
Hi Guys,

I caught a virus which stopped internet access by removing the registry entry for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT

I restored the reg key from another PC and also copied netbt.sys - this got things going temporarily.

Redirects then appeared with further NetBT issues, so I ran Malwarebytes (log attached).

DDS then ran and the logs are attached (I couldn't disable AVG).

Currently, the computer is waiting for an IP address on wifi, but connects to the router with a cable, although some browser redirects are still occurring.

Any suggestions would be greatly appreciated.

Best Regards

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29

Run by Geoff at 15:07:35 on 2011-12-30

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1456 [GMT 0:00]

.

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG2012\avgrsx.exe

C:\Program Files\AVG\AVG2012\avgcsrvx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG2012\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\AVG\AVG2012\avgnsx.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe

C:\Program Files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe

C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe

C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe

C:\Program Files\Samsung\Samsung Recovery Solution II\WCScheduler.exe

C:\Program Files\Kontiki\KHost.exe

C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe

C:\Program Files\AVG\AVG2012\avgtray.exe

C:\Program Files\AVG Secure Search\vprot.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\program files\real\realplayer\update\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe

C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\WINDOWS\System32\ping.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.uk/advanced_search?hl=en

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.22\AVG Secure Search_toolbar.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.22\AVG Secure Search_toolbar.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [kdx] c:\program files\kontiki\KHost.exe -all

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe

mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe

mRun: [batteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe

mRun: [samsungWInClon] c:\program files\samsung\samsung recovery solution ii\WCScheduler

mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all

mRun: [sUPBackGround] c:\program files\samsung\samsung update plus\SUPBackGround.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"

mRun: [vProt] "c:\program files\avg secure search\vprot.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

LSP: mswsock.dll

DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab

DPF: {888078C6-70B2-4F88-8EE7-1F50DDEA6120} - hxxps://as.photoprintit.de/ips-opdata/activex/ImageUploader6.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://remote.parliament.uk/InternalSite/WhlCompMgr.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game09.zylom.com/activex/zylomgamesplayer.cab

DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sslvpn.2e2.com/dana-cached/sc/JuniperSetupClient.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\9.0.1\ViProtocol.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\geoff\application data\mozilla\firefox\profiles\z12h76ed.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll

FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll

FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll

FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 230608]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 295248]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2008-1-18 4300]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-23 652872]

R2 SNM WLAN Service;SNM WLAN Service;c:\program files\samsung\samsung network manager\SNMWLANService.exe [2005-5-28 36864]

R2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\srs labs\wowxt and tsxt driver\SRS_PostInstaller.exe [2006-11-9 69632]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-3-9 92592]

R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\microsoft forefront uag\endpoint components\3.1.0\uagqecsvc.exe [2011-4-13 149904]

R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\9.0.1\ToolbarUpdater.exe [2011-12-24 869216]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-1-18 36608]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-23 20464]

R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [2006-11-9 20608]

S2 gupdate1ca30667189a908;Google Update Service (gupdate1ca30667189a908);c:\program files\google\update\GoogleUpdate.exe [2009-9-8 133104]

S3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\windows\downlo~1\DMService.exe [2011-4-13 468368]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-9-8 133104]

.

=============== Created Last 30 ================

.

2011-12-24 12:53:27 -------- d-----w- c:\documents and settings\all users\application data\AVG Secure Search

2011-12-23 22:31:35 -------- d-----w- c:\documents and settings\geoff\application data\Malwarebytes

2011-12-23 22:31:28 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-12-23 22:31:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-23 22:31:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

2011-11-25 13:49:22 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-12 17:44:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec

2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-10-07 06:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2011-10-04 06:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys

2011-10-03 04:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-10-03 01:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl

.

============= FINISH: 15:07:50.25 ===============

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 911122309

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

24/12/2011 00:05:44

mbam-log-2011-12-24 (00-05-44).txt

Scan type: Quick scan

Objects scanned: 287142

Time elapsed: 43 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A072EC12-A40B-41DD-9A1A-CDB848B70F3C} (Rogue.Installer) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD4F7A6D-0107-4BDF-B72B-021B717B06CE} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00A9BE8 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A00FC8E2C.exe (Trojan.Agent) -> Value: A00FC8E2C.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Value: Regedit32 -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\RECYCLER\s-1-5-21-125603796-1285412916-2827224456-1004\Dc119.exe (PUP.SpyBoss) -> Quarantined and deleted successfully.

c:\temp\abcexplorer_1_3_8_setup.exe (PUP.SpyBoss) -> Quarantined and deleted successfully.

attach.txt

mbam-log-2011-12-24 (00-05-44).txt

dds.txt


Welcome to the forum.

