
Hello everyone.

First of all I want to thank you all for providing such a wonderful service to the users of this forum. It seems to be a great help that has provided many people solutions to troubling problems.

My issue: I am using an office computer at work that appears to have been infected since the day I began here. The most common problems I encounter are browser hijacks/redirects which send me to fake spyware removal websites. These sites often automatically install "spyware removal programs" such as Internet Security 2010 and so on. It makes for working on this office computer very difficult.

I am unable to open either MBAM or HijackThis as they close seconds after opening. The anti-virus program that was installed on this computer - AVG - will not update, and visiting online scanners such as NOD32's free scan and others is impossible as images and whole sections of each page will not load.

If any of you could help me determine which steps I should take to try and immunize this computer, I would greatly appreciate it!

Thank you in advance.

Here is my DDS log:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Andie at 9:56:28.51 on Tue 01/26/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.991.458 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\ShowingTime\ShowingDesk Web Edition\ShowingTime.DeskWE.Client.exe

C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Andie\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://lraor.fnismls.com/Paragon/Login.asp?

uURLSearchHooks: KW.com Toolbar: {e682e50f-a793-4bfd-a3d6-4a38ee2ae13b} - c:\program files\kw.com\tbKW.1.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: KW.com Toolbar: {e682e50f-a793-4bfd-a3d6-4a38ee2ae13b} - c:\program files\kw.com\tbKW.1.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: KW.com Toolbar: {e682e50f-a793-4bfd-a3d6-4a38ee2ae13b} - c:\program files\kw.com\tbKW.1.dll

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Wisdom-soft ScreenHunter 5.1 Pro] 0

mRun: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"

dRunOnce: [RunNarrator] Narrator.exe

mPolicies-system: EnableLUA = 0 (0x0)

IE: &Search - ?p=ZSzeb012YCUS_ZZzer000

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: fnismls.com

Trusted Zone: getmedianow.com

Trusted Zone: live.com

Trusted Zone: showingdesk.com

Trusted Zone: showingtime.com

Trusted Zone: sitexdata.com

Trusted Zone: spellchecker.net

Trusted Zone: transactionpoint.com

Trusted Zone: trpoint.com

Trusted Zone: virtualearth.net

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {0854D220-A90A-466D-BC02-6683183802B7} - hxxp://lraor.fnismls.com/Paragon/Codebase/FNISPrintControl.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137800015343

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169178463140

DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.kw.com/listings/includes/ImageUploader4.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andie\applic~1\mozilla\firefox\profiles\lt1td9ap.default\

FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-12-28 40840]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-23 333192]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-23 28424]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-23 360584]

R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-12-28 66952]

R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-12-28 81288]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-23 285392]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-28 356920]

R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-28 1079176]

R3 ip100xp;ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver;c:\windows\system32\drivers\ipfnd51.sys [2008-10-27 26752]

S3 NETGEAR_WAG311_SERVICE;NETGEAR WAG311 Wireless PCI Adapter Service;c:\windows\system32\drivers\wag311n5.sys [2007-1-28 322560]

=============== Created Last 30 ================

2010-01-25 19:09:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-25 19:09:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-25 13:27:02 0 d-----w- c:\windows\system32\wbem\Repository

2010-01-22 22:20:14 2931 ----a-w- c:\windows\system32\warning.html

2010-01-16 17:43:39 0 d-----w- c:\docume~1\alluse~1\applic~1\LogMeIn

2010-01-11 15:33:11 327168 ----a-w- c:\windows\IsUn040a.exe

2009-12-28 21:07:41 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys

2009-12-28 21:07:41 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys

2009-12-28 21:07:41 40840 ----a-w- c:\windows\system32\drivers\ikfilesec.sys

2009-12-28 21:07:41 29576 ----a-w- c:\windows\system32\drivers\kcom.sys

2009-12-28 21:07:33 0 d-----w- c:\program files\Spyware Doctor

2009-12-28 21:07:33 0 d-----w- c:\docume~1\andie\applic~1\PC Tools

2009-12-28 20:21:01 0 d-----w- C:\spoolerlogs

2009-12-28 19:15:38 0 d-----w- c:\program files\Spybot - Search & Destroy

2009-12-28 19:15:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-12-23 15:56:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2009-12-23 15:56:47 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-12-23 15:56:18 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet(3).dll

2009-10-29 07:46:58 1168384 ----a-w- c:\windows\system32\urlmon(3).dll

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet(5).dll

2009-10-29 07:45:37 1208832 ----a-w- c:\windows\system32\urlmon(5).dll

============= FINISH: 9:58:03.37 ===============

Attached is the other scan I could run. GMER will not complete a scan as it freezes before finishing.

Attach.zip



Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt".

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.


Hello. Thank you very much for the reply. Here is my ComboFix log:

ComboFix 10-01-29.01 - Andie 01/29/2010 13:06:29.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.991.511 [GMT -5:00]

Running from: c:\documents and settings\Andie\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

PEV Error: ProgramsFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Andie\My Documents\avira_antivir_personal_en.bat

c:\windows\fyxo.bak

c:\windows\system32\warning.html

.

((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-30 )))))))))))))))))))))))))))))))

.

2010-01-26 18:08 . 2010-01-26 18:08 -------- d-----w- c:\windows\system32\wbem\Repository

2010-01-25 19:09 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-25 19:09 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-16 17:43 . 2010-01-16 17:43 -------- d-----w- c:\documents and settings\Andie\Local Settings\Application Data\LogMeIn

2010-01-16 17:43 . 2010-01-16 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn

2010-01-11 15:33 . 1998-10-07 00:34 327168 ----a-w- c:\windows\IsUn040a.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-30 13:50 . 2009-10-26 18:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-01-29 13:34 . 2008-01-29 18:03 74520 ----a-w- c:\documents and settings\Andie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-26 18:07 . 2009-12-15 22:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-25 19:01 . 2009-12-28 19:15 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-01-11 14:41 . 2009-08-24 14:34 -------- d-----w- c:\documents and settings\Andie\Application Data\U3

2009-12-30 14:48 . 2009-12-23 14:53 -------- d-----w- c:\program files\AVG

2009-12-30 13:17 . 2009-12-28 21:07 -------- d-----w- c:\program files\Spyware Doctor

2009-12-28 21:07 . 2009-12-28 21:07 -------- d-----w- c:\documents and settings\Andie\Application Data\PC Tools

2009-12-28 19:36 . 2009-12-28 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-12-23 15:56 . 2009-12-23 15:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2009-12-23 15:56 . 2009-12-23 15:56 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-12-23 15:56 . 2009-12-23 15:56 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-12-23 15:56 . 2009-12-23 15:56 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-12-23 15:56 . 2009-12-23 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2009-12-23 15:09 . 2009-12-23 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-12-23 15:06 . 2009-12-23 15:06 -------- d-----w- c:\program files\Conduit

2009-12-23 14:54 . 2009-12-23 14:54 -------- d-----w- c:\program files\Sun

2009-12-23 14:52 . 2009-12-22 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9(2)

2009-12-23 14:49 . 2007-06-11 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-12-23 14:49 . 2009-12-23 14:08 -------- dc----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

2009-12-22 17:30 . 2007-01-19 02:31 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-12-21 19:14 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-18 13:30 . 2009-12-18 13:30 -------- d-----w- c:\program files\MSBuild

2009-12-18 13:30 . 2009-12-18 13:30 -------- d-----w- c:\program files\Reference Assemblies

2009-12-18 13:25 . 2009-12-18 13:25 -------- d-----w- c:\program files\MSXML 6.0

2009-12-16 19:51 . 2009-12-16 19:45 -------- d-----w- c:\program files\EASY TRINITY

2009-12-15 22:27 . 2009-12-15 22:27 -------- d-----w- c:\documents and settings\Andie\Application Data\Malwarebytes

2009-12-15 22:27 . 2009-12-15 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-23 19:37 . 2009-11-23 19:37 152576 ----a-w- c:\documents and settings\Andie\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-23 19:37 . 2009-11-23 19:37 79488 ----a-w- c:\documents and settings\Andie\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-23 17:06 . 2009-11-23 17:06 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2009-11-21 16:36 . 2006-02-28 12:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-19 18:51 . 2009-11-19 18:51 0 ----a-w- c:\windows\nsreg.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Wisdom-soft ScreenHunter 5.1 Pro"="0" [X]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSPower"="SiSPower.dll" [2005-03-03 49152]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-23 2033432]

"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2006-02-28 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-12-23 15:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi9"=c:\windows\fyxo.bak 2yAPFDOFNF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\Installer\\{2BDAE5C3-4CC3-4281-8129-7549B1D1CCA3}\\WeStarter.exe1_1A7D3903460949A481C0D68751FF8123.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/23/2009 10:56 AM 333192]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/23/2009 10:56 AM 360584]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/23/2009 10:56 AM 285392]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/28/2009 4:07 PM 356920]

R3 ip100xp;ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver;c:\windows\system32\drivers\ipfnd51.sys [10/27/2008 2:10 PM 26752]

S3 NETGEAR_WAG311_SERVICE;NETGEAR WAG311 Wireless PCI Adapter Service;c:\windows\system32\drivers\wag311n5.sys [1/28/2007 2:46 PM 322560]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://lraor.fnismls.com/Paragon/Login.asp?

IE: &Search - ?p=ZSzeb012YCUS_ZZzer000

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: fnismls.com

Trusted Zone: getmedianow.com

Trusted Zone: live.com

Trusted Zone: showingdesk.com

Trusted Zone: showingtime.com

Trusted Zone: sitexdata.com

Trusted Zone: spellchecker.net

Trusted Zone: transactionpoint.com

Trusted Zone: trpoint.com

Trusted Zone: virtualearth.net

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\Andie\Application Data\Mozilla\Firefox\Profiles\lt1td9ap.default\

FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{e682e50f-a793-4bfd-a3d6-4a38ee2ae13b} - c:\program files\KW.com\tbKW.1.dll

BHO-{e682e50f-a793-4bfd-a3d6-4a38ee2ae13b} - c:\program files\KW.com\tbKW.1.dll

Toolbar-{e682e50f-a793-4bfd-a3d6-4a38ee2ae13b} - c:\program files\KW.com\tbKW.1.dll

WebBrowser-{E682E50F-A793-4BFD-A3D6-4A38EE2AE13B} - c:\program files\KW.com\tbKW.1.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-30 08:50

Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:

ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-1220945662-839522115-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{162D5BD0-4320-B256-B032-3A4A0F728BBA}*]

"oadofihaapiemfnhdbdckmjjibimfm"=hex:6b,61,68,70,6d,63,70,61,6d,63,6c,61,65,63,

6b,6d,6e,67,67,66,62,6a,00,00

"nabaimaflkfmfeplhccegnnhicdi"=hex:6b,61,68,70,6c,63,65,61,64,69,65,69,6e,62,

63,6b,6e,63,62,66,6c,6d,00,00

"oahnomjgockahifmimopdpbngfcdlg"=hex:64,61,6b,61,64,65,66,6d,00,7c

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1804)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WinSCP\DragExt.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Spyware Doctor\pctsSvc.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\windows\system32\wscntfy.exe

c:\windows\SOUNDMAN.EXE

c:\windows\system32\rundll32.exe

.

**************************************************************************

.

Completion time: 2010-01-30 08:54:32 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-30 13:54

Pre-Run: 139,527,155,712 bytes free

Post-Run: 140,187,869,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1119474674654EF15F35DFB8D957F31B

I look forward to your next reply!

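The two logs posted above carry several defender-relevant indicators: the DDS report shows `mPolicies-system: EnableLUA = 0` and an outdated AV, and the ComboFix "Reg Loading Points" section shows a `drivers32` value (`midi9`) pointing at `c:\windows\fyxo.bak` plus Security Center monitoring switched off (ComboFix deleted `fyxo.bak`, and the Kaspersky scan later in the thread identifies the quarantined copy as Trojan-PSW.Win32.Kates.ar). The script below is an added example, not part of this thread and not code from DDS or ComboFix: it parses lines in those two log shapes and flags such entries for review. The sample log is constructed to mirror the shapes seen here, and the `triage` and `Finding` names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample (not from any real machine) in the shape of the DDS
# "Pseudo HJT Report" and the ComboFix "Reg Loading Points" section.
SAMPLE_LOG = """\
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
mRun: [AVG9_TRAY] c:\\progra~1\\avg\\avg9\\avgtray.exe
mPolicies-system: EnableLUA = 0 (0x0)
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\drivers32]
"midi9"=c:\\windows\\fyxo.bak 2yAPFDOFNF
"msacm.l3acm"=c:\\windows\\system32\\l3codeca.acm
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
"""


@dataclass
class Finding:
    line: str    # the log line that triggered the finding
    reason: str  # why a reviewer should look at it


# File types that legitimately appear as drivers32 (multimedia codec) targets.
DRIVERS32_OK_EXT = (".dll", ".drv", ".acm", ".ax")

# REGEDIT4-style value line: "name"=data
_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
_LUA_OFF = re.compile(r"EnableLUA\s*=\s*0\b")


def triage(log_text: str) -> list[Finding]:
    """Return the lines of a DDS/ComboFix-style log that deserve a closer look."""
    findings: list[Finding] = []
    key = ""  # registry key of the current REGEDIT4 section, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue

        # DDS-style one-line indicators.
        if line.startswith("AV:") and "(Outdated)" in line:
            findings.append(Finding(line, "anti-virus definitions are out of date"))
        elif line.startswith("mPolicies-system:") and _LUA_OFF.search(line):
            findings.append(Finding(
                line, "EnableLUA = 0 in system policy (disables UAC on Vista and later; a common tampering sign)"))

        # ComboFix REGEDIT4-style values, interpreted by the key they sit under.
        m = _REG_VALUE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data").strip().strip('"')
        if key.endswith("\\drivers32"):
            # drivers32 maps codec aliases (midi*, wave*, msacm.*) to driver
            # modules; a value that loads anything else is a hijack pattern.
            target = data.split(" ", 1)[0].lower()
            if not target.endswith(DRIVERS32_OK_EXT):
                findings.append(Finding(line, f"drivers32 value '{name}' loads a non-driver file: {target}"))
        elif "security center\\monitoring" in key and name == "DisableMonitoring" and data.endswith("1"):
            findings.append(Finding(line, "Windows Security Center monitoring disabled"))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for f in triage(text):
        print(f"{f.reason}\n    {f.line}")
```

Run it with no arguments to see the four findings from the constructed sample, or pass the path of a saved DDS or ComboFix log. The drivers32 check is deliberately an allow-list on file type rather than a name match, so a codec alias that points at a renamed or extension-less file is caught even when the file name is new.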

Just wanted to note that I can now get MBAM to run. A scan produced this logfile:

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

1/30/2010 9:42:22 AM

mbam-log-2010-01-30 (09-42-18).txt

Scan type: Quick Scan

Objects scanned: 133046

Time elapsed: 4 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 8

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Additionally, I can now get AVG to update - the program would not update previously. I will turn this over to you now and see if my problem has somehow already been rectified by ComboFix (but I have a feeling it isn't really that easy).


I would like to review a file:

Please go here:

The Spy Killer Forum

  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "JSntgRvr"
  • Put a link to this thread in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:
    • c:\windows\IsUn040a.exe
  • Click Open.
  • Click Post.

You won't be able to see if the file was uploaded, but following the instructions above will certainly do.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java:

  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 18.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u18-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u18-windows-i586.exe and select "Run as an Administrator.")


Hello again!

Thank you so much for the help and your reply.

I have upgraded my Java as well as posted the specific file you mentioned to the forum you requested.

Additionally, here is my Kaspersky scan log:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Monday, February 1, 2010

Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Saturday, January 30, 2010 17:11:34

Records in database: 3387647

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

Scan statistics:

Objects scanned: 47964

Threats found: 1

Infected objects found: 1

Suspicious objects found: 0

Scan duration: 02:12:10

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\WINDOWS\fyxo.bak.vir Infected: Trojan-PSW.Win32.Kates.ar 1

Selected area has been scanned.

Looks like it found one virus that I believe ComboFix detected and quarantined? Any other steps I must now take?

Thank you again!


Hi!

Computer seems to be running fine. I have been able to update my antivirus - which was impossible before, MBAM now opens, and no Google redirects have occurred since the quarantine. I think everything is running smoothly. Can I go ahead and remove the objects found by MBAM?

Again, thank you so much! You guys are so very helpful.


Hi, kwlafayette. :)

Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.

  • Click START then RUN
  • Now copy and paste "c:\documents and settings\Andie\Desktop\Combo-Fix.exe" /Uninstall in the runbox (including the quotation marks) and click OK.

Create a Restore point:

  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  4. ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  5. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  6. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  7. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  8. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!
