
Trojan.Agent problem



  • Staff

Okay, thanks for letting me know.

Today I received a new DRAM for that computer that will upgrade it from 448M to 1280M. Any problem with installing that before I continue?
No, please go ahead and install the DRAM.

Also, hold off on altering your protection software lineup until you are clean; wouldn't want to create complications.


Didn't notice any problems (and it didn't need to reboot). An MBAM update/quick scan came out clean.

Now to see if I can figure out the infection I've gotten on a different computer.

ComboFix 10-03-22.02 - Owner 03/22/2010 19:59:32.6.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.193 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))

.

2010-03-21 22:14 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-21 22:13 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-21 22:12 . 2010-03-21 22:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-21 20:50 . 2010-03-21 21:03 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-21 15:33 . 2010-03-22 07:07 22 ----a-w- c:\windows\liccyval.dat

2010-03-20 07:33 . 2010-03-20 07:33 -------- d-----w- c:\program files\Trend Micro

2010-03-20 02:29 . 2010-03-21 22:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-03-20 01:18 . 2010-03-21 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-17 06:35 . 2010-03-17 06:35 -------- d-----w- C:\$AVG

2010-03-17 06:03 . 2010-03-17 06:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-17 06:03 . 2010-03-17 06:03 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-17 06:03 . 2010-03-17 06:03 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-17 06:03 . 2010-03-17 06:03 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-17 06:03 . 2010-03-22 23:39 -------- d-----w- c:\windows\system32\drivers\Avg

2010-03-17 06:03 . 2010-03-17 06:03 -------- d-----w- c:\program files\AVG

2010-03-17 06:03 . 2010-03-17 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-03-17 03:59 . 2010-03-17 03:59 -------- d-----w- c:\documents and settings\Administrator.YOUR-RVLNHR6V8D\Local Settings\Application Data\Mozilla

2010-03-15 08:02 . 2010-03-15 06:02 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-15 06:03 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-03-15 06:02 . 2010-03-15 06:02 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-15 06:01 . 2010-03-15 06:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-03-15 05:56 . 2010-03-15 06:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

2010-03-15 05:54 . 2010-03-15 05:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-15 03:29 . 2010-03-15 03:29 -------- d-----w- c:\program files\SysInternals

2010-03-14 23:42 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-22 13:50 . 2008-11-05 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData

2010-03-22 13:39 . 2003-02-21 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-03-22 13:39 . 2003-02-21 16:33 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-03-21 21:56 . 2004-09-10 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-18 00:09 . 2007-03-02 00:31 -------- d-----w- c:\program files\Google

2010-03-15 05:55 . 2004-09-08 00:41 -------- d-----w- c:\program files\Lavasoft

2010-01-05 10:00 . 2003-02-05 12:07 832512 ------w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2003-02-05 12:23 17408 ------w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2003-02-05 12:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2004-11-30 00:05 . 2004-11-30 00:03 22 ----a-w- c:\program files\Profmine.zip

2008-09-10 19:49 . 2008-09-10 19:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"C2K"="c:\windows\cyb2k.exe" [2006-02-08 3067392]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-17 06:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk

backup=c:\windows\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk

backup=c:\windows\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center.lnk

backup=c:\windows\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk

backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk

backup=c:\windows\pss\Microtek Scanner Finder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OZ-290_ZQ-290II Synchronization Software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OZ-290_ZQ-290II Synchronization Software.lnk

backup=c:\windows\pss\OZ-290_ZQ-290II Synchronization Software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2005-06-07 05:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]

2004-09-07 18:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C2K]

2006-02-08 21:02 3067392 ----a-w- c:\windows\Cyb2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]

2002-10-07 06:23 90112 ----a-w- c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2002-10-16 14:05 114688 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

2002-11-22 19:49 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]

2002-11-22 19:50 49152 ----a-w- c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

1998-05-08 00:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

2001-07-07 04:56 61440 ----a-w- c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

2004-09-23 00:20 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2002-09-10 06:35 372736 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]

2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-09-01 00:05 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

2003-01-11 09:47 315392 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

2002-04-18 01:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]

2002-06-18 15:01 155648 ----a-w- c:\program files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2007-03-14 08:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2006-12-30 16:18 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]

2002-11-27 01:14 131072 ----a-w- c:\program files\Coloreal\COLOREAL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]

2002-12-07 05:25 20539 ----a-w- c:\program files\Zero Knowledge\Freedom\AutoStarterR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"gusvc"=2 (0x2)

"Pml Driver HPH11"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Cyb2k.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/15/2010 1:03 AM 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/17/2010 1:03 AM 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/17/2010 1:03 AM 242696]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/17/2010 1:03 AM 308064]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1263728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-03-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:52]

2008-04-17 c:\windows\Tasks\easy Internet sign-up.job

- c:\program files\Hewlett-Packard\EZ Internet Signup\HPSdpApp.exe [2003-02-20 05:10]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>;localhost

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

LSP: c:\windows\system32\lspcs.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\m9k2su9g.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.goodsearch.com/

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

pref(dom.disable_open_during_load, true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-22 20:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1128)

c:\windows\system32\lspcs.dll

- - - - - - - > 'explorer.exe'(732)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-03-22 20:23:30

ComboFix-quarantined-files.txt 2010-03-23 01:23

ComboFix2.txt 2010-03-22 14:36

ComboFix3.txt 2010-03-21 15:53

ComboFix4.txt 2010-03-20 18:12

ComboFix5.txt 2010-03-23 00:57

Pre-Run: 43,059,331,072 bytes free

Post-Run: 43,029,372,928 bytes free

- - End Of File - - E33A24C073688D338958AFAFA7FDB2E9


  • Staff

Hi,

Your other computer will be addressed in due time.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


I made numerous attempts to run F-Secure Online Scanner, all of which got to the Downloading Files... stage, started downloading, and failed at 7%.

Results of screen317's Security Check version 0.99.2

Windows XP Service Pack 3

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

AVG Free 9.0

```````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

MVPS Hosts File

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 18

Java SE Runtime Environment 6 Update 1

Adobe Flash Player 10

Adobe Reader 9.3

````````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe

Ad-Aware AAWTray.exe

AVG avgwdsvc.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


Partial recant on the last post. F-Secure is now running. If it completes successfully (a few hours from now) I'll post the results.

On a hunch I decided to see if I could remove Cybersitter while I was running it, and discovered it was active. I had deactivated it several days ago and thought it was still inactive, but apparently that only lasted until the next reboot. My suspicions were confirmed when it got past the 7% mark it kept failing at before. It finished downloading files and started running. So far so good.

A similar incident occurred two or three days ago when I was running MBAM. While trying to update, the updating window would appear and the progress bar would get about two thirds of the way through, then it would abort with a 732 error. I was able to reproduce this several times, always aborting at about the same spot in the download. That was several database versions ago so I can't retry it now (the problem no longer occurs with more recent versions). I have a hunch Cybersitter was the culprit there as well.

You can add Cybersitter to your list of applications that can sometimes interfere with malware removal.

I'll post the F-Secure report when it's done. Currently it's at 12% with no spyware or malware found so far.


The F-Secure report:

Scanning Report

Thursday, March 25, 2010 20:49:39 - 23:05:19

Computer name: YOUR-RVLNHR6V8D

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\

--------------------------------------------------------------------------------

7 malware found

TrackingCookie.Adinterax (spyware)

System (Disinfected)

TrackingCookie.2o7 (spyware)

System (Disinfected)

Suspicious:W32/Malware!Gemini (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Zanox (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

Suspicious:W32/Malware!Gemini (virus)

C:\PROGRAM FILES\YAHOO! GAMES\PUZZLEINLAY\PUZZLEINLAY.EXE (Not cleaned)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 45371

System: 4342

Not scanned: 45

Actions:

Disinfected: 6

Renamed: 0

Deleted: 0

Not cleaned: 1

Submitted: 0

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL

C:\WINDOWS\$NTUNINSTALLKB835732$\GDI32.DLL

C:\WINDOWS\$NTUNINSTALLKB835732$\H323.TSP

C:\WINDOWS\$NTUNINSTALLKB835732$\H323MSP.DLL

C:\WINDOWS\$NTUNINSTALLKB835732$\HELPCTR.EXE

C:\WINDOWS\$NTUNINSTALLKB835732$\MSASN1.DLL

C:\WINDOWS\$NTUNINSTALLKB835732$\MF3216.DLL

C:\WINDOWS\$NTUNINSTALLKB835732$\IPNATHLP.DLL

C:\WINDOWS\$NTUNINSTALLKB835732$\LSASRV.DLL

C:\WINDOWS\$NTUNINSTALLKB835732$\MSGINA.DLL

C:\WINDOWS\$NTUNINSTALLKB835732$\MST120.DLL

C:\WINDOWS\$NTUNINSTALLKB835732$\NMCOM.DLL

C:\WINDOWS\$NTUNINSTALLKB835732$\NETAPI32.DLL

C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL

C:\WINDOWS\$NTUNINSTALLKB835732$\SCHANNEL.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRVUT.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATEX.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATQ.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\COLBACT.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\COMADMIN.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\COMREPL.EXE

C:\WINDOWS\$NTUNINSTALLKB828741$\COMSVCS.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\MIGREGDB.EXE

C:\WINDOWS\$NTUNINSTALLKB828741$\ES.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\COMUID.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCPRX.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\MTXCLU.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCUIU.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCTM.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\MTXOCI.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\TXFLOG.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\RPCRT4.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\RPCSS.DLL

C:\WINDOWS\$NTUNINSTALLKB828741$\OLE32.DLL

C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\HSPERFDATA_OWNER\2700

C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\HSPERFDATA_OWNER\1876

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\EA563F5ED0B8EA72081A19B9B561DD25_5259E984-4C04-4341-94FF-4A2B73F0F56D

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\BRODERBUND SOFTWARE\PRINT\PRINTMASTER\PMWPRINT.INI

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

Copyright


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


Combofix uninstall done.

Delete SecurityCheck done.

Uninstall Java SE done.

Microsoft Updates done, although it took about three or four iterations before it wasn't finding anything new that needed updating.

Although there's no evidence of any new or previously undetected malware, the performance of the system has taken a nosedive. It was getting worse over the last few days, and watching activity under task manager suggests that AVG and/or Ad-Aware may be responsible for a lot of the activity that's taking up resources. So now I have that to figure out. An MBAM quick scan this morning came up clean but took twice as long as it did a few days ago.


  • Staff

Hmm.

Well, we can investigate performance issues. I don't personally recommend Ad-Aware anymore due to its diminishing performance over the last few years. It may be worthwhile to uninstall it, and see if performance improves.

Next, please run the PCPitstop Full Tests here. When the tests are complete, a results page will pop up. Copy and paste the URL of the Results screen and post it here for me.

-screen317


Uninstall Ad-Aware done. Performance seems to be somewhat improved though still slow.

Attempted to run the PCPitstop tests. I did at one point finally get it to run (I hope I ran the right test; the page you pointed me to offered a few different ones). I did eventually get the test to run (one of them) and it displayed the results, but it didn't give me a URL where the results screen was saved, and it was a graphically-oriented display that didn't lend itself to being cut-and-pasted here. Finally I got it to run again (a different report, I think). The results are here.


Okay, a couple of things about the computer. As noted previously, it's my brother's computer, and I need to get it back to him within a few more days. Are you comfortable saying that it's free of malware at this point? That's the only thing that's really a deal-breaker as far as it being ready to return to him. Beyond that, I'd like to make sure it's got adequate measures in place to safeguard it from future malware infections (not foolproof, obviously, since as I'm sure you're well aware, malware developers keep coming up with new tricks). Finally, I'd like to get it performing better than it was, which led up to the last couple of notes.

And yes, it's a 7-year old computer they're trying to keep usable for another year or two until their youngest son gets his own computer.

Pay particular attention to these items:

Most of the instructions are done. The HTML1.1 setting it recommended wouldn't stick. I reduced the restore space down to about 3% but PCPitStop still thinks I have too much. There were a couple of browser items in CCleaner I wasn't comfortable checking (including the saved passwords) and would rather let my brother make that call himself when he gets the computer back.

PCPitStop, though it was good for identifying out of date drivers, was next to useless at actually providing updates and I had to google them from other sources. At least three of the four installers added startup/tray applications that I had to go back and remove and two left behind installshield directories. But they all appear to be working well.

The updated report is in the same place as before.

Overall, it's performing better. Hopefully it'll improve further after replacing AVG with Avast, and I'll probably replace Spybot with SASW as well (if Spybot will let me I'll disable TeaTimer but keep it installed so it can still be used as a foreground app).


  • Staff

Hi,

Okay, a couple of things about the computer. As noted previously, it's my brother's computer, and I need to get it back to him within a few more days. Are you comfortable saying that it's free of malware at this point?
Yes, I can say with relative confidence that the computer appears to be free of malware.
"Very little" is a relative term in this case. Although it has "only" 39.3G free space on the c: drive, this is a 70.4G drive, so it's less than 50% full. It is not at any rate a contributing factor to any of the current performance issues. Having said that, I concur with the temporary files and the restore space and will be taking those steps. (It will be up to my brother to decide what programs to remove if they don't involve any of the work I'm doing.)
Fair points all around.
I've already been trying to work on that one. The computer has two DRAM slots that currently have 256M in each. A defect is causing it to recognize only 192M in the first slot (I traded out the two DRAMs between the two slots and it was always the first slot that was only registering 192M, which means the problem is in the slot/MBoard itself, not either of the DRAMs). You may recall I mentioned earlier upgrading one of the DRAMs to 1G. It didn't work. After a little online research I found that this particular model MB only supports up to 512M DRAMs. If I could upgrade both I could get it to 1G minus whatever of the first DRAM slot the MBoard won't recognize. But I think even if I upgrade only the DRAM in the good slot, the additional 256M would be a worthwhile improvement (and those can be mail-ordered for under $15).
I agree, especially since the current RAM usage is averaging at over 80%, the additional 256MB would probably result in a noticeable improvement.
Any objection to me going ahead and replacing AVG with Avast? I'll post a reply later with the updated PCPitStop results as well as any additional observations.
No objections here; avast released version 5 of their antivirus recently and I have no qualms with it.
Also, it's now been one week since I last got a response from any of the site experts to the thread on the problem with my own computer. I should probably rerun and repost DDS and HJT logs since I took a few measures I considered necessary to make it safer to continue using the computer while waiting for a response.
You will be getting a response shortly.
PCPitStop, though it was good for identifying out-of-date drivers, was next to useless at actually providing updates and I had to google them from other sources. At least three of the four installers added startup/tray applications that I had to go back and remove, and two left behind InstallShield directories. But they all appear to be working well.
I agree; that's one of my biggest issues with the PCPitStop scan.
Overall, it's performing better. Hopefully it'll improve further after replacing AVG with Avast, and I'll probably replace Spybot with SASW as well (if Spybot will let me, I'll disable TeaTimer but keep it installed so it can still be used as a foreground app).
What's SASW? I would recommend instead getting the PRO version of MBAM. One license will protect this computer for life with exceptional protection that's pretty light on resources.

Let me know if there's anything else I can do for you.

-screen317


SASW=SuperAntiSpyWare

I found out how to disable TeaTimer without uninstalling Spybot. I will pass along the suggestion to my brother about getting the paid version of MBAM (I'll probably get it for my own computer) but anything involving spending money will have to be his decision.

No, I think you've helped as much as I need, and there seem to be plenty of others who can use your expertise. Thank you very much for all of your assistance.


Okay, maybe I'm not quite done yet after all. After uninstalling AVG and installing Avast and SuperAntiSpyware, now all of a sudden I'm getting "MBAM_ERROR_UPDATING (10107, 0, WinHttpResponse) A system call that should never fail has failed." Additionally I am now unable to access the web in Firefox.

SASW found and quarantined some things no previous scan had detected. Among them are two registry keys that it flagged under Trojan.Agent/Gen-Alureon, and 29 .DLL files from c:\windows\system32 that it flagged as Rogue.Agent/Gen-Nullo[DLL].

I'm tempted to Restore the files, and see if it resolves the MBAM error and the web access problem, but neither do I want to ignore the possibility that it found a previously undetected infection of some sort.


A couple of Google searches, a couple of netsh commands later, and the computer is recovered from the 10107 errors, and MBAM and Firefox now work as before. Unless you have any last minute dire warnings about the infections that SuperAntiSpyware found and fixed, I'll be returning the computer to my brother shortly (tomorrow at the earliest).


More followup... Something kept knocking out Winsock resulting in 10107 errors. I kept resetting it.

Eventually I figured out that the culprit was CyberSitter. At some point while installing Avast or SuperAntiSpyware and running checks it removed a file used by CyberSitter, which it interpreted as tampering, and locked down all internet access; its method of locking down caused other applications to get the 10107 errors. Once I realized what was going on I updated its files (which apparently restored the one it was missing), changed a couple of other settings, and it hasn't gotten in the way since.

Upon subsequently rerunning the SuperAntiSpyware scan, it again flagged the same 29 files as having Rogue.Agent/Gen-Nullo[DLL]. I surmised that these were the ones CyberSitter had complained about being missing and had restored (the filenames more or less corresponded to a list of exclusions I found within CA) so I marked them as trusted. I'll be saying something to my brother about these.

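The two posts above describe the same failure from both sides: a filtering product's file was removed during cleanup, its Winsock layered service provider could no longer load, and every socket call in MBAM and Firefox failed with error 10107 (WSASYSCALLFAILURE) until the catalog was reset with netsh. As an added example, not code from the thread or from any product mentioned in it, the PowerShell script below parses the Winsock catalog, flags provider entries whose DLL is missing on disk (the condition that produced those errors), and wraps the netsh reset the poster used. The function names are mine; the parsing assumes the netsh output layout (a header line ending in "Provider Entry" followed by "Key: value" lines), and the reset requires an elevated prompt.

```powershell
# Added example (not from the thread): triage the Winsock catalog when
# applications start failing with error 10107 (WSASYSCALLFAILURE).
# Assumes Windows with netsh available and an elevated prompt for the reset.

function Get-WinsockCatalog {
    # Parse 'netsh winsock show catalog' into one object per provider entry.
    # Assumption: each entry starts with a header such as
    # 'Winsock Catalog Provider Entry' and continues with 'Key: value' lines.
    $records = @()
    $current = $null
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match 'Provider Entry\s*$') {
            if ($current -ne $null -and $current.Count -gt 0) {
                $records += New-Object PSObject -Property $current
            }
            $current = @{}
        }
        elseif ($current -ne $null -and $line -match '^\s*([^:]+?):\s*(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($current -ne $null -and $current.Count -gt 0) {
        $records += New-Object PSObject -Property $current
    }
    return $records
}

function Find-BrokenWinsockProviders {
    # Entries whose provider DLL no longer exists on disk. A layered service
    # provider whose file was removed by a cleanup is exactly the situation
    # that makes every socket call fail, as described in the thread.
    foreach ($entry in Get-WinsockCatalog) {
        $p = $entry.'Provider Path'
        if (-not $p) { continue }   # name-space entries carry no path
        $path = [Environment]::ExpandEnvironmentVariables($p)
        if (-not (Test-Path -LiteralPath $path)) {
            New-Object PSObject -Property @{
                Description = $entry.Description
                Path        = $path
            }
        }
    }
}

function Reset-WinsockStack {
    # Rebuilds the catalog from the built-in providers. Any third-party LSP
    # that was legitimately installed must be reinstalled afterwards, and a
    # reboot completes the reset. The reset log name is arbitrary.
    netsh winsock reset
    netsh int ip reset resetlog.txt
}

# Usage: list every provider, then show only the ones pointing at missing files.
Get-WinsockCatalog | Select-Object Description, 'Provider Path' | Format-Table -AutoSize
$broken = @(Find-BrokenWinsockProviders)
if ($broken.Count -gt 0) {
    "Providers with missing DLLs (candidate cause of 10107):"
    $broken | Format-Table -AutoSize
} else {
    "All Winsock providers resolve to files on disk."
}
```

Running the first two functions before resetting is the point of the script: if the broken entry belongs to a product you intend to keep, repairing or updating that product (as the poster eventually did with CyberSitter) restores the missing file without wiping every other provider, whereas `Reset-WinsockStack` is the blunt fix for when the owner of the dangling entry is unknown or unwanted.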

  • Staff

Hi,

My apologies for the delay.

Looks like you're out of the woods here.

Usually we just refer to SuperAntiSpyware as SAS. :)

The infections that I could see are gone, and I believe this computer is good to go. If you need anything else, just holler.

If you haven't given the computer back yet, here is my standard prevention speech:

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


I returned the computer to him yesterday. I'll send him a link to this thread so he can review your final list of suggestions (as well as everything else we did). Would it be okay to keep this thread unlocked for a week or two, in case he has any questions or encounters any problems? (There were after all a number of key applications that I never once opened or tested (Outlook, for instance), and if any of them are now not working...) He may even register and post here himself.

Until the memory in the computer gets upgraded, any additional applications that are memory resident represent a trade-off of security vs. performance. Where SpywareBlaster lands in this regard may depend on how big its "memory footprint" is.

I added the HOSTS file from MVPS to his computer (also added it to my own) before I returned it. That, like other anti-malware measures, appears to need to be updated periodically.

I have WOT on my computer and am quick to concur with the recommendation.

The computer was current with Windows updates when I returned it. I personally don't recommend having automatic updates set to the "Automatic (recommended)" setting; I don't trust MS 100% and I don't like anything that reboots my computer when it's running unattended, but I absolutely do recommend getting most updates installed in a timely fashion.

Have a happy Easter!


  • Staff

Hi,

My apologies for the delay; hope you enjoyed your Easter as well. :)

Until the memory in the computer gets upgraded, any additional applications that are memory resident represent a trade-off of security vs. performance. Where SpywareBlaster lands in this regard may depend on how big its "memory footprint" is.
SpywareBlaster is passive protection, and though it runs in the background, so to speak, installing it shouldn't result in any noticeable performance loss.

Sure I can keep this thread open for a couple weeks, in case anything else comes up.

-screen317


3 weeks later...

This topic is now closed to further replies.