Please download Farbar Service Scanner and run it on the computer with the issue.


  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.

Please download and run RogueKiller.

Choose 1 to scan the system

Post back the report.

MrC


OK, those files are fine.

ComboFix is capable of cleaning this infection but it may take a couple of reboots.

Please make sure you download and run it from your desktop and make sure you disable all malware programs!!

______________________________

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

Please post the log, don't attach it.

MrC


ComboFix 12-01-04.02 - Geoff 04/01/2012 20:54:02.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1553 [GMT 0:00]

Running from: c:\documents and settings\Geoff\My Documents\My Downloads\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Geoff\Recent\Thumbs.db

c:\windows\$NtUninstallKB37643$

c:\windows\$NtUninstallKB37643$\211314198

c:\windows\$NtUninstallKB37643$\531860664\@

c:\windows\$NtUninstallKB37643$\531860664\bckfg.tmp

c:\windows\$NtUninstallKB37643$\531860664\cfg.ini

c:\windows\$NtUninstallKB37643$\531860664\Desktop.ini

c:\windows\$NtUninstallKB37643$\531860664\keywords

c:\windows\$NtUninstallKB37643$\531860664\kwrd.dll

c:\windows\$NtUninstallKB37643$\531860664\L\nsuyzeji

c:\windows\$NtUninstallKB37643$\531860664\U\00000001.@

c:\windows\$NtUninstallKB37643$\531860664\U\00000002.@

c:\windows\$NtUninstallKB37643$\531860664\U\00000004.@

c:\windows\$NtUninstallKB37643$\531860664\U\80000000.@

c:\windows\$NtUninstallKB37643$\531860664\U\80000004.@

c:\windows\$NtUninstallKB37643$\531860664\U\80000032.@

c:\windows\system32\Cache

c:\windows\system32\Cache\16abb40014c12fc8.fb

c:\windows\system32\Cache\272512937d9e61a4.fb

c:\windows\system32\Cache\287204568329e189.fb

c:\windows\system32\Cache\28bc8f716fd76a47.fb

c:\windows\system32\Cache\2c53092c95605355.fb

c:\windows\system32\Cache\3917078cb68ec657.fb

c:\windows\system32\Cache\590ba23ce359fd0c.fb

c:\windows\system32\Cache\5feee74b237259e7.fb

c:\windows\system32\Cache\610289e025a3ee9a.fb

c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb

c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb

c:\windows\system32\Cache\ad10a52aff5e038d.fb

c:\windows\system32\Cache\c4d28dca2e7648be.fb

c:\windows\system32\Cache\d201ef9910cd39de.fb

c:\windows\system32\Cache\d2e94710a5708128.fb

c:\windows\system32\Cache\d79b9dfe81484ec4.fb

c:\windows\system32\Cache\e0de16f883bea794.fb

c:\windows\Temp\scsE.tmp

c:\windows\Temp\scsF.tmp

.

.

((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))

.

.

2012-01-04 19:06 . 2012-01-04 19:08 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-01-02 15:21 . 2012-01-02 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2012-01-02 15:21 . 2012-01-02 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2012-01-02 15:20 . 2012-01-02 15:20 -------- d-----w- c:\program files\McAfee Security Scan

2011-12-28 11:54 . 2011-12-28 11:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2011-12-24 12:53 . 2011-12-24 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Secure Search

2011-12-23 22:31 . 2011-12-23 22:31 -------- d-----w- c:\documents and settings\Geoff\Application Data\Malwarebytes

2011-12-23 22:31 . 2011-12-23 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-12-23 22:31 . 2011-12-28 15:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-23 22:31 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-15 18:41 . 2011-12-15 18:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-02 15:21 . 2011-05-19 08:39 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-25 13:49 . 2003-03-19 06:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-11-23 13:25 . 2007-01-18 17:08 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-04 19:20 . 2007-01-18 17:08 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20 . 2007-01-18 17:08 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20 . 2007-01-18 17:08 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23 . 2007-01-18 17:08 385024 ----a-w- c:\windows\system32\html.iec

