Infected Still and Error when running GMER

[ljones4]

Hi, I got a virus yesterday and my avg detected it but could not clean it. I ran a full Malwarebytes scan yesterday. It cleaned a lot of stuff but something is running constantly using close to 100% of my cpu power all the time. I ran the quick scan today, log attached, I also did the defogger and DDS. I have attached the attach.txt file and below is the dds.txt. I tried running the GMER program and after it had been running for a while I got a blue screen that said a problem has been detected and windows has been shut down to prevent damage to my computer. It said the the problem seems to be caused by the following file: kwriqpow.sys. PAGE_FAULT_IN_NONPAGED_AREA. There is more to the message mostly instructions on what to do. If you need the Technical info it listed, let me know. Not sure what is going on. Would appreciate help. Thanks.

DDS (Ver_09-12-01.01) - NTFSx86

Run by Jones Boys at 12:24:10.93 on Thu 02/18/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.358 [GMT -6:00]

AV: AVG Internet Security 3-pack *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgfws8.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Jones Boys\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\SearchFilterHost.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Jones Boys\Desktop\Defogger.exe

C:\Documents and Settings\Jones Boys\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://jonesboys/Default

uInternet Settings,ProxyOverride = *.local

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File

EB: {FE54FA40-D68C-11D2-98FA-00C0F0318AFE} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sansaDispatch] c:\documents and settings\jones boys\application data\sandisk\sansa updater\SansaDispatch.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [EPSON Stylus CX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticda.exe /fu "c:\windows\temp\E_S10C.tmp" /EF "HKCU"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [Lpugon] rundll32.exe "c:\windows\emayecox.dll",Startup

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\documents and settings\jones boys\start menu\programs\startup\monnid32.exe

StartupFolder: c:\docume~1\jonesb~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

mPolicies-system: EnableLUA = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: buy-security-essentials.com

Trusted Zone: download-soft-package.com

Trusted Zone: download-software-package.com

Trusted Zone: get-key-se10.com

Trusted Zone: is-software-download.com

Trusted Zone: buy-security-essentials.com

Trusted Zone: get-key-se10.com

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238551025690

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {91D4B4D5-E368-40AB-8F53-A37FA634B471} - hxxp://h36.e-tmm.com/bin/tol9inst.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-latest.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jonesb~1\applic~1\mozilla\firefox\profiles\5ylicmf4.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - chrome://tavgp/content/html/tabswelcome.htm

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\jones boys\application data\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {24E1F395-303D-432F-BC92-6B95797A42A1} - c:\documents and settings\jones boys\local settings\application data\{24E1F395-303D-432F-BC92-6B95797A42A1}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-12 12552]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-12 335240]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-12 27784]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-12 108552]

R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-1-12 29208]

S0 ijthuod;ijthuod; [x]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-1-12 29208]

S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]

=============== Created Last 30 ================

2010-02-18 18:21:11 0 ----a-w- c:\documents and settings\jones boys\defogger_reenable

2010-02-17 20:48:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-17 20:48:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-17 20:48:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-17 20:18:58 0 ----a-w- c:\windows\Umeyed.bin

2010-02-17 20:18:57 120 ----a-w- c:\windows\Asoducusezejoh.dat

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys

2009-12-30 14:14:18 5308 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll

2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll

2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:11:44 17920 ------w- c:\windows\system32\dllcache\msyuv.dll

2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:11:44 1291776 ------w- c:\windows\system32\dllcache\quartz.dll

2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\dllcache\tsbyuv.dll

2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07:35 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll

2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07:34 84992 ------w- c:\windows\system32\dllcache\avifil32.dll

2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:07:34 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll

2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:07:34 11264 ------w- c:\windows\system32\dllcache\msrle32.dll

2009-11-21 15:51:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2008-06-07 02:35:43 251 ----a-w- c:\program files\wt3d.ini

2008-11-29 21:00:42 104 --sh--r- c:\windows\system32\E17CBF0BEB.sys

2008-11-29 21:00:42 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys

2008-12-31 21:02:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008123120090101\index.dat

2009-09-15 20:26:52 16384 --sha-w- c:\windows\temp\cookies\index.dat

2009-09-15 20:26:52 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat

2009-09-15 20:26:52 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 12:30:12.17 ===============

attach.zip

[screen317]

Hello and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
  

-screen317

[ljones4]

Thanks for your reply. I have attached the logs you requested.

hijackthis.zip

[screen317]

Hi,

Please copy the logs directly into your reply instead of attaching them. Use multiple posts if necessary.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=21972
Driver::
ijthuod
Collect::
c:\windows\Asoducusezejoh.dat
c:\windows\Umeyed.bin
c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat
Dirlook::
c:\documents and settings\Jones Boys\Local Settings\Application Data\{24E1F395-303D-432F-BC92-6B95797A42A1}

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.
  

