Infected with XP Security 2012


I have been infected with the XP Security 2012 virus. I ran Malwarebytes and AVG scans, which haven't removed it. When the internet is accessible, ping.exe takes over and sucks up all available resources, and the virus doesn't allow most programs to open.

Help!

The logs requested are below and attached. I'm not the world's biggest expert at this (obviously), so any help is much appreciated.

Thank you!

Cozzalinda

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Linda Mason at 11:13:57 on 2012-01-04

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1309 [GMT -6:00]

.

AV: AVG Internet Security Business Edition *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ===============

.

C:\Program Files\Emsisoft Anti-Malware\a2service.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Linda Mason\Local Settings\Application Data\Akamai\netsession_win.exe

C:\Documents and Settings\Linda Mason\Local Settings\Application Data\Akamai\netsession_win.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k Akamai

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\AVG\AVG9\avgam.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\AVG\AVG9\avgui.exe

C:\WINDOWS\System32\ping.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Akamai NetSession Interface] "c:\documents and settings\linda mason\local settings\application data\akamai\netsession_win.exe"

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [<NO NAME>]

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [hpqSRMon]

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

LSP: mswsock.dll

Trusted Zone: isqft.com

Trusted Zone: isqft.com\www

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\linda mason\application data\mozilla\firefox\profiles\hgv72dhg.default\

FF - plugin: c:\documents and settings\linda mason\locallow\stonetrip\webplayer1.8.1\npShiVa3D_1.8.1.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-4-12 25168]

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-4-12 52872]

R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\emsisoft anti-malware\a2ddax86.sys [2011-11-11 17904]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-12 216400]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-12 29712]

R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-12 243152]

R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-11-11 2979280]

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-13 14336]

R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-21 308136]

R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-21 5897808]

R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-4-12 122448]

R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-4-12 30288]

R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-4-12 26192]

S0 cerc6;cerc6; [x]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-26 136176]

S2 NecUsb;USB Service;c:\windows\system32\svchost.exe -k NecUsbSevice [2008-4-13 14336]

S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-11-11 51632]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-26 136176]

.

=============== Created Last 30 ================

.

2012-01-04 16:41:45 -------- d--h--w- c:\windows\PIF

2011-12-22 16:32:24 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-12-21 20:13:16 -------- d-----w- c:\documents and settings\linda mason\application data\AVG9

.

==================== Find3M ====================

.

.

============= FINISH: 11:14:42.40 ===============


Hello and welcome. Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Download GMER Rootkit Scanner from here to your desktop.

  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

If you have trouble running GMER:

  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode

Please include the following in your next post:

  • GMER log


Thanks for your response! I was able to run the GMER scan without any apparent problems. Results:

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-01-25 11:07:35

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD80 rev.10.0

Running: r2gi1q4r.exe; Driver: C:\DOCUME~1\LINDAM~1\LOCALS~1\Temp\uxtdapob.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xAB044670]

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xAB044720]

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xAB0447C0]

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xAB044860]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB85F7000, 0x18FE04, 0xE8000020]

init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xA5F54A00]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01F6000A

.text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01F7000A

.text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 01F5000C

.text C:\WINDOWS\system32\SearchIndexer.exe[3268] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) A0FCB000-A0FE5000 (106496 bytes)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB24235$\3075533307 0 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\@ 2048 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\bckfg.tmp 873 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\cfg.ini 208 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\Desktop.ini 4608 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\keywords 147 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\kwrd.dll 223744 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\L 0 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\L\djoaiqci 138496 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\lsflt7.ver 5176 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\U 0 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\U\00000001.@ 1536 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\U\00000002.@ 224768 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\U\00000004.@ 1024 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\U\80000000.@ 11264 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\U\80000004.@ 12800 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3075533307\U\80000032.@ 97792 bytes

File C:\WINDOWS\$NtUninstallKB24235$\3341319409 0 bytes

---- EOF - GMER 1.0.15 ----


Cozzalinda:

Please do this:

Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:

  • ComboFix log


I hope this worked. It warned me that I had not properly disabled my AVG, although I did what the instructions in your link indicated (disabled the Resident Shield.) ComboFix.txt log:

ComboFix 12-01-26.01 - Linda Mason 01/26/2012   9:30.1.2 - x86

Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1468 [GMT -6:00]

Running from: c:\documents and settings\Linda Mason\Desktop\ComboFix.exe

AV: AVG Internet Security Business Edition *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

 * Created a new restore point

.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Linda Mason\WINDOWS

c:\windows\$NtUninstallKB24235$\3075533307\@

c:\windows\$NtUninstallKB24235$\3075533307\bckfg.tmp

c:\windows\$NtUninstallKB24235$\3075533307\cfg.ini

c:\windows\$NtUninstallKB24235$\3075533307\Desktop.ini

c:\windows\$NtUninstallKB24235$\3075533307\keywords

c:\windows\$NtUninstallKB24235$\3075533307\kwrd.dll

c:\windows\$NtUninstallKB24235$\3075533307\L\djoaiqci

c:\windows\$NtUninstallKB24235$\3075533307\lsflt7.ver

c:\windows\$NtUninstallKB24235$\3075533307\U\00000001.@

c:\windows\$NtUninstallKB24235$\3075533307\U\00000002.@

c:\windows\$NtUninstallKB24235$\3075533307\U\00000004.@

c:\windows\$NtUninstallKB24235$\3075533307\U\80000000.@

c:\windows\$NtUninstallKB24235$\3075533307\U\80000004.@

c:\windows\$NtUninstallKB24235$\3075533307\U\80000032.@

c:\windows\$NtUninstallKB24235$\3341319409

c:\windows\system32\certstore.dat

c:\windows\$NtUninstallKB24235$ . . . . Failed to delete

.

.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_6TO4

-------\Service_6to4

.

.

(((((((((((((((((((((((((   Files Created from 2011-12-26 to 2012-01-26  )))))))))))))))))))))))))))))))

.

.

2012-01-04 16:41 . 2012-01-04 16:41  --------  d--h--w-  c:\windows\PIF

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2001-12-03 22:09 . 2010-04-27 16:04  90112  ----a-w-  c:\program files\internet explorer\plugins\DjVuControl.dll

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Akamai NetSession Interface"="c:\documents and settings\Linda Mason\Local Settings\Application Data\Akamai\netsession_win.exe" [2011-12-13 3305760]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-10-24 2078048]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-06-21 18:46  12536  ----a-w-  c:\windows\system32\avgrsstx.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-04-12 16:18  10536  ----a-w-  c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1124:TCP"= 1124:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

.

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [4/12/2010 2:11 PM 25168]

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/12/2010 2:11 PM 52872]

R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys [11/11/2011 10:20 AM 17904]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/12/2010 2:11 PM 216400]

R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/12/2010 2:11 PM 243152]

R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [11/11/2011 10:20 AM 2979280]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/13/2008 5:00 PM 14336]

R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/21/2010 12:46 PM 308136]

R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [6/21/2010 12:46 PM 5897808]

R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [4/12/2010 2:11 PM 122448]

R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [4/12/2010 2:11 PM 30288]

R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [4/12/2010 2:11 PM 26192]

S0 cerc6;cerc6; [x]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2011 12:20 PM 136176]

S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [4/13/2008 5:00 PM 14336]

S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [11/11/2011 10:20 AM 51632]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2011 12:20 PM 136176]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12  REG_MULTI_SZ  Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt  REG_MULTI_SZ  hpqcxs08 hpqddsvc

Akamai  REG_MULTI_SZ  Akamai

NecUsbSevice  REG_MULTI_SZ  NecUsb

.

Contents of the 'Scheduled Tasks' folder

.

2012-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-26 18:20]

.

2012-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-26 18:20]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

Trusted Zone: isqft.com

Trusted Zone: isqft.com\www

FF - ProfilePath - c:\documents and settings\Linda Mason\Application Data\Mozilla\Firefox\Profiles\hgv72dhg.default\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

HKLM-Run-hpqSRMon - (no file)

HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe

AddRemove-HP OrderReminder - c:\program files\Hewlett-Packard\OrderReminder\uninstall\hpuninstaller.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-26 09:43

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...  

.

scanning hidden autostart entries ... 

.

scanning hidden files ...  

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]

"ServiceDll"="c:\program files\common files\akamai/netsession_win_b427739.dll"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(892)

c:\windows\system32\Ati2evxx.dll

c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

.

- - - - - - - > 'explorer.exe'(3272)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\system32\brss01a.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\AVG\AVG9\avgam.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

.

**************************************************************************

.

Completion time: 2012-01-26  09:48:48 - machine was rebooted

ComboFix-quarantined-files.txt  2012-01-26 15:48

.

Pre-Run: 28,233,564,160 bytes free

Post-Run: 29,117,972,480 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 686F6AE5BFC01B22BB3C78F17BCD17B0

Thank you!!


I am re-posting this, only because it added a lot of <p>'s and <div>'s the last time, and I'm not sure why. Hopefully this will be more readable for you. Thanks again!

ComboFix 12-01-26.01 - Linda Mason 01/26/2012 9:30.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1468 [GMT -6:00]

Running from: c:\documents and settings\Linda Mason\Desktop\ComboFix.exe

AV: AVG Internet Security Business Edition *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Linda Mason\WINDOWS

c:\windows\$NtUninstallKB24235$\3075533307\@

c:\windows\$NtUninstallKB24235$\3075533307\bckfg.tmp

c:\windows\$NtUninstallKB24235$\3075533307\cfg.ini

c:\windows\$NtUninstallKB24235$\3075533307\Desktop.ini

c:\windows\$NtUninstallKB24235$\3075533307\keywords

c:\windows\$NtUninstallKB24235$\3075533307\kwrd.dll

c:\windows\$NtUninstallKB24235$\3075533307\L\djoaiqci

c:\windows\$NtUninstallKB24235$\3075533307\lsflt7.ver

c:\windows\$NtUninstallKB24235$\3075533307\U\00000001.@

c:\windows\$NtUninstallKB24235$\3075533307\U\00000002.@

c:\windows\$NtUninstallKB24235$\3075533307\U\00000004.@

c:\windows\$NtUninstallKB24235$\3075533307\U\80000000.@

c:\windows\$NtUninstallKB24235$\3075533307\U\80000004.@

c:\windows\$NtUninstallKB24235$\3075533307\U\80000032.@

c:\windows\$NtUninstallKB24235$\3341319409

c:\windows\system32\certstore.dat

c:\windows\$NtUninstallKB24235$ . . . . Failed to delete

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_6TO4

-------\Service_6to4

.

.

((((((((((((((((((((((((( Files Created from 2011-12-26 to 2012-01-26 )))))))))))))))))))))))))))))))

.

.

2012-01-04 16:41 . 2012-01-04 16:41 -------- d--h--w- c:\windows\PIF

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2001-12-03 22:09 . 2010-04-27 16:04 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Akamai NetSession Interface"="c:\documents and settings\Linda Mason\Local Settings\Application Data\Akamai\netsession_win.exe" [2011-12-13 3305760]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-10-24 2078048]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-06-21 18:46 12536 ----a-w- c:\windows\system32\avgrsstx.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-04-12 16:18 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1124:TCP"= 1124:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

.

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [4/12/2010 2:11 PM 25168]

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/12/2010 2:11 PM 52872]

R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys [11/11/2011 10:20 AM 17904]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/12/2010 2:11 PM 216400]

R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/12/2010 2:11 PM 243152]

R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [11/11/2011 10:20 AM 2979280]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/13/2008 5:00 PM 14336]

R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/21/2010 12:46 PM 308136]

R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [6/21/2010 12:46 PM 5897808]

R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [4/12/2010 2:11 PM 122448]

R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [4/12/2010 2:11 PM 30288]

R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [4/12/2010 2:11 PM 26192]

S0 cerc6;cerc6; [x]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2011 12:20 PM 136176]

S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [4/13/2008 5:00 PM 14336]

S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [11/11/2011 10:20 AM 51632]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2011 12:20 PM 136176]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

Akamai REG_MULTI_SZ Akamai

NecUsbSevice REG_MULTI_SZ NecUsb

.

Contents of the 'Scheduled Tasks' folder

.

2012-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-26 18:20]

.

2012-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-26 18:20]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

Trusted Zone: isqft.com

Trusted Zone: isqft.com\www

FF - ProfilePath - c:\documents and settings\Linda Mason\Application Data\Mozilla\Firefox\Profiles\hgv72dhg.default\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

HKLM-Run-hpqSRMon - (no file)

HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe

AddRemove-HP OrderReminder - c:\program files\Hewlett-Packard\OrderReminder\uninstall\hpuninstaller.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-26 09:43

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]

"ServiceDll"="c:\program files\common files\akamai/netsession_win_b427739.dll"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(892)

c:\windows\system32\Ati2evxx.dll

c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

.

- - - - - - - > 'explorer.exe'(3272)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\system32\brss01a.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\AVG\AVG9\avgam.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

.

**************************************************************************

.

Completion time: 2012-01-26 09:48:48 - machine was rebooted

ComboFix-quarantined-files.txt 2012-01-26 15:48

.

Pre-Run: 28,233,564,160 bytes free

Post-Run: 29,117,972,480 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 686F6AE5BFC01B22BB3C78F17BCD17B0


Cozzalinda:

Thanks for reposting that! Please do this next:

Please download GrantPerms.zip and save it to your desktop.

  • Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
  • Copy and paste the following in the edit box:
    c:\windows\$NtUninstallKB24235$


  • Click Unlock. When it is done click "OK".
  • Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • GrantPerms log
  • MBAM log


I was only able to do half of what you asked. First, Perms.txt:

GrantPerms by Farbar

Ran by Linda Mason (administrator) at 2012-01-27 09:11:16

===============================================

\\?\c:\windows\$NtUninstallKB24235$

Owner: BUILTIN\Administrators

DACL(NP)(AI):

BUILTIN\Administrators FULL ALLOW (CI)(OI)

NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)

BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)

BUILTIN\Users READ/EXECUTE ALLOW (I)

BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(IO)(I)

BUILTIN\Power Users change ALLOW (I)

BUILTIN\Power Users change ALLOW (CI)(OI)(IO)(I)

BUILTIN\Administrators FULL ALLOW (I)

BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)

NT AUTHORITY\SYSTEM FULL ALLOW (I)

NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)

CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)

I was not able to update the Malwarebytes Anti-Malware program. When I click "update," it returns the following error:

An error has occurred. Please report the error code to our support team.

PROGRAM_ERROR_UPDATING(12007, 0, WinHttpSendRequest)

I await further instructions.

Thank you!


Cozzalinda:

Please do this next:

Please download Junction.zip and save it.

  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start > Run or press the Windows key + R. Copy and paste the following command in the run box and click OK:
    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt


  • A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.

Please include the following in your next post:

  • Junction log


Here's the junction log. In the txt file, all those "..." are preceded and followed by zeros.

Thank you!

Junction v1.06 - Windows junction creator and reparse point viewer

Copyright © 2000-2010 Mark Russinovich

Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

..

Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.

.

...

...

...

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

.\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

..

...

...

...

...

...

...

...

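Junction's `-s` output, as posted above, is mostly progress dots, "Failed to open" lines and one three-line record per reparse point (path and type, then Print Name and Substitute Name). The following is an added example for triaging that output; it is not code from this thread or from Sysinternals. It parses the log (including the record whose path has a progress dot glued to its front), collects the paths the tool could not open, and lists reparse points whose target lies outside C:\WINDOWS\WinSxS, which is where the two .NET GAC junctions in the log point. One extra record is constructed so the filter has something to flag; the `hidden` path and `C:\Temp\elsewhere` are made up. Which target prefixes count as expected is a judgement call, so treat the allow-list as a starting point rather than a verdict.

```python
import re

# Constructed sample input: an excerpt of the junction.exe log posted above (two
# "Failed to open" lines, progress dots, the two .NET GAC junctions, including the
# record whose path has a stray dot glued to its front) plus one made-up junction
# so that the filter below has something to flag.
JUNCTION_LOG = r"""
Junction v1.06 - Windows junction creator and reparse point viewer
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...
...
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.
.
\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
.\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
..
\\?\c:\\Documents and Settings\All Users\Application Data\hidden: JUNCTION
Print Name : C:\Temp\elsewhere
Substitute Name: C:\Temp\elsewhere
"""

# "<path>: <TYPE>" with any number of progress dots glued in front of the path.
ENTRY = re.compile(r"^\.*(\\\\\?\\.+?): ([A-Z][A-Z ]*[A-Z])$")
TARGET = re.compile(r"^(Print Name|Substitute Name)\s*:\s*(.*)$")


def parse_junction_log(text):
    """Return (entries, errors): one dict per reparse point, plus the paths
    junction.exe reported it could not open."""
    entries, errors, current = [], [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Failed to open "):
            errors.append(line[len("Failed to open "):].split(": ", 1)[0])
            continue
        m = ENTRY.match(line)
        if m:
            current = {"path": m.group(1), "kind": m.group(2), "print": None, "target": None}
            entries.append(current)
            continue
        m = TARGET.match(line)
        if m and current is not None:
            current["print" if m.group(1) == "Print Name" else "target"] = m.group(2)
    return entries, errors


def suspicious_reparse_points(entries, allowed_prefixes=("C:\\WINDOWS\\WinSxS\\",)):
    """Reparse points whose target is outside every allowed prefix. The default
    covers the .NET GAC junctions seen in the log; widen it deliberately."""
    flagged = []
    for e in entries:
        target = (e["target"] or e["print"] or "").lower()
        if not any(target.startswith(p.lower()) for p in allowed_prefixes):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    found, unreadable = parse_junction_log(JUNCTION_LOG)
    print("could not open:", unreadable)
    for e in suspicious_reparse_points(found):
        print(e["kind"], e["path"], "->", e["target"])
```

The "Access is denied" entry for `c:\Qoobox\BackEnv` is ComboFix's own quarantine folder, so it is expected here; on a machine where the tool cannot open a directory under C:\WINDOWS that it should be able to read, that line is itself worth a closer look.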

Cozzalinda:

Please do this next:

Uninstall Malwarebytes via Control Panel > Add/Remove Programs

  • Reboot
  • Download the Malwarebytes Removal Tool
  • Double click on the utility to run it
  • It will ask to restart your computer (please allow it to).
  • After the computer restarts, install the latest version from here
  • Choose the options to update and open the program and run a full scan

Please include the following in your next post:

  • MBAM log


Here's the problem I'm having now.

When I became infected with the virus, one of the problems (in addition to many many annoying pop-ups and not being able to open certain programs) was that it wouldn't allow me to open websites (IE would open, but couldn't connect to websites.) I have kept the computer offline almost entirely since then. When you told me to download files, I did it on another machine, put it on a flash drive and transferred it to the infected machine. Exception: when I ran ComboFix and it needed to download and install Microsoft Windows Recovery Console, I reconnected the internet for that, and it seems to have worked fine.

NOW, however, when I try to connect to the internet (so I can download and update Malwarebytes), it tells me there is "limited or no connectivity," and I am unable to access any websites at all.

We checked thoroughly, and there is no problem with our network.

I was able to run the Malwarebytes Removal Tool. The problem just lies in that I can't use the internet to update a new version of Malwarebytes.

Sorry, and thanks again for your help.


Cozzalinda:

This infection is pretty notorious for causing loss of internet connectivity. Please do this next:

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Please include the following in your next post:

  • FSS log


Phew... it's not just me. :)

Farbar Service Scanner Version: 31-01-2012 01

Ran by Linda Mason (administrator) on 31-01-2012 at 16:44:29

Microsoft Windows XP Professional Service Pack 3 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Attempt to access Google IP returned error: Google IP is unreachable

Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys

[2011-12-22 10:32] - [2011-08-17 07:49] - 0138496 ____A () 99B74D4C168C5FA4EDEB8F5BAD50972B

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

AvgTdiX(86) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)

0x080000000500000001000000020000000300000004000000560000000600000007000000

IpSec Tag value is correct.

**** End of log ****

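The two lines under "Extra List" in the FSS log above are, to my understanding of what the tool checks, the Tag values of the services in the PNP_TDI driver load-order group and the PNP_TDI value under `HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList`, a REG_BINARY made of little-endian DWORDs: a count (8 here) followed by the tags in load order. "IpSec Tag value is correct" then just means IPSec's tag (5) is present in that list. The following is an added example, not code from the thread or from Farbar Service Scanner, that decodes the value, checks every listed service against it, and shows the failure case with a constructed tampered value from which the IPSec tag has been dropped. The registry path is stated from memory rather than from the page. Note that on this machine the check passed and the real cause of the lost connectivity turned out to be elsewhere, so a clean result here rules out only one thing.

```python
import re
import struct

# Constructed sample input: the two lines under "Extra List" in the FSS log above.
EXTRA_LIST = "AvgTdiX(86) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)"
PNP_TDI_ORDER = "0x080000000500000001000000020000000300000004000000560000000600000007000000"

# Constructed tampered value for the failure case: the same list with the IPSec
# tag (5) removed and the leading count lowered to 7.
PNP_TDI_ORDER_TAMPERED = "0x0700000001000000020000000300000004000000560000000600000007000000"


def parse_service_tags(line):
    """'Name(tag) Name(tag) ...' -> {name: tag}"""
    return {name: int(tag) for name, tag in re.findall(r"([A-Za-z0-9_]+)\((\d+)\)", line)}


def decode_group_order(hex_value):
    """A GroupOrderList value is REG_BINARY: a little-endian DWORD count followed
    by that many DWORD tags, in load order. Returns the tags as a list."""
    digits = hex_value[2:] if hex_value[:2].lower() == "0x" else hex_value
    raw = bytes.fromhex(digits)
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("value must be a whole number of DWORDs")
    count, *tags = struct.unpack("<%dI" % (len(raw) // 4), raw)
    if count != len(tags):
        raise ValueError(f"count field {count} disagrees with {len(tags)} tag entries")
    return tags


def check_group(service_tags, order):
    """Return (missing, positions): services whose Tag is absent from the order
    list, and the load position of each service that is present."""
    missing, positions = {}, {}
    for name, tag in service_tags.items():
        if tag in order:
            positions[name] = order.index(tag)
        else:
            missing[name] = tag
    return missing, positions


def ipsec_tag_ok(extra_list_line, order_hex):
    """The check FSS reports as 'IpSec Tag value is correct'."""
    missing, _ = check_group(parse_service_tags(extra_list_line),
                             decode_group_order(order_hex))
    return "IPSec" not in missing


if __name__ == "__main__":
    order = decode_group_order(PNP_TDI_ORDER)
    print("load order:", order)
    print("missing, positions:", check_group(parse_service_tags(EXTRA_LIST), order))
    print("IPSec tag ok:", ipsec_tag_ok(EXTRA_LIST, PNP_TDI_ORDER))
    print("IPSec tag ok (tampered):", ipsec_tag_ok(EXTRA_LIST, PNP_TDI_ORDER_TAMPERED))
```

Tags 1 and 2 appear in the order list but not in the service line; that is normal, since the list can carry tags for services that are not installed, and the check only needs to run in the other direction.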

Here it is...

Farbar Service Scanner Version: 31-01-2012 01

Ran by Linda Mason (administrator) on 01-02-2012 at 09:05:13

Microsoft Windows XP Service Pack 3 (X86)

************************************************

================== Search: "afd.sys" ===================

C:\WINDOWS\system32\drivers\afd.sys

[2011-12-22 10:32] - [2011-08-17 07:49] - 0138496 ____A () 99B74D4C168C5FA4EDEB8F5BAD50972B

C:\WINDOWS\system32\dllcache\afd.sys

[2008-04-13 17:00] - [2011-02-16 07:22] - 0138496 ____C (Microsoft Corporation) 355556D9E580915118CD7EF736653A89

C:\WINDOWS\SoftwareDistribution\Download\402b80bba3eb5ba477eeaa840ad0e146\SP3QFE\afd.sys

[2011-06-16 09:24] - [2011-02-16 07:25] - 0138496 ____A (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4

C:\WINDOWS\SoftwareDistribution\Download\402b80bba3eb5ba477eeaa840ad0e146\SP3GDR\afd.sys

[2011-06-16 09:24] - [2011-02-16 07:22] - 0138496 ____A (Microsoft Corporation) 355556D9E580915118CD7EF736653A89

C:\WINDOWS\$NtUninstallKB956803$\afd.sys

[2010-04-12 12:26] - [2008-06-20 05:40] - 0138496 ____C (Microsoft Corporation) E3049B90FE06F3F740B7CFDA44995E2C

C:\WINDOWS\$NtUninstallKB951748$\afd.sys

[2010-04-12 12:26] - [2008-04-13 17:00] - 0138112 ____C (Microsoft Corporation) 322D0E36693D6E24A2398BEE62A268CD

C:\WINDOWS\$NtUninstallKB2509553$\afd.sys

[2011-04-14 10:55] - [2008-08-14 04:04] - 0138496 ____C (Microsoft Corporation) 7E775010EF291DA96AD17CA4B17137D7

C:\WINDOWS\$NtUninstallKB2503665$\afd.sys

[2011-06-17 08:06] - [2008-10-16 08:43] - 0138496 ____C (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys

[2010-04-12 12:22] - [2008-08-14 04:34] - 0138496 ____A (Microsoft Corporation) 4D43E74F2A1239D53929B82600F1971C

C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys

[2008-06-20 05:48] - [2008-06-20 05:48] - 0138496 ____A (Microsoft Corporation) D6EE6014241D034E63C49A50CB2B442A

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys

[2008-10-16 09:07] - [2008-10-16 09:07] - 0138496 ____A (Microsoft Corporation) 38D7B715504DA4741DF35E3594FE2099

C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys

[2011-06-16 09:24] - [2011-02-16 07:25] - 0138496 ____A (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4

====== End Of Search ======


Cozzalinda:

Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above FCopy::

FCopy::
C:\WINDOWS\SoftwareDistribution\Download\402b80bba3eb5ba477eeaa840ad0e146\SP3QFE\afd.sys | C:\WINDOWS\system32\drivers\afd.sys

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

If ComboFix does not reboot your computer, please reboot it yourself, then run this:

Please run Farbar Service Scanner again.

  • Make sure the following options are checked:
    • Internet Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Please include the following in your next post:

  • ComboFix log
  • FSS log

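The FSS `Search: "afd.sys"` output two posts up and the FCopy directive just above are worth walking through together, because the decision the helper made by eye can be written down. The live driver under system32\drivers shows an empty company field, `()`, and an MD5 that matches none of the other copies on disk, every one of which carries "Microsoft Corporation" and belongs to a known service-pack or hotfix branch. The following is an added example, not code from this thread or from Farbar's or ComboFix's tools: it parses the search block, flags the live copy on exactly those two grounds, and picks the newest vendor-attributed copy as the replacement, which comes out as the same SoftwareDistribution SP3QFE file the CFScript names. The sample input is six of the twelve entries from the posted log, embedded as constructed test data. Two caveats a practitioner would want: comparing against sibling copies on disk is a heuristic, and the authoritative check is the file's signature against Microsoft's catalogs; and the SP3QFE versus SP3GDR choice (hotfix branch versus general-distribution branch) should be confirmed against what the machine actually runs before copying anything.

```python
import re
from dataclasses import dataclass

# Constructed sample input: six of the twelve entries from the FSS
# 'Search: "afd.sys"' block posted above, copied as path line + metadata line.
FSS_SEARCH = r"""
C:\WINDOWS\system32\drivers\afd.sys
[2011-12-22 10:32] - [2011-08-17 07:49] - 0138496 ____A () 99B74D4C168C5FA4EDEB8F5BAD50972B
C:\WINDOWS\system32\dllcache\afd.sys
[2008-04-13 17:00] - [2011-02-16 07:22] - 0138496 ____C (Microsoft Corporation) 355556D9E580915118CD7EF736653A89
C:\WINDOWS\SoftwareDistribution\Download\402b80bba3eb5ba477eeaa840ad0e146\SP3QFE\afd.sys
[2011-06-16 09:24] - [2011-02-16 07:25] - 0138496 ____A (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4
C:\WINDOWS\SoftwareDistribution\Download\402b80bba3eb5ba477eeaa840ad0e146\SP3GDR\afd.sys
[2011-06-16 09:24] - [2011-02-16 07:22] - 0138496 ____A (Microsoft Corporation) 355556D9E580915118CD7EF736653A89
C:\WINDOWS\$NtUninstallKB956803$\afd.sys
[2010-04-12 12:26] - [2008-06-20 05:40] - 0138496 ____C (Microsoft Corporation) E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys
[2011-06-16 09:24] - [2011-02-16 07:25] - 0138496 ____A (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4
"""

# One FSS metadata line: [created] - [modified] - size attrs (CompanyName) MD5
META = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class DriverCopy:
    path: str
    created: str
    modified: str   # build timestamp, ISO-like so string order is time order
    size: int
    company: str    # CompanyName from the version resource; empty when it is gone
    md5: str


def parse_fss_search(text):
    """Turn the FSS search block into DriverCopy records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected alternating path / metadata lines")
    copies = []
    for path, meta in zip(lines[0::2], lines[1::2]):
        m = META.match(meta)
        if not m:
            raise ValueError(f"unrecognised metadata line: {meta!r}")
        copies.append(DriverCopy(path, m["created"], m["modified"], int(m["size"]),
                                 m["company"], m["md5"].upper()))
    return copies


def live_copy(copies, driver="afd.sys"):
    """The copy Windows actually loads is the one under system32\\drivers."""
    for c in copies:
        if c.path.lower().endswith("\\system32\\drivers\\" + driver):
            return c
    raise LookupError(f"no live copy of {driver} in the search output")


def assess(copies, vendor="Microsoft Corporation"):
    """Return (suspicious, replacement).

    The live driver is suspicious when it has lost its vendor string or its
    hash matches none of the vendor-attributed copies elsewhere on disk.
    The replacement is the newest vendor-attributed copy; max() keeps the
    first of equal candidates, so the SoftwareDistribution SP3QFE file wins
    over the identical $hf_mig$ copy listed later.
    """
    live = live_copy(copies)
    vendor_copies = [c for c in copies if c is not live and c.company == vendor]
    known_hashes = {c.md5 for c in vendor_copies}
    suspicious = live.company != vendor or live.md5 not in known_hashes
    replacement = max(vendor_copies, key=lambda c: c.modified, default=None)
    return suspicious, replacement


def cfscript_fcopy(copies):
    """ComboFix FCopy directive (source | destination), or None if nothing to do."""
    suspicious, replacement = assess(copies)
    if not suspicious or replacement is None:
        return None
    return f"FCopy::\n{replacement.path} | {live_copy(copies).path}"


if __name__ == "__main__":
    print(cfscript_fcopy(parse_fss_search(FSS_SEARCH)))
```

Run stand-alone it prints the same two-line FCopy script the helper posted. The tie-break in `assess` is deliberate: when two candidates are byte-identical (same hash, same build time), the one that Windows Update staged under SoftwareDistribution is as good a source as the `$hf_mig$` copy, and it is the one the helper chose.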

Holy cow, I think I have internet again. Don't worry, I won't go doing anything crazy.

______________________________________________________________________________

ComboFix 12-01-26.01 - Linda Mason 02/01/2012 13:27:42.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1337 [GMT -6:00]

Running from: c:\documents and settings\Linda Mason\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Linda Mason\Desktop\CFScript.txt

AV: AVG Internet Security Business Edition *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

- REDUCED FUNCTIONALITY MODE -

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

--------------- FCopy ---------------

.

c:\windows\SoftwareDistribution\Download\402b80bba3eb5ba477eeaa840ad0e146\SP3QFE\afd.sys --> c:\windows\system32\drivers\afd.sys

.

((((((((((((((((((((((((( Files Created from 2012-01-01 to 2012-02-01 )))))))))))))))))))))))))))))))

.

.

2012-01-30 15:31 . 2010-09-07 21:39 150392 ----a-w- c:\windows\junction.exe

2012-01-04 16:41 . 2012-01-04 16:41 -------- d--h--w- c:\windows\PIF

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2001-12-03 22:09 . 2010-04-27 16:04 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-01-26_15.40.48 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-01-30 21:39 . 2012-01-30 21:39 16384 c:\windows\Temp\Perflib_Perfdata_e38.dat

+ 2012-01-30 21:39 . 2012-01-30 21:39 16384 c:\windows\Temp\Perflib_Perfdata_d10.dat

+ 2011-12-22 16:32 . 2011-02-16 13:25 138496 c:\windows\system32\dllcache\afd.sys

- 2008-04-13 23:00 . 2011-02-16 13:22 138496 c:\windows\system32\dllcache\afd.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Akamai NetSession Interface"="c:\documents and settings\Linda Mason\Local Settings\Application Data\Akamai\netsession_win.exe" [2011-12-13 3305760]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-10-24 2078048]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-06-21 18:46 12536 ----a-w- c:\windows\system32\avgrsstx.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-04-12 16:18 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1124:TCP"= 1124:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

.

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [4/12/2010 2:11 PM 25168]

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/12/2010 2:11 PM 52872]

R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys [11/11/2011 10:20 AM 17904]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/12/2010 2:11 PM 216400]

R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/12/2010 2:11 PM 243152]

R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [11/11/2011 10:20 AM 2979280]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/13/2008 5:00 PM 14336]

R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/21/2010 12:46 PM 308136]

R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [6/21/2010 12:46 PM 5897808]

R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [4/12/2010 2:11 PM 122448]

R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [4/12/2010 2:11 PM 30288]

R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [4/12/2010 2:11 PM 26192]

S0 cerc6;cerc6; [x]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2011 12:20 PM 136176]

S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [4/13/2008 5:00 PM 14336]

S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [11/11/2011 10:20 AM 51632]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2011 12:20 PM 136176]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

Akamai REG_MULTI_SZ Akamai

NecUsbSevice REG_MULTI_SZ NecUsb

.

Contents of the 'Scheduled Tasks' folder

.

2012-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-26 18:20]

.

2012-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-26 18:20]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

Trusted Zone: isqft.com

Trusted Zone: isqft.com\www

FF - ProfilePath - c:\documents and settings\Linda Mason\Application Data\Mozilla\Firefox\Profiles\hgv72dhg.default\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-01 13:28

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]

"ServiceDll"="c:\program files\common files\akamai/netsession_win_b427739.dll"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(708)

c:\windows\system32\Ati2evxx.dll

c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

.

- - - - - - - > 'explorer.exe'(13340)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2012-02-01 13:31:57

ComboFix-quarantined-files.txt 2012-02-01 19:31

ComboFix2.txt 2012-01-26 15:48

.

Pre-Run: 29,102,817,280 bytes free

Post-Run: 29,417,648,128 bytes free

.

- - End Of File - - 305A9CA4C76EDA1830D8B1F5ADE54177

______________________________________________________________________________

Farbar Service Scanner Version: 31-01-2012 01

Ran by Linda Mason (administrator) on 01-02-2012 at 13:36:54

Microsoft Windows XP Professional Service Pack 3 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys

[2011-12-22 10:32] - [2011-02-16 07:25] - 0138496 ____A (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

AvgTdiX(86) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)

0x080000000500000001000000020000000300000004000000560000000600000007000000

IpSec Tag value is correct.

**** End of log ****


No malicious items detected! I hope that's a good thing.

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.01.06

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Linda Mason :: LINDA [administrator]

2/1/2012 2:23:16 PM

mbam-log-2012-02-01 (14-23-16).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 225032

Time elapsed: 37 minute(s), 2 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Cozzalinda:

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Go to this page to download the latest version. Press the download button under JRE and follow the prompts. Accept the agreement and choose the Windows x86 offline option.
  • Run the installer you just downloaded.

Please go to here to run an online scan with ESET.

    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
    • Click on Advanced Settings and ensure these options are ticked:
        • Scan for potentially unwanted applications
        • Scan for potentially unsafe applications
        • Enable Anti-Stealth Technology
    • Click Scan
    • Wait for the scan to finish
    • If any threats were found, click the 'List of found threats', then click Export to text file....
    • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Please include the following in your next post:

  • How is the computer running now?
  • ESET log


My computer seems to be running considerably better.

  • There are no more annoying popups or fake "threat warnings."
  • The internet seems to be working perfectly.
  • I have the Task Manager open, and neither ping.exe nor multiple instances of iexplore.exe are opening and sucking up memory, which was a huge problem before.
  • I haven't been doing anything other than what you instruct me to, so I can't say how other programs will perform, but everything seems to be working very well.

Here's what ESET found:

C:\Documents and Settings\Linda Mason\Application Data\Sun\Java\Deployment\cache\6.0\34\77382de2-627f8099 probably a variant of Java/Rowindal.A trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\afd.sys.vir Win32/Sirefef.DA trojan


Cozzalinda:

This will take care of that ESET detection (the other is already in quarantine):

Go to Start > Run and copy/paste the contents of the codebox below into the Run box and click OK:

cmd /c del /a/f/q "C:\Documents and Settings\Linda Mason\Application Data\Sun\Java\Deployment\cache\6.0\34\77382de2-627f8099"

A DOS window may briefly open and close again; this is normal.

Other than that, your logs look good! All I have left for you is some very important cleanup:

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall


Delete the following tools along with any other logs you saved from our work:

  • DDS
  • GMER
  • Junction
  • FSS

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine.
  • If it doesn't, manually reboot to ensure a complete clean.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!


All done! One last thing... I just opened this forum on the infected computer, in IE, and most of the pictures/icons come up as red X's. I then tried Google & Yahoo, and got the same result. Is there a security setting somewhere that is not allowing them to load? It's not a huge deal, but some of the things that aren't showing up are buttons or links, and that seems like it could be a problem.

I have Google Chrome on a different computer, and like it better than IE, so I may just download that and use it anyway, which may solve the red X problem. Your thoughts welcome.

Thank you, thank you, thank you for all your help!!!