2011-11-01 16:07 . 2007-01-18 17:08 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31 . 2007-01-18 17:08 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37 . 2007-01-18 17:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-18 11:13 . 2007-01-18 17:08 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-10 14:22 . 2008-01-18 18:26 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-10-07 06:23 . 2010-09-07 02:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2006-10-11 08:04 . 2008-10-18 14:35 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2006-10-11 08:04 . 2008-10-18 14:35 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2006-10-11 08:05 . 2008-10-18 14:35 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2006-10-11 08:05 . 2008-10-18 14:35 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2006-10-11 08:04 . 2008-10-18 14:35 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]

2011-12-24 12:53 1574240 ----a-w- c:\program files\AVG Secure Search\9.0.0.22\AVG Secure Search_toolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\9.0.0.22\AVG Secure Search_toolbar.dll" [2011-12-24 1574240]

.

[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-16 68856]

"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SamsungWInClon"="c:\program files\Samsung\Samsung Recovery Solution II\WCScheduler" [X]

"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]

"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 89542]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-07 761947]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-08-17 45056]

"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]

"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]

"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2006-12-15 2764800]

"4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2010-04-20 300912]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-19 13549568]

"nwiz"="nwiz.exe" [2008-11-19 1630208]

"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]

"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2011-12-24 892768]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-11-25 273528]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-11 561213]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Microsoft Forefront UAG\\Endpoint Components\\3.1.0\\WhlClnt3.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 15:27 23120]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 02:48 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 02:48 230608]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [07/09/2010 02:49 295248]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 05:09 192776]

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [18/01/2008 18:32 4300]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [23/12/2011 22:31 652872]

R2 SNM WLAN Service;SNM WLAN Service;c:\program files\Samsung\Samsung Network Manager\SNMWLANService.exe [28/05/2005 16:35 36864]

R2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller.exe [09/11/2006 18:32 69632]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [09/03/2011 12:30 92592]

R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [13/04/2011 11:12 149904]

R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe [24/12/2011 12:53 869216]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 20:42 134608]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 20:42 24272]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 20:42 16720]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [18/01/2007 17:12 36608]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [23/12/2011 22:31 20464]

R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [09/11/2006 18:32 20608]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 06:25 4433248]

S2 gupdate1ca30667189a908;Google Update Service (gupdate1ca30667189a908);c:\program files\Google\Update\GoogleUpdate.exe [08/09/2009 09:26 133104]

S3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\windows\DOWNLO~1\DMService.exe [13/04/2011 11:11 468368]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [08/09/2009 09:26 133104]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 12:49 227232]

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

2012-01-04 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-14 17:56]

.

2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 09:26]

.

2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 09:26]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/advanced_search?hl=en

uInternet Connection Wizard,ShellNext = iexplore

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

TCP: DhcpNameServer = 192.168.0.1

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\9.0.1\ViProtocol.dll

DPF: {888078C6-70B2-4F88-8EE7-1F50DDEA6120} - hxxps://as.photoprintit.de/ips-opdata/activex/ImageUploader6.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game09.zylom.com/activex/zylomgamesplayer.cab

FF - ProfilePath - c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\z12h76ed.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-04 21:10

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2444)

c:\windows\system32\WININET.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Kontiki\KService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\RTHDCPL.EXE

c:\windows\AGRSMMSG.exe

c:\program files\Samsung\Samsung Recovery Solution II\WCScheduler.exe

c:\program files\SAMSUNG\MagicKBD\MagicKBD.exe

c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2012-01-04 21:17:50 - machine was rebooted

ComboFix-quarantined-files.txt 2012-01-04 21:17

.

Pre-Run: 84,721,139,712 bytes free

Post-Run: 88,458,395,648 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - AFCEF67D83C0380D757589452FBE3648


Malwarebytes Anti-Malware (Trial) 1.60.0.1800

www.malwarebytes.org

Database version: v2012.01.04.05

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Geoff :: SHELAGH [administrator]

Protection: Disabled

04/01/2012 21:43:21

mbam-log-2012-01-04 (21-43-21).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 253991

Time elapsed: 21 minute(s), 43 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Connected to internet OK - no redirected websites - DHCP service stops and starts correctly (this failed on dependencies over the last couple of days).

So, looking good.

It's bedtime here (UK), so hopefully it will behave itself tomorrow.

Many thanks for all your help - you're a star!!


Great :)

Please Uninstall ComboFix:

Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

-------------------

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

-----------------------------------

Please update your Java; older versions are vulnerable to malware. Go to your Control Panel > Java > Update tab > Update.

Any questions...please post back.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

