
Thank you for the invite to post here. I will be as clear and specific as I can; your help is immeasurably appreciated. After scanning as instructed I continue to be massively hindered by the infection.

Contents of DDS.txt

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29

Run by Mike Field at 11:41:37 on 2011-12-04

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2241 [GMT -8:00]

.

AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: AVG Firewall *Enabled*

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG2012\avgrsx.exe

C:\Program Files\AVG\AVG2012\avgcsrvx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG2012\avgfws.exe

C:\Program Files\AVG\AVG2012\avgwdsvc.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\AVG\AVG2012\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe

C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\Program Files\PCSafeDoctor\pcsafedoctor.exe

C:\Program Files\AVG\AVG2012\avgcsrvx.exe

C:\Documents and Settings\Chris Kline.YOUR-08YYF3BCGB\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Chris Kline.YOUR-08YYF3BCGB\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Chris Kline.YOUR-08YYF3BCGB\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Chris Kline.YOUR-08YYF3BCGB\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Chris Kline.YOUR-08YYF3BCGB\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Chris Kline.YOUR-08YYF3BCGB\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Chris Kline.YOUR-08YYF3BCGB\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Chris Kline.YOUR-08YYF3BCGB\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Chris Kline.YOUR-08YYF3BCGB\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Chris Kline.YOUR-08YYF3BCGB\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

mSearchAssistant = hxxp://www.google.com

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.40\AVG Secure Search_toolbar.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll

BHO: Yontoo Layers (Drop Down Deals): {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime (drop down deals)\YontooIEClient.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn2\YTSingleInstance.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: @c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.40\AVG Secure Search_toolbar.dll

TB: SeaGarden: {11d43b59-21ad-4f3f-8706-d3d7a5e7a5ee} - c:\program files\seagarden\Toolbar.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [ATICustomerCare] Disable_By_"c:\program files\ati\aticustomercare\ATICustomerCare.exe"

mRun: [MSConfig] Disable_By_c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Acrobat Assistant 8.0] Disable_By_"c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [Monitor] Disable_By_"c:\program files\leapfrog\leapfrog connect\Monitor.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [pcsafedoctor.exe] c:\program files\pcsafedoctor\pcsafedoctor.exe

dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html

IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

LSP: mswsock.dll

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116973534875

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4810/mcfscan.cab

DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

TCP: Interfaces\{2E2F09C9-FE8F-4C60-9A9F-5C54688ABE62} : NameServer = 192.168.1.1,8.8.8.8

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\8.0.1\ViProtocol.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: AutorunsDisabled - WgaLogon.dll

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\chris kline.your-08yyf3bcgb\application data\mozilla\firefox\profiles\vcu64goz.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=VUZTDF&PC=VUZE&q=

FF - prefs.js: browser.search.selectedEngine - Search

FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z192&install_date=20111202

FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=aX4GpGWG&q=

FF - component: c:\documents and settings\chris kline.your-08yyf3bcgb\application data\mozilla\firefox\profiles\vcu64goz.default\extensions\{eb3f692d-e0fc-40d6-ab48-b35c771e9cd6}\components\Engine.dll

FF - component: c:\documents and settings\chris kline.your-08yyf3bcgb\application data\mozilla\firefox\profiles\vcu64goz.default\extensions\piclens@cooliris.com\components\cooliris.dll

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\all users.windows\application data\nexonus\ngm\npNxGameUS.dll

FF - plugin: c:\documents and settings\chris kline.your-08yyf3bcgb\application data\electronic arts\game face\npGameFacePlugin.dll

FF - plugin: c:\documents and settings\chris kline.your-08yyf3bcgb\application data\facebook\npfbplugin_1_0_1.dll

FF - plugin: c:\documents and settings\chris kline.your-08yyf3bcgb\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\chris kline.your-08yyf3bcgb\application data\mozilla\firefox\profiles\vcu64goz.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

FF - plugin: c:\documents and settings\chris kline.your-08yyf3bcgb\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\documents and settings\chris kline.your-08yyf3bcgb\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll

FF - plugin: c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\sony online entertainment\npsoe.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Care2 Toolbar: {eb3f692d-e0fc-40d6-ab48-b35c771e9cd6} - %profile%\extensions\{eb3f692d-e0fc-40d6-ab48-b35c771e9cd6}

FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com

FF - Ext: Better Facebook!: betterfacebook@mattkruse.com - %profile%\extensions\betterfacebook@mattkruse.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: McAfee SiteAdvisor: {4ED1F68A-5463-4931-9384-8FFF5ED91D92} - c:\program files\mcafee\SiteAdvisor

FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF

.

---- FIREFOX POLICIES ----

.

FF - user.js: browser.search.selectedEngine - Search

FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=aX4GpGWG&q=

FF - user.js: extentions.y2layers.installId - 0dfee6c5-682d-495d-98d4-1c791bb9fc79

FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,Buzzdock,BuzzdockTease,DropDownDeals,

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-2 435032]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-2 314456]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]

R1 AvgTdiX;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-23 201320]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-2 20568]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-12-2 44768]

R2 avgfws;AVG Firewall;c:\program files\avg\avg2012\avgfws.exe [2011-10-24 2398512]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]

R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [2005-6-21 3584]

R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\8.0.1\ToolbarUpdater.exe [2011-12-2 246624]

R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2011-5-23 30944]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]

R3 RkHit;RkHit;c:\windows\system32\drivers\RKHit.sys [2011-12-3 34736]

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-3-5 15656]

S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\chrisk~1.you\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\chrisk~1.you\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\chrisk~1.you\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\chrisk~1.you\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]

S2 McShield;McAfee Real-time Scanner; [x]

S2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit; [x]

S2 PEVSystemStart;PEVSystemStart;c:\combofix\pev.3XE [2011-6-25 256000]

S2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar; [x]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2011-5-23 30944]

S3 Cmdmhip;Cmdmhip; [x]

S3 DITOUSB;%DITOUSB.SvcDesc%;c:\windows\system32\drivers\DITOUSB.sys [2006-10-26 174336]

S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]

S3 EWAVE;EWAVE;\??\c:\windows\system32\drivers\ew.sys --> c:\windows\system32\drivers\ew.sys [?]

S3 EXITOUSB;%EXITOUSB.SvcDesc%;c:\windows\system32\drivers\EXITOUSB.sys [2006-8-21 181760]

S3 FILESPY;FILESPY;\??\c:\windows\system32\drivers\filespy.sys --> c:\windows\system32\drivers\FILESPY.sys [?]

S3 IDEUSB;Sunplus USB Probe;c:\windows\system32\drivers\IDEUSB.sys [2006-1-13 10931]

S3 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; [x]

S3 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-23 359248]

S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-7-23 695624]

S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-7-23 79304]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-7-23 35240]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-7-23 33832]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-7-23 40488]

S3 NSTATION;NSTATION;\??\c:\windows\system32\drivers\nstation.sys --> c:\windows\system32\drivers\nstation.sys [?]

.

=============== Created Last 30 ================

.

2011-12-04 04:07:45 -------- d-sha-r- C:\cmdcons

2011-12-04 04:06:20 -------- d-s---w- C:\ComboFix

2011-12-04 03:46:44 -------- d-----w- c:\documents and settings\chris kline.your-08yyf3bcgb\application data\SUPERAntiSpyware.com

2011-12-04 03:46:44 -------- d-----w- c:\documents and settings\all users.windows\application data\SUPERAntiSpyware.com

2011-12-04 00:17:57 34736 ----a-w- c:\windows\system32\drivers\RKHit.sys

2011-12-04 00:17:48 -------- d-----w- c:\program files\PCSafeDoctor

2011-12-03 23:48:10 -------- d-----w- c:\program files\Exterminate It!

2011-12-03 22:01:22 -------- d-sh--w- c:\documents and settings\chris kline.your-08yyf3bcgb\IECompatCache

2011-12-03 10:18:33 98816 ----a-w- c:\windows\sed.exe

2011-12-03 10:18:33 518144 ----a-w- c:\windows\SWREG.exe

2011-12-03 10:18:33 256000 ----a-w- c:\windows\PEV.exe

2011-12-03 10:18:33 208896 ----a-w- c:\windows\MBR.exe

2011-12-03 09:59:20 -------- d-----w- c:\documents and settings\all users.windows\application data\PC Tools

2011-12-03 07:59:20 -------- d--h--w- C:\$AVG

2011-12-03 07:33:11 -------- d-----w- c:\documents and settings\chris kline.your-08yyf3bcgb\application data\AVG2012

2011-12-03 07:31:49 -------- d-----w- c:\documents and settings\chris kline.your-08yyf3bcgb\application data\AVG Secure Search

2011-12-03 07:31:37 -------- d-----w- c:\program files\common files\AVG Secure Search

2011-12-03 07:31:34 -------- d-----w- c:\program files\AVG Secure Search

2011-12-03 07:31:22 -------- d--h--w- c:\documents and settings\all users.windows\application data\Common Files

2011-12-03 07:29:55 -------- d-----w- c:\windows\system32\drivers\AVG

2011-12-03 07:29:55 -------- d-----w- c:\documents and settings\all users.windows\application data\AVG2012

2011-12-03 07:29:07 -------- d-----w- c:\program files\AVG

2011-12-03 07:17:24 -------- d-sh--w- C:\found.000

2011-12-03 06:49:03 -------- d-----w- c:\documents and settings\all users.windows\application data\MFAData

2011-12-02 18:36:15 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-12-02 18:35:41 41184 ----a-w- c:\windows\avastSS.scr

2011-12-02 18:32:57 -------- d-----w- c:\program files\AVAST Software

2011-12-02 18:32:57 -------- d-----w- c:\documents and settings\all users.windows\application data\AVAST Software

2011-12-02 04:23:01 -------- d-----w- c:\documents and settings\chris kline.your-08yyf3bcgb\application data\AnvSoft

2011-12-02 04:22:35 -------- d-----w- c:\program files\AnvSoft

2011-12-02 04:21:35 -------- d-----w- c:\program files\Yontoo Layers Runtime (Drop Down Deals)

2011-12-02 04:21:34 -------- d-----w- c:\documents and settings\all users.windows\application data\Tarma Installer

2011-12-02 00:58:33 -------- d-----w- C:\DVDMovie

2011-12-02 00:53:26 -------- d-sh--w- c:\documents and settings\chris kline.your-08yyf3bcgb\local settings\application data\b1463bda

2011-12-02 00:50:59 819200 ----a-w- c:\windows\system32\xvidcore.dll

2011-12-02 00:50:59 77824 ----a-w- c:\windows\system32\xvid.ax

2011-12-02 00:50:58 180224 ----a-w- c:\windows\system32\xvidvfw.dll

2011-12-02 00:50:56 -------- d-----w- c:\program files\Xvid

2011-12-02 00:50:52 -------- d-----w- c:\program files\AoA DVD Ripper

2011-11-30 05:18:14 -------- d-----w- C:\Inetpub

2011-11-24 03:36:43 -------- d-----w- c:\program files\Free M4a to MP3 Converter

.

==================== Find3M ====================

.

2011-12-02 17:42:02 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-11-23 17:14:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-10-07 14:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2011-10-04 14:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys

2011-10-03 13:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-10-03 10:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-13 14:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 11:48:22.87 ===============

attach.txt attached


Thanks, Mike

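As an added, editor-written example (not a tool from this thread, and not part of DDS or Malwarebytes), here is a small Python triage script for the kind of DDS.txt output posted above. It reads the AV, Hosts, browser-object and service/driver lines and flags what a helper checks first: several real-time engines enabled at once, a hosts-file mapping that overrides DNS, an orphan "No File" entry, and drivers or services loading from a temp or profile directory. The sample log embedded in it, including its IP address and names, is constructed rather than copied from the post; a flagged entry is a lead to verify, not a verdict.

```python
"""Triage helper for DDS.txt-style logs (added example; not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample shaped like the DDS sections in the post (not the real log).
SAMPLE_LOG = r"""AV: Example AV One *Enabled/Updated* {00000000-0000-0000-0000-000000000001}
AV: Example AV Two *Enabled/Updated* {00000000-0000-0000-0000-000000000002}
AV: Example AV Three *Enabled/Outdated* {00000000-0000-0000-0000-000000000003}
FW: Example Firewall *Enabled*
============== Pseudo HJT Report ===============
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Hosts: 203.0.113.10 example-redirect.invalid
============= SERVICES / DRIVERS ===============
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-2 314456]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\user\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\user\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S2 McShield;McAfee Real-time Scanner; [x]
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    line: str      # the log line that produced the finding
    reason: str    # what a helper should check about it


AV_RE = re.compile(r"^AV: (?P<name>.+?) \*(?P<state>[^*]+)\*")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)")
# "R1 name;description;path [date size]" -- meta is "?" when DDS could not
# stat the file and "x" when the service is registered but the file is gone.
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)"
    r"(?: \[(?P<meta>[^\]]*)\])?$"
)
# Path fragments a kernel driver or service should normally not load from.
USER_WRITABLE = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\application data\\")


def triage(log_text: str) -> list[Finding]:
    """Return the findings for one DDS log, ordered as the lines appear."""
    findings: list[Finding] = []
    enabled_av: list[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := AV_RE.match(line):
            if m["state"].startswith("Enabled"):
                enabled_av.append(m["name"])
            if "Outdated" in m["state"]:
                findings.append(Finding("info", line,
                                        f"{m['name']} is enabled but its definitions are outdated"))
            continue
        if m := HOSTS_RE.match(line):
            findings.append(Finding("high", line,
                                    f"hosts file overrides DNS for {m['host']} -> {m['ip']}"))
            continue
        if line.endswith("- No File"):
            findings.append(Finding("info", line,
                                    "registered browser component whose file is missing (orphan entry)"))
            continue
        if m := SVC_RE.match(line):
            path, meta = m["path"].lower(), m["meta"]
            if any(frag in path for frag in USER_WRITABLE):
                findings.append(Finding("high", line,
                                        f"{m['name']} loads from a user-writable temp/profile directory"))
            elif meta == "?":
                findings.append(Finding("medium", line,
                                        f"{m['name']} file could not be inspected (no date/size)"))
            elif meta == "x":
                findings.append(Finding("info", line,
                                        f"{m['name']} is registered but its file is absent"))
    if len(enabled_av) > 1:
        # Several real-time engines fight over the same files and block each other's scans.
        findings.insert(0, Finding("medium", "AV: " + ", ".join(enabled_av),
                                   f"{len(enabled_av)} real-time AV engines enabled at once; keep one"))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, for a one-line summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(severity_counts(triage(SAMPLE_LOG)))
```

Run it as-is to see the findings for the built-in sample, or pass the text of a real DDS.txt to `triage()`. The script only looks at the line shapes DDS prints; it deliberately knows nothing about product names, so a legitimate scanner's self-extracted driver in a temp directory is flagged the same way as anything else and is left for the human to confirm.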

:welcome:

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and if required the program will ask you to reboot to remove locked files.

Post the scan results using Copy/Paste


I followed the instructions to the letter. At a point perhaps 6 minutes into the scan an error dialogue appeared, indicating that the log file could not be created: not enough quota available for this command (something to that effect). I reviewed the contents of the logs tab and indeed nothing was created this morning. Now the internet is not working again, I must reboot. I await a next step. Thanks man.


AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

First you need to uninstall 2 of the 3 anti-virus programs you have.

Looks like McAfee and Avast are outdated.


I uninstalled McAfee and Avast, reran the MBAM, got the same quota error. I used task manager to stop explorer.exe and then relaunch it which enabled me to explore to the logs folder and find the output file which is below.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8334

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/8/2011 5:12:35 PM

mbam-log-2011-12-08 (17-12-35).txt

Scan type: Quick scan

Objects scanned: 343216

Time elapsed: 12 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.

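Note 3 above says ComboFix blocks AutoRun for all CD, floppy and USB devices; how ComboFix itself does that is not shown in the thread. The script below is an added example, not ComboFix's code, showing the two registry controls Microsoft documents for disabling AutoRun on XP and a check that both are in place, so a helper can verify the state after a run or apply it by hand. It assumes an elevated PowerShell 2.0 session on XP SP3; the key paths and the 0xFF mask are the documented ones, the function names are this example's own.

```powershell
# Added example (not ComboFix's own code; ComboFix's method is not shown in
# the thread): disable AutoRun for every drive type on Windows XP and verify it.
# Assumes an elevated PowerShell 2.0 session on XP SP3.

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$mappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Disable-AutoRun {
    # Control 1: NoDriveTypeAutoRun is a bitmask with one bit per drive type
    # (removable, fixed, CD-ROM, network, RAM disk, unknown). 0xFF sets every
    # bit, so AutoRun is off for all of them. Only honoured on XP once the
    # AutoRun hotfix (KB967715) is installed.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

    # Control 2: map every autorun.inf lookup to a registry key that does not
    # exist, so the file is never parsed even on a box where control 1 is
    # ignored or later reset.
    if (-not (Test-Path $mappingKey)) { New-Item -Path $mappingKey -Force | Out-Null }
    Set-ItemProperty -Path $mappingKey -Name '(Default)' -Value '@SYS:DoesNotExist' -Type String
}

function Test-AutoRunDisabled {
    # $true only when both controls are present with the expected values.
    $policy  = (Get-ItemProperty -Path $policyKey  -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $mapping = (Get-ItemProperty -Path $mappingKey -ErrorAction SilentlyContinue).'(default)'
    return (($policy -eq 0xFF) -and ($mapping -eq '@SYS:DoesNotExist'))
}

Disable-AutoRun
if (Test-AutoRunDisabled) {
    'AutoRun disabled for all drive types (policy bitmask and autorun.inf mapping both set).'
} else {
    'AutoRun is still enabled: check the two keys above.'
}
```

Run Test-AutoRunDisabled on its own when you only want to confirm the state a removal tool left behind. Setting both controls is deliberate: the policy value alone depends on the hotfix being present, while the IniFileMapping entry works on any XP build because it stops autorun.inf from being read at all.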

ComboFix 11-12-08.01 - Mike Field 12/08/2011 17:57:03.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2561 [GMT -8:00]

Running from: C:\Documents and Settings\Chris Kline.YOUR-08YYF3BCGB\My Documents\Downloads\ComboFix.exe

AV: AVG Internet Security 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}

/wow section - STAGE 4

SED: can't read Desktop.Folder.dat: Not enough space

Not enough quota is available to process this command.

/wow section - STAGE 23

Not enough quota is available to process this command.

/wow section - STAGE 25

Not enough quota is available to process this command.

/wow section - STAGE 27

Not enough quota is available to process this command.

/wow section - STAGE 32

The system cannot execute the specified program.

The system cannot execute the specified program.

The system cannot execute the specified program.

The system cannot execute the specified program.

The system cannot execute the specified program.

The system cannot execute the specified program.

The system cannot execute the specified program.

The system cannot execute the specified program.

The system cannot execute the specified program.

The system cannot execute the specified program.

The system cannot execute the specified program.

The system cannot execute the specified program.

Not enough quota is available to process this command.

The system cannot open the device or file specified.

/wow section - STAGE 32A

pevFind, by Billy O'Neal III, version 1.5.6 ComboFix Edition. Syntax Error.

Pass LEGAL for license information. Built Sat Jun 25 23:20:28 2011The system cannot execute the specified program.

Not enough quota is available to process this command.

The system cannot open the device or file specified.

/wow section - STAGE 33

Not enough quota is available to process this command.

/wow section - STAGE 34

Not enough quota is available to process this command.

/wow section - STAGE 37

SED: can't read SvcDump: Not enough space

The system cannot execute the specified program.

Not enough quota is available to process this command.

/wow section - STAGE 38

/wow section - STAGE 43

Not enough quota is available to process this command.

Not enough quota is available to process this command.

/wow section - STAGE 47

The system cannot execute the specified program.

Not enough quota is available to process this command.

The system cannot execute the specified program.

The system cannot open the device or file specified.

/wow section - STAGE 48

/wow section - STAGE 49

The system cannot execute the specified program.

/wow section - STAGE 50

/wow section not completed


You can use Windows sfc (System File Checker). You'd need your XP CD to make this work.

Click Start > Run > type sfc /scannow. Note the space.

(Note that there is a space between sfc and /scannow)

If that didn't help, try check disk

How to run Chkdsk /r at the command prompt

1. Click Start, and then click Run.

2. In Open, type cmd, and then press ENTER.

3. Type in: chkdsk /r


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.