thefossil Posted November 22, 2011 ID:497056

Thanks in advance guys! Weird network stuff was going on; it always seems to be "acquiring network address" even though it's already connected. Ran AVG and it identified Trojan Horse Agent_r.ARN as the culprit, but it couldn't remove it all, and the latest update of MBAM didn't ID any more badness. Ping.exe always starts up in my task manager and grows to over 250,000K if I don't end the process manually, but it always comes back.

Here's my DDS log:
Is there hope for this thing?

Thanks again,
thefossil

Attached: attach2.txt
Elise Posted November 22, 2011 ID:497250

Hello, I see evidence of a ZeroAccess rootkit here. Before starting the cleaning process, please make sure to read the following information.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)

Double click on Combofix.exe and follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.
thefossil Posted November 23, 2011 (Author) ID:497470

Things seem a little happier now. Here is my ComboFix log, and I'm running another AVG scan, too. Thank you!
center]"AntiVirusOverride"=dword:00000001.[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\WINDOWS\\system32\\LEXPPS.EXE"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"="c:\\WINDOWS\\system32\\mmc.exe"="c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"="c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"="c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Documents and Settings\\lisa\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"="c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"="c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"="c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=.[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"67:UDP"= 67:UDP:DHCP Discovery Service"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009"5985:TCP"= 5985:TCP:Windows Remote Management "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service.R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 3:27 PM 23120]R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 3:03 PM 32592]R0 
SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [4/15/2011 4:38 PM 13496]R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 5:41 AM 230608]R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 2:49 AM 295248]R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [5/30/2011 1:16 PM 328536]R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 12:56 AM 14336]R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [4/25/2010 7:31 PM 20968]R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [11/30/2008 7:04 PM 66048]R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [3/9/2009 7:35 PM 10384]R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [12/9/2008 9:45 PM 72672]R2 PfFilter;PfFilter;c:\program files\IObit\Protected Folder\pffilter.sys [3/30/2011 5:53 AM 140848]R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 10:03 PM 24652]R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [9/24/2011 6:26 PM 246600]R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 8:28 PM 134608]R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 6:53 AM 24272]R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 6:53 AM 16720]R3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 9:09 PM 267568]S2 gupdate;Google Update Service (gupdate);c:\program 
files\Google\Update\GoogleUpdate.exe [12/24/2009 12:35 PM 135664]S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [8/13/2011 6:15 PM 1025352]S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 9:58 AM 11336]S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2009 12:35 PM 135664]S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 12:56 AM 14336]S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [3/27/2006 5:53 PM 167808]S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [11/30/2008 9:40 PM 13532]S3 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 12:56 AM 14336].--- Other Services/Drivers In Memory ---.*Deregistered* - uphcleanhlp.[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]getPlusHelper REG_MULTI_SZ getPlusHelpernosGetPlusHelper REG_MULTI_SZ nosGetPlusHelperAkamai REG_MULTI_SZ AkamaiWINRM REG_MULTI_SZ WINRM.Contents of the 'Scheduled Tasks' folder.2011-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57].2011-11-23 c:\windows\Tasks\ASC4_PerformanceMonitor.job- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-05-30 21:40].2011-11-23 c:\windows\Tasks\ConfigExec.job- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 03:09].2011-11-23 c:\windows\Tasks\DataUpload.job- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 03:09].2011-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 18:35].2011-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program 
files\Google\Update\GoogleUpdate.exe [2009-12-24 18:35].2011-11-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-2000478354-725345543-1003Core.job- c:\documents and settings\lisa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-01 00:55].2011-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-2000478354-725345543-1003UA.job- c:\documents and settings\lisa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-01 00:55].2011-11-22 c:\windows\Tasks\SmartDefrag_Schedule.job- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-03-21 22:29].2011-11-23 c:\windows\Tasks\User_Feed_Synchronization-{6DF41989-522B-40C0-9BBE-E87DB8122F07}.job- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]..------- Supplementary Scan -------.uStart Page = hxxp://www.yahoo.com/uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8mStart Page = hxxp://www.yahoo.com/mWindow Title = Microsoft Internet Explorer presented by ComcastmSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.htmluInternet Connection Wizard,ShellNext = iexploreuInternet Settings,ProxyOverride = *.localuSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.comIE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTMLIE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htmIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.htmlIE: Read EXIF - c:\program files\ArcSoft\RAW Thumbnail Viewer\ArcEXIFM.htmIE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htmIE: Yahoo! 
&Maps - file:///c:\program files\Yahoo!\Common/ycmap.htmIE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htmTrusted Zone: turbotax.comHandler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dllHandler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dllDPF: RaptisoftGameLoader - hxxp://real.gamehouse.com/games/raptisoft/raptisoftgameloader.cabFF - ProfilePath - c:\documents and settings\lisa\Application Data\Mozilla\Firefox\Profiles\3qln381a.default\FF - prefs.js: browser.search.selectedEngine - AVG Secure SearchFF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=enFF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e47138e&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=us&lng=en-US&q=FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.comFF - Ext: Adobe DLM (powered by getPlus®): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtensionFF - Ext: RAW Thumbnail Viewer: RAWThumbnailViewer@arcsoft.com.cn - c:\program files\ArcSoft\RAW Thumbnail Viewer\FireFox ExtensionFF - Ext: AVG Security Toolbar em:version=7.008.031.001 em:displayname=AVG Security Toolbar 
em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\AVG\AVG10\Toolbar\Firefox\avg@igearedFF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ffFF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG2012\Firefox4FF - user.js: browser.cache.memory.capacity - 16000FF - user.js: browser.chrome.favicons - falseFF - user.js: browser.display.show_image_placeholders - trueFF - user.js: browser.turbo.enabled - trueFF - user.js: browser.urlbar.autocomplete.enabled - trueFF - user.js: browser.urlbar.autofill - trueFF - user.js: content.max.tokenizing.time - 3000000FF - user.js: content.maxtextrun - 4095FF - user.js: content.notify.backoffcount - 5FF - user.js: content.notify.interval - 1000000FF - user.js: content.notify.ontimer - trueFF - user.js: content.switch.threshold - 1000000FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy ServiceFF - user.js: dom.disable_window_status_change - trueFF - user.js: network.http.max-connections - 48FF - user.js: network.http.max-connections-per-server - 16FF - user.js: network.http.max-persistent-connections-per-proxy - 16FF - user.js: network.http.max-persistent-connections-per-server - 8FF - user.js: network.http.pipelining - trueFF - user.js: network.http.pipelining.firstrequest - trueFF - user.js: network.http.pipelining.maxrequests - 8FF - user.js: network.http.proxy.pipelining - trueFF - user.js: network.http.request.max-start-delay - 0FF - user.js: nglayout.initialpaint.delay - 1000FF - user.js: plugin.expose_full_path - trueFF - user.js: ui.submenuDelay - 0FF - user.js: yahoo.homepage.dontask - true.- - - - ORPHANS REMOVED - - - -.HKCU-Run-LxrAutorun - c:\documents and settings\lisa\Local Settings\Application Data\Lexar 
Media\LxrAutorun.exe
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-23 04:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_d768ebc.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(752)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(3032)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrSII1s.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\program files\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2011-11-23 04:22:45 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-23 10:22
.
Pre-Run: 77,738,704,896 bytes free
Post-Run: 78,469,324,800 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - FF525B2C588E8DDB68A8D0FEECD39C7B
Elise Posted November 23, 2011 ID:497478

Hello, that looks already a lot better! Do you have any problem left at this point?

We need to scan the system with this special tool:

* Please download and save: Junction.zip
* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.
thefossil Posted November 23, 2011 Author ID:497635

AVG scan showed that Windows/System32/Drivers/serial.sys was infected but whitelisted as it was a necessary OS file.

When the computer first displayed signs that it was infected and I attempted to restore to the previous day's restore point, I remember it didn't work and said that the serial.sys was the problem, if that helps. Can I start in safe mode command prompt and simply restore that one file from my XP Pro CD? Or SFC System File Checker?

I'll run the tool with the link you provided and post results.

Thank you
thefossil Posted November 23, 2011 Author ID:497637

Here is my Junction Log:

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e46896b57266e9a4671ee5518eeb67ff_c1599a1b-3328-4e00-82e1-06f86507f2e5: Access is denied.
...
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.
...
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB8494$\4249869409: Access is denied.
\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
   Print Name     : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
   Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
   Print Name     : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
   Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
...

ALSO, this is the log from the AVG scan in Safe Mode (command line only):

AVG 2012 Anti-Virus command line scanner
Copyright © 1992 - 2011 AVG Technologies
Program version 2012.0.1873, engine 2012.0.2101
Virus Database: Version 2101/4630 2011-11-21

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e46896b57266e9a4671ee5518eeb67ff_c1599a1b-3328-4e00-82e1-06f86507f2e5  Locked file. Not tested.
C:\Documents and Settings\lisa\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Locked file. Not tested.
C:\Documents and Settings\lisa\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Locked file. Not tested.
C:\Documents and Settings\lisa\ntuser.dat  Locked file. Not tested.
C:\Documents and Settings\lisa\ntuser.dat.LOG  Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT  Locked file. Not tested.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG  Locked file. Not tested.
C:\pagefile.sys  Locked file. Not tested.
C:\System Volume Information\  Locked file. Not tested.
C:\WINDOWS\Downloaded Installations\{526DEA13-3565-48BD-BD60-F2F936C4DCB8}\URGE.msi:\Binary.NewBinary19  May be infected by unknown virus Win32/DH.00000000{00880001-00000021-00000000}
C:\WINDOWS\Downloaded Installations\{526DEA13-3565-48BD-BD60-F2F936C4DCB8}\URGE.msi:\ISSetupFile.SetupFile3  May be infected by unknown virus Win32/DH.00000000{00880001-00000021-00000000}
C:\WINDOWS\Downloaded Installations\{526DEA13-3565-48BD-BD60-F2F936C4DCB8}\URGE.msi  May be infected by unknown virus Win32/DH.00000000{00880001-00000021-00000000}
C:\WINDOWS\Installer\28a2fc5.msi:\Binary.NewBinary19  May be infected by unknown virus Win32/DH.00000000{00880001-00000021-00000000}
C:\WINDOWS\Installer\28a2fc5.msi:\ISSetupFile.SetupFile3  May be infected by unknown virus Win32/DH.00000000{00880001-00000021-00000000}
C:\WINDOWS\Installer\28a2fc5.msi  May be infected by unknown virus Win32/DH.00000000{00880001-00000021-00000000}
C:\WINDOWS\system32\config\default  Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG  Locked file. Not tested.
C:\WINDOWS\system32\config\SAM  Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG  Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY  Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG  Locked file. Not tested.
C:\WINDOWS\system32\config\software  Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG  Locked file. Not tested.
C:\WINDOWS\system32\config\system  Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG  Locked file. Not tested.
------------------------------------------------------------
Test started: 22.11.2011 12:26:34
Duration of test: 2 hour(s) 55 minute(s) 48 second(s)
------------------------------------------------------------
Objects scanned : 820834
Found infections : 6
Found PUPs : 0
Healed infections : 0
Healed PUPs : 0
Warnings : 0
------------------------------------------------------------
thefossil Posted November 24, 2011 Author ID:497653

Also from AVG:

"Object name";"C:\WINDOWS\system32\drivers\serial.sys"
"Detection name";"Trojan horse Hider.OKI"
"Object type";"file"
"SDK Type";"Core"
"Result";"Object is white-listed (critical/system file that should not be removed)"
"Action history";""

And a warning for cookies.sqlite in the firefox folder just now.
Elise Posted November 24, 2011 ID:497776

Thank you for the additional information!

Please download GrantPerms.zip and save it to your desktop.
Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
Copy and paste the following in the edit box:

c:\WINDOWS\$NtUninstallKB8494$\4249869409

Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:filefind
serial.sys

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
thefossil Posted November 26, 2011 Author ID:498185

Here we go:

GrantPerms by Farbar
Ran by lisa (administrator) at 2011-11-25 18:25:33
===============================================

ERROR: Parsing the SD of <\\?\c:\WINDOWS\$NtUninstallKB8494$\4249869409> failed with: Access is denied.
Operating system error message: Access is denied.

SystemLook 30.07.11 by jpshortstuff
Log created at 18:27 on 25/11/2011 by lisa
Administrator - Elevation successful

========== filefind ==========

Searching for "serial.sys"
C:\WINDOWS\$NtServicePackUninstall$\serial.sys -----c- 64896 bytes [09:40 24/09/2008] [23:15 03/08/2004] CD9404D115A00D249F70A371B46D5A26
C:\WINDOWS\ServicePackFiles\i386\serial.sys ------- 64512 bytes [21:38 15/09/2008] [19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7
C:\WINDOWS\system32\dllcache\serial.sys --a--c- 64512 bytes [23:15 03/08/2004] [19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7
C:\WINDOWS\system32\drivers\serial.sys --a---- 64512 bytes [23:15 03/08/2004] [19:15 13/04/2008] 337B4E3B32C7B94EF758A077C46A53BF

-= EOF =-
Elise Posted November 26, 2011 ID:498296

Hi again,

CF-SCRIPT
-------------
We need to execute a CF-script.

Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Click Start > Run and in the box that opens type notepad and press enter.
Copy/paste the text in the codebox below into it:

FCopy::
C:\WINDOWS\ServicePackFiles\i386\serial.sys | C:\WINDOWS\system32\drivers\serial.sys

Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
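The check behind the last two posts, written out as an added Python example (not code from the thread, SystemLook or ComboFix): it parses the "filefind" result lines exactly as they were posted, treats the ServicePackFiles and dllcache copies as references, flags the live drivers\serial.sys whose MD5 differs even though its size and timestamps match the reference, and names the copy a restore should come from. The role classification by path is an assumption about the XP directory layout; the four input lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed input: the four "filefind" result lines for serial.sys exactly as
# they appear in the SystemLook log posted above (paths, sizes, stamps, MD5s).
SYSTEMLOOK_OUTPUT = r"""
========== filefind ==========
Searching for "serial.sys"
C:\WINDOWS\$NtServicePackUninstall$\serial.sys -----c- 64896 bytes [09:40 24/09/2008] [23:15 03/08/2004] CD9404D115A00D249F70A371B46D5A26
C:\WINDOWS\ServicePackFiles\i386\serial.sys ------- 64512 bytes [21:38 15/09/2008] [19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7
C:\WINDOWS\system32\dllcache\serial.sys --a--c- 64512 bytes [23:15 03/08/2004] [19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7
C:\WINDOWS\system32\drivers\serial.sys --a---- 64512 bytes [23:15 03/08/2004] [19:15 13/04/2008] 337B4E3B32C7B94EF758A077C46A53BF
-= EOF =-
"""

# One SystemLook result line: <path> <7 attribute flags> <size> bytes [mtime] [ctime] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileFindEntry:
    path: str
    attrs: str
    size: int
    mtime: str
    ctime: str
    md5: str

    @property
    def role(self) -> str:
        """Classify the copy by where it lives (assumed XP layout)."""
        p = self.path.lower()
        if "\\servicepackfiles\\i386\\" in p:
            return "reference"     # service-pack install source
        if "\\system32\\dllcache\\" in p:
            return "reference"     # Windows File Protection cache
        if "\\system32\\drivers\\" in p:
            return "live"          # the copy the kernel actually loads
        if "$ntservicepackuninstall$" in p:
            return "sp_uninstall"  # pre-service-pack build: legitimately different
        return "other"


def parse_filefind(text: str) -> List[FileFindEntry]:
    """Return one entry per result line; headers and the EOF marker are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(FileFindEntry(m["path"], m["attrs"], int(m["size"]),
                                         m["mtime"], m["ctime"], m["md5"].upper()))
    return entries


def assess(entries: List[FileFindEntry]) -> Dict[str, object]:
    """Compare the live driver against the protected reference copies."""
    live = [e for e in entries if e.role == "live"]
    refs = [e for e in entries if e.role == "reference"]
    if len(live) != 1 or not refs:
        return {"verdict": "inconclusive",
                "reason": "need exactly one live copy and at least one reference"}
    cur = live[0]
    ref_md5s = {r.md5 for r in refs}
    # Prefer the service-pack source as the restore origin (what the CF-script
    # above does) and fall back to the dllcache copy.
    source = next((r for r in refs if "servicepackfiles" in r.path.lower()), refs[0])
    return {
        "verdict": "tampered" if cur.md5 not in ref_md5s else "clean",
        "live_path": cur.path,
        "live_md5": cur.md5,
        "reference_md5s": sorted(ref_md5s),
        "size_matches_reference": any(r.size == cur.size for r in refs),
        # Identical stamps with a different hash: a size/timestamp check alone
        # would not have caught this copy.
        "timestamps_match_reference": any(
            r.mtime == cur.mtime and r.ctime == cur.ctime for r in refs),
        "restore_from": source.path,
    }


if __name__ == "__main__":
    for key, value in assess(parse_filefind(SYSTEMLOOK_OUTPUT)).items():
        print(f"{key}: {value}")
```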
thefossil Posted November 26, 2011 Author ID:498374

So far, so good!

Here is the latest ComboFix log:

ComboFix 11-11-22.03 - lisa 11/26/2011 16:25:34.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1016.531 [GMT -6:00]
Running from: c:\documents and settings\lisa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\lisa\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\default_user_class.dat.LOG
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\serial.sys --> c:\windows\system32\drivers\serial.sys
.
((((((((((((((((((((((((( Files Created from 2011-10-26 to 2011-11-26 )))))))))))))))))))))))))))))))
.
.
2011-11-23 23:21 . 2010-09-07 21:39 150392 ----a-w- c:\windows\junction.exe
2011-11-23 23:20 . 2011-11-26 22:18 -------- d-----w- C:\Utilities
2011-11-21 13:19 . 2011-11-21 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-11-21 04:55 . 2011-11-21 04:55 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-21 04:53 . 2011-11-21 04:54 -------- d-----w- c:\program files\iTunes
2011-11-21 03:05 . 2011-11-21 04:52 -------- d-----w- C:\8d352e4a5375fdb323eec8ba1cae
2011-11-17 04:09 . 2011-11-18 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Hagel Technologies
2011-11-17 04:09 . 2011-11-17 04:09 -------- d-----w- c:\program files\TweakMASTER
2011-11-06 18:38 . 2011-11-06 18:38 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-11-06 16:45 . 2011-11-06 16:45 -------- d-----w- c:\windows\ASTULogTemp
2011-11-04 01:30 .
2011-11-18 01:09 -------- d-----w- c:\documents and settings\lisa\Local Settings\Application Data\Akamai
Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"="c:\\WINDOWS\\system32\\mmc.exe"="c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"="c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"="c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Documents and Settings\\lisa\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"="c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"="c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"="c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=.[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"67:UDP"= 67:UDP:DHCP Discovery Service"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009"5985:TCP"= 5985:TCP:Windows Remote Management "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service.R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 3:27 PM 23120]R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 3:03 PM 32592]R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [4/15/2011 4:38 PM 13496]R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 5:41 AM 230608]R1 Avgtdix;AVG TDI 
Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 2:49 AM 295248]R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [5/30/2011 1:16 PM 328536]R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 12:56 AM 14336]R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [4/25/2010 7:31 PM 20968]R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [11/30/2008 7:04 PM 66048]R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [3/9/2009 7:35 PM 10384]R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [12/9/2008 9:45 PM 72672]R2 PfFilter;PfFilter;c:\program files\IObit\Protected Folder\pffilter.sys [3/30/2011 5:53 AM 140848]R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 10:03 PM 24652]R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [9/24/2011 6:26 PM 246600]R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 8:28 PM 134608]R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 6:53 AM 24272]R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 6:53 AM 16720]S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2009 12:35 PM 135664]S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [8/13/2011 6:15 PM 1025352]S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 9:58 AM 11336]S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe 
[12/24/2009 12:35 PM 135664]S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 9:09 PM 267568]S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 12:56 AM 14336]S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [3/27/2006 5:53 PM 167808]S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [11/30/2008 9:40 PM 13532]S3 SM_sugo3_FUService;sugo3 Status Monitor Service;"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service --> c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc [?]S3 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 12:56 AM 14336].--- Other Services/Drivers In Memory ---.*Deregistered* - uphcleanhlp.[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]getPlusHelper REG_MULTI_SZ getPlusHelpernosGetPlusHelper REG_MULTI_SZ nosGetPlusHelperAkamai REG_MULTI_SZ AkamaiWINRM REG_MULTI_SZ WINRM.Contents of the 'Scheduled Tasks' folder.2011-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57].2011-11-26 c:\windows\Tasks\ASC4_PerformanceMonitor.job- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-05-30 21:40].2011-11-26 c:\windows\Tasks\ConfigExec.job- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 03:09].2011-11-26 c:\windows\Tasks\DataUpload.job- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 03:09].2011-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 18:35].2011-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 18:35].2011-11-26 
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-2000478354-725345543-1003Core.job- c:\documents and settings\lisa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-01 00:55].2011-11-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-2000478354-725345543-1003UA.job- c:\documents and settings\lisa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-01 00:55].2011-11-22 c:\windows\Tasks\SmartDefrag_Schedule.job- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-03-21 22:29].2011-11-26 c:\windows\Tasks\User_Feed_Synchronization-{6DF41989-522B-40C0-9BBE-E87DB8122F07}.job- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]..------- Supplementary Scan -------.uStart Page = hxxp://www.yahoo.com/uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8mStart Page = hxxp://www.yahoo.com/mWindow Title = Microsoft Internet Explorer presented by ComcastmSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.htmluInternet Connection Wizard,ShellNext = iexploreuInternet Settings,ProxyOverride = *.localuSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.comIE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTMLIE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htmIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.htmlIE: Read EXIF - c:\program files\ArcSoft\RAW Thumbnail Viewer\ArcEXIFM.htmIE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htmIE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htmIE: Yahoo! 
&SMS - file:///c:\program files\Yahoo!\Common/ycsms.htmTrusted Zone: turbotax.comHandler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dllHandler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dllDPF: RaptisoftGameLoader - hxxp://real.gamehouse.com/games/raptisoft/raptisoftgameloader.cabFF - ProfilePath - c:\documents and settings\lisa\Application Data\Mozilla\Firefox\Profiles\3qln381a.default\FF - prefs.js: browser.search.selectedEngine - AVG Secure SearchFF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=enFF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e47138e&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=us&lng=en-US&q=FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.comFF - Ext: Adobe DLM (powered by getPlus®): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtensionFF - Ext: RAW Thumbnail Viewer: RAWThumbnailViewer@arcsoft.com.cn - c:\program files\ArcSoft\RAW Thumbnail Viewer\FireFox ExtensionFF - Ext: AVG Security Toolbar em:version=7.008.031.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security 
Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\AVG\AVG10\Toolbar\Firefox\avg@igearedFF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ffFF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG2012\Firefox4FF - user.js: browser.cache.memory.capacity - 16000FF - user.js: browser.chrome.favicons - falseFF - user.js: browser.display.show_image_placeholders - trueFF - user.js: browser.turbo.enabled - trueFF - user.js: browser.urlbar.autocomplete.enabled - trueFF - user.js: browser.urlbar.autofill - trueFF - user.js: content.max.tokenizing.time - 3000000FF - user.js: content.maxtextrun - 4095FF - user.js: content.notify.backoffcount - 5FF - user.js: content.notify.interval - 1000000FF - user.js: content.notify.ontimer - trueFF - user.js: content.switch.threshold - 1000000FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy ServiceFF - user.js: dom.disable_window_status_change - trueFF - user.js: network.http.max-connections - 48FF - user.js: network.http.max-connections-per-server - 16FF - user.js: network.http.max-persistent-connections-per-proxy - 16FF - user.js: network.http.max-persistent-connections-per-server - 8FF - user.js: network.http.pipelining - trueFF - user.js: network.http.pipelining.firstrequest - trueFF - user.js: network.http.pipelining.maxrequests - 8FF - user.js: network.http.proxy.pipelining - trueFF - user.js: network.http.request.max-start-delay - 0FF - user.js: nglayout.initialpaint.delay - 1000FF - user.js: plugin.expose_full_path - trueFF - user.js: ui.submenuDelay - 0FF - user.js: yahoo.homepage.dontask - true..**************************************************************************.catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2011-11-26 16:40Windows 5.1.2600 Service Pack 3 NTFS.scanning hidden processes ... 
.scanning hidden autostart entries ... .scanning hidden files ... .scan completed successfullyhidden files: 0.**************************************************************************.[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]"ServiceDll"="c:\program files\common files\akamai/netsession_win_d768ebc.dll".[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SM_sugo3_FUService]"ImagePath"="\"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service".--------------------- DLLs Loaded Under Running Processes ---------------------.- - - - - - - > 'winlogon.exe'(900)c:\program files\common files\logishrd\bluetooth\LBTWlgn.dllc:\program files\common files\logishrd\bluetooth\LBTServ.dll.Completion time: 2011-11-26 16:48:07ComboFix-quarantined-files.txt 2011-11-26 22:48ComboFix2.txt 2011-11-23 10:22.Pre-Run: 78,408,663,040 bytes freePost-Run: 78,487,056,384 bytes free.- - End Of File - - 890592FBD6984EE768DAB5CCB7634EC0 Link to post Share on other sites More sharing options...
Elise Posted November 27, 2011 ID:498487

How are things running at this point? Does serial.sys still get detected with AVG? (If it is detected in a subfolder of c:\qoobox, no need to worry about it.)
thefossil (Author) Posted November 27, 2011 ID:498709

Things are running much better now.

This is from the last AVG scan:

"Object name";"C:\System Volume Information\_restore{871928A8-C217-4DEE-9A91-EDB517B5CC8B}\RP2407\A0266938.sys"
"Detection name";"Trojan horse Hider.OKI"
"Object type";"file"
"SDK Type";"Core"
"Result";"Moved to Virus Vault"
"Action history";"Moved to Virus Vault"

This is from the last SystemLook:

SystemLook 30.07.11 by jpshortstuff
Log created at 17:22 on 26/11/2011 by lisa
Administrator - Elevation successful

========== filefind ==========

Searching for "serial.sys"
C:\WINDOWS\$NtServicePackUninstall$\serial.sys -----c- 64896 bytes [09:40 24/09/2008] [23:15 03/08/2004] CD9404D115A00D249F70A371B46D5A26
C:\WINDOWS\ServicePackFiles\i386\serial.sys ------- 64512 bytes [21:38 15/09/2008] [19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7
C:\WINDOWS\system32\dllcache\serial.sys --a--c- 64512 bytes [23:15 03/08/2004] [19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7
C:\WINDOWS\system32\drivers\serial.sys --a---- 64512 bytes [23:15 03/08/2004] [19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7

-= EOF =-

I may have made my cookie detection a little too strict, but I'll adjust that later.

Thanks again.
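The SystemLook output above is the check that matters after a driver has been flagged as a rootkit component: the live copy in system32\drivers is compared against the protected copies Windows XP keeps in system32\dllcache and ServicePackFiles\i386. The following Python script is an added example for this thread, not a tool the helper or the poster used; it parses SystemLook "filefind" output and reports whether the live driver's hash matches a reference copy. The sample log is the serial.sys listing from the post above; the reference-directory list is an assumption about where XP keeps known-good copies, and the $NtServicePackUninstall$ copy is deliberately ignored because it is the pre-Service-Pack version and differs by design. Two caveats: SystemLook prints MD5, which is fine for telling copies apart but not a defence against an adversary who can craft collisions, and a hash comparison taken from inside a live, rootkitted OS can be lied to by the rootkit, so the result only means something once the hidden-file scan is clean, as it is here.

```python
"""Added example (not from the thread): compare the live copy of a Windows
driver against the reference copies listed in SystemLook 'filefind' output."""
import re

# Constructed sample: the serial.sys listing posted in this thread.
SAMPLE_LOG = """SystemLook 30.07.11 by jpshortstuff
Log created at 17:22 on 26/11/2011 by lisa
Administrator - Elevation successful

========== filefind ==========

Searching for "serial.sys"
C:\\WINDOWS\\$NtServicePackUninstall$\\serial.sys -----c- 64896 bytes [09:40 24/09/2008] [23:15 03/08/2004] CD9404D115A00D249F70A371B46D5A26
C:\\WINDOWS\\ServicePackFiles\\i386\\serial.sys ------- 64512 bytes [21:38 15/09/2008] [19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7
C:\\WINDOWS\\system32\\dllcache\\serial.sys --a--c- 64512 bytes [23:15 03/08/2004] [19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7
C:\\WINDOWS\\system32\\drivers\\serial.sys --a---- 64512 bytes [23:15 03/08/2004] [19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7

-= EOF =-
"""

# One filefind result line: path, 7-char attribute field, size, two
# timestamps in brackets, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attrs>[-a-z]{7})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+"
    r"\[(?P<ctime>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)

# Assumption for this example: where Windows XP keeps protected reference
# copies of system files. The $NtServicePackUninstall$ folder is the
# pre-Service-Pack version and is intentionally not treated as a reference.
REFERENCE_DIRS = ("\\system32\\dllcache\\", "\\servicepackfiles\\i386\\")
LIVE_DIR = "\\system32\\drivers\\"


def parse_filefind(text):
    """Return one dict per file entry in a SystemLook filefind section."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def check_driver(entries, name):
    """Compare the live driver against the reference copies.

    Returns (verdict, details); verdict is one of 'consistent', 'MISMATCH',
    'no-live-copy' or 'no-reference'.
    """
    name = name.lower()
    live = [e for e in entries if e["path"].lower().endswith(LIVE_DIR + name)]
    refs = [e for e in entries
            if e["path"].lower().endswith("\\" + name)
            and any(r in e["path"].lower() for r in REFERENCE_DIRS)]
    if not live:
        return "no-live-copy", {}
    if not refs:
        return "no-reference", {}
    ref_hashes = sorted({e["md5"] for e in refs})
    details = {"live_md5": live[0]["md5"], "live_size": live[0]["size"],
               "reference_md5s": ref_hashes}
    if live[0]["md5"] in ref_hashes:
        return "consistent", details
    return "MISMATCH", details


if __name__ == "__main__":
    verdict, details = check_driver(parse_filefind(SAMPLE_LOG), "serial.sys")
    print(verdict, details)
```

A "MISMATCH" verdict means the driver in use is not the file Windows File Protection would restore, which is exactly the situation ESET had reported for serial.sys before ComboFix replaced it; "consistent" is what the posted log shows.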
Elise Posted November 27, 2011 ID:498738

Hi again,

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Adobe components and update:
- Download the latest version of Adobe Reader Version X and save it to your desktop.
- Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered.
- Click the download button at the bottom. If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the "click here to download" link on the next page.
- Remove all older versions of Adobe Reader: go to Add/Remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat. If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
- Then from your desktop double-click on Adobe Reader to install the newest version. If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
- When the "Adobe Setup - Welcome" window opens, click the Install > button.
- If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Your Adobe Reader is now up to date!

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
- Download the latest version of Java Runtime Environment (JRE) Version 7u1.
- Look for "JDK 7u1 (JDK or JRE)".
- Click the "Download JRE" button at the right.
- Read the License Agreement, and then check the box that says: "Accept License Agreement".
- Select "Windows x86 Offline" and click on jre-7-windows-i586.exe.
- Save it to your desktop.
- Close any programs you may have running, especially your web browser.
- Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
- Reboot your computer once all Java components are removed.
- Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

Finally, please launch MBAM, update it and run a full scan. Post me the resulting log.
thefossil (Author) Posted November 29, 2011 ID:499174

Hello

AVG did, in fact, find the serial.sys "hider" in Qoobox. The alert was on my screen when I returned home, even though I wasn't running a scan.

Here is the MBAM log, which looked like it came back clean:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8256

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/28/2011 12:56:54 PM
mbam-log-2011-11-28 (12-56-53).txt

Scan type: Full scan (C:\|)
Objects scanned: 339630
Time elapsed: 3 hour(s), 9 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I downloaded the new Java JRE and will install that tonight. I hadn't upgraded Adobe Reader because the new version lacked a multiple-file search feature that I needed for work. Maybe I can adjust the new one to retain that feature.

Thank you for all your help on this.
Elise Posted November 29, 2011 ID:499282

The file in qoobox will be gone as soon as everything is clean.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan.
- Hold down Control and click on this link to open ESET OnlineScan in a new window.
- Click the button.
- For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
  - Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  - Double click on the icon on your desktop.
- Check "YES, I accept the Terms of Use."
- Click the Start button.
- Accept any security warnings from your browser.
- Under scan settings, check "Scan Archives" and "Remove found threats".
- Click Advanced settings and select the following:
  - Scan potentially unwanted applications
  - Scan for potentially unsafe applications
  - Enable Anti-Stealth technology
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, click List Threats.
- Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Click the Back button.
- Click the Finish button.
thefossil (Author) Posted November 30, 2011 ID:499631

Elise

Running ESET now. I had tried that one on Nov 21 after this bug appeared, but now it has updated, of course.

Maybe unrelated, but I'm getting an error message in the Windows event log:

The MATS service encountered a failure when loading SAP. hr=0x80092003
SAP folder: C:\Program Files\Microsoft Fix it Center\SAPFolder\Scheduled\DDA435FA-6E05-4DBF-80FE-C4EBE882E798.28

... along with a couple of other errors on MATS. A little research shows a possible update needed from MSXML4 to MSXML6. Number 4 is currently on my system. I'm not a developer or anything; should I update this to help with security?

Thanks, will post the ESET log when it's done.

Lenny
Elise Posted November 30, 2011 ID:499695

No, you don't need these updates. If they are required for security reasons, Windows will include them in the automatic updates anyway.

I'll wait for the ESET results.
thefossil (Author) Posted December 1, 2011 ID:499881

Elise

ESET came back clean, no report.

Do we have success? Have you conquered the badness?

Lenny
thefossil (Author) Posted December 1, 2011 ID:499882

Found this log in the ESET folder:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=a16e92759b68eb448d5d7ccd8663e8e5
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-10-10 04:26:22
# local_time=2011-10-09 11:26:22 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 383884 383884 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=105401
# found=3
# cleaned=3
# scan_time=5273
C:\Documents and Settings\lisa\My Documents\Downloads\AdvancedPCTweaker_Setup.exe a variant of Win32/Adware.AdvPCTweak application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\lisa\My Documents\Downloads\CNET_TechTracker_1_3_1_55_Setup.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\lisa\My Documents\Downloads\KeyFinderInstaller.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=a16e92759b68eb448d5d7ccd8663e8e5
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-11-22 04:49:49
# local_time=2011-11-21 10:49:49 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 4097825 4097825 0 0
# compatibility_mode=8192 67108863 100 0 2795685 2795685 0 0
# scanned=116761
# found=3
# cleaned=1
# scan_time=7942
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\31\1a404d1f-38f9dc01 a variant of Win32/Kryptik.VUM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\serial.sys a variant of Win32/Rootkit.Kryptik.FJ trojan (unable to clean) 00000000000000000000000000000000 I
${Memory} multiple threats 00000000000000000000000000000000 I

# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=a16e92759b68eb448d5d7ccd8663e8e5
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-11-30 02:28:37
# local_time=2011-11-30 08:28:37 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 4823008 4823008 0 0
# compatibility_mode=8192 67108863 100 0 3520868 3520868 0 0
# scanned=118588
# found=0
# cleaned=0
# scan_time=8692
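The ESET log above is three scan runs appended to one file, and the interesting facts (the Nov 21 run found serial.sys and could not clean it, the Nov 30 run found nothing) are buried between "# key=value" headers. The Python below is an added example for this thread, not part of ESET or of anything the helper ran: it splits the file into runs, reads the counters, parses the detection lines and lists what each run left unresolved, plus the latest run's still-open items. The sample log is a shortened copy of the one posted above, constructed for the example; the rule that an item is resolved when its action text contains "deleted" or "cleaned" is this example's own heuristic, and the trailing letter on each detection line is kept but not interpreted.

```python
"""Added example (not from the thread): triage an ESET Online Scanner log by
scan run and report the detections each run left unresolved."""
import re

# Constructed sample: a shortened copy of the log posted in this thread.
SAMPLE_ESET_LOG = """ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
# version=7
# utc_time=2011-10-10 04:26:22
# scanned=105401
# found=3
# cleaned=3
C:\\Documents and Settings\\lisa\\My Documents\\Downloads\\AdvancedPCTweaker_Setup.exe a variant of Win32/Adware.AdvPCTweak application (deleted - quarantined) 00000000000000000000000000000000 C
C:\\Documents and Settings\\lisa\\My Documents\\Downloads\\CNET_TechTracker_1_3_1_55_Setup.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\\Documents and Settings\\lisa\\My Documents\\Downloads\\KeyFinderInstaller.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# utc_time=2011-11-22 04:49:49
# scanned=116761
# found=3
# cleaned=1
C:\\Documents and Settings\\NetworkService\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\31\\1a404d1f-38f9dc01 a variant of Win32/Kryptik.VUM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\\WINDOWS\\system32\\drivers\\serial.sys a variant of Win32/Rootkit.Kryptik.FJ trojan (unable to clean) 00000000000000000000000000000000 I
${Memory} multiple threats 00000000000000000000000000000000 I
# version=7
# utc_time=2011-11-30 02:28:37
# scanned=118588
# found=0
# cleaned=0
"""

HEADER_RE = re.compile(r"^# (?P<key>[A-Za-z_.]+)=(?P<value>.*)$")
# A detection line: <target and threat text> [(action)] <32 hex digits> <letter>
DETECTION_RE = re.compile(
    r"^(?P<subject>.+?)\s+"
    r"(?:\((?P<action>[^()]*)\)\s+)?"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+"
    r"(?P<flag>[A-Z])$"
)
# Heuristic (this example's assumption): these words in the action text mean
# ESET dealt with the item; anything else, or no action at all, is unresolved.
RESOLVED_WORDS = ("deleted", "cleaned")


def split_subject(subject):
    """Split 'C:\\path\\file a variant of Win32/X trojan' into (target, threat).
    Windows paths never contain '/', so the first token with a '/' is the
    threat family; '${Memory} multiple threats' has none, so split on the
    first space instead."""
    m = re.search(r"\s(?:a variant of\s)?(\S+/\S+)(.*)$", subject)
    if m:
        return subject[:m.start()], (m.group(1) + m.group(2)).strip()
    target, _, rest = subject.partition(" ")
    return target, rest


def parse_eset_log(text):
    """Return a list of runs; each run has a 'header' dict and 'detections'."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            if h.group("key") == "version":      # every run starts here
                current = {"header": {}, "detections": []}
                runs.append(current)
            if current is not None:
                current["header"][h.group("key")] = h.group("value")
            continue
        d = DETECTION_RE.match(line)
        if d and current is not None:
            target, threat = split_subject(d.group("subject"))
            action = d.group("action")
            current["detections"].append({
                "target": target, "threat": threat, "action": action,
                "flag": d.group("flag"),
                "resolved": bool(action) and any(w in action for w in RESOLVED_WORDS),
            })
    return runs


def unresolved(run):
    return [d for d in run["detections"] if not d["resolved"]]


def summarize(runs):
    """Per run: time, counters, unresolved targets, and whether the 'found'
    counter disagrees with the number of detection lines actually present."""
    out = []
    for run in runs:
        hdr = run["header"]
        found = int(hdr.get("found", 0))
        out.append({"utc_time": hdr.get("utc_time"),
                    "scanned": int(hdr.get("scanned", 0)),
                    "found": found, "cleaned": int(hdr.get("cleaned", 0)),
                    "unresolved": [d["target"] for d in unresolved(run)],
                    "found_mismatch": found != len(run["detections"])})
    return out


def still_open(runs):
    """Targets left unresolved by the most recent run (ordered by utc_time)."""
    if not runs:
        return []
    latest = max(runs, key=lambda r: r["header"].get("utc_time", ""))
    return [d["target"] for d in unresolved(latest)]


if __name__ == "__main__":
    runs = parse_eset_log(SAMPLE_ESET_LOG)
    for s in summarize(runs):
        print(s)
    print("still open:", still_open(runs))
```

On the posted log this yields one unresolved driver plus the in-memory detection for the Nov 21 run and nothing for the Nov 30 run, which is the same conclusion the helper reached by reading the file; the "found_mismatch" flag is there for the case where a run was cut off and its detection lines are missing.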
Elise Posted December 1, 2011 ID:499966

Yes, all looks clean.

ALL CLEAN
--------------
Your machine appears to be clean. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Please do the following to remove the remaining programs from your PC:
Delete the tools used during the disinfection: click Start > Run and type combofix /uninstall, press Enter. This will remove Combofix from your computer.

Please read this advice, in order to prevent reinfecting your PC:

Install and update the following programs regularly:
- An outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall. A comprehensive tutorial and a list of possible firewalls can be found here.
- An AntiVirus software. It is imperative that you update your AntiVirus software on a regular basis. If you do not update your AntiVirus software then it will not be able to catch the latest threats.
- An Anti-Spyware program. Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates. SUPERAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
- Spyware Blaster. A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

Keep Windows (and your other Microsoft software) up to date!
I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer. Therefore, please visit the Microsoft Update website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!

Keep your other software up to date as well.
Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.

Stay up to date!
The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:
- Miekies' prevention suggestions
- So How did I get infected?
- Microsoft - 'Security at home'
- Calendar of Updates: see which updates have been released.
- How to backup your Data with Cobian Backup: because you never know when your hard disk might fail :wink:
- Commonly Used Freeware Replacements: a nice list of freeware programs in all categories that are regarded as useful by the users of this forum.
- osalt: find (free) open source alternatives to known commercial software.

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.
screen317 (Staff) Posted December 12, 2011 ID:503827

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!