
Need Help w/ Infection



I was trying to purchase and download a soccer video for my kids, the website asked me to download their software for the transfer, and I did . . . now I've got this infection I can't seem to get rid of. Immediately, every time I ran IE and did a search in google, it would cause my firefox to pop up with advertisements to unwanted websites. It also would redirect my google searches, and would redirect when I would try to manually put in the URL address (such as when I tried to get here, to Malwarebytes, it would take me to some other bogus security website). I updated and ran Malwarebytes, and it detected and said it removed the viruses, but it keeps coming back. I tried downloading Spybot S&D, same thing . . . keeps coming back. So I went by your directions and here is my info:

(In going by your directions I had a couple of issues. First, when I ran "defogger" it did not automatically reboot after I clicked OK after "Finished", so I rebooted manually; I hope this was the correct action. Second, the GMER seemed to take forever to complete: I went out to eat, came back, still running; went to sleep, and came down in the morning, and it is finally finished. I thought I'd include this fact in case it is a sign of something; it didn't seem like it should take several hours to complete the GMER, since I didn't see a warning about that.)

Thank you for your help on this:

1) DDS.txt - copied and pasted below

2) attach.txt - zipped and attached

3) ark.txt - zipped and attached

DDS (Ver_09-12-01.01) - NTFSx86

Run by Owner at 13:41:59.92 on Thu 03/11/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1134 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\hphmon05.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\LTMSG.exe

C:\Program Files\Multimedia Card Reader\shwicon2k.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\ALCXMNTR.EXE

c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Brother\Brmfcmon\BrMfimon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\NETGEAR\WG111v3\WG111v3.exe

C:\Program Files\interMute\SpamSubtract\SpamSub.exe

C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\EssentialPIM Pro\EssentialPIM.exe

C:\Program Files\EssentialPIM Pro\EssentialPIM.exe

C:\Documents and Settings\Owner.DOUG.000\Desktop\Defogger.exe

C:\Documents and Settings\Owner.DOUG.000\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://srch-qus10.hpwis.com/

uDefault_Page_URL = hxxp://qus10.hpwis.com/

uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/

uSearch Bar = hxxp://srch-qus10.hpwis.com/

mSearch Bar = hxxp://srch-qus10.hpwis.com/

uInternet Connection Wizard,ShellNext = hxxp://qus10.hpwis.com/

uInternet Settings,ProxyOverride = localhost

BHO: {01fdb0d1-464e-40ea-829f-4f952b798f4c} - c:\windows\system32\d3drm32.dll

BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\ycomp5,1,1,0.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realone player\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll

TB: &Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\ycomp5,1,1,0.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [RecordNow!]

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"

uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe

mRun: [HPHmon05] c:\windows\system32\hphmon05.exe

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [VTTimer] VTTimer.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [LTMSG] LTMSG.exe 7

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe

mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"

mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"

mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"

mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN

mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office x4\programs\QFSCHD140.EXE"

mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe

mRun: [atr.exe]

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [<NO NAME>]

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [RestartNeroSetup] "c:\docume~1\ownerd~1.000\locals~1\temp\nero web\SetupXu.exe" MODE="update" STARTMODE="2" USERSEL="3" FAMILYNAME="Nero 7" RUNSETUPXU="1" UPGRADE="1"

mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mExplorerRun: [RTHDBPL] c:\documents and settings\owner.doug.000\application data\systemproc\lsass.exe

StartupFolder: c:\docume~1\ownerd~1.000\startm~1\programs\startup\spamsu~1.lnk - c:\program files\intermute\spamsubtract\SpamSub.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\1940576\program\BackWeb-1940576.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: Open with WordPerfect - c:\program files\corel\wordperfect office x4\programs\WPLauncher.hta

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

LSP: SpSubLSP.dll

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259518188906

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259518291828

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: 64ced752841 - c:\windows\system32\dimsroam32.dll

Notify: igfxcui - igfxsrvc.dll

AppInit_DLLs: c:\windows\system32\dimsroam32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-11 11608]

R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\savrtpel.sys [2009-12-1 37000]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-11 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-11 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-11 56816]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2003-8-15 255648]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2003-8-15 235168]

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe [2009-8-1 81920]

R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe [2009-8-1 2732032]

R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]

S2 gupdate1ca7559e3fb9d9c;Google Update Service (gupdate1ca7559e3fb9d9c);c:\program files\google\update\GoogleUpdate.exe [2009-7-30 133104]

S2 mrtRate;mrtRate; [x]

S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-1-15 401920]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2003-8-15 87712]

S3 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2003-8-18 158848]

S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100113.009\NAVENG.Sys [2010-1-18 84912]

S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100113.009\NavEx15.Sys [2010-1-18 1323568]

S3 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2009-12-1 305288]

S3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVSCAN.EXE [2003-8-10 194272]

=============== Created Last 30 ================

2010-03-11 19:36:04 199168 ----a-w- c:\windows\system32\d3drm32.dll

2010-03-11 19:29:31 0 ----a-w- c:\documents and settings\owner.doug.000\defogger_reenable

2010-03-11 15:05:38 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-03-11 15:05:36 0 d-----w- c:\program files\Avira

2010-03-11 15:05:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-03-11 14:21:55 0 d-sh--w- c:\docume~1\ownerd~1.000\applic~1\SystemProc

2010-03-11 14:21:09 199168 ----a-w- c:\windows\system32\comrepl32.dll

2010-03-11 12:48:31 1908 ----a-w- c:\windows\GnuHashes.ini

2010-03-11 12:41:09 817 ----a-w- c:\windows\system32\1691277138

2010-03-11 12:40:29 0 d-sh--w- c:\windows\system32\SysWoW32

2010-03-10 18:13:42 1357 --sha-w- c:\windows\system32\882804482

2010-03-10 18:12:23 203776 --sh--w- c:\windows\system32\unrar.exe

2010-03-10 18:12:23 0 d-----w- c:\windows\system32\1459400757

2010-03-10 18:12:08 1047 ----a-w- c:\windows\system32\5f7904cb

2010-03-10 18:12:07 0 d-sh--w- C:\System Volume Data

2010-03-10 18:12:02 750592 --sha-w- c:\windows\system32\37F3.tmp

2010-03-10 18:11:42 132096 ----a-w- c:\windows\system32\dimsroam32.dll

2010-03-10 15:16:27 0 d-----w- c:\documents and settings\owner.doug.000\Incomplete

2010-03-10 15:09:59 0 d-----w- c:\docume~1\ownerd~1.000\applic~1\LimeWire

2010-03-10 15:07:02 0 d-----w- c:\documents and settings\owner.doug.000\Shared

2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr

2010-02-17 19:08:16 255352 ----a-w- c:\windows\system32\awrdscdc.ax

2010-02-17 19:08:09 24576 ------w- c:\windows\system32\msxml3a.dll

2010-02-17 19:07:52 0 d-----w- c:\program files\Audible

2010-02-13 07:11:40 14416 ----a-w- C:\Our Greatest Fear.wpd

==================== Find3M ====================

2010-03-11 14:57:39 3766 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys

2009-12-23 04:31:41 203776 ----a-w- c:\windows\system32\clrviddc.dll

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-11-24 22:22:01 91235464 ----a-w- c:\program files\AnyTimeOrganizer_v13_3.exe

2009-11-03 14:40:55 2357856 ----a-w- c:\program files\AmazonGSDownloaderSetup.exe

2009-09-30 21:18:38 1364995 ----a-w- c:\program files\CamStudio20.exe

2007-04-23 20:21:16 269824 -c--a-w- c:\windows\inf\wg111v3\vista64\wg111v3.sys

2007-04-23 20:11:54 224896 -c--a-w- c:\windows\inf\wg111v3\wg111v3.sys

2006-12-15 17:30:36 98304 -c--a-w- c:\windows\inf\wg111v3\UScanM.exe

2006-12-15 17:30:36 66048 -c--a-w- c:\windows\inf\wg111v3\EAPPkt.sys

2006-12-15 17:30:36 315392 -c--a-w- c:\windows\inf\wg111v3\InstallDriver.exe

2006-12-15 17:30:36 28672 -c--a-w- c:\windows\inf\wg111v3\SetDrv.exe

2006-12-15 17:30:36 212992 -c--a-w- c:\windows\inf\wg111v3\CopyWHQLDriver.exe

2006-12-15 17:30:36 20480 -c--a-w- c:\windows\inf\wg111v3\RTWUPath.exe

2006-12-15 17:30:36 19968 -c--a-w- c:\windows\inf\wg111v3\RTWREFU.EXE

2004-09-16 23:38:14 12631561 -c--a-w- c:\program files\61.77_win2kxp_english.exe

2004-08-27 21:04:05 295 ----a-w- c:\program files\acrO6stand.zip.html

2004-08-27 21:04:05 162103792 -c--a-w- c:\program files\acrO6stand.zip

2004-08-27 20:30:37 283604 -c--a-w- c:\program files\Acrobat_6_Standard_downloader.exe

2004-08-27 17:58:11 373760 -c--a-w- c:\program files\pdfedithtmlmodule.exe

2004-08-27 17:32:00 15838208 ----a-w- c:\program files\openoffice995part2.htm

2004-08-27 17:12:55 15982080 ----a-w- c:\program files\openoffice995part3.htm

2004-08-27 15:46:16 16865792 ----a-w- c:\program files\openoffice995part1.htm

2004-08-27 15:16:05 443392 -c--a-w- c:\program files\signature995.exe

2004-08-27 15:10:36 543232 -c--a-w- c:\program files\pdfedit.exe

2004-08-27 15:09:47 3276800 -c--a-w- c:\program files\ps2pdf995.exe

2004-08-27 15:08:11 1378304 -c--a-w- c:\program files\pdf995s.exe

2004-04-20 02:02:20 22510470 -c--a-w- c:\program files\AnyTime Upgrade.EXE

2009-11-30 14:49:18 56 --sh--r- c:\windows\system32\81D912EF39.sys

2009-11-30 14:51:03 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-11-30 01:17:32 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

2009-11-29 17:26:06 16384 --sha-w- c:\windows\temp\cookies\index.dat

2009-11-29 17:26:06 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat

2009-11-29 17:26:06 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 13:43:14.04 ===============

ark.zip

Attach.zip

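As an added example (not code from the original post, from Malwarebytes or from the DDS tool), a Python triage pass over the kinds of lines the DDS log above contains: it flags the BHO registered without a display name, the lsass.exe copy started from Application Data via Policies\Explorer\Run, the hex-named Winlogon Notify and AppInit_DLLs loaders, and hidden/system or numeric-named entries newly created in system32. The regular expressions, the SYSTEM_ONLY_NAMES list and the triage_line/triage_log functions are this example's own; the sample lines are copied from the log above.

```python
"""Triage heuristics for the 'Pseudo HJT Report' and 'Created Last 30' sections of a DDS log.

Added example for this thread, not code from the original post or from DDS itself. Which
sample lines were really malicious was settled by the MBAM log later in the thread, not by
these rules (they miss comrepl32.dll and GnuHashes.ini, for instance): the output is a review list.
"""
import re

# Core Windows binaries that should only ever run from %SystemRoot%\system32.
SYSTEM_ONLY_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "services.exe"}

# Line shapes as DDS prints them (patterns written for this example, not taken from DDS).
BHO_RE = re.compile(r"^BHO:\s*(?:(?P<name>[^{]+?):\s*)?\{[0-9A-Fa-f-]{36}\}\s*-\s*(?P<target>.*)$")
RUN_RE = re.compile(r"^[um](?P<key>Run|ExplorerRun):\s*\[[^\]]*\]\s*(?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Notify:\s*(?P<key>\S+)\s*-\s*.+$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*\S")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<attrs>[-\w]{8})\s+(?P<path>.+)$")
HEXISH_RE = re.compile(r"^[0-9A-Fa-f]+$")
EXE_RE = re.compile(r'"?([^"]*?\.exe)', re.I)


def _basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def _in_system32(path):
    return path.lower().startswith("c:\\windows\\system32\\")


def triage_line(line):
    """Return the reasons (possibly none) why one DDS line deserves a closer look."""
    line = line.strip()
    reasons = []
    m = BHO_RE.match(line)
    if m:
        # Vendor BHOs register a display name; a bare CLSID pointing at a DLL is the
        # pattern of the d3drm32.dll entry on the infected machine.
        if not m.group("name") and m.group("target").lower() != "no file":
            reasons.append("BHO registered without a display name")
        return reasons
    m = RUN_RE.match(line)
    if m:
        exe = EXE_RE.search(m.group("cmd"))
        path = exe.group(1).lower() if exe else ""
        if m.group("key") == "ExplorerRun":
            reasons.append("autorun via Policies\\Explorer\\Run, rarely used by legitimate software")
        if _basename(path) in SYSTEM_ONLY_NAMES and not _in_system32(path):
            reasons.append("core system binary name running outside system32")
        if "\\application data\\" in path or "\\applic~1\\" in path or "\\temp\\" in path:
            # Legitimate temp-based updaters (the Nero entry in the log) land here too.
            reasons.append("autorun target lives under a profile data or temp directory")
        return reasons
    m = NOTIFY_RE.match(line)
    if m:
        # Vendor Winlogon Notify packages have readable names (igfxcui); a hex-only
        # key name is how the dimsroam32.dll loader registered itself.
        if HEXISH_RE.match(m.group("key")):
            reasons.append("Winlogon Notify package with a random-looking key name")
        return reasons
    if APPINIT_RE.match(line):
        reasons.append("AppInit_DLLs entry is injected into every process that loads user32.dll")
        return reasons
    m = CREATED_RE.match(line)
    if m:
        attrs, path = m.group("attrs"), m.group("path")
        hidden_system = "h" in attrs and "s" in attrs
        if attrs.startswith("d") and hidden_system:
            reasons.append("newly created hidden+system directory")
        elif _in_system32(path) and (hidden_system or HEXISH_RE.match(_basename(path))):
            reasons.append("new system32 entry that is hidden/system or has a numeric-only name")
    return reasons


# Lines copied from the first DDS log in this thread (HJT report and Created Last 30).
SAMPLE_DDS_LINES = [
    r"BHO: {01fdb0d1-464e-40ea-829f-4f952b798f4c} - c:\windows\system32\d3drm32.dll",
    r"BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\ycomp5,1,1,0.dll",
    r"BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"mExplorerRun: [RTHDBPL] c:\documents and settings\owner.doug.000\application data\systemproc\lsass.exe",
    r"Notify: 64ced752841 - c:\windows\system32\dimsroam32.dll",
    r"Notify: igfxcui - igfxsrvc.dll",
    r"AppInit_DLLs: c:\windows\system32\dimsroam32.dll",
    r"2010-03-11 14:21:55 0 d-sh--w- c:\docume~1\ownerd~1.000\applic~1\SystemProc",
    r"2010-03-11 12:41:09 817 ----a-w- c:\windows\system32\1691277138",
    r"2010-03-10 18:12:23 203776 --sh--w- c:\windows\system32\unrar.exe",
    r"2010-03-10 15:16:27 0 d-----w- c:\documents and settings\owner.doug.000\Incomplete",
]


def triage_log(lines):
    """Map each flagged line to its reasons; lines with nothing to report are left out."""
    flagged = ((raw.strip(), triage_line(raw)) for raw in lines)
    return {line: reasons for line, reasons in flagged if reasons}
```

Running triage_log(SAMPLE_DDS_LINES) yields seven flagged lines, every one of which the later MBAM scan confirmed or that sits in a directory MBAM removed.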

  • Staff

Hi,

First of all, please update MalwareBytes, because the database version looks outdated (since some files should be removed here already).

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Here is the MBAM Log (quickscan done after updating) (the DDS HJT log follows) . . . by the way, another popup occurred as I was typing this (after the MBAM quickscan finished):

Malwarebytes' Anti-Malware 1.44

Database version: 3858

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/12/2010 7:40:40 AM

mbam-log-2010-03-12 (07-40-40).txt

Scan type: Quick Scan

Objects scanned: 171927

Time elapsed: 20 minute(s), 12 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 4

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 5

Files Infected: 23

Memory Processes Infected:

C:\Documents and Settings\Owner.DOUG.000\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\system32\d3drm32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01fdb0d1-464e-40ea-829f-4f952b798f4c} (Trojan.BHO.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{01fdb0d1-464e-40ea-829f-4f952b798f4c} (Trojan.BHO.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\.fsharproj (Trojan.Tracur) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{01fdb0d1-464e-40ea-829f-4f952b798f4c} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\WINDOWS\system32\SysWoW32 (Worm.Archive) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner.DOUG.000\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D} (Worm.Prolaco.M) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome (Worm.Prolaco.M) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\d3drm32.dll (Trojan.BHO.H) -> Delete on reboot.

C:\WINDOWS\system32\SysWoW32\mu1049922824v4 (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysWoW32\mu1049922824v4.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysWoW32\mu1049922824v5 (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysWoW32\mu1049922824v5.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysWoW32\mu1049922824v6 (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysWoW32\mu1049922824v6.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysWoW32\mu1049922824v7 (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysWoW32\mu1049922824v7.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysWoW32\wu1049922824v0 (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysWoW32\wu1049922824v0.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysWoW32\wu1049922824v1 (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysWoW32\wu1049922824v1.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysWoW32\wu1049922824v2 (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysWoW32\wu1049922824v2.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysWoW32\wu1049922824v3 (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysWoW32\wu1049922824v3.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner.DOUG.000\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest (Worm.Prolaco.M) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf (Worm.Prolaco.M) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul (Worm.Prolaco.M) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\comrepl32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\GnuHashes.ini (Malware.Trace) -> Quarantined and deleted successfully.

Here is the DDS HJT log:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Owner at 7:46:39.68 on Fri 03/12/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1236 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\hphmon05.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\LTMSG.exe

C:\Program Files\Multimedia Card Reader\shwicon2k.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\Program Files\Brother\Brmfcmon\BrMfimon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\NETGEAR\WG111v3\WG111v3.exe

C:\Program Files\interMute\SpamSubtract\SpamSub.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner.DOUG.000\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://srch-qus10.hpwis.com/

uDefault_Page_URL = hxxp://qus10.hpwis.com/

uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/

uSearch Bar = hxxp://srch-qus10.hpwis.com/

mSearch Bar = hxxp://srch-qus10.hpwis.com/

uInternet Connection Wizard,ShellNext = hxxp://qus10.hpwis.com/

uInternet Settings,ProxyOverride = localhost

BHO: {01fdb0d1-464e-40ea-829f-4f952b798f4c} - c:\windows\system32\fxsui32.dll

BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\ycomp5,1,1,0.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realone player\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll

TB: &Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\ycomp5,1,1,0.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [RecordNow!]

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"

uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe

mRun: [HPHmon05] c:\windows\system32\hphmon05.exe

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [VTTimer] VTTimer.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [LTMSG] LTMSG.exe 7

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe

mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"

mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"

mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"

mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN

mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office x4\programs\QFSCHD140.EXE"

mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe

mRun: [atr.exe]

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [<NO NAME>]

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [RestartNeroSetup] "c:\docume~1\ownerd~1.000\locals~1\temp\nero web\SetupXu.exe" MODE="update" STARTMODE="2" USERSEL="3" FAMILYNAME="Nero 7" RUNSETUPXU="1" UPGRADE="1"

mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mExplorerRun: [RTHDBPL] c:\documents and settings\owner.doug.000\application data\systemproc\lsass.exe

StartupFolder: c:\docume~1\ownerd~1.000\startm~1\programs\startup\spamsu~1.lnk - c:\program files\intermute\spamsubtract\SpamSub.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\1940576\program\BackWeb-1940576.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: Open with WordPerfect - c:\program files\corel\wordperfect office x4\programs\WPLauncher.hta

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

LSP: SpSubLSP.dll

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259518188906

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259518291828

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: 64ced752841 - c:\windows\system32\dimsroam32.dll

Notify: igfxcui - igfxsrvc.dll

AppInit_DLLs: c:\windows\system32\dimsroam32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-11 11608]

R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\savrtpel.sys [2009-12-1 37000]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-11 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-11 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-11 56816]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2003-8-15 255648]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2003-8-15 235168]

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe [2009-8-1 81920]

R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe [2009-8-1 2732032]

R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]

S2 gupdate1ca7559e3fb9d9c;Google Update Service (gupdate1ca7559e3fb9d9c);c:\program files\google\update\GoogleUpdate.exe [2009-7-30 133104]

S2 mrtRate;mrtRate; [x]

S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-1-15 401920]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2003-8-15 87712]

S3 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2003-8-18 158848]

S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100113.009\NAVENG.Sys [2010-1-18 84912]

S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100113.009\NavEx15.Sys [2010-1-18 1323568]

S3 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2009-12-1 305288]

S3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVSCAN.EXE [2003-8-10 194272]

=============== Created Last 30 ================

2010-03-12 13:45:49 199168 ----a-w- c:\windows\system32\fxsui32.dll

2010-03-12 13:45:46 0 d-sh--w- c:\docume~1\ownerd~1.000\applic~1\SystemProc

2010-03-11 22:05:03 199168 ----a-w- c:\windows\system32\bitsprx332.dll

2010-03-11 19:29:31 0 ----a-w- c:\documents and settings\owner.doug.000\defogger_reenable

2010-03-11 15:05:38 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-03-11 15:05:36 0 d-----w- c:\program files\Avira

2010-03-11 15:05:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-03-11 12:41:09 817 ----a-w- c:\windows\system32\1691277138

2010-03-10 18:13:42 1402 --sha-w- c:\windows\system32\882804482

2010-03-10 18:12:23 203776 --sh--w- c:\windows\system32\unrar.exe

2010-03-10 18:12:23 0 d-----w- c:\windows\system32\1459400757

2010-03-10 18:12:08 1047 ----a-w- c:\windows\system32\5f7904cb

2010-03-10 18:12:07 0 d-sh--w- C:\System Volume Data

2010-03-10 18:12:02 750592 --sha-w- c:\windows\system32\37F3.tmp

2010-03-10 18:11:42 132096 ----a-w- c:\windows\system32\dimsroam32.dll

2010-03-10 15:16:27 0 d-----w- c:\documents and settings\owner.doug.000\Incomplete

2010-03-10 15:09:59 0 d-----w- c:\docume~1\ownerd~1.000\applic~1\LimeWire

2010-03-10 15:07:02 0 d-----w- c:\documents and settings\owner.doug.000\Shared

2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr

2010-02-17 19:08:16 255352 ----a-w- c:\windows\system32\awrdscdc.ax

2010-02-17 19:08:09 24576 ------w- c:\windows\system32\msxml3a.dll

2010-02-17 19:07:52 0 d-----w- c:\program files\Audible

2010-02-13 07:11:40 14416 ----a-w- C:\Our Greatest Fear.wpd

==================== Find3M ====================

2010-03-11 14:57:39 3766 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys

2009-12-23 04:31:41 203776 ----a-w- c:\windows\system32\clrviddc.dll

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-11-24 22:22:01 91235464 ----a-w- c:\program files\AnyTimeOrganizer_v13_3.exe

2009-11-03 14:40:55 2357856 ----a-w- c:\program files\AmazonGSDownloaderSetup.exe

2009-09-30 21:18:38 1364995 ----a-w- c:\program files\CamStudio20.exe

2007-04-23 20:21:16 269824 -c--a-w- c:\windows\inf\wg111v3\vista64\wg111v3.sys

2007-04-23 20:11:54 224896 -c--a-w- c:\windows\inf\wg111v3\wg111v3.sys

2006-12-15 17:30:36 98304 -c--a-w- c:\windows\inf\wg111v3\UScanM.exe

2006-12-15 17:30:36 66048 -c--a-w- c:\windows\inf\wg111v3\EAPPkt.sys

2006-12-15 17:30:36 315392 -c--a-w- c:\windows\inf\wg111v3\InstallDriver.exe

2006-12-15 17:30:36 28672 -c--a-w- c:\windows\inf\wg111v3\SetDrv.exe

2006-12-15 17:30:36 212992 -c--a-w- c:\windows\inf\wg111v3\CopyWHQLDriver.exe

2006-12-15 17:30:36 20480 -c--a-w- c:\windows\inf\wg111v3\RTWUPath.exe

2006-12-15 17:30:36 19968 -c--a-w- c:\windows\inf\wg111v3\RTWREFU.EXE

2004-09-16 23:38:14 12631561 -c--a-w- c:\program files\61.77_win2kxp_english.exe

2004-08-27 21:04:05 295 ----a-w- c:\program files\acrO6stand.zip.html

2004-08-27 21:04:05 162103792 -c--a-w- c:\program files\acrO6stand.zip

2004-08-27 20:30:37 283604 -c--a-w- c:\program files\Acrobat_6_Standard_downloader.exe

2004-08-27 17:58:11 373760 -c--a-w- c:\program files\pdfedithtmlmodule.exe

2004-08-27 17:32:00 15838208 ----a-w- c:\program files\openoffice995part2.htm

2004-08-27 17:12:55 15982080 ----a-w- c:\program files\openoffice995part3.htm

2004-08-27 15:46:16 16865792 ----a-w- c:\program files\openoffice995part1.htm

2004-08-27 15:16:05 443392 -c--a-w- c:\program files\signature995.exe

2004-08-27 15:10:36 543232 -c--a-w- c:\program files\pdfedit.exe

2004-08-27 15:09:47 3276800 -c--a-w- c:\program files\ps2pdf995.exe

2004-08-27 15:08:11 1378304 -c--a-w- c:\program files\pdf995s.exe

2004-04-20 02:02:20 22510470 -c--a-w- c:\program files\AnyTime Upgrade.EXE

2009-11-30 14:49:18 56 --sh--r- c:\windows\system32\81D912EF39.sys

2009-11-30 14:51:03 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-11-30 01:17:32 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

2009-11-29 17:26:06 16384 --sha-w- c:\windows\temp\cookies\index.dat

2009-11-29 17:26:06 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat

2009-11-29 17:26:06 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 7:47:50.39 ===============


Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Here is the log from ComboFix:

ComboFix 10-03-11.05 - Owner 03/12/2010 8:43.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1555 [GMT -6:00]

Running from: c:\documents and settings\Owner.DOUG.000\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Application Data\0200000041112ad6841C.manifest

c:\documents and settings\Administrator\Application Data\0200000041112ad6841O.manifest

c:\documents and settings\Administrator\Application Data\0200000041112ad6841P.manifest

c:\documents and settings\Administrator\Application Data\0200000041112ad6841S.manifest

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\Tvm.log

c:\documents and settings\Owner.DOUG.000\Application Data\0200000041112ad6841C.manifest

c:\documents and settings\Owner.DOUG.000\Application Data\0200000041112ad6841O.manifest

c:\documents and settings\Owner.DOUG.000\Application Data\0200000041112ad6841P.manifest

c:\documents and settings\Owner.DOUG.000\Application Data\0200000041112ad6841S.manifest

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{3003f433-e32f-45c4-bb12-b1692acf93d1}

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{3003f433-e32f-45c4-bb12-b1692acf93d1}\chrome.manifest

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{3003f433-e32f-45c4-bb12-b1692acf93d1}\chrome\xulcache.jar

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{3003f433-e32f-45c4-bb12-b1692acf93d1}\defaults\preferences\xulcache.js

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{3003f433-e32f-45c4-bb12-b1692acf93d1}\install.rdf

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{901d84f5-50b0-4d03-be25-48ac37b49680}

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{901d84f5-50b0-4d03-be25-48ac37b49680}\chrome.manifest

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{901d84f5-50b0-4d03-be25-48ac37b49680}\chrome\xulcache.jar

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{901d84f5-50b0-4d03-be25-48ac37b49680}\defaults\preferences\xulcache.js

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{901d84f5-50b0-4d03-be25-48ac37b49680}\install.rdf

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{ad21c3b5-16c3-4ddd-aa5c-ec4e16096008}

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{ad21c3b5-16c3-4ddd-aa5c-ec4e16096008}\chrome.manifest

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{ad21c3b5-16c3-4ddd-aa5c-ec4e16096008}\chrome\xulcache.jar

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{ad21c3b5-16c3-4ddd-aa5c-ec4e16096008}\defaults\preferences\xulcache.js

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{ad21c3b5-16c3-4ddd-aa5c-ec4e16096008}\install.rdf

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{d39ae302-68c1-44fe-a7cd-e6242524f8b6}

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{d39ae302-68c1-44fe-a7cd-e6242524f8b6}\chrome.manifest

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{d39ae302-68c1-44fe-a7cd-e6242524f8b6}\chrome\xulcache.jar

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{d39ae302-68c1-44fe-a7cd-e6242524f8b6}\defaults\preferences\xulcache.js

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{d39ae302-68c1-44fe-a7cd-e6242524f8b6}\install.rdf

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{fdaef997-d146-4837-bace-87317c552b6a}

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{fdaef997-d146-4837-bace-87317c552b6a}\chrome.manifest

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{fdaef997-d146-4837-bace-87317c552b6a}\chrome\xulcache.jar

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{fdaef997-d146-4837-bace-87317c552b6a}\defaults\preferences\xulcache.js

c:\documents and settings\Owner.DOUG.000\Application Data\Mozilla\Firefox\Profiles\dawp2c5c.default\extensions\{fdaef997-d146-4837-bace-87317c552b6a}\install.rdf

c:\documents and settings\Owner.DOUG.000\Application Data\SystemProc

c:\documents and settings\Owner.DOUG.000\Application Data\SystemProc\lsass.exe

c:\documents and settings\Owner.DOUG.000\Local Settings\Temporary Internet Files\Tvm.log

c:\program files\Internet Explorer\SET6C.tmp

c:\program files\Internet Explorer\SET6D.tmp

c:\program files\Internet Explorer\SET6F.tmp

c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}

c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest

c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul

c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf

c:\recycler\S-1-5-21-2850041110-3266419891-1194892548-1003

c:\recycler\S-1-5-21-4016496050-1458029084-2093742439-1003

C:\Thumbs.db

c:\windows\Downloaded Program Files\Workspace

c:\windows\system32\1459400757

c:\windows\system32\37F3.tmp

c:\windows\system32\bitsprx332.dll

c:\windows\system32\dimsroam32.dll

c:\windows\system32\fxsui32.dll

c:\windows\system32\ps2.bat

c:\windows\system32\unrar.exe

c:\windows\viassary-hp.reg

c:\windows\winhelp.ini

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2010-02-12 to 2010-03-12 )))))))))))))))))))))))))))))))

.

2010-03-12 12:25 . 2010-03-12 12:25 -------- d-----w- c:\program files\NOS

2010-03-11 15:05 . 2009-11-25 17:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-03-11 15:05 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-03-11 15:05 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-03-11 15:05 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-03-11 15:05 . 2010-03-11 15:05 -------- d-----w- c:\program files\Avira

2010-03-11 15:05 . 2010-03-11 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-03-10 19:19 . 2010-03-10 19:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-03-10 19:17 . 2010-03-10 19:17 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-03-10 19:17 . 2004-04-19 14:48 54848 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-10 19:17 . 2004-01-26 13:27 128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat

2010-03-10 19:15 . 2004-04-18 22:34 -------- d-s---w- c:\documents and settings\Administrator\UserData

2010-03-10 19:15 . 2004-01-26 13:10 -------- d-----w- c:\documents and settings\Administrator\WINDOWS

2010-03-10 19:15 . 2010-03-10 19:17 -------- d-----w- c:\documents and settings\Administrator

2010-03-10 18:12 . 2010-03-10 18:12 -------- d-----w- C:\System Volume Data

2010-03-10 15:16 . 2010-03-10 22:21 -------- d-----w- c:\documents and settings\Owner.DOUG.000\Incomplete

2010-03-10 15:09 . 2010-03-10 18:25 -------- d-----w- c:\documents and settings\Owner.DOUG.000\Application Data\LimeWire

2010-03-10 15:07 . 2010-03-10 22:19 -------- d-----w- c:\documents and settings\Owner.DOUG.000\Shared

2010-03-09 22:53 . 2010-03-09 22:53 -------- d-----w- c:\documents and settings\Owner.DOUG.000\Local Settings\Application Data\imr

2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr

2010-02-17 19:16 . 2010-02-20 16:22 -------- d-----w- c:\documents and settings\Owner.DOUG.000\Local Settings\Application Data\Audible

2010-02-17 19:08 . 2001-08-18 04:43 24576 ------w- c:\windows\system32\msxml3a.dll

2010-02-17 19:07 . 2010-02-17 19:08 -------- d-----w- c:\program files\Audible

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-12 13:45 . 2010-03-12 13:44 20829680 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe

2010-03-12 13:44 . 2010-03-12 13:44 8405312 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe

2010-03-12 13:44 . 2010-03-12 13:44 149000 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe

2010-03-12 13:44 . 2010-03-12 13:43 10309448 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe

2010-03-12 13:43 . 2010-03-12 13:43 181768 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe

2010-03-12 13:43 . 2010-03-12 13:43 283280 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe

2010-03-12 13:43 . 2010-03-12 13:43 79368 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\Real\Update\setup3.10\RUP\vista.exe

2010-03-12 13:43 . 2010-03-12 13:43 64000 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll

2010-03-12 13:43 . 2010-03-12 13:43 52288 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll

2010-03-12 13:43 . 2010-03-12 13:43 50688 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll

2010-03-12 13:43 . 2010-03-12 13:43 49152 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll

2010-03-12 13:43 . 2010-03-12 13:43 118784 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll

2010-03-12 12:25 . 2009-04-27 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-03-11 18:20 . 2010-03-11 18:20 439816 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\Real\Update\setup3.10\setup.exe

2010-03-11 14:57 . 2008-11-12 02:13 3766 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2010-03-11 14:57 . 2008-11-12 02:13 3766 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2010-03-11 05:26 . 2004-05-26 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-11 03:46 . 2004-10-23 03:16 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-02-25 14:31 . 2009-09-29 15:48 -------- d-----w- c:\program files\Microsoft Silverlight

2010-02-16 21:15 . 2010-01-18 19:22 -------- d-----w- c:\program files\H&R Block Business 2009

2010-02-13 09:02 . 2004-04-18 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-01-27 15:39 . 2010-01-27 15:39 -------- d-----w- c:\program files\PreziDesktop

2010-01-27 15:26 . 2010-01-01 20:15 -------- d-----w- c:\program files\XMind

2010-01-27 14:55 . 2009-11-29 17:39 55008 ----a-w- c:\documents and settings\Owner.DOUG.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-27 13:59 . 2004-01-26 10:23 -------- d-----w- c:\program files\Common Files\Java

2010-01-27 13:58 . 2004-01-26 10:23 -------- d-----w- c:\program files\Java

2010-01-19 15:53 . 2009-12-23 21:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-19 15:53 . 2010-01-19 15:53 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-18 21:11 . 2010-01-15 20:02 -------- d-----w- c:\program files\Common Files\CCHSFS

2010-01-18 21:09 . 2010-01-18 21:09 -------- d-----w- c:\documents and settings\Owner.DOUG.000\Application Data\MozillaControl

2010-01-18 21:09 . 2010-01-18 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Wolters Kluwer

2010-01-16 17:25 . 2010-01-16 17:25 335 ----a-w- c:\windows\mozregistry.dat

2010-01-16 16:28 . 2010-01-16 16:02 -------- d-----w- c:\program files\HRBlock2009

2010-01-16 16:02 . 2008-10-22 19:57 -------- d-----w- c:\program files\PDF995

2010-01-16 15:41 . 2004-01-26 12:22 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-15 21:09 . 2010-01-15 21:08 14247112 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30025501cupd.exe

2010-01-15 21:08 . 2010-01-15 19:38 -------- d-----w- c:\documents and settings\Owner.DOUG.000\Application Data\TaxCut

2010-01-15 20:07 . 2009-11-29 17:39 137 ----a-w- c:\documents and settings\Owner.DOUG.000\Local Settings\Application Data\fusioncache.dat

2010-01-15 19:57 . 2008-10-22 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut

2010-01-15 19:47 . 2010-01-15 19:47 -------- d-----w- c:\program files\Amazon

2010-01-12 21:45 . 2010-01-12 21:45 -------- d-----w- c:\documents and settings\Owner.DOUG.000\Application Data\Broderbund

2010-01-12 21:42 . 2010-01-12 21:42 -------- d-----w- c:\program files\Common Files\Broderbund

2010-01-12 21:42 . 2010-01-12 21:42 -------- d-----w- c:\program files\Broderbund

2010-01-11 23:22 . 2009-11-29 17:38 -------- d-----w- c:\documents and settings\Owner.DOUG.000\Application Data\Sonic

2010-01-11 23:21 . 2010-01-11 23:21 -------- d-----w- c:\documents and settings\Owner.DOUG.000\Application Data\Leadertech

2010-01-07 22:07 . 2009-12-23 21:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 22:07 . 2009-12-23 21:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-04 22:53 . 2010-01-04 22:53 32768 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\XMind\configuration-cathy\org.eclipse.osgi\bundles\63\1\.cp\os\win32\x86\localfile_1_0_0.dll

2010-01-01 20:36 . 2010-01-01 20:36 77824 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\XMind\configuration-cathy\org.eclipse.osgi\bundles\178\1\.cp\swt-xulrunner-win32-3555.dll

2010-01-01 20:16 . 2010-01-01 20:16 77824 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\XMind\configuration-cathy\org.eclipse.osgi\bundles\178\1\.cp\swt-gdip-win32-3555.dll

2010-01-01 20:16 . 2010-01-01 20:16 348160 ----a-w- c:\documents and settings\Owner.DOUG.000\Application Data\XMind\configuration-cathy\org.eclipse.osgi\bundles\178\1\.cp\swt-win32-3555.dll

2009-12-31 16:50 . 2004-01-26 08:10 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-23 04:31 . 2009-12-23 04:31 203776 ----a-w- c:\windows\system32\clrviddc.dll

2009-12-21 19:14 . 2004-01-21 22:16 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2004-02-04 19:12 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2004-02-04 19:10 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-11-24 22:22 . 2009-11-24 22:05 91235464 ----a-w- c:\program files\AnyTimeOrganizer_v13_3.exe

2009-11-03 14:40 . 2009-11-03 14:40 2357856 ----a-w- c:\program files\AmazonGSDownloaderSetup.exe

2009-09-30 21:18 . 2009-09-30 21:18 1364995 ----a-w- c:\program files\CamStudio20.exe

2004-09-16 23:38 . 2004-09-16 23:38 12631561 -c--a-w- c:\program files\61.77_win2kxp_english.exe

2004-08-27 21:04 . 2004-08-27 21:04 295 ----a-w- c:\program files\acrO6stand.zip.html

2004-08-27 21:04 . 2004-08-27 20:30 162103792 -c--a-w- c:\program files\acrO6stand.zip

2004-08-27 20:30 . 2004-08-27 20:30 283604 -c--a-w- c:\program files\Acrobat_6_Standard_downloader.exe

2004-08-27 17:58 . 2004-08-27 17:58 373760 -c--a-w- c:\program files\pdfedithtmlmodule.exe

2004-08-27 17:32 . 2004-08-27 17:32 15838208 ----a-w- c:\program files\openoffice995part2.htm

2004-08-27 17:12 . 2004-08-27 17:33 15982080 ----a-w- c:\program files\openoffice995part3.htm

2004-08-27 15:46 . 2004-08-27 15:46 16865792 ----a-w- c:\program files\openoffice995part1.htm

2004-08-27 15:16 . 2004-08-27 17:59 443392 -c--a-w- c:\program files\signature995.exe

2004-08-27 15:10 . 2004-08-27 17:59 543232 -c--a-w- c:\program files\pdfedit.exe

2004-08-27 15:09 . 2004-08-27 17:59 3276800 -c--a-w- c:\program files\ps2pdf995.exe

2004-08-27 15:08 . 2004-08-27 17:59 1378304 -c--a-w- c:\program files\pdf995s.exe

2004-04-20 02:02 . 2004-04-20 02:02 22510470 -c--a-w- c:\program files\AnyTime Upgrade.EXE

2009-11-30 14:49 . 2009-11-29 16:12 56 --sh--r- c:\windows\system32\81D912EF39.sys

2009-11-30 14:51 . 2009-11-29 16:05 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"VTTimer"="VTTimer.exe" [2004-10-22 53248]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]

"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]

"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 135168]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-18 118784]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2009-06-22 83232]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-22 640440]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-05 198160]

"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Organize.lnk.disabled [2004-1-26 1715]

spamsubtract.lnk.disabled [2004-1-27 817]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Organize.lnk.disabled [2004-1-26 1715]

spamsubtract.lnk.disabled [2004-1-27 817]

c:\documents and settings\Owner.DOUG.000\Start Menu\Programs\Startup\

spamsubtract.lnk.disabled [2004-1-27 817]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Compaq Connections.lnk.disabled [2009-12-6 1903]

HP Digital Imaging Monitor.lnk.disabled [2004-1-26 1808]

NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2007-9-12 1527808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

"RecordNow!"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" /min

"HPHmon05"=c:\windows\System32\hphmon05.exe

"hpsysdrv"=c:\windows\system\hpsysdrv.exe

"HPHUPD05"=c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe"

"KBD"=c:\hp\KBD\KBD.EXE

"LTMSG"=LTMSG.exe 7

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe"

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"

"Recguard"=c:\windows\SMINST\RECGUARD.EXE

"Symantec NetDriver Monitor"=c:\progra~1\SYMNET~1\SNDMon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=

"c:\\Program Files\\EssentialPIM Pro\\EssentialPIM.exe"=

"c:\\Program Files\\Firebird\\Firebird_2_1\\bin\\isql.exe"=

"c:\\Program Files\\Brother\\Brmfl08g\\FAXRX.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\EPIM Synchronizer\\EPIMSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/11/2010 9:05 AM 108289]

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [8/1/2009 11:56 PM 81920]

R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [8/1/2009 11:56 PM 2732032]

R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [4/23/2007 2:11 PM 224896]

S2 gupdate1ca7559e3fb9d9c;Google Update Service (gupdate1ca7559e3fb9d9c);c:\program files\Google\Update\GoogleUpdate.exe [7/30/2009 8:37 PM 133104]

S2 mrtRate;mrtRate; [x]

S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [1/15/2010 1:47 PM 401920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2008-07-30 16:39 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2010-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore1ca755bec658892.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 02:37]

2010-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA1ca755becdf2080.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 02:37]

2010-03-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4016496050-1458029084-2093742439-1003Core.job

- c:\documents and settings\Owner.DOUG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-12 02:37]

2010-03-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4016496050-1458029084-2093742439-1003UA.job

- c:\documents and settings\Owner.DOUG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-12 02:37]

2010-03-12 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]

2010-03-06 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job

- c:\progra~1\NORTON~1\Navw32.exe [2003-08-18 00:22]

2010-03-12 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-01-27 08:17]

2010-03-12 c:\windows\Tasks\User_Feed_Synchronization-{06028606-BE02-4499-ACD0-1BB01422EB9B}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/

mSearch Bar = hxxp://srch-qus10.hpwis.com/

uInternet Connection Wizard,ShellNext = hxxp://qus10.hpwis.com/

uInternet Settings,ProxyOverride = localhost

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta

LSP: SpSubLSP.dll

.

- - - - ORPHANS REMOVED - - - -

BHO-{01FDB0D1-464E-40EA-829F-4F952B798F4c} - c:\windows\System32\fxsui32.dll

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

HKLM-Run-atr.exe - (no file)

HKLM-Explorer_Run-RTHDBPL - c:\documents and settings\Owner.DOUG.000\Application Data\SystemProc\lsass.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-12 09:00

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

RTHDBPL = c:\documents and settings\Owner.DOUG.000\Application Data\SystemProc\lsass.exe??????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(888)

c:\windows\system32\SpSubLSP.dll

- - - - - - - > 'explorer.exe'(3232)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\windows\system32\VTTimer.exe

c:\windows\ALCXMNTR.EXE

c:\program files\Brother\Brmfcmon\BrMfimon.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-03-12 09:10:59 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-12 15:10

Pre-Run: 100,329,545,728 bytes free

Post-Run: 101,424,717,824 bytes free

- - End Of File - - D45C3DD8B596DC25C99E9230663159A9


  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then, run another scan with Malwarebytes again to get rid of some leftovers (since I see there's still a leftover to delete here).

Then let me know in your next reply how things are now.


Quickscan or full? (Running a Quickscan right now).


  • Staff

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
