
Redirected Search results and other problems - Please help!


Srini


Hello,

Posting here after spending many, many hours over a few days trying to resolve this problem, so I appreciate your help in resolving this.

Quick background:

--------------------

Problem 1) Redirects after Google search

Problem 2) Malwarebytes has been finding new issues each day even though it cleans up every day. I have not been doing much browsing (except for going on these forums and a little Black Friday research).

FYI, thanks to your forums, I was able to resolve these next two problems (used Avira AntiVir Rescue System):

Problem 2 - think this is resolved) Was getting a pop-up that the system was infected

Problem 3 - resolved) Was unable to start Malwarebytes or HijackThis

I have run HijackThis and have followed the instructions from http://www.malwarebytes.org/forums/index.php?showtopic=9573

(Avira and Malwarebytes found some infections.)

Logs included:

- Malwarebytes

- DDS.txt

- Hijackthis

- Attach.zip - Attach.txt and ark.txt

Here are the logs:

----------------------------------------

Malwarebytes log:

Malwarebytes' Anti-Malware 1.41

Database version: 3250

Windows 5.1.2600 Service Pack 2

11/28/2009 10:20:03 AM

mbam-log-2009-11-28 (10-20-03).txt

Scan type: Quick Scan

Objects scanned: 154981

Time elapsed: 11 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\mscert.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\WINDOWS\rdolib.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

D:\Documents and Settings\LocalService\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot.

C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.

----------------------------------------------

DDS.txt:

DDS (Ver_09-11-24.02) - NTFSx86

Run by janaki at 11:36:37.90 on Sat 11/28/2009

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.109 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}

FW: Norton 360 Premier Edition *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\NETGEAR\WNDA3100\WNDA3100.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Avira\AntiVir Desktop\avcenter.exe

C:\Program Files\Avira\AntiVir Desktop\avscan.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Avira\AntiVir Desktop\avscan.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\notepad.exe

C:\My Downloads\Defogger.exe

D:\Documents and Settings\janaki\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: {BBCE9859-AC56-4091-B80B-A710A4719CEC} - No File

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [osCheck] "c:\program files\norton 360 premier edition\osCheck.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wnda3100\WNDA3100.exe

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{882025a7-7599-4989-8fcd-7604fb90d6a9}\Icon6560581611.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\windows\system32\PGPlsp.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37887.6715625

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: c:\windows\system32\rdolib.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli PGPpwflt

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\janaki\applic~1\mozilla\firefox\profiles\fobmwy2q.default\

FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll

FF - plugin: d:\documents and settings\janaki\application data\mozilla\firefox\profiles\fobmwy2q.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2007-8-10 97792]

R0 PGPwded;PGPwded Storage Filter Service;c:\windows\system32\drivers\PGPwded.sys [2007-8-10 168960]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-28 108289]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-8 93320]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]

R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [2007-8-10 224256]

R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [2007-8-10 33792]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-5-26 9817]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-22 102448]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-10-1 57440]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-24 38224]

R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-6-30 57408]

S2 0179441259267586mcinstcleanup;McAfee Application Installer Cleanup (0179441259267586);c:\windows\temp\017944~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\017944~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-5-26 137392]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]

S3 ECCL100;ECCL100 NDIS Protocol Driver;\??\c:\windows\system32\eccl100.sys --> c:\windows\system32\ECCL100.SYS [?]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\netgear\wnda3100\jswpsapi.exe [2008-2-27 360547]

S3 NaiAvFilter104;NAI Anti Virus;\Device\NaiAvFilter104.sys --> \Device\NaiAvFilter104.sys [?]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]

S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]

S3 Usbidevws;Usbidevws;c:\windows\system32\drivers\hidbth.sys [2004-8-4 25600]

S3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\mrv8k51.sys --> c:\windows\system32\drivers\mrv8k51.sys [?]

S3 wind502u;USB 2.0 Wireless Network Adapter;c:\windows\system32\drivers\wind502u.sys --> c:\windows\system32\drivers\wind502u.sys [?]

S3 WNDA3100;NETGEAR WNDA3100 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WNDA31.sys [2008-9-30 453120]

S4 ExtranetAccess;Contivity VPN Service;c:\program files\ip vpn remote services\Extranet_serv.exe [2007-12-7 811008]

S4 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-4 14336]

S4 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]

S4 SDService;Unicenter Software Delivery;"c:\program files\ca\unicenter software delivery\bin\sdserv.exe" --> c:\program files\ca\unicenter software delivery\bin\SDSERV.EXE [?]

=============== Created Last 30 ================

2009-11-28 17:33:44 0 ----a-w- d:\documents and settings\janaki\defogger_renable

2009-11-28 07:04:11 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-28 07:03:51 0 d-----w- d:\docume~1\alluse~1\applic~1\Avira

2009-11-28 07:03:51 0 d-----w- c:\program files\Avira

2009-11-26 20:29:08 0 d-----w- d:\docume~1\janaki\applic~1\Malwarebytes

2009-11-26 20:26:18 13668 ----a-w- c:\windows\system32\wpa.bak

2009-11-26 20:13:41 488 ---ha-r- c:\windows\system32\logonui.exe.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\WindowsShell.Manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest

2009-11-26 20:10:19 295424 ----a-w- c:\windows\system32\termsrv.dll

2009-11-26 19:43:15 13312 ----a-w- c:\windows\system32\irclass.dll

2009-11-26 19:43:13 24661 ----a-w- c:\windows\system32\spxcoins.dll

2009-11-24 07:16:18 0 ----a-w- d:\documents and settings\janaki\settings.dat

2009-11-24 06:25:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-24 06:25:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-24 06:25:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-21 23:09:25 0 d-----w- c:\program files\Norton 360 Premier Edition

2009-11-21 23:05:43 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-11-21 23:05:43 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-11-21 23:05:43 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-11-21 23:05:43 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-11-21 23:05:19 0 d-----w- c:\program files\Symantec

2009-11-20 12:20:32 0 d-----w- c:\program files\WinPcap

2009-11-20 01:03:25 30 ----a-w- c:\windows\system32\worker.info

2009-11-20 01:03:25 30 ----a-w- c:\windows\system32\thread.xml

2009-11-20 01:03:25 30 ----a-w- c:\windows\system32\config.data

2009-11-16 15:27:58 100 ------w- c:\windows\system32\flags.ini

2009-11-03 02:26:07 0 d-----w- d:\docume~1\janaki\applic~1\Visio

==================== Find3M ====================

2009-11-26 20:11:21 23460 -c--a-w- c:\windows\system32\emptyregdb.dat

2008-12-20 14:55:51 1606064 ----a-w- c:\program files\googletalk-setup.exe

============= FINISH: 11:38:11.25 ===============

------------------------------------------------------------------------------------------------

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:07:03 PM, on 11/28/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\NETGEAR\WNDA3100\WNDA3100.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Avira\AntiVir Desktop\avcenter.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\notepad.exe

C:\My Downloads\Defogger.exe

C:\WINDOWS\system32\wscript.exe

C:\My Downloads\2tpnvkpy.exe

C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: CitiUSBrowserHelper Class - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: (no name) - {BBCE9859-AC56-4091-B80B-A710A4719CEC} - (no file)

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: NETGEAR WNDA3100 Smart Wizard.lnk = C:\Program Files\NETGEAR\WNDA3100\WNDA3100.exe

O4 - Global Startup: PGPtray.exe.lnk = ?

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - http://moneycentral.msn.com/cabs/pmupd806.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\rdolib.dll

O20 - Winlogon Notify: wvUkLFya - C:\WINDOWS\

O23 - Service: McAfee Application Installer Cleanup (0179441259267586) (0179441259267586mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\017944~1.EXE (file missing)

O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\NETGEAR\WNDA3100\jswpsapi.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--

End of file - 7699 bytes

----------------------------------------------

Thanks for spending your valuable time to review this; I hope this can get resolved soon.

- sri


Hello,

I have not received a response to my request below (4th day today). Attempting to bump this up, please.

Thanks


============= SERVICES / DRIVERS ===============

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2007-8-10 97792]

R0 PGPwded;PGPwded Storage Filter Service;c:\windows\system32\drivers\PGPwded.sys [2007-8-10 168960]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-28 108289]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-8 93320]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]

R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [2007-8-10 224256]

R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [2007-8-10 33792]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-5-26 9817]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-22 102448]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-10-1 57440]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-24 38224]

R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-6-30 57408]

S2 0179441259267586mcinstcleanup;McAfee Application Installer Cleanup (0179441259267586);c:\windows\temp\017944~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\017944~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-5-26 137392]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]

S3 ECCL100;ECCL100 NDIS Protocol Driver;\??\c:\windows\system32\eccl100.sys --> c:\windows\system32\ECCL100.SYS [?]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\netgear\wnda3100\jswpsapi.exe [2008-2-27 360547]

S3 NaiAvFilter104;NAI Anti Virus;\Device\NaiAvFilter104.sys --> \Device\NaiAvFilter104.sys [?]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]

S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]

S3 Usbidevws;Usbidevws;c:\windows\system32\drivers\hidbth.sys [2004-8-4 25600]

S3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\mrv8k51.sys --> c:\windows\system32\drivers\mrv8k51.sys [?]

S3 wind502u;USB 2.0 Wireless Network Adapter;c:\windows\system32\drivers\wind502u.sys --> c:\windows\system32\drivers\wind502u.sys [?]

S3 WNDA3100;NETGEAR WNDA3100 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WNDA31.sys [2008-9-30 453120]

S4 ExtranetAccess;Contivity VPN Service;c:\program files\ip vpn remote services\Extranet_serv.exe [2007-12-7 811008]

S4 getPlusHelper;getPlus

Hello and welcome to Malwarebytes.

I apologize for the late response.

If you still require assistance, we would like to see the latest state of your system. So, please read this thread for instructions on running the tools and posting the logs: http://www.malwarebytes.org/forums/index.php?showtopic=9573

In your reply, I would also like to know any symptoms you may still have and how your computer is running at the moment.

Please note that the forum is very busy and if I don

Hello Extremeboy,

Thanks for taking the time! It is appreciated.

As of yesterday morning, search links were getting redirected to the wrong places. Oddly enough (without me doing anything additional), the links are working OK this morning. :) (This is my mother's computer, so I don't use it too often.)

Since I did not do anything at all yesterday, I am a bit confused. So I would still like to request you to take a look at the logs, as there could still be some underlying problem. (This problem has been there for 3 weeks now, so I cannot imagine it would disappear the day you responded!)

Logs as requested:

----------

Malwarebytes' Anti-Malware 1.42

Database version: 3298

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

12/4/2009 11:36:54 PM

mbam-log-2009-12-04 (23-36-54).txt

Scan type: Quick Scan

Objects scanned: 157239

Time elapsed: 15 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

----------------------------------------------------

----------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86

Run by janaki at 12:15:59.47 on Sat 12/05/2009

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.572 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}

FW: Norton 360 Premier Edition *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\NETGEAR\WNDA3100\WNDA3100.exe

C:\WINDOWS\system32\cleanmgr.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

c:\program files\avira\antivir desktop\avcenter.exe

C:\My Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: {BBCE9859-AC56-4091-B80B-A710A4719CEC} - No File

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [osCheck] "c:\program files\norton 360 premier edition\osCheck.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wnda3100\WNDA3100.exe

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{882025a7-7599-4989-8fcd-7604fb90d6a9}\Icon6560581611.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\windows\system32\PGPlsp.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37887.6715625

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: c:\windows\system32\rdolib.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli PGPpwflt

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\janaki\applic~1\mozilla\firefox\profiles\fobmwy2q.default\

FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2007-8-10 97792]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-28 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-28 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-28 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-28 55656]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-8 93320]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-5-26 9817]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-1 102448]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-10-1 57440]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091204.037\NAVENG.SYS [2009-12-4 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091204.037\NAVEX15.SYS [2009-12-4 1323568]

R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-11-21 1245064]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-5-26 137392]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]

S3 ECCL100;ECCL100 NDIS Protocol Driver;\??\c:\windows\system32\eccl100.sys --> c:\windows\system32\ECCL100.SYS [?]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\netgear\wnda3100\jswpsapi.exe [2008-2-27 360547]

S3 NaiAvFilter104;NAI Anti Virus;\Device\NaiAvFilter104.sys --> \Device\NaiAvFilter104.sys [?]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]

S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]

S3 Usbidevws;Usbidevws;c:\windows\system32\drivers\hidbth.sys [2004-8-4 25600]

S3 wind502u;USB 2.0 Wireless Network Adapter;c:\windows\system32\drivers\wind502u.sys --> c:\windows\system32\drivers\wind502u.sys [?]

S3 WNDA3100;NETGEAR WNDA3100 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WNDA31.sys [2008-9-30 453120]

S4 0179441259267586mcinstcleanup;McAfee Application Installer Cleanup (0179441259267586);c:\windows\temp\017944~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\017944~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S4 ExtranetAccess;Contivity VPN Service;c:\program files\ip vpn remote services\Extranet_serv.exe [2007-12-7 811008]

S4 SDService;Unicenter Software Delivery;"c:\program files\ca\unicenter software delivery\bin\sdserv.exe" --> c:\program files\ca\unicenter software delivery\bin\SDSERV.EXE [?]

=============== Created Last 30 ================

2009-12-05 09:13:17 0 d-----w- c:\windows\system32\XPSViewer

2009-12-05 09:11:31 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-12-05 09:11:31 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-12-05 09:11:31 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-12-05 09:11:31 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-12-05 09:11:31 117760 ------w- c:\windows\system32\prntvpt.dll

2009-12-05 09:11:30 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-12-05 09:11:30 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-12-04 17:10:11 0 d-----w- c:\windows\system32\KB905474

2009-12-03 12:46:34 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2009-12-03 12:36:36 60416 -c----w- c:\windows\system32\dllcache\colbact.dll

2009-12-03 12:36:36 283648 -c----w- c:\windows\system32\dllcache\pdh.dll

2009-12-03 12:36:35 35328 -c----w- c:\windows\system32\dllcache\sc.exe

2009-12-03 12:36:09 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll

2009-12-03 12:36:09 110592 -c----w- c:\windows\system32\dllcache\services.exe

2009-12-03 12:36:08 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll

2009-12-03 12:35:43 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2009-12-03 12:35:42 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2009-12-03 12:35:15 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll

2009-12-03 12:34:49 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2009-12-03 12:28:43 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx

2009-12-03 12:25:05 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys

2009-12-03 12:24:12 333184 -c----w- c:\windows\system32\dllcache\srv.sys

2009-12-03 12:23:04 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-12-03 12:22:10 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll

2009-12-03 12:16:44 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll

2009-12-03 12:10:17 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll

2009-12-03 12:09:48 1193414 -c----w- c:\windows\system32\dllcache\sysmain.sdb

2009-12-03 12:09:22 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2009-12-03 11:50:34 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-12-03 11:45:52 331776 -c----w- c:\windows\system32\dllcache\msadce.dll

2009-12-03 11:38:46 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2009-12-03 11:34:41 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-12-03 11:34:40 2180352 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2009-12-03 11:34:13 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2009-12-03 11:33:46 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-12-03 11:31:30 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll

2009-11-28 17:33:44 0 ----a-w- d:\documents and settings\janaki\defogger_renable

2009-11-28 07:04:11 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-28 07:03:51 0 d-----w- d:\docume~1\alluse~1\applic~1\Avira

2009-11-28 07:03:51 0 d-----w- c:\program files\Avira

2009-11-26 20:29:08 0 d-----w- d:\docume~1\janaki\applic~1\Malwarebytes

2009-11-26 20:26:18 13668 ----a-w- c:\windows\system32\wpa.bak

2009-11-26 20:13:41 488 ---ha-r- c:\windows\system32\logonui.exe.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\WindowsShell.Manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest

2009-11-26 20:10:19 295424 ----a-w- c:\windows\system32\termsrv.dll

2009-11-26 19:43:15 13312 ----a-w- c:\windows\system32\irclass.dll

2009-11-26 19:43:13 24661 ----a-w- c:\windows\system32\spxcoins.dll

2009-11-24 07:16:18 0 ----a-w- d:\documents and settings\janaki\settings.dat

2009-11-24 06:25:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-24 06:25:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-24 06:25:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-21 23:09:25 0 d-----w- c:\program files\Norton 360 Premier Edition

2009-11-21 23:05:43 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-11-21 23:05:43 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-11-21 23:05:43 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-11-21 23:05:43 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-11-21 23:05:19 0 d-----w- c:\program files\Symantec

2009-11-20 12:20:32 0 d-----w- c:\program files\WinPcap

2009-11-20 01:03:25 30 ----a-w- c:\windows\system32\worker.info

2009-11-20 01:03:25 30 ----a-w- c:\windows\system32\thread.xml

2009-11-20 01:03:25 30 ----a-w- c:\windows\system32\config.data

==================== Find3M ====================

2009-11-26 20:11:21 23460 -c--a-w- c:\windows\system32\emptyregdb.dat

2009-09-25 05:56:36 662016 ----a-w- c:\windows\system32\wininet.dll

2009-09-25 05:56:32 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll

2008-12-20 14:55:51 1606064 ----a-w- c:\program files\googletalk-setup.exe

============= FINISH: 12:17:15.22 ===============

------------------------------------------------------

Thanks again for your feedback,

Attach.zip

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

Here is the ComboFix.txt: (you asked that it be included - I read that as copy and paste. It is also attached, just in case that's what you meant)

Thanks again!

-------------

ComboFix 09-12-05.03 - janaki 12/05/2009 23:37.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.733 [GMT -6:00]

Running from: d:\documents and settings\janaki\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}

FW: Norton 360 Premier Edition *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\WinPCap

c:\program files\WinPCap\rpcapd.exe

c:\recycler\S-1-5-21-1361031659-3470074583-838623864-500

c:\recycler\S-1-5-21-1815002781-3848448594-3852255402-500

c:\recycler\S-1-5-21-2008529862-4088190255-1608279117-500

c:\recycler\S-1-5-21-2055378577-3357456969-1883788766-500

c:\recycler\S-1-5-21-2304659736-572454927-963639892-500

c:\recycler\S-1-5-21-3765412682-274146658-773706229-500

c:\recycler\S-1-5-21-4101351205-3031065371-1103848779-500

c:\windows\Downloaded Program Files\Temp

c:\windows\run.log

c:\windows\system32\config.data

c:\windows\system32\drivers\npf.sys

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\thread.xml

c:\windows\system32\WanPacket.dll

c:\windows\system32\worker.info

c:\windows\system32\wpcap.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Legacy_RPCPATCH

-------\Legacy_RPCTFTPD

-------\Service_npf

((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))

.

2009-12-05 09:14 . 2009-12-05 09:14 176864 ----a-w- d:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-12-05 09:13 . 2009-12-05 09:13 -------- d-----w- c:\windows\system32\XPSViewer

2009-12-05 09:13 . 2009-12-05 09:13 -------- d-----w- c:\program files\MSBuild

2009-12-05 09:12 . 2009-12-05 09:12 -------- d-----w- c:\program files\Reference Assemblies

2009-12-05 09:12 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2009-12-05 09:11 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-12-05 09:11 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-12-05 09:11 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-12-05 09:11 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-12-05 09:11 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-12-05 09:11 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2009-12-05 09:11 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-12-05 09:11 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-12-05 05:19 . 2009-12-05 05:19 4844296 ----a-w- d:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-04 17:10 . 2009-12-04 17:10 -------- d-----w- c:\windows\system32\KB905474

2009-12-04 17:10 . 2009-03-11 04:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe

2009-12-04 17:10 . 2009-03-11 04:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe

2009-12-03 12:46 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2009-12-03 12:36 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll

2009-12-03 12:36 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll

2009-12-03 12:36 . 2009-02-06 16:54 35328 -c----w- c:\windows\system32\dllcache\sc.exe

2009-12-03 12:36 . 2009-02-09 10:20 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll

2009-12-03 12:36 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe

2009-12-03 12:36 . 2009-02-09 10:20 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll

2009-12-03 12:35 . 2009-02-06 16:39 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2009-12-03 12:35 . 2009-02-09 10:20 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2009-12-03 12:35 . 2009-02-09 10:20 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll

2009-12-03 12:34 . 2009-02-09 10:20 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2009-12-03 12:25 . 2008-05-08 12:28 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys

2009-12-03 12:24 . 2008-12-11 11:57 333184 -c----w- c:\windows\system32\dllcache\srv.sys

2009-12-03 12:23 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-12-03 12:22 . 2008-04-11 18:50 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll

2009-12-03 12:16 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll

2009-12-03 12:10 . 2009-07-31 04:57 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll

2009-12-03 12:09 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2009-12-03 11:50 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-12-03 11:45 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll

2009-12-03 11:38 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2009-12-03 11:34 . 2009-08-04 13:58 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-12-03 11:34 . 2009-08-04 14:00 2180352 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2009-12-03 11:34 . 2009-08-04 13:13 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2009-12-03 11:33 . 2009-08-04 13:13 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-12-03 11:31 . 2008-10-15 16:57 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll

2009-11-28 07:04 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-28 07:04 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-11-28 07:04 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-11-28 07:04 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-11-28 07:03 . 2009-11-28 07:03 -------- d-----w- d:\documents and settings\All Users\Application Data\Avira

2009-11-28 07:03 . 2009-11-28 07:03 -------- d-----w- c:\program files\Avira

2009-11-26 20:29 . 2009-11-26 20:29 -------- d-----w- d:\documents and settings\janaki\Application Data\Malwarebytes

2009-11-26 20:10 . 2004-08-04 12:00 295424 ----a-w- c:\windows\system32\termsrv.dll

2009-11-26 19:43 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll

2009-11-26 19:43 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll

2009-11-24 07:16 . 2009-11-24 07:16 0 ----a-w- d:\documents and settings\janaki\settings.dat

2009-11-24 06:25 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-24 06:25 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-24 06:25 . 2009-12-05 05:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-22 06:27 . 2009-11-22 06:27 -------- d-sh--w- d:\documents and settings\Default User\IETldCache

2009-11-21 23:10 . 2009-11-21 23:10 -------- d-----w- c:\program files\Windows Sidebar

2009-11-21 23:09 . 2009-11-26 22:24 -------- d-----w- c:\program files\Norton 360 Premier Edition

2009-11-21 23:05 . 2009-11-22 06:46 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-11-21 23:05 . 2009-11-22 06:46 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-11-21 23:05 . 2009-11-22 06:46 -------- d-----w- c:\program files\Symantec

2009-11-17 13:43 . 2009-11-17 13:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-06 05:58 . 2009-05-03 15:00 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-12-05 16:18 . 2005-11-13 16:51 -------- d-----w- d:\documents and settings\All Users\Application Data\Skype

2009-12-05 16:18 . 2007-09-25 02:14 -------- d-----w- c:\program files\VideoLAN

2009-12-04 04:10 . 2005-01-03 19:18 82352 -c--a-w- d:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-28 06:48 . 2008-07-25 00:07 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP

2009-11-28 06:47 . 2009-02-23 04:36 -------- d-----w- c:\program files\SpywareBlaster

2009-11-26 20:29 . 2009-03-08 19:26 -------- d-----w- c:\program files\McAfee

2009-11-26 20:11 . 2003-09-23 16:02 23460 -c--a-w- c:\windows\system32\emptyregdb.dat

2009-11-24 06:17 . 2009-05-03 15:08 -------- d-----w- d:\documents and settings\All Users\Application Data\Symantec

2009-11-22 06:46 . 2009-11-21 23:05 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-11-22 06:46 . 2009-11-21 23:05 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-11-22 05:56 . 2009-02-23 03:48 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-11-21 23:17 . 2009-06-18 05:30 -------- d-----w- d:\documents and settings\janaki\Application Data\Symantec

2009-11-05 16:08 . 2009-04-06 15:52 19176444 ----a-w- c:\windows\Internet Logs\tvDebug.Zip

2009-11-03 02:26 . 2009-11-03 02:26 -------- d-----w- d:\documents and settings\janaki\Application Data\Visio

2009-10-28 03:07 . 2009-10-28 03:07 -------- d-----w- c:\program files\OpenProj

2009-10-28 02:48 . 2009-10-28 02:48 -------- d-----w- d:\documents and settings\All Users\Application Data\KaDonk

2009-10-28 02:47 . 2009-10-28 02:47 -------- d-----w- d:\documents and settings\janaki\Application Data\KaDonk

2009-10-28 02:45 . 2009-10-28 02:45 143546 ----a-r- d:\documents and settings\janaki\Application Data\Microsoft\Installer\{AF181338-5152-4BB7-ADA0-AC4249335F83}\_F62732F4AD468E2E2DC6ED.exe

2009-10-28 02:45 . 2009-10-28 02:45 143546 ----a-r- d:\documents and settings\janaki\Application Data\Microsoft\Installer\{AF181338-5152-4BB7-ADA0-AC4249335F83}\_D467E31FEC7FBC4521B739.exe

2009-10-28 02:45 . 2009-10-28 02:45 143546 ----a-r- d:\documents and settings\janaki\Application Data\Microsoft\Installer\{AF181338-5152-4BB7-ADA0-AC4249335F83}\_6FEFF9B68218417F98F549.exe

2009-10-28 02:44 . 2009-10-28 02:44 -------- d-----w- c:\program files\Temp

2009-10-18 16:07 . 2009-10-18 16:07 -------- d-----w- d:\documents and settings\janaki\Application Data\RapidTyping

2009-10-18 16:07 . 2009-10-18 16:07 -------- d-----w- c:\program files\RapidTyping

2009-10-18 16:07 . 2009-10-18 16:07 -------- d-----w- d:\documents and settings\All Users\Application Data\RapidTyping

2009-09-30 20:58 . 2008-02-18 19:38 9576 ----a-w- d:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Static\CCMSLLUM.DLL

2009-09-25 05:56 . 2004-08-04 12:00 662016 ----a-w- c:\windows\system32\wininet.dll

2009-09-25 05:56 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-09-11 14:33 . 2004-08-04 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll

2008-12-20 14:55 . 2008-12-20 14:55 1606064 ----a-w- c:\program files\googletalk-setup.exe

2008-06-30 19:44 . 2009-05-05 12:14 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]

@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"

[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]

2007-08-10 20:27 598016 ----a-w- c:\windows\system32\PGPfsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

"osCheck"="c:\program files\Norton 360 Premier Edition\osCheck.exe" [2008-02-26 988512]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

d:\documents and settings\cchittoor\Start Menu\Programs\Startup\

Check for TWS Updates.lnk - c:\program files\Jts\WiseUpdt.exe [2008-6-24 194775]

DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

d:\documents and settings\All Users\Start Menu\Programs\Startup\

NETGEAR WNDA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNDA3100\WNDA3100.exe [2008-12-10 1482815]

PGPtray.exe.lnk - c:\windows\Installer\{882025A7-7599-4989-8FCD-7604FB90D6A9}\Icon6560581611.exe [2007-8-30 55296]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]

path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk

backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]

path=d:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk

backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^PGPtray.exe.lnk]

path=d:\documents and settings\All Users\Start Menu\Programs\Startup\PGPtray.exe.lnk

backup=c:\windows\pss\PGPtray.exe.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Shortcut to mbam.lnk]

path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Shortcut to mbam.lnk

backup=c:\windows\pss\Shortcut to mbam.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Shortcut to mbamgui.lnk]

path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Shortcut to mbamgui.lnk

backup=c:\windows\pss\Shortcut to mbamgui.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^cchittoor^Start Menu^Programs^Startup^Check for TWS Updates.lnk]

path=d:\documents and settings\cchittoor\Start Menu\Programs\Startup\Check for TWS Updates.lnk

backup=c:\windows\pss\Check for TWS Updates.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^cchittoor^Start Menu^Programs^Startup^Epson all-in-one Registration.lnk]

path=d:\documents and settings\cchittoor\Start Menu\Programs\Startup\Epson all-in-one Registration.lnk

backup=c:\windows\pss\Epson all-in-one Registration.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^cchittoor^Start Menu^Programs^Startup^HotSync Manager.lnk]

path=d:\documents and settings\cchittoor\Start Menu\Programs\Startup\HotSync Manager.lnk

backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"McTaskManager"=2 (0x2)

"Macromedia Licensing Service"=3 (0x3)

"Ati HotKey Poller"=2 (0x2)

"AmoAgent"=2 (0x2)

"AeXNSClient"=2 (0x2)

"gusvc"=3 (0x3)

"WMPNetworkSvc"=2 (0x2)

"r_server"=2 (0x2)

"SCardSvr"=2 (0x2)

"SDService"=2 (0x2)

"IDriverT"=3 (0x3)

"MDM"=2 (0x2)

"PGPserv"=2 (0x2)

"ose"=3 (0x3)

"Maxtor Sync Service"=2 (0x2)

"BITS"=3 (0x3)

"McShield"=2 (0x2)

"ExtranetAccess"=2 (0x2)

"S24EventMonitor"=2 (0x2)

"vsmon"=2 (0x2)

"SharedAccess"=2 (0x2)

"RDSessMgr"=3 (0x3)

"RasMan"=3 (0x3)

"RasAuto"=3 (0x3)

"MSDTC"=3 (0x3)

"getPlusHelper"=3 (0x3)

"mnmsrvc"=3 (0x3)

"0179441259267586mcinstcleanup"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\system32\\sessmgr.exe"=

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [8/10/2007 2:21 PM 97792]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/28/2009 1:04 AM 108289]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 1:37 PM 149352]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/8/2009 1:27 PM 93320]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [5/26/2005 3:58 PM 9817]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/1/2009 9:24 PM 102448]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [10/1/2008 3:45 PM 57440]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [5/26/2005 3:58 PM 137392]

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 8:32 PM 23888]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [7/24/2003 11:10 AM 17149]

S3 ECCL100;ECCL100 NDIS Protocol Driver;\??\c:\windows\system32\ECCL100.SYS --> c:\windows\system32\ECCL100.SYS [?]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\NETGEAR\WNDA3100\jswpsapi.exe [2/27/2008 10:54 AM 360547]

S3 NaiAvFilter104;NAI Anti Virus;\Device\NaiAvFilter104.sys --> \Device\NaiAvFilter104.sys [?]

S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]

S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

S3 Usbidevws;Usbidevws;c:\windows\system32\drivers\hidbth.sys [8/4/2004 6:00 AM 25600]

S3 wind502u;USB 2.0 Wireless Network Adapter;c:\windows\system32\DRIVERS\wind502u.sys --> c:\windows\system32\DRIVERS\wind502u.sys [?]

S3 WNDA3100;NETGEAR WNDA3100 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WNDA31.sys [9/30/2008 2:24 AM 453120]

S4 0179441259267586mcinstcleanup;McAfee Application Installer Cleanup (0179441259267586);c:\windows\TEMP\017944~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\017944~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

S4 ExtranetAccess;Contivity VPN Service;c:\program files\IP VPN Remote Services\Extranet_serv.exe [12/7/2007 8:25 PM 811008]

S4 SDService;Unicenter Software Delivery;"c:\program files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE" --> c:\program files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

LSP: c:\windows\system32\PGPlsp.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - d:\documents and settings\janaki\Application Data\Mozilla\Firefox\Profiles\fobmwy2q.default\

FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll

FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

- - - - ORPHANS REMOVED - - - -

BHO-{BBCE9859-AC56-4091-B80B-A710A4719CEC} - (no file)

Notify-wvUkLFya - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-06 00:00

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1512)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2572)

c:\progra~1\mcafee\SITEAD~1\saHook.dll

c:\windows\system32\PGPfsshl.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\PGPlsp.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\acs.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-12-06 00:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-06 06:07

Pre-Run: 921,067,520 bytes free

Post-Run: 887,152,640 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

- - End Of File - - 8B8BF1D036DDC12626C83DF996675604

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

ComboFix.txt

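Editor's note, added to this thread and not part of any post above or of the ComboFix/DDS tools themselves: the ComboFix log just posted contains several of the line types a helper reads first when triaging a redirect/password-stealer case: Security Center monitoring keys set to disabled, the Windows Firewall policy value, service/driver entries whose image file cannot be found (`[?]`), an orphaned Winlogon Notify package with a random-looking name, and (in the DDS log later in the thread) a `Hosts:` line pinning a security site to 127.0.0.1. The script below is a small triage pass that pulls those line types out of pasted log text and ranks them. The rule names, the severity levels and the sample log are my own; the sample is constructed to mirror the format of the posted logs, not copied from them.

```python
"""Triage pass over ComboFix / DDS-style log text.

Added example for this thread, not part of any post or of the ComboFix/DDS
tools: it scans the kinds of lines that appear in the logs above (Security
Center monitoring keys, firewall policy, service/driver entries, Winlogon
Notify orphans, Hosts lines) and lists the ones a helper would look at first.
"""
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the format of the posted log (not a copy of it).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\\program files\\Avira\\AntiVir Desktop\\sched.exe [11/28/2009 1:04 AM 108289]
S2 SSPORT;SSPORT;\\??\\c:\\windows\\system32\\Drivers\\SSPORT.sys --> c:\\windows\\system32\\Drivers\\SSPORT.sys [?]
S4 0179441259267586mcinstcleanup;McAfee Application Installer Cleanup;c:\\windows\\TEMP\\017944~1.EXE -cleanup -service --> c:\\windows\\TEMP\\017944~1.EXE [?]
Notify-wvUkLFya - (no file)
Hosts: 127.0.0.1 localhost
Hosts: 127.0.0.1 www.spywareinfo.com
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info" (my own scale, an assumption)
    rule: str
    line: str


# Service/driver entries: "<R|S><0-4> <name>;<display name>;<image path> ..."
_SERVICE_RE = re.compile(r"^[RS][0-4] ([^;]+);[^;]*;(.*)$")
# Winlogon Notify orphans as ComboFix prints them: "Notify-<package> - (no file)"
_NOTIFY_RE = re.compile(r"^Notify-(\S+) - \(no file\)$")
# DDS hosts lines: "Hosts: <ip> <name>"
_HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")


def triage(log_text: str) -> list[Finding]:
    """Return suspicious lines in the order they appear in the log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # Security Center told not to monitor AV/firewall state. Third-party suites
        # set this legitimately, but malware does too; verify against the installed AV.
        if line.startswith('"DisableMonitoring"') and line.endswith("00000001"):
            findings.append(Finding("medium", "security-center-monitoring-disabled", line))
            continue

        # Windows Firewall policy switched off for the standard profile.
        if re.match(r'^"EnableFirewall"\s*=\s*0\b', line):
            findings.append(Finding("medium", "windows-firewall-disabled", line))
            continue

        m = _SERVICE_RE.match(line)
        if m:
            _name, rest = m.groups()
            # "[?]" means the service is registered but its image could not be read.
            # A registered image under a TEMP directory deserves a closer look.
            if rest.endswith("[?]"):
                sev = "high" if "\\temp\\" in rest.lower() else "info"
                findings.append(Finding(sev, "service-image-missing", line))
            continue

        m = _NOTIFY_RE.match(line)
        if m:
            # Winlogon Notify packages load into winlogon.exe at logon; an orphan with
            # a random-looking name is a typical leftover of credential-stealing trojans.
            findings.append(Finding("high", "winlogon-notify-orphan", line))
            continue

        m = _HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # "127.0.0.1 localhost" is normal. Other names pinned to loopback come either
            # from a blocklist-style immunisation or from malware blocking security sites;
            # the helper needs to know which, so flag them for review.
            if ip.startswith("127.") and host.lower() not in ("localhost", "localhost.localdomain"):
                findings.append(Finding("medium", "hosts-loopback-redirect", line))
            continue
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:36} {f.line}")
    print(summarize(results))
```

Run it as `python triage.py` and paste the real ComboFix.txt or DDS.txt into `triage(...)` in place of the sample. The output is a reading aid, not a verdict: a disabled Security Center monitor is expected when a suite such as Norton or Avira owns that role, and loopback entries in the hosts file are also written by immunisation tools, so each flagged line still needs to be checked against what is actually installed on the machine.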

Hi again,

That's fine. Posting it is preferred.

You had a password stealing trojan.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

--

Update and Scan with MalwareBytes Anti-Malware

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,

Extremeboy


Wow - that's not good, as I believe there might have been some banking transactions done and I am a bit concerned.

So a few questions, if you don't mind:

- I have used a flash drive to copy photographs/documents between this computer and my other "clean" computer. Will that cause a risk to the other computer?

- can I/do I need to post logs from my other "clean" computer, so you could take a quick look?

- for my knowledge, are you able to tell the name of this virus from the logs and how the virus might have got in, in the first place?

- also, did ComboFix detect and remove it?

Sorry for all the questions, but your response is appreciated.

(I will be unable to post the new logs till later tonight.)

Again, thanks for your help and for the excellent service you all are providing!


Hello.

Will that cause a risk to the other computer?

Perhaps but I can't be 100% sure without anything to see.

can I/do I need to post logs from my other "clean" computer, so you could take a quick look?

Yes, you can. Start a new topic in this forum and I will take a look and respond back to you.

for my knowledge, are you able to tell the name of this virus from the logs and how the virus might have got in, in the first place?

It's almost impossible to tell how the virus came to your computer without me physically being there at the time of the infection. I can say generally these infections come from P2P sharing, or flash-drive/removable-drive autorun worms/infections.

Some information on one of the infections: http://www.threatexpert.com/report.aspx?md...7845a4a8b7ab6b8

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

- also, did ComboFix detect and remove it?

Not just Combofix, but yes, the main infection is gone now. Things look good but still a few steps we need to complete to verify that your computer is completely clean.

--

No problem, glad we can help and thanks for letting me know.

Post the results whenever you're done.

With Regards,

Extremeboy


Hello extremeBoy,

Thanks for the response. I will try to create the logs for the other computer and post it to a new topic in a day or so.

In the meantime, here are the logs:

Malwarebytes' Anti-Malware 1.42

Database version: 3304

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

12/6/2009 12:44:17 PM

mbam-log-2009-12-06 (12-44-17).txt

Scan type: Quick Scan

Objects scanned: 156523

Time elapsed: 39 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

--------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------------------

DDS (Ver_09-11-24.02) - NTFSx86

Run by janaki at 13:07:17.76 on Sun 12/06/2009

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.690 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}

FW: Norton 360 Premier Edition *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\NETGEAR\WNDA3100\WNDA3100.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\thisComputerRelated\virusIssue200911\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [osCheck] "c:\program files\norton 360 premier edition\osCheck.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wnda3100\WNDA3100.exe

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{882025a7-7599-4989-8fcd-7604fb90d6a9}\Icon6560581611.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\windows\system32\PGPlsp.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37887.6715625

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli PGPpwflt

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\janaki\applic~1\mozilla\firefox\profiles\fobmwy2q.default\

FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2007-8-10 97792]

R0 PGPwded;PGPwded Storage Filter Service;c:\windows\system32\drivers\PGPwded.sys [2007-8-10 168960]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-28 108289]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-8 93320]

R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [2007-8-10 224256]

R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [2007-8-10 33792]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-5-26 9817]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-1 102448]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-10-1 57440]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-24 38224]

R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-6-30 57408]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-5-26 137392]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]

S3 ECCL100;ECCL100 NDIS Protocol Driver;\??\c:\windows\system32\eccl100.sys --> c:\windows\system32\ECCL100.SYS [?]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\netgear\wnda3100\jswpsapi.exe [2008-2-27 360547]

S3 NaiAvFilter104;NAI Anti Virus;\Device\NaiAvFilter104.sys --> \Device\NaiAvFilter104.sys [?]

S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]

S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]

S3 Usbidevws;Usbidevws;c:\windows\system32\drivers\hidbth.sys [2004-8-4 25600]

S3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\mrv8k51.sys --> c:\windows\system32\drivers\mrv8k51.sys [?]

S3 wind502u;USB 2.0 Wireless Network Adapter;c:\windows\system32\drivers\wind502u.sys --> c:\windows\system32\drivers\wind502u.sys [?]

S3 WNDA3100;NETGEAR WNDA3100 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WNDA31.sys [2008-9-30 453120]

S4 0179441259267586mcinstcleanup;McAfee Application Installer Cleanup (0179441259267586);c:\windows\temp\017944~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\017944~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S4 ExtranetAccess;Contivity VPN Service;c:\program files\ip vpn remote services\Extranet_serv.exe [2007-12-7 811008]

S4 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-4 14336]

S4 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]

S4 SDService;Unicenter Software Delivery;"c:\program files\ca\unicenter software delivery\bin\sdserv.exe" --> c:\program files\ca\unicenter software delivery\bin\SDSERV.EXE [?]

=============== Created Last 30 ================

2009-12-06 05:35:57 0 d-sha-r- C:\cmdcons

2009-12-06 05:34:05 98816 ----a-w- c:\windows\sed.exe

2009-12-06 05:34:05 77312 ----a-w- c:\windows\MBR.exe

2009-12-06 05:34:05 260608 ----a-w- c:\windows\PEV.exe

2009-12-06 05:34:05 161792 ----a-w- c:\windows\SWREG.exe

2009-12-05 09:13:17 0 d-----w- c:\windows\system32\XPSViewer

2009-12-05 09:11:31 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-12-05 09:11:31 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-12-05 09:11:31 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-12-05 09:11:31 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-12-05 09:11:31 117760 ------w- c:\windows\system32\prntvpt.dll

2009-12-05 09:11:30 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-12-05 09:11:30 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-12-04 17:10:11 0 d-----w- c:\windows\system32\KB905474

2009-12-03 12:46:34 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2009-12-03 12:36:36 60416 -c----w- c:\windows\system32\dllcache\colbact.dll

2009-12-03 12:36:36 283648 -c----w- c:\windows\system32\dllcache\pdh.dll

2009-12-03 12:36:35 35328 -c----w- c:\windows\system32\dllcache\sc.exe

2009-12-03 12:36:09 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll

2009-12-03 12:36:09 110592 -c----w- c:\windows\system32\dllcache\services.exe

2009-12-03 12:36:08 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll

2009-12-03 12:35:43 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2009-12-03 12:35:42 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2009-12-03 12:35:15 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll

2009-12-03 12:34:49 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2009-12-03 12:28:43 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx

2009-12-03 12:25:05 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys

2009-12-03 12:24:12 333184 -c----w- c:\windows\system32\dllcache\srv.sys

2009-12-03 12:23:04 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-12-03 12:22:10 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll

2009-12-03 12:16:44 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll

2009-12-03 12:10:17 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll

2009-12-03 12:09:48 1193414 -c----w- c:\windows\system32\dllcache\sysmain.sdb

2009-12-03 12:09:22 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2009-12-03 11:50:34 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-12-03 11:45:52 331776 -c----w- c:\windows\system32\dllcache\msadce.dll

2009-12-03 11:38:46 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2009-12-03 11:34:41 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-12-03 11:34:40 2180352 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2009-12-03 11:34:13 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2009-12-03 11:33:46 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-12-03 11:31:30 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll

2009-11-28 17:33:44 0 ----a-w- d:\documents and settings\janaki\defogger_renable

2009-11-28 07:04:11 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-28 07:03:51 0 d-----w- d:\docume~1\alluse~1\applic~1\Avira

2009-11-28 07:03:51 0 d-----w- c:\program files\Avira

2009-11-26 20:29:08 0 d-----w- d:\docume~1\janaki\applic~1\Malwarebytes

2009-11-26 20:26:18 13668 ----a-w- c:\windows\system32\wpa.bak

2009-11-26 20:13:41 488 ---ha-r- c:\windows\system32\logonui.exe.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\WindowsShell.Manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest

2009-11-26 20:10:19 295424 ------w- c:\windows\system32\termsrv.dll

2009-11-26 19:43:15 13312 ----a-w- c:\windows\system32\irclass.dll

2009-11-26 19:43:13 24661 ----a-w- c:\windows\system32\spxcoins.dll

2009-11-24 07:16:18 0 ----a-w- d:\documents and settings\janaki\settings.dat

2009-11-24 06:25:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-24 06:25:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-24 06:25:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-21 23:09:25 0 d-----w- c:\program files\Norton 360 Premier Edition

2009-11-21 23:05:43 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-11-21 23:05:43 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-11-21 23:05:43 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-11-21 23:05:43 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-11-21 23:05:19 0 d-----w- c:\program files\Symantec

==================== Find3M ====================

2009-11-26 20:11:21 23460 -c--a-w- c:\windows\system32\emptyregdb.dat

2009-09-25 05:56:36 662016 ------w- c:\windows\system32\wininet.dll

2009-09-25 05:56:32 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll

2008-12-20 14:55:51 1606064 ----a-w- c:\program files\googletalk-setup.exe

============= FINISH: 13:08:25.58 ===============

--------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------------------

Attach.zip attached for latest attach.txt and ark.txt from GMER run.

Thanks again,

sri

Hello.

Perhaps, but I can't be 100% sure without anything to see.

Yes, you can. Start a new topic in this forum and I will take a look and respond back to you.

It's almost impossible to tell how the virus came to your computer without me physically being there at the time of the infection. I can say generally these infections come from P2P sharing, flash-drive/removable drive autorun worms/infections.

Some information on one of the infections: http://www.threatexpert.com/report.aspx?md...7845a4a8b7ab6b8

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Not just Combofix, but yes, the main infection is gone now. Things look good, but there are still a few steps we need to complete to verify that your computer is completely clean.

--

No problem, glad we can help and thanks for letting me know.

Post the results whenever you're done.

With Regards,

Extremeboy


Some leftovers we can deal with afterwards...

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.

If you use Firefox browser also...

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser also...

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Run ESET Online Scan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    11. Push the esetBack.png button.
    12. Push esetFinish.png

You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,

Extremeboy

Hello again,

Sorry, I got a bit delayed: I had started the ESET scanner one night on 12/9, but the machine was rebooted by morning due to a Windows update.

I restarted the ESET scanner, but it could find no issues. I also realized that I overwrote the log from the previous night (it does not save history automatically, just the latest log.txt).

I looked at the ESET Online Scanner\Quarantine folder and found some files there with date stamps during the night of the first scan (12/9), so I thought I would let you know.

There were five files with names:

- ABECC3CDED6E7C9712E8A403F44EDF3B2BF36FE4.NDF

- ABECC3CDED6E7C9712E8A403F44EDF3B2BF36FE4.NQF

- F4F78EB62985200220188A15223186E31E4E5FBB.NDF

- F4F78EB62985200220188A15223186E31E4E5FBB.NQF

- INFO.NQI

Pls. let me know if you need more information on this.

-----------------------------

Also, FYI, Avira had two messages in its Events:

Virus or unwanted program 'EXP/Pidief.GI [exploit]'

detected in file 'D:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP9D5E85C6.

Action performed: Delete file

Virus or unwanted program 'EXP/Pidief.GI [exploit]'

detected in file 'D:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APDF7E1801.

Action performed: Delete file

-----------------------------

I am trying to figure out why these showed up (no P2P software on machine). If you have any clues or advice, please let me know.

The ESET scanner is still running, but I thought I would at least post an update. As soon as it is done, I will post the report and a DDS report.

Search redirects are working ok now.

Thanks for your patience,

Sri

Hello.

I am trying to figure out why these showed up (no P2P software on machine). If you have any clues or advice, please let me know.

Those are quarantine items from Symantec.

See if you can find the ESET log in the C:\Program Files\ESET location.

The ESET scanner is still running, but I thought I would at least post an update. As soon as it is done, I will post the report and a DDS report.

Sure, thanks.

Post the results whenever it's done.

Thanks.

~EB


Hello ExtremeBoy,

Here are the logs you requested:

Attach.txt is attached.

----------------------------------------------------

----------------------------------------------------

ESET LOG:

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=684a052679681a49b9728215930f0e78

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-12-09 09:08:17

# local_time=2009-12-09 03:08:17 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 14027840 14027840 0 0

# compatibility_mode=1797 16775125 100 94 0 32048134 0 0

# compatibility_mode=4864 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16777214 50 9 1407375 27678161 0 0

# scanned=86355

# found=3

# cleaned=3

# scan_time=12880

C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C

C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\winlogon.exe.XXX Win32/Spy.Ursnif.A virus (deleted - quarantined) 00000000000000000000000000000000 C

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=684a052679681a49b9728215930f0e78

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-12-09 07:27:12

# local_time=2009-12-09 01:27:12 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 14062457 14062457 0 0

# compatibility_mode=1797 16775125 100 94 0 32082751 0 0

# compatibility_mode=4864 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16777214 50 9 1441992 27712778 0 0

# scanned=86643

# found=0

# cleaned=0

# scan_time=15398

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=684a052679681a49b9728215930f0e78

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-12-12 10:49:31

# local_time=2009-12-12 04:49:31 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 14290756 14290756 0 0

# compatibility_mode=1797 16775125 100 94 0 32311050 0 0

# compatibility_mode=4864 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16777214 50 9 1670291 27941077 0 0

# scanned=86971

# found=0

# cleaned=0

# scan_time=15236

----------------------------------------------------

----------------------------------------------------

DDS.txt

DDS (Ver_09-11-24.02) - NTFSx86

Run by janaki at 22:36:16.97 on Sat 12/12/2009

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.379 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}

FW: Norton 360 Premier Edition *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\NETGEAR\WNDA3100\WNDA3100.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe

c:\program files\avira\antivir desktop\avcenter.exe

C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe

C:\WINDOWS\system32\Restore\rstrui.exe

C:\thisComputerRelated\virusIssue200911\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [osCheck] "c:\program files\norton 360 premier edition\osCheck.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wnda3100\WNDA3100.exe

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{882025a7-7599-4989-8fcd-7604fb90d6a9}\Icon6560581611.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\windows\system32\PGPlsp.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37887.6715625

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli PGPpwflt

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\janaki\applic~1\mozilla\firefox\profiles\fobmwy2q.default\

FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2007-8-10 97792]

R0 PGPwded;PGPwded Storage Filter Service;c:\windows\system32\drivers\PGPwded.sys [2007-8-10 168960]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-28 108289]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-8 93320]

R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [2007-8-10 224256]

R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [2007-8-10 33792]

R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-5-26 9817]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-1 102448]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-10-1 57440]

R3 WNDA3100;NETGEAR WNDA3100 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WNDA31.sys [2008-9-30 453120]

R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-6-30 57408]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-5-26 137392]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

S3 ECCL100;ECCL100 NDIS Protocol Driver;\??\c:\windows\system32\eccl100.sys --> c:\windows\system32\ECCL100.SYS [?]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\netgear\wnda3100\jswpsapi.exe [2008-2-27 360547]

S3 NaiAvFilter104;NAI Anti Virus;\Device\NaiAvFilter104.sys --> \Device\NaiAvFilter104.sys [?]

S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]

S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]

S3 Usbidevws;Usbidevws;c:\windows\system32\drivers\hidbth.sys [2004-8-4 25600]

S3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\mrv8k51.sys --> c:\windows\system32\drivers\mrv8k51.sys [?]

S3 wind502u;USB 2.0 Wireless Network Adapter;c:\windows\system32\drivers\wind502u.sys --> c:\windows\system32\drivers\wind502u.sys [?]

S4 0179441259267586mcinstcleanup;McAfee Application Installer Cleanup (0179441259267586);c:\windows\temp\017944~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\017944~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S4 ExtranetAccess;Contivity VPN Service;c:\program files\ip vpn remote services\Extranet_serv.exe [2007-12-7 811008]

S4 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-4 14336]

S4 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]

S4 SDService;Unicenter Software Delivery;"c:\program files\ca\unicenter software delivery\bin\sdserv.exe" --> c:\program files\ca\unicenter software delivery\bin\SDSERV.EXE [?]

=============== Created Last 30 ================

2009-12-09 05:12:18 0 d-----w- c:\program files\ESET

2009-12-06 05:35:57 0 d-sha-r- C:\cmdcons

2009-12-06 05:34:05 98816 ----a-w- c:\windows\sed.exe

2009-12-06 05:34:05 77312 ----a-w- c:\windows\MBR.exe

2009-12-06 05:34:05 260608 ----a-w- c:\windows\PEV.exe

2009-12-06 05:34:05 161792 ----a-w- c:\windows\SWREG.exe

2009-12-05 09:13:17 0 d-----w- c:\windows\system32\XPSViewer

2009-12-05 09:11:31 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-12-05 09:11:31 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-12-05 09:11:31 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-12-05 09:11:31 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-12-05 09:11:31 117760 ------w- c:\windows\system32\prntvpt.dll

2009-12-05 09:11:30 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-12-05 09:11:30 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-12-04 17:10:11 0 d-----w- c:\windows\system32\KB905474

2009-12-03 12:46:34 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2009-12-03 12:36:36 60416 -c----w- c:\windows\system32\dllcache\colbact.dll

2009-12-03 12:36:36 283648 -c----w- c:\windows\system32\dllcache\pdh.dll

2009-12-03 12:36:35 35328 -c----w- c:\windows\system32\dllcache\sc.exe

2009-12-03 12:36:09 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll

2009-12-03 12:36:09 110592 -c----w- c:\windows\system32\dllcache\services.exe

2009-12-03 12:36:08 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll

2009-12-03 12:35:43 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2009-12-03 12:35:42 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2009-12-03 12:35:15 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll

2009-12-03 12:34:49 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2009-12-03 12:28:43 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx

2009-12-03 12:25:05 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys

2009-12-03 12:24:12 333184 -c----w- c:\windows\system32\dllcache\srv.sys

2009-12-03 12:23:04 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-12-03 12:22:10 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll

2009-12-03 12:16:44 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll

2009-12-03 12:10:17 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll

2009-12-03 12:09:48 1193414 -c----w- c:\windows\system32\dllcache\sysmain.sdb

2009-12-03 12:09:22 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2009-12-03 11:50:34 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-12-03 11:45:52 331776 -c----w- c:\windows\system32\dllcache\msadce.dll

2009-12-03 11:38:46 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2009-12-03 11:34:41 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-12-03 11:34:40 2180352 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2009-12-03 11:34:13 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2009-12-03 11:33:46 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-12-03 11:31:30 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll

2009-11-28 17:33:44 0 ----a-w- d:\documents and settings\janaki\defogger_renable

2009-11-28 07:04:11 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-28 07:03:51 0 d-----w- d:\docume~1\alluse~1\applic~1\Avira

2009-11-28 07:03:51 0 d-----w- c:\program files\Avira

2009-11-26 20:29:08 0 d-----w- d:\docume~1\janaki\applic~1\Malwarebytes

2009-11-26 20:26:18 13668 ----a-w- c:\windows\system32\wpa.bak

2009-11-26 20:13:41 488 ---ha-r- c:\windows\system32\logonui.exe.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\WindowsShell.Manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest

2009-11-26 20:10:19 295424 ------w- c:\windows\system32\termsrv.dll

2009-11-26 19:43:15 13312 ----a-w- c:\windows\system32\irclass.dll

2009-11-26 19:43:13 24661 ----a-w- c:\windows\system32\spxcoins.dll

2009-11-24 07:16:18 0 ----a-w- d:\documents and settings\janaki\settings.dat

2009-11-24 06:25:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-24 06:25:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-24 06:25:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-21 23:09:25 0 d-----w- c:\program files\Norton 360 Premier Edition

2009-11-21 23:05:43 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-11-21 23:05:43 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-11-21 23:05:43 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-11-21 23:05:43 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-11-21 23:05:19 0 d-----w- c:\program files\Symantec

==================== Find3M ====================

2009-11-26 20:11:21 23460 -c--a-w- c:\windows\system32\emptyregdb.dat

2009-10-29 05:48:04 662016 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 14:58:48 263552 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll

2009-09-25 05:56:32 81920 ----a-w- c:\windows\system32\ieencode.dll

2008-12-20 14:55:51 1606064 ----a-w- c:\program files\googletalk-setup.exe

============= FINISH: 22:37:38.11 ===============

----------------------------------------------------

----------------------------------------------------

Attach.txt is attached

Thanks

sri

Hello.

Those are quarantine items from Symantec.

See if you can find the ESET log in the C:\Program Files\ESET location.

Sure, thanks.

Post the results whenever it's done.

Thanks.

~EB


Hello ExtremeBoy,

Was not sure if you needed it, but I also ran the GMER Rootkit Scanner for you to take a look. Attached is Attach.zip with both ark.txt and attach.txt files.

Thanks and regards,

sri

Hello ExtremeBoy,

Here are the logs you requested:

Attach.txt is attached.

----------------------------------------------------

----------------------------------------------------

ESET LOG:

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=684a052679681a49b9728215930f0e78

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-12-09 09:08:17

# local_time=2009-12-09 03:08:17 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 14027840 14027840 0 0

# compatibility_mode=1797 16775125 100 94 0 32048134 0 0

# compatibility_mode=4864 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16777214 50 9 1407375 27678161 0 0

# scanned=86355

# found=3

# cleaned=3

# scan_time=12880

C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C

C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\winlogon.exe.XXX Win32/Spy.Ursnif.A virus (deleted - quarantined) 00000000000000000000000000000000 C

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=684a052679681a49b9728215930f0e78

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-12-09 07:27:12

# local_time=2009-12-09 01:27:12 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 14062457 14062457 0 0

# compatibility_mode=1797 16775125 100 94 0 32082751 0 0

# compatibility_mode=4864 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16777214 50 9 1441992 27712778 0 0

# scanned=86643

# found=0

# cleaned=0

# scan_time=15398

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=684a052679681a49b9728215930f0e78

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-12-12 10:49:31

# local_time=2009-12-12 04:49:31 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 14290756 14290756 0 0

# compatibility_mode=1797 16775125 100 94 0 32311050 0 0

# compatibility_mode=4864 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16777214 50 9 1670291 27941077 0 0

# scanned=86971

# found=0

# cleaned=0

# scan_time=15236

----------------------------------------------------

----------------------------------------------------

DDS.txt

DDS (Ver_09-11-24.02) - NTFSx86

Run by janaki at 22:36:16.97 on Sat 12/12/2009

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.379 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}

FW: Norton 360 Premier Edition *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\NETGEAR\WNDA3100\WNDA3100.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe

c:\program files\avira\antivir desktop\avcenter.exe

C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe

C:\WINDOWS\system32\Restore\rstrui.exe

C:\thisComputerRelated\virusIssue200911\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [osCheck] "c:\program files\norton 360 premier edition\osCheck.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wnda3100\WNDA3100.exe

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{882025a7-7599-4989-8fcd-7604fb90d6a9}\Icon6560581611.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\windows\system32\PGPlsp.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37887.6715625

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli PGPpwflt

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\janaki\applic~1\mozilla\firefox\profiles\fobmwy2q.default\

FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2007-8-10 97792]

R0 PGPwded;PGPwded Storage Filter Service;c:\windows\system32\drivers\PGPwded.sys [2007-8-10 168960]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-28 108289]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-8 93320]

R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [2007-8-10 224256]

R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [2007-8-10 33792]

R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-5-26 9817]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-1 102448]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-10-1 57440]

R3 WNDA3100;NETGEAR WNDA3100 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WNDA31.sys [2008-9-30 453120]

R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-6-30 57408]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-5-26 137392]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

S3 ECCL100;ECCL100 NDIS Protocol Driver;\??\c:\windows\system32\eccl100.sys --> c:\windows\system32\ECCL100.SYS [?]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\netgear\wnda3100\jswpsapi.exe [2008-2-27 360547]

S3 NaiAvFilter104;NAI Anti Virus;\Device\NaiAvFilter104.sys --> \Device\NaiAvFilter104.sys [?]

S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]

S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]

S3 Usbidevws;Usbidevws;c:\windows\system32\drivers\hidbth.sys [2004-8-4 25600]

S3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\mrv8k51.sys --> c:\windows\system32\drivers\mrv8k51.sys [?]

S3 wind502u;USB 2.0 Wireless Network Adapter;c:\windows\system32\drivers\wind502u.sys --> c:\windows\system32\drivers\wind502u.sys [?]

S4 0179441259267586mcinstcleanup;McAfee Application Installer Cleanup (0179441259267586);c:\windows\temp\017944~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\017944~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S4 ExtranetAccess;Contivity VPN Service;c:\program files\ip vpn remote services\Extranet_serv.exe [2007-12-7 811008]

S4 getPlusHelper;getPlus


Hello.

I am still getting a virus caught by Avira or Symantec every other day or so.

Okay. Firstly, we need to uninstall one of those anti-virus programs. I forgot to mention this to you earlier since we were fixing other things...

Why?

2 Anti-virus/Firewall Programs Running Simultaneously Warning

I do not recommend that you have more than one anti-virus or firewall product installed and running on your computer at a time. In addition to wasting resources, if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.

2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either Norton or Avira.

Please uninstall them until you are only running one antivirus, using Add/Remove Programs if you are using XP, or remove it via Programs and Features if you are using Vista.

---

Once you have done that successfully, post back with a new DDS log by running it again.

Thanks.

~EB

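The DDS header lines quoted in this thread (`AV: ... *On-access scanning enabled* ... {GUID}`, `FW: ... *enabled* ...`) are exactly what a helper looks at to spot the two-real-time-scanner situation described above. The following parser is an added example, not part of the original thread or of the DDS tool: it reads the product lines out of a DDS log and reports when more than one AV product has its on-access scanner enabled. The two sample headers are copied from the 12/12 and 12/20 logs posted in this thread; the `AS:` prefix is assumed to be DDS's antispyware line and is included only so such lines are not dropped.

```python
import re
from typing import Dict, List

# Matches DDS product lines, e.g.
#   AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
#   FW: Norton 360 Premier Edition *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
# "AS:" (antispyware) is assumed to follow the same layout.
_PRODUCT_RE = re.compile(
    r"^(?P<kind>AV|FW|AS):\s+(?P<name>.+?)\s+\*(?P<state>[^*]+)\*"
    r"(?:\s+\((?P<updated>[^)]*)\))?\s+\{(?P<guid>[0-9A-Fa-f-]+)\}\s*$"
)

# Sample input: header lines copied from the DDS logs posted in this thread.
DDS_2009_12_12 = """\
DDS (Ver_09-11-24.02) - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.379 [GMT -6:00]
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 Premier Edition *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
============== Running Processes ===============
"""

DDS_2009_12_20 = """\
DDS (Ver_09-11-24.02) - NTFSx86
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 Premier Edition *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
"""


def parse_security_products(dds_text: str) -> List[Dict[str, object]]:
    """Extract AV/FW/AS product records from a DDS log; non-matching lines are ignored."""
    products: List[Dict[str, object]] = []
    for raw in dds_text.splitlines():
        m = _PRODUCT_RE.match(raw.strip())
        if not m:
            continue
        state = m.group("state").lower()
        products.append({
            "kind": m.group("kind"),
            "name": m.group("name"),
            # DDS prints "disabled" for a switched-off on-access scanner.
            "realtime": "disabled" not in state,
            "updated": (m.group("updated") or "").lower() == "updated",
            "guid": m.group("guid").upper(),
        })
    return products


def realtime_conflicts(products: List[Dict[str, object]]) -> List[str]:
    """Names of AV products with real-time scanning on, but only when there is more than one."""
    active = [str(p["name"]) for p in products if p["kind"] == "AV" and p["realtime"]]
    return active if len(active) > 1 else []


if __name__ == "__main__":
    for label, text in (("12/12 log", DDS_2009_12_12), ("12/20 log", DDS_2009_12_20)):
        clash = realtime_conflicts(parse_security_products(text))
        print(label, "->", "conflict: " + " / ".join(clash) if clash else "single real-time AV")
```

Run against the two headers, the 12/12 log reports both AntiVir and Norton 360 as active on-access scanners, while the 12/20 log (AntiVir guard disabled) reports no conflict. A firewall line is parsed but deliberately not counted, since the warning above is about two resident file scanners contending for the same files.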

Generally speaking, which one should I keep? I paid for Norton, but of course that does not make it better.

Going one step further, if you had to make a choice, which one anti virus would you pick from what is out there now? I really don't have an idea, so some direction would be helpful.


Hello Extremeboy,

Sorry got a bit delayed on this.

Per your instruction, I have disabled the Avira guard for now and have also stopped the scheduler.

Here is the DDS.txt and Attach.txt (is attached). Do you also need ark.txt again?

--------------------------------

DDS (Ver_09-11-24.02) - NTFSx86

Run by janaki at 22:53:08.08 on Sun 12/20/2009

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.673 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}

FW: Norton 360 Premier Edition *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\NETGEAR\WNDA3100\WNDA3100.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

C:\thisComputerRelated\virusIssue200911\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [osCheck] "c:\program files\norton 360 premier edition\osCheck.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wnda3100\WNDA3100.exe

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{882025a7-7599-4989-8fcd-7604fb90d6a9}\Icon6560581611.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\windows\system32\PGPlsp.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37887.6715625

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli PGPpwflt

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\janaki\applic~1\mozilla\firefox\profiles\fobmwy2q.default\

FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2007-8-10 97792]

R0 PGPwded;PGPwded Storage Filter Service;c:\windows\system32\drivers\PGPwded.sys [2007-8-10 168960]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-28 108289]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-8 93320]

R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [2007-8-10 224256]

R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [2007-8-10 33792]

R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-5-26 9817]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-1 102448]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-10-1 57440]

R3 WNDA3100;NETGEAR WNDA3100 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WNDA31.sys [2008-9-30 453120]

R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-6-30 57408]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-5-26 137392]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

S3 ECCL100;ECCL100 NDIS Protocol Driver;\??\c:\windows\system32\eccl100.sys --> c:\windows\system32\ECCL100.SYS [?]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\netgear\wnda3100\jswpsapi.exe [2008-2-27 360547]

S3 NaiAvFilter104;NAI Anti Virus;\Device\NaiAvFilter104.sys --> \Device\NaiAvFilter104.sys [?]

S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]

S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]

S3 Usbidevws;Usbidevws;c:\windows\system32\drivers\hidbth.sys [2004-8-4 25600]

S3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\mrv8k51.sys --> c:\windows\system32\drivers\mrv8k51.sys [?]

S3 wind502u;USB 2.0 Wireless Network Adapter;c:\windows\system32\drivers\wind502u.sys --> c:\windows\system32\drivers\wind502u.sys [?]

S4 0179441259267586mcinstcleanup;McAfee Application Installer Cleanup (0179441259267586);c:\windows\temp\017944~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\017944~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S4 ExtranetAccess;Contivity VPN Service;c:\program files\ip vpn remote services\Extranet_serv.exe [2007-12-7 811008]

S4 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-4 14336]

S4 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]

S4 SDService;Unicenter Software Delivery;"c:\program files\ca\unicenter software delivery\bin\sdserv.exe" --> c:\program files\ca\unicenter software delivery\bin\SDSERV.EXE [?]

=============== Created Last 30 ================

2009-12-13 15:44:47 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-12-13 15:44:29 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2009-12-13 15:44:28 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2009-12-13 15:44:04 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2009-12-13 15:44:03 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2009-12-13 15:43:55 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll

2009-12-13 15:36:32 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll

2009-12-09 05:12:18 0 d-----w- c:\program files\ESET

2009-12-06 05:35:57 0 d-sha-r- C:\cmdcons

2009-12-06 05:34:05 98816 ----a-w- c:\windows\sed.exe

2009-12-06 05:34:05 77312 ----a-w- c:\windows\MBR.exe

2009-12-06 05:34:05 260608 ----a-w- c:\windows\PEV.exe

2009-12-06 05:34:05 161792 ----a-w- c:\windows\SWREG.exe

2009-12-05 09:13:17 0 d-----w- c:\windows\system32\XPSViewer

2009-12-05 09:11:31 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-12-05 09:11:31 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-12-05 09:11:31 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-12-05 09:11:31 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-12-05 09:11:31 117760 ------w- c:\windows\system32\prntvpt.dll

2009-12-05 09:11:30 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-12-05 09:11:30 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-12-04 17:10:11 0 d-----w- c:\windows\system32\KB905474

2009-12-03 12:46:34 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2009-12-03 12:36:36 60416 -c----w- c:\windows\system32\dllcache\colbact.dll

2009-12-03 12:36:36 283648 -c----w- c:\windows\system32\dllcache\pdh.dll

2009-12-03 12:36:35 35328 -c----w- c:\windows\system32\dllcache\sc.exe

2009-12-03 12:36:09 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll

2009-12-03 12:36:09 110592 -c----w- c:\windows\system32\dllcache\services.exe

2009-12-03 12:36:08 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll

2009-12-03 12:35:43 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2009-12-03 12:35:42 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2009-12-03 12:35:15 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll

2009-12-03 12:34:49 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2009-12-03 12:28:43 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx

2009-12-03 12:25:05 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys

2009-12-03 12:24:12 333184 -c----w- c:\windows\system32\dllcache\srv.sys

2009-12-03 12:23:04 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-12-03 12:22:10 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll

2009-12-03 12:16:44 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll

2009-12-03 12:10:17 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll

2009-12-03 12:09:48 1193414 -c----w- c:\windows\system32\dllcache\sysmain.sdb

2009-12-03 12:09:22 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2009-12-03 11:50:34 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-12-03 11:45:52 331776 -c----w- c:\windows\system32\dllcache\msadce.dll

2009-12-03 11:38:46 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2009-12-03 11:34:41 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-12-03 11:34:40 2180352 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2009-12-03 11:34:13 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2009-12-03 11:33:46 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-12-03 11:31:30 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll

2009-11-28 17:33:44 0 ----a-w- d:\documents and settings\janaki\defogger_renable

2009-11-28 07:04:11 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-28 07:03:51 0 d-----w- d:\docume~1\alluse~1\applic~1\Avira

2009-11-28 07:03:51 0 d-----w- c:\program files\Avira

2009-11-26 20:29:08 0 d-----w- d:\docume~1\janaki\applic~1\Malwarebytes

2009-11-26 20:26:18 13668 ----a-w- c:\windows\system32\wpa.bak

2009-11-26 20:13:41 488 ---ha-r- c:\windows\system32\logonui.exe.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\WindowsShell.Manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest

2009-11-26 20:13:29 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest

2009-11-26 20:10:19 295424 ------w- c:\windows\system32\termsrv.dll

2009-11-26 19:43:15 13312 ----a-w- c:\windows\system32\irclass.dll

2009-11-26 19:43:13 24661 ----a-w- c:\windows\system32\spxcoins.dll

2009-11-24 07:16:18 0 ----a-w- d:\documents and settings\janaki\settings.dat

2009-11-24 06:25:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-24 06:25:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-24 06:25:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-21 23:09:25 0 d-----w- c:\program files\Norton 360 Premier Edition

2009-11-21 23:05:43 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-11-21 23:05:43 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-11-21 23:05:43 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-11-21 23:05:43 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-11-21 23:05:19 0 d-----w- c:\program files\Symantec

==================== Find3M ====================

2009-11-26 20:11:21 23460 -c--a-w- c:\windows\system32\emptyregdb.dat

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll

2008-12-20 14:55:51 1606064 ----a-w- c:\program files\googletalk-setup.exe

============= FINISH: 22:54:05.12 ===============

Thanks

sri

Hi,

Are you still there?

Attach.txt

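As an added triage aid (this is not code from the thread, from DDS, or from any of the tools mentioned here), the Python below parses the DDS file-listing lines posted above, decodes the attribute field, and pulls out the recently changed regular files that did not arrive through the Windows update staging directory (dllcache), newest first. The decoding of the 8-character attribute field is an assumption inferred only from the flag letters visible in this log (d, c, h, a, w, r); positions that never show a letter here are left undecoded. The sample input is constructed from a few of the lines in the log.

```python
import re
from collections import Counter
from datetime import datetime

# One file entry as printed in the "Find3M" / recent-files sections of a DDS
# log: date, time, size in bytes, an 8-character attribute field, and the path.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$"
)

# ASSUMPTION: decoding of the attribute field, inferred only from the flag
# letters that appear in this thread's log (d, c, h, a, w, r). Positions that
# never show a letter here are left undecoded.
FLAG_NAMES = {
    (0, "d"): "directory",
    (1, "c"): "compressed",
    (3, "h"): "hidden",
    (4, "a"): "archive",
    (6, "w"): "writable",
    (6, "r"): "read-only",
}

# Constructed sample: a handful of lines copied from the log above, plus the
# section markers that a parser has to skip.
SAMPLE_LOG = r"""
==================== Find3M ====================

2009-12-05 09:13:17 0 d-----w- c:\windows\system32\XPSViewer
2009-12-05 09:11:31 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-28 07:04:11 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-26 20:13:41 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2009-11-24 06:25:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-12-20 14:55:51 1606064 ----a-w- c:\program files\googletalk-setup.exe

============= FINISH: 22:54:05.12 ===============
"""


def decode_flags(field):
    """Translate the attribute field into human-readable flag names."""
    return [name for (pos, ch), name in FLAG_NAMES.items() if field[pos] == ch]


def parse_entry(line):
    """Parse one log line; return None for headers, blanks and other noise."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    date, time, size, flags, path = m.groups()
    return {
        "mtime": datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S"),
        "size": int(size),
        "flags": decode_flags(flags),
        "path": path.strip().lower(),
        "is_dir": flags[0] == "d",
    }


def parse_log(text):
    """Parse a whole log, keeping only the lines that are file entries."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def triage(entries, since):
    """Heuristic worth-a-look list: regular files changed on or after the ISO
    date `since` that did not come through the Windows update staging
    directory (dllcache). Newest first, so the latest change is read first."""
    cutoff = datetime.fromisoformat(since)
    picked = [
        e for e in entries
        if not e["is_dir"]
        and e["mtime"] >= cutoff
        and "\\dllcache\\" not in e["path"]
    ]
    return sorted(picked, key=lambda e: e["mtime"], reverse=True)


def by_directory(entries):
    """Count entries per parent directory, to spot clusters of changes."""
    return Counter(e["path"].rsplit("\\", 1)[0] for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in triage(entries, "2009-11-21"):
        print(e["mtime"], e["size"], ",".join(e["flags"]), e["path"])
    for directory, n in by_directory(entries).most_common():
        print(n, directory)
```

Feed it the full log instead of the sample and the triage list shrinks to the files a helper actually reads by hand: new drivers, manifests and anything in a user profile, with the dllcache copies from a Windows update pass filtered out.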

Hello.

Per your instruction, I have disabled Avira Guard for now and have also stopped the scheduler.

It would be best if you just uninstall Avira if you're not going to use it any longer.

Update Java to Version 6 Update 17

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for Java Runtime Environment (JRE) JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.

-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.

-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

-----

Your logs look clean, we can wrap up now.

Please follow/read the steps below to remove the tools we used and for some more information. :)

Uninstall ComboFix

Remove Combofix now that we're done with it.

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big CleanUp button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Congratulations! You now appear clean! :D

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a sm


Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad we could help. :)

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,

Extremeboy
