
Good evening,

I have a laptop that seems to still be infected after scans with Malwarebytes, Spybot S & D, and AVG 9.0. Laptop is running XP Home w/ SP3.

Summary: had a rogue anti-spyware infection that was removed with the Malwarebytes free version. After this infection was removed, the DCOM "shutdown" / DEP issue showed up (surfaced).

Performed both quick & full scan with Malwarebytes, Spybot S & D, and full scan with AVG 9.0. Spybot turned up some trojans, but the DCOM / DEP issue is still there.

I've performed all the initial steps for starting the removal via this forum. I want to thank all in advance for helping me kick this crap off this laptop. As an aspiring geek, I don't want to resort to formatting this machine (it's a friend's laptop) & restoring data; would kinda feel like a defeat, you know?

Thanks again!

Adam

Malwarebytes' logs

==============

Malwarebytes' Anti-Malware 1.44

Database version: 3637

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/25/2010 8:53:37 PM

mbam-log-2010-01-25 (20-53-37).txt

Scan type: Quick Scan

Objects scanned: 1

Time elapsed: 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS.txt logs

===============

DDS (Ver_09-12-01.01) - NTFSx86

Run by Monument Music at 20:49:22.03 on Mon 01/25/2010

Internet Explorer: 8.0.6001.18702

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080227

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb

uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080227

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: H - No File

mURLSearchHooks: H - No File

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"

uRun: [Google Update] "c:\documents and settings\monument music\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} - hxxps://install.charter.com/diskless/bin/ssctlsma.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\monume~1\applic~1\mozilla\firefox\profiles\h4phq2ot.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\monument music\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-01-26 02:44:02 0 ----a-w- c:\documents and settings\monument music\defogger_reenable

2010-01-24 21:54:38 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-01-24 21:54:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-01-24 21:45:39 0 d-sh--w- c:\documents and settings\monument music\IETldCache

2010-01-24 21:42:47 873 ----a-w- c:\windows\system32\spupdsvc.inf

2010-01-24 21:39:50 0 dc-h--w- c:\windows\ie8

2010-01-24 21:35:17 0 d-----w- C:\e652854ce7352bedfa2c7a0381a410

2010-01-24 19:34:10 437 ----a-w- C:\44.js

2010-01-21 04:06:52 0 d--h--w- C:\$AVG

2010-01-21 04:06:12 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-01-21 04:05:38 0 d-----w- c:\windows\SxsCaPendDel

2010-01-21 03:40:53 0 d-s---w- c:\documents and settings\monument music\UserData

2010-01-20 06:08:34 563864 ----a-w- C:\ChromeSetup.exe

2010-01-20 06:00:22 0 d-----w- c:\program files\Trend Micro

2010-01-20 05:58:47 812344 ----a-w- C:\HijackThisInstaller.exe

2010-01-18 07:43:04 0 d-----w- c:\program files\Yahoo!

2010-01-18 07:42:49 0 d-----w- c:\program files\CCleaner

2010-01-18 07:34:02 437 ----a-w- C:\33.js

2010-01-18 07:26:00 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-01-18 07:03:02 0 ----a-w- c:\windows\system32\15724.exe

2010-01-18 06:43:02 0 ----a-w- c:\windows\system32\19169.exe

2010-01-18 06:23:01 0 ----a-w- c:\windows\system32\26500.exe

2010-01-18 06:03:01 0 ----a-w- c:\windows\system32\6334.exe

==================== Find3M ====================

2010-01-21 04:06:36 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-01-21 04:06:36 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-01-21 04:06:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-01-18 17:13:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-01-18 17:13:59 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys

2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-22 05:21:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll

============= FINISH: 20:50:37.23 ===============

attach.zip


  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Thanks for the reply...the ComboFix log:

-------------------------------------------------------------

ComboFix 10-01-31.03 - Monument Music 01/31/2010 22:15:47.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.538 [GMT -6:00]

Running from: c:\documents and settings\Monument Music\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Fonts\MyriadPro-Regular.otf

c:\windows\system32\15724.exe

c:\windows\system32\18467.exe

c:\windows\system32\19169.exe

c:\windows\system32\26500.exe

c:\windows\system32\6334.exe

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk

c:\windows\system32\twain_32.dll

c:\windows\Tasks\At1.job

c:\windows\Tasks\At10.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At14.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At16.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At20.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At22.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At24.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At4.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At6.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At8.job

c:\windows\Tasks\At9.job

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - Kitty ate it ;)

.

((((((((((((((((((((((((( Files Created from 2010-01-01 to 2010-02-01 )))))))))))))))))))))))))))))))

.

2010-01-27 02:44 . 2010-01-27 02:44 -------- d-----w- c:\windows\ie8updates

2010-01-26 04:44 . 2010-01-26 04:44 -------- d-sh--w- c:\documents and settings\Monument Music\PrivacIE

2010-01-25 18:57 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-01-25 18:57 . 2009-12-21 19:14 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll

2010-01-25 18:57 . 2009-12-21 19:14 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-01-25 18:57 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-01-25 18:57 . 2009-12-21 19:14 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll

2010-01-25 18:57 . 2009-12-21 19:14 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-01-24 21:54 . 2010-01-24 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-01-24 21:54 . 2010-01-24 21:57 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-01-24 21:50 . 2010-01-24 21:50 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-01-24 21:45 . 2010-01-24 21:45 -------- d-sh--w- c:\documents and settings\Monument Music\IETldCache

2010-01-24 21:39 . 2010-01-24 21:41 -------- dc-h--w- c:\windows\ie8

2010-01-24 21:35 . 2010-01-24 21:35 -------- d-----w- C:\e652854ce7352bedfa2c7a0381a410

2010-01-21 04:06 . 2010-01-21 04:09 -------- d-----w- C:\$AVG

2010-01-21 04:06 . 2010-01-27 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-01-21 04:05 . 2010-01-21 04:09 -------- d-----w- c:\windows\SxsCaPendDel

2010-01-21 03:40 . 2010-01-21 03:40 -------- d-sh--w- c:\documents and settings\Monument Music\UserData

2010-01-20 06:12 . 2010-01-20 06:13 -------- d-----w- c:\documents and settings\Monument Music\Local Settings\Application Data\Temp

2010-01-20 06:08 . 2010-01-20 06:08 563864 ----a-w- C:\ChromeSetup.exe

2010-01-20 06:00 . 2010-01-20 06:00 -------- d-----w- c:\program files\Trend Micro

2010-01-20 05:58 . 2010-01-20 05:58 812344 ----a-w- C:\HijackThisInstaller.exe

2010-01-18 07:43 . 2010-01-18 07:43 -------- d-----w- c:\documents and settings\Monument Music\Application Data\Yahoo!

2010-01-18 07:43 . 2010-01-18 07:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2010-01-18 07:43 . 2010-01-18 07:43 -------- d-----w- c:\program files\Yahoo!

2010-01-18 07:42 . 2010-01-18 07:43 -------- d-----w- c:\program files\CCleaner

2010-01-18 07:26 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-21 04:06 . 2008-03-05 18:42 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-01-21 04:06 . 2008-06-06 03:23 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-01-21 04:06 . 2008-06-06 03:23 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-01-21 04:06 . 2008-06-06 03:23 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-01-21 04:06 . 2010-01-27 02:48 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe

2010-01-21 04:06 . 2010-01-27 02:48 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe

2010-01-21 04:06 . 2008-06-06 03:23 -------- d-----w- c:\program files\AVG

2010-01-18 17:13 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-01-18 05:27 . 2009-10-15 02:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-18 05:26 . 2010-01-18 05:26 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-07 22:07 . 2009-10-15 02:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 22:07 . 2009-10-15 02:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-21 19:14 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll

2009-11-21 15:51 . 2004-08-10 18:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Monument Music\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-20 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"SigmatelSysTrayApp"="stsystra.exe" [2007-04-24 303104]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-21 2033432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-2-27 50688]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-01-21 04:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk

backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Monument Music^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]

path=c:\documents and settings\Monument Music\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk

backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Monument Music^Start Menu^Programs^Startup^RCA Detective.lnk]

path=c:\documents and settings\Monument Music\Start Menu\Programs\Startup\RCA Detective.lnk

backup=c:\windows\pss\RCA Detective.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-01-12 04:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]

2004-02-19 13:23 61440 ----a-w- c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

2007-07-20 22:55 1228800 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy Dock]

2008-05-14 23:52 536576 ----a-w- c:\documents and settings\Monument Music\My Documents\RCA EasyRip\EZDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2006-10-03 17:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2006-10-03 17:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]

2006-10-20 23:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

2006-08-17 15:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2006-11-05 17:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2005-11-10 19:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"stllssvr"=3 (0x3)

"FLEXnet Licensing Service"=3 (0x3)

"Bonjour Service"=2 (0x2)

"IDriverT"=3 (0x3)

"hnmsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2/27/2008 12:26 PM 3456]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/5/2008 9:23 PM 333192]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/5/2008 9:23 PM 360584]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/20/2010 10:06 PM 906520]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/20/2010 10:06 PM 285392]

.

Contents of the 'Scheduled Tasks' folder

2010-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1554381860-1881224428-3418246106-1006Core.job

- c:\documents and settings\Monument Music\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-20 06:12]

2010-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1554381860-1881224428-3418246106-1006UA.job

- c:\documents and settings\Monument Music\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-20 06:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080227

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\Monument Music\Application Data\Mozilla\Firefox\Profiles\h4phq2ot.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Monument Music\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

MSConfigStartUp-13353284 - c:\documents and settings\All Users\Application Data\13353284\13353284.exe

MSConfigStartUp-16406254 - c:\documents and settings\All Users\Application Data\16406254\16406254.exe

MSConfigStartUp-DellAutomatedPCTuneUp - c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe

MSConfigStartUp-dscactivate - c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-31 22:22

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2824)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\windows\system32\CDRTC.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\system32\wscntfy.exe

c:\windows\stsystra.exe

c:\program files\Microsoft ActiveSync\Wcescomm.exe

c:\program files\ATI Technologies\ATI.ACE\CLI.EXE

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\program files\ATI Technologies\ATI.ACE\cli.exe

c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2010-01-31 22:26:17 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-01 04:26

Pre-Run: 61,193,043,968 bytes free

Post-Run: 61,228,867,584 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - CF257283ED7095B65B8C7DE09674F1C0


  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


Thanks again for your efforts. The DCOM message and system shutdown messages no longer show up. I have not seen any browser redirects on IE or Firefox either.

However, I performed a full scan of the laptop using both Avast V5.0.396 & Malwarebytes. They both turned up infections. Could these be the result of the programs that I was directed to put on (i.e. DDS or GMER)?

I don't see an efficient way to post the log of the Avast! scan, short of using a Print Screen. One of the infections Avast! found was called 2.js. This was located directly in the C: drive. The others were all located in the "C:\System Volume Information" folder, and had bizarre names like A0025773.dll. I'm unable to access this "System Volume Information" folder. Would you like to see the print screen of this?

Either way, here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.44

Database version: 3675

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/1/2010 8:47:10 PM

mbam-log-2010-02-01 (20-47-10).txt

Scan type: Full Scan (C:\|)

Objects scanned: 190557

Time elapsed: 30 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP101\A0029927.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP101\A0029955.com (Adware.Swizzor) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP105\A0030178.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP105\A0030215.com (Adware.Swizzor) -> Quarantined and deleted successfully.


  • Staff

Hi,

What mbam found were just leftovers in your system restore points, nothing to worry about :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

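The staff reply above makes a triage distinction that is worth automating when reading these logs: a detection whose path sits under "System Volume Information\_restore{...}\RPnnn" is a copy inside a System Restore snapshot, not a live file. The following is an added example, not code from this thread or from Malwarebytes: a small Python parser for the "Files Infected:" section of an MBAM 1.x log in the format posted above, which separates restore-point copies from detections at live locations and cross-checks the parsed entries against the "Files Infected: N" summary count. The sample log, its all-zero GUID and the system32 entry are constructed for the demonstration.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.x text log (added example).

Parses the 'Files Infected:' section, flags detections that sit inside System
Restore snapshots (paths containing System Volume Information\\_restore{...}\\RPnnn)
and cross-checks the number of parsed entries against the summary count.
"""
import re
from dataclasses import dataclass

# Constructed sample shaped like the MBAM 1.44 log in the thread. The GUID is a
# zero placeholder and the system32 entry is invented to show a live detection.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3675
Scan type: Full Scan (C:\|)

Files Infected: 3

Files Infected:
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP101\A0029927.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP105\A0030215.com (Adware.Swizzor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example-live.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One detection line: "<path> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# System Restore snapshot location: ...\System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE)
# Summary line near the top of the log, distinct from the "Files Infected:" section header.
SUMMARY_RE = re.compile(r"^Files Infected: (\d+)$")


@dataclass
class Detection:
    path: str
    family: str
    action: str
    in_restore_point: bool


def parse_mbam_log(log_text):
    """Return (declared_count, [Detection, ...]) from an MBAM 1.x log."""
    declared = None
    detections = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        if line == "Files Infected:":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if not m:
            break  # first non-detection line ends the section
        detections.append(Detection(
            path=m.group("path"),
            family=m.group("family"),
            action=m.group("action"),
            in_restore_point=bool(RESTORE_POINT_RE.search(m.group("path"))),
        ))
    return declared, detections


def triage(log_text):
    """Split detections into restore-point copies and live locations."""
    declared, detections = parse_mbam_log(log_text)
    restore = [d for d in detections if d.in_restore_point]
    live = [d for d in detections if not d.in_restore_point]
    return {
        "declared_count": declared,
        "parsed_count": len(detections),
        "count_matches": declared == len(detections),
        "restore_point_only": bool(restore) and not live,
        "restore_point": restore,
        "live": live,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"declared={result['declared_count']} parsed={result['parsed_count']}")
    for d in result["restore_point"]:
        print("restore-point copy:", d.family, d.path)
    for d in result["live"]:
        print("LIVE location     :", d.family, d.path)
```

Run against the log actually posted in the thread, every entry would land in the restore-point list and "restore_point_only" would be true, which is the "leftovers in your system restore points" verdict; any entry in the live list is the one to look at first.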


Thank you so much for your efforts. My friend will be SO happy to get his laptop back again!!

As for me, I will definitely be purchasing the full version of MBAM very soon.

Again, thank you! You and the people who help the "not-so-informed" are incredible!

Adam
