb}\mpengine.dll
     2011-05-02 00:40:05  49904  ----a-r-  c:\windows\system32\drivers\BVRPMPR5.SYS
     2011-05-02 00:32:17  --------  d-----w-  C:\Netgear
     2011-05-01 16:44:46  --------  d-----w-  c:\docume~1\alluse~1\applic~1\Skype Extras
     .
     ==================== Find3M ====================
     .
     2011-03-07 05:33:50  692736  ----a-w-  c:\windows\system32\inetcomm.dll
     2011-03-04 06:37:06  420864  ----a-w-  c:\windows\system32\vbscript.dll
     2011-03-03 13:21:11  1857920  ----a-w-  c:\windows\system32\win32k.sys
     2011-02-22 23:06:29  916480  ----a-w-  c:\windows\system32\wininet.dll
     2011-02-22 23:06:29  43520  ----a-w-  c:\windows\system32\licmgr10.dll
     2011-02-22 23:06:29  1469440  ----a-w-  c:\windows\system32\inetcpl.cpl
     2011-02-22 11:41:59  385024  ----a-w-  c:\windows\system32\html.iec
     .
     ============= FINISH: 20:25:15.12 ===============

     (attached: Attach.zip)
  13. OK, understood. I guess that's it. Thanks again for all your help!
  14. I followed the last steps. Your recommendations advise using a third-party firewall rather than Windows'. I've been using Windows'. I downloaded Outpost but haven't yet installed it. If I do, do you know whether I should then disable the Windows firewall? Thank you very much for your help in all of this!
  15. I had to run ComboFix twice, because I somehow failed to save the log the first time. After the first time, I did get the smartwebusb error message upon startup, but the second time, I didn't. Before failing to save the log file, I did notice that it listed smartwebusb as an orphan at the end of the file. The second log does not include any mention of this (please see the full log file pasted below). My computer appears to be running well.

ComboFix 11-01-18.03 - Administrator 01/18/2011 23:50:31.2.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1760 [GMT -5:00]
Running from: c:\cshare\Virus_Management\01-18-11\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((( Files Created from 2010-12-19 to 2011-01-19 )))))))))))))))))))))))))))))))
.
2011-01-18 16:45 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{125B28E6-ED64-417D-ADE2-EC6857783C73}\mpengine.dll
2011-01-18 03:49 . 2011-01-18 03:49 -------- d-----w- c:\documents and settings\HAL\Application Data\Avira
2011-01-18 03:39 . 2010-12-13 13:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-18 03:39 . 2010-12-13 13:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-18 03:39 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-01-18 03:39 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-01-18 03:39 . 2011-01-18 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-01-18 03:39 . 2011-01-18 03:39 -------- d-----w- c:\program files\Avira
2011-01-17 17:57 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-17 17:57 . 2011-01-17 17:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-17 17:57 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-25 20:25 . 2011-01-19 03:31 -------- d-----w- c:\windows\system32\NtmsData
2010-12-25 20:15 . 2010-12-25 20:15 -------- d-----w- c:\documents and settings\HAL\Application Data\Malwarebytes
2010-12-25 20:15 . 2010-12-25 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-25 01:14 . 2010-12-25 01:15 -------- d-----w- c:\documents and settings\Administrator
2010-12-21 06:33 . 2010-12-21 06:34 -------- d-----w- c:\windows\ie8updates
2010-12-20 15:37 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-12-20 15:37 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-12-20 15:37 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-12-20 05:17 . 2010-12-20 05:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-10 04:33 . 2008-03-02 18:57 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-14 1862144]
"VX6000"="c:\windows\vVX6000.exe" [2006-10-13 994096]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-15 202256]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\HAL\Start Menu\Programs\Startup\
Video Dock Power Applet.lnk - c:\program files\BELKIN\Video Dock Power Applet\PowerApp.exe [2006-10-27 188416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-27 15:44 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCT_HID_PATCH]
[X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-24 00:27 159744 ----a-w- c:\program files\DellTPad\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2007-05-09 20:59 1392640 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 11:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2007-09-07 23:49 1236992 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-10-10 00:57 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KADxMain]
2006-11-02 18:05 282624 ----a-w- c:\windows\system32\KADxMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-11-17 07:03 8495104 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2007-11-17 07:03 86016 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-11-17 07:03 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-11-17 07:03 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 15:00 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-04-16 22:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-02-16 23:04 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-15 13:47 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Documents and Settings\\HAL\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/17/2011 10:39 PM 135336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/23/2010 4:47 PM 135664]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\DRIVERS\ADM851X.SYS --> c:\windows\system32\DRIVERS\ADM851X.SYS [?]
S3 cmudau32;C-Media USB UDA Sound Interface;c:\windows\system32\drivers\cmudaxu.sys --> c:\windows\system32\drivers\cmudaxu.sys [?]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [8/5/2010 11:51 AM 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [8/5/2010 11:51 AM 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [8/5/2010 11:51 AM 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [8/5/2010 11:51 AM 59520]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [6/29/2006 6:56 PM 2383152]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder

2011-01-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-15 05:51]

2011-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 21:47]

2011-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 21:47]

2011-01-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2011-01-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3106242995-1852642597-4043359429-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2011-01-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3106242995-1852642597-4043359429-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2011-01-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3106242995-1852642597-4043359429-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2011-01-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3106242995-1852642597-4043359429-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3071214
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\v41ure3k.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-18 23:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1620)
c:\windows\system32\WININET.dll
.
Completion time: 2011-01-19 00:00:20
ComboFix-quarantined-files.txt 2011-01-19 05:00
ComboFix2.txt 2011-01-19 03:46

Pre-Run: 41,044,963,328 bytes free
Post-Run: 41,029,185,536 bytes free

- - End Of File - - 444EB994D3B28710FA38B3CA1B660917
  16. It's weird that SmartWebusb is neither in my Add/Remove Programs list nor pinned to my Startup (either checked or unchecked). As far as I know, I don't use it. After searching in the places you suggested, I rebooted to see if the "can't find" error is still there, and it is. Might there be another name for the program? I also looked in my "Program Files" directory and saw nothing. Thanks.
  17. I ran a new DDS scan as administrator in safe mode (I think there may be script blockers in my regular account) and received the results pasted below. I have also attached the Attach.txt file as Attach.zip. Thanks.

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Administrator at 15:32:42.59 on Tue 01/18/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1744 [GMT -5:00]

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\CSHARE\Virus_Management\01-18-11\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3071214
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3071214
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\v41ure3k.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-17 11608]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-17 135336]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-17 267944]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-17 61960]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-23 135664]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\adm851x.sys --> c:\windows\system32\drivers\ADM851X.SYS [?]
S3 cmudau32;C-Media USB UDA Sound Interface;c:\windows\system32\drivers\cmudaxu.sys --> c:\windows\system32\drivers\cmudaxu.sys [?]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2010-8-5 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2010-8-5 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2010-8-5 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2010-8-5 59520]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2006-6-29 2383152]

=============== Created Last 30 ================

2011-01-18 16:45:52 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{125b28e6-ed64-417d-ade2-ec6857783c73}\mpengine.dll
2011-01-18 03:39:33 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-18 03:39:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-01-18 03:39:31 -------- d-----w- c:\program files\Avira
2011-01-17 17:57:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-17 17:57:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-17 17:57:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-15 17:54:08 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-12-25 20:25:05 -------- d-----w- c:\windows\system32\NtmsData
2010-12-25 20:15:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-25 01:15:51 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Mozilla
2010-12-25 01:15:14 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2010-12-21 06:33:36 -------- d-----w- c:\windows\ie8updates
2010-12-20 15:37:35 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-12-20 15:37:34 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-12-20 15:37:33 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-12-19 20:54:25 -------- dc-h--w- c:\windows\ie8

==================== Find3M ====================

============= FINISH: 15:33:59.09 ===============
Attach.zip
  18. Thank you for your prompt response. I should have waited for it and apologize for not doing so, but before I proceed with your instructions, I want to let you know that I found a Malwarebytes forum log (after posting my first message and before receiving your response) that matched my symptoms so closely that I followed its instructions. I downloaded and ran ESET. It returned the following:

C:\Documents and Settings\HAL\Local Settings\Application Data\SmartWebusb\ClipmapSupport.dll a variant of Win32/Sefnit.AS trojan cleaned by deleting - quarantined
C:\Documents and Settings\HAL\Local Settings\Temporary Internet Files\Content.IE5\9M8MY3U0\status[1].txt Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined
C:\Documents and Settings\HAL\Local Settings\Temporary Internet Files\Content.IE5\FUCISZGS\pub[1].crt Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined

I haven't had malware symptoms since doing so. I do receive the following message upon starting my computer:

Error loading C:\Documents and Settings\JAK\Local Settings\Application Data\SmartWebusb/ClipmapSupport.dll

Please advise whether I should proceed with your set of instructions (again, I'm sorry I didn't wait for your posting). I realize now that what I did was risky, because I wasn't even sure if the posting steps I followed are applicable to my OS, etc. Thanks.
  19. I have had the same symptoms described in a previous posting ("I'm infected - What do I do now?, Please follow these instructions to clean your system" from Jan 9 2009). These include the inability to update Avira and Malwarebytes and redirection of Google searches to unwanted sites. I also have had windows appear indicating that my computer is infected with a password-stealing virus. The problem first occurred December 24, 2010. Malwarebytes found infections that Avira hadn't. However, in the intervening time, I've had recurring problems (like those previously mentioned), leading me to believe there is still an undetected infection present. Today, I followed the instructions in the Jan 9 2009 posting. The results from a recent Malwarebytes quick scan and from DDS are included below. The files named ark.txt and Attach.txt are attached as a zipped file. Thank you in advance for your time and help.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5541

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

1/17/2011 6:50:07 PM
mbam-log-2011-01-17 (18-50-07).txt

Scan type: Quick scan
Objects scanned: 153525
Time elapsed: 10 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by JAK at 13:21:43.93 on Mon 01/17/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1664 [GMT -5:00]

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Documents and Settings\JAK\Desktop\Defogger.exe
C:\Documents and Settings\JAK\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:8075
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ClipmapSupport] rundll32.exe "c:\documents and settings\jak\local settings\application data\smartwebusb\ClipmapSupport.dll",WinUserARM advmapapi
uRunOnce: [scan_after_setup] "c:\program files\avira\antivir desktop\avcenter.exe" /SCANAFTERSETUP="scan wait newprocess"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\jak\startm~1\programs\startup\videod~1.lnk - c:\program files\belkin\video dock power applet\PowerApp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jak\applic~1\mozilla\firefox\profiles\6m7ci4cn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51939
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-17 11608]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-17 135336]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-17 267944]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-17 61960]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-23 135664]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\adm851x.sys --> c:\windows\system32\drivers\ADM851X.SYS [?]
S3 cmudau32;C-Media USB UDA Sound Interface;c:\windows\system32\drivers\cmudaxu.sys --> c:\windows\system32\drivers\cmudaxu.sys [?]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2010-8-5 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2010-8-5 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2010-8-5 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2010-8-5 59520]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2006-6-29 2383152]

=============== Created Last 30 ================

2011-01-17 18:12:46 -------- d-----w- c:\docume~1\jak\applic~1\Avira
2011-01-17 18:05:04 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-17 18:05:04 -------- d-----w- c:\program files\Avira
2011-01-17 18:05:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-01-17 17:57:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-17 17:57:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-17 17:57:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-14 15:57:43 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{69783d37-90af-49f6-81be-988b89cfd2d4}\mpengine.dll
2010-12-25 20:25:05 -------- d-----w- c:\windows\system32\NtmsData
2010-12-25 20:15:59 -------- d-----w- c:\docume~1\jak\applic~1\Malwarebytes
2010-12-25 20:15:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-21 06:33:36 -------- d-----w- c:\windows\ie8updates
2010-12-20 15:37:35 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-12-20 15:37:34 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-12-20 15:37:33 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-12-19 23:12:12 -------- d-sh--w- c:\documents and settings\jak\IECompatCache
2010-12-19 23:00:25 -------- d-----w- c:\docume~1\jak\locals~1\applic~1\SmartWebusb
2010-12-19 22:58:15 -------- d-sh--w- c:\documents and settings\jak\PrivacIE
2010-12-19 22:38:39 -------- d-sh--w- c:\documents and settings\jak\IETldCache
2010-12-19 20:54:25 -------- dc-h--w- c:\windows\ie8

==================== Find3M ====================

============= FINISH: 13:24:58.56 ===============

attachments.zip
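The DDS log in the post above carries three indicators that explain the reported symptoms without any further scanning: Internet Explorer's per-user proxy is set to 127.0.0.1:8075 with only local addresses excluded, so every IE request passes through a process listening on the machine itself (which is how search redirection is typically done); Firefox has the same kind of loopback proxy entry (127.0.0.1:51939), although network.proxy.type is 0, meaning Firefox is currently set to connect directly and the entry is dormant; and a HKCU Run value named ClipmapSupport starts rundll32.exe with a DLL under the user's Local Settings\Application Data\SmartWebusb folder, which is the same file ESET later deleted and the same path named in the "Error loading ..." dialog at logon (rundll32 shows that dialog when its DLL no longer exists, so the dialog is the orphaned Run value, not a new infection). The script below is an added example, not code from the thread or from any of the tools mentioned: it runs those three checks over DDS-style lines. The sample lines are copied from the posted log (with two benign autoruns and the AppInit_DLLs line included so the checks have something to leave alone); the regexes, the user-writable-path heuristic and the severity labels are my own assumptions, and the file name in `gone` is the path from the poster's error message.

```python
import re

# Lines copied from the DDS "Pseudo HJT Report" / FIREFOX sections posted above.
# The two system32 autoruns and the AppInit_DLLs line are benign and should not be flagged.
SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:8075
uInternet Settings,ProxyOverride = <local>
uRun: [ClipmapSupport] rundll32.exe "c:\documents and settings\jak\local settings\application data\smartwebusb\ClipmapSupport.dll",WinUserARM advmapapi
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51939
FF - prefs.js: network.proxy.type - 0
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
"""

# IE per-user proxy (HKCU\...\Internet Settings\ProxyServer) pointing at loopback.
IE_LOOPBACK_PROXY = re.compile(r"ProxyServer\s*=\s*(?:https?=)?127\.0\.0\.1:(\d+)", re.I)
# Run / RunOnce value that launches rundll32 with a DLL path as its first argument.
RUNDLL_AUTORUN = re.compile(
    r"^[umd]Run(?:Once)?:\s*\[(?P<name>[^\]]+)\]\s*rundll32\.exe\s+\"?(?P<dll>[^\",]+?\.dll)\"?", re.I)
# Firefox proxy prefs as DDS prints them ("FF - prefs.js: <pref> - <value>").
FF_PROXY_PREF = re.compile(r"prefs\.js:\s*(network\.proxy\.\w+)\s*-\s*(\S+)", re.I)

# Heuristic (assumption): a DLL loaded at logon from a location a standard user can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\application data\\",
                 "\\appdata\\", "\\temp\\")


def _norm(path: str) -> str:
    """Case-fold and unify slashes so a log path and an error-dialog path compare equal."""
    return path.strip().strip('"').lower().replace("/", "\\")


def _user_writable(path: str) -> bool:
    return any(marker in _norm(path) for marker in USER_WRITABLE)


def analyze(dds_text: str) -> list:
    """Return findings (dicts with severity/kind/detail) for the indicators handled here."""
    findings = []
    ff_prefs = {}
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IE_LOOPBACK_PROXY.search(line)
        if m:
            findings.append({"severity": "high", "kind": "ie_loopback_proxy",
                             "detail": f"IE HTTP traffic is routed through 127.0.0.1:{m.group(1)}; "
                                       "a local process sits between the browser and the network"})
            continue
        m = RUNDLL_AUTORUN.match(line)
        if m and _user_writable(m.group("dll")):
            findings.append({"severity": "high", "kind": "rundll32_autorun_user_path",
                             "name": m.group("name"), "path": m.group("dll"),
                             "detail": f"[{m.group('name')}] loads a DLL from a user-writable path at logon"})
            continue
        m = FF_PROXY_PREF.search(line)
        if m:
            ff_prefs[m.group(1).lower()] = m.group(2)
            continue
        if line.lower().startswith("appinit_dlls:") and line.split(":", 1)[1].strip():
            findings.append({"severity": "info", "kind": "appinit_dll",
                             "detail": "AppInit_DLLs is set; it is injected into every user32 process, verify the vendor"})
    if ff_prefs.get("network.proxy.http") == "127.0.0.1":
        # network.proxy.type 1 = manual proxy in use; 0 = direct connection, so the
        # loopback entry is present but dormant. Report it either way.
        active = ff_prefs.get("network.proxy.type") == "1"
        findings.append({"severity": "high" if active else "medium", "kind": "firefox_loopback_proxy",
                         "detail": f"Firefox proxy set to 127.0.0.1:{ff_prefs.get('network.proxy.http_port', '?')} "
                                   f"({'active' if active else 'configured but proxy type is direct'})"})
    return findings


def orphaned_autoruns(findings: list, removed_files: list) -> list:
    """Names of rundll32 autoruns whose DLL has already been deleted. These produce the
    'Error loading <path>' dialog at every logon until the Run value itself is removed."""
    removed = {_norm(p) for p in removed_files}
    return [f["name"] for f in findings
            if f["kind"] == "rundll32_autorun_user_path" and _norm(f["path"]) in removed]


if __name__ == "__main__":
    results = analyze(SAMPLE_DDS)
    for f in results:
        print(f"{f['severity']:<6} {f['kind']:<28} {f['detail']}")
    # Path exactly as it appears in the poster's startup error message (forward slash included).
    gone = ["C:\\Documents and Settings\\JAK\\Local Settings\\Application Data\\SmartWebusb/ClipmapSupport.dll"]
    print("orphaned autoruns:", orphaned_autoruns(results, gone))
```

Feed it a whole DDS.txt and it reports the same four findings for this machine; the interesting design point is that the Firefox check collects the three prefs first and only decides severity once network.proxy.type is known, since a loopback proxy that the browser is not using is cleanup work rather than an active hijack.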