-screen317

[ljones4]

Thanks for replying.

Hi,

Please copy the logs directly into your reply instead of attaching them. Use multiple posts if necessary.

Malwarebytes' Anti-Malware 1.44

Database version: 3761

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/19/2010 9:50:29 AM

mbam-log-2010-02-19 (09-50-29).txt

Scan type: Quick Scan

Objects scanned: 150254

Time elapsed: 44 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 7

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-software-package.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\~TMBD.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Documents and Settings\Jones Boys\Start Menu\Programs\Startup\monnid32.exe (Trojan.Bredolab) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:10:37 AM, on 2/19/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgfws8.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\ehome\ehtray.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Apoint\Apntex.exe

C:\Documents and Settings\Jones Boys\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jonesboys/Default

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [sansaDispatch] C:\Documents and Settings\Jones Boys\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238551025690

O16 - DPF: {91D4B4D5-E368-40AB-8F53-A37FA634B471} (Installer9Ctrl Class) - http://h36.e-tmm.com/bin/tol9inst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...ivex-latest.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

O23 - Service: WLANKEEPER - Intel

[ljones4]

Here is the combofix log that came up when I put CFScript.txt onto the combofix.exe

ComboFix 10-02-19.03 - Jones Boys 02/19/2010 20:37:45.4.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.507 [GMT -6:00]

Running from: c:\documents and settings\Jones Boys\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Jones Boys\Desktop\CFScript.txt

AV: AVG Internet Security 3-pack *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

file zipped: c:\windows\Asoducusezejoh.dat

file zipped: c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat

file zipped: c:\windows\Umeyed.bin

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Asoducusezejoh.dat

c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat

c:\windows\Umeyed.bin

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_ijthuod

((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))

.

2010-02-17 20:48 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-17 20:48 . 2010-02-17 20:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-17 20:48 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-17 20:18 . 2010-02-17 20:18 -------- d-----w- c:\documents and settings\Jones Boys\Local Settings\Application Data\{24E1F395-303D-432F-BC92-6B95797A42A1}

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-19 16:29 . 2009-01-02 16:10 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-02-19 16:29 . 2009-01-02 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-02-04 15:23 . 2007-07-04 21:01 -------- d-----w- c:\documents and settings\Jones Boys\Application Data\CoreFTP

2010-01-27 23:57 . 2007-11-01 14:19 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-06 19:17 . 2006-08-18 13:01 -------- d-----w- c:\program files\Paint.NET

2009-12-31 16:50 . 2006-01-17 18:20 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-30 14:14 . 2006-06-25 02:53 5308 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-27 23:48 . 2009-12-27 23:48 -------- d-----w- c:\program files\Magellan

2009-12-27 23:48 . 2006-01-17 18:42 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-12-27 23:40 . 2008-12-04 02:37 -------- d-----w- c:\documents and settings\Jones Boys\Application Data\dvdcss

2009-12-27 23:25 . 2009-12-27 23:25 -------- d-----w- c:\program files\DIFX

2009-12-27 23:24 . 2009-12-27 23:24 -------- d-----w- c:\program files\Mars

2009-12-21 19:14 . 2005-08-16 10:18 916480 ------w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2005-08-16 10:37 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2005-08-16 10:18 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-04 18:22 . 2006-01-17 18:20 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:11 . 2005-08-16 10:18 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:11 . 2004-08-04 06:56 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 16:07 . 2005-08-16 10:18 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07 . 2001-08-18 04:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07 . 2005-08-16 10:18 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:07 . 2005-08-16 10:18 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07 . 2004-08-04 06:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2008-06-07 02:35 . 2008-06-07 02:35 251 ----a-w- c:\program files\wt3d.ini

2008-11-29 21:00 . 2006-02-02 04:29 104 --sh--r- c:\windows\system32\E17CBF0BEB.sys

2008-11-29 21:00 . 2006-02-02 04:29 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\Jones Boys\Local Settings\Application Data\{24E1F395-303D-432F-BC92-6B95797A42A1} ----

2010-02-17 20:18 . 2010-02-17 20:18 6778 ----a-w- c:\documents and settings\Jones Boys\Local Settings\Application Data\{24E1F395-303D-432F-BC92-6B95797A42A1}\chrome\content\overlay.xul

2010-02-17 20:18 . 2010-02-17 20:18 2020 ----a-w- c:\documents and settings\Jones Boys\Local Settings\Application Data\{24E1F395-303D-432F-BC92-6B95797A42A1}\chrome\content\_cfg.js

2010-02-17 20:18 . 2010-02-17 20:18 764 ----a-w- c:\documents and settings\Jones Boys\Local Settings\Application Data\{24E1F395-303D-432F-BC92-6B95797A42A1}\install.rdf

2010-02-17 20:18 . 2010-02-17 20:18 122 ----a-w- c:\documents and settings\Jones Boys\Local Settings\Application Data\{24E1F395-303D-432F-BC92-6B95797A42A1}\chrome.manifest

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SansaDispatch"="c:\documents and settings\Jones Boys\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-04-17 79872]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-12 136600]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-20 185872]

c:\documents and settings\Jones Boys\Start Menu\Programs\Startup\

Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-4-27 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-17 24576]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-11 984352]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-07-30 14:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/12/2009 8:15 AM 12552]

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [11/14/2007 2:22 PM 6097]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/12/2009 8:15 AM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/12/2009 8:15 AM 108552]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/16/2009 8:37 AM 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/12/2009 8:14 AM 297752]

R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [4/10/2009 8:17 AM 1370488]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [1/30/2008 4:52 AM 106496]

R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/12/2009 8:13 AM 29208]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/12/2009 8:13 AM 29208]

S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [11/14/2007 2:22 PM 299923]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [1/9/2009 12:00 PM 11520]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [8/15/2008 2:47 PM 47128]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 5:17 AM 2805000]

S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [8/15/2008 2:47 PM 369688]

.

Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-02-19 c:\windows\Tasks\User_Feed_Synchronization-{84911465-5DAE-452A-B2F6-DDCFC48F8FF9}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://jonesboys/Default

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll

FF - ProfilePath - c:\documents and settings\Jones Boys\Application Data\Mozilla\Firefox\Profiles\5ylicmf4.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - chrome://tavgp/content/html/tabswelcome.htm

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\Jones Boys\Application Data\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

FF - HiddenExtension: XULRunner: {24E1F395-303D-432F-BC92-6B95797A42A1} - c:\documents and settings\Jones Boys\Local Settings\Application Data\{24E1F395-303D-432F-BC92-6B95797A42A1}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-19 20:54

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\

[screen317]

Hi,

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

• Click Start Scanning.
  
• You should get a notification bar (on top) to install the ActiveX control.
  
• Click on it and select to install the ActiveX.
  
• Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  
• In case you are having problems with installing the ActiveX/starting the scan, please read here.
  
• Click the Full System Scan button.
  
• It will start to download scanner components and databases. This can take a while.
  
• The main scan will start.
  
• Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  
• It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  
• The cleaning can take a while, so please be patient.
  
• Then click the Show report button and Copy/Paste what is present under results in your next reply.
  

Next, download my Security Check from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

Let me know how things are running now and what issues remain.

-screen317

[ljones4]

I am still having problems. I haven't done your last instructions yet but I will get to them tonight I hope. Apparently I had my website passwords saved in my ftp client and the a hacked all my websites as a result of these viruses. Doing damage control. Any advice? Working on backing them up but not sure if hosting co. has old enough files.

Laura

[screen317]

Hi Laura,

Any advice?

The primary issue here seems to be your protection. When you post the results of Security Check, I'll explain why.

[ljones4]

I cannot get the f-secure to run. It loads initially but then when I check the box to agree with the terms it just gives me the little java working circle for hours and hours. But here is the Security Check log.

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

AVG 8.5

Antivirus up to date! (On Access scanning disabled!)

``````````````````````````````

Anti-malware/Other Utilities Check:

HijackThis 2.0.2

Java 6 Update 11

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 8.1.2

Adobe Reader 8.1.2 Security Update 1 (KB403742)

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

AVG avgemc.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

[screen317]

Hi,

Before we continue, try this online scanner instead.

Please scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
  
• Click the button.
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your Desktop.
    
  • Double click on the icon on your Desktop.
    

  [*]Check

  [*]Click the button.

  [*]Accept any security warnings from your browser.

  [*]Check

  [*]Push the Start button.

  [*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

  [*]When the scan completes, push

  [*]Push , and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

  [*]Push the button.

  [*]Push

-screen317

[screen317]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!