
XP Security Tool 2010 infection



For the last few days I've been trying to clean up my brother's computer, where I am hopefully apparently getting near the point of having everything clean, and starting to wonder if some of the things I'm doing to clean up his computer might uncover any problems that might be lurking on mine. I had been hit by the Internet Security 2010 trojan earlier this year, had it most of the way cleaned up within a day but it took close to a week before I had the rest of them cleared. I haven't seen anything suspicious in over two months, and neither has MBAM, AVG 9.0, Ad-Aware, or Spybot S&D.

Until earlier this afternoon. Quite suddenly I was getting windows and tray popups that indicated that I'd just been hit by another trojan. The first thing I did was to unplug my LAN cable (this computer doesn't have any wireless capability). The new infection calls itself 'XP Security Tool 2010'. I closed most of my other apps and started trying to run the various anti-malware programs I have. MBAM, AVG, and Ad-Aware all would not open, but Spybot S&D did. I ran it (without an update obviously, since I was no longer connected, but it's current within a few days) and it found three registry keys that appeared to be Windows core keys with unexpected values; plus one tracking cookie. I fixed those. Unfortunately I don't have a log. At some point in there I also ran HijackThis. The log is below. I'm surprised at how little I panicked, although I am rather annoyed that I have to deal with this instead of a number of other things I'd hoped to be doing on this computer tonight.

I rebooted in safe mode, and was able to run an MBAM quick scan (didn't update since I'm still disconnected from the LAN). It found and fixed several problems. The log is below (mbam-log-2010-03-21 (16-48-44).txt).

Rebooted again and the main infection appears to be gone for the moment. A few things are out of whack. Windows Firewall is turned off (the LAN is still unplugged so I'm not worried). Firefox and Internet Explorer have traded places on the start button list.

AVG was working again so I ran a full scan (without update; same reason). It didn't find anything.

Ran RootkitReveal. The log is below. The 1/9/2010 date on some of the entries matches the time of the earlier Internet Security 2010 infection. The entries with today's date in C:\System Volume Information\_restore are especially suspect considering the timing. One of the steps I remember taking to clear the earlier infection was to turn off system restore to clear all restore points, then turn it back on.

Also attached is an excerpt of c:\Windows\system32\WindowsUpdate.log; the entire file is about 1.4M and goes back months, so this is just an excerpt of the last few hours' worth. The entries from about 15:55-15:59 would correspond to the time the infection first hit.

Ran MBAM (after discovering something that I discussed in the other thread) intending to do a full scan, but on a whim decided to run a full scan on the two thumb drives I had plugged in at the time. This was out of a concern for the possibility that any malware might be hitching a ride on the thumb drives (how worried should I be about that possibility?). It didn't find anything on the thumb drives per se but during the extras and heuristics portion of the scan it found two problems, which I had it fix. The log is below (mbam-log-2010-03-21 (20-29-46).txt). Then I ran a full scan on my C: drive only, and it found nothing (though it likely would have found the two problems the first scan found if I'd run it first). Last I ran HijackThis again, and that log is also below. I'll run an MBAM full scan on my other two internal hard drives; they are nearly all media files so I'll be surprised if they find anything but I'll be sure to report here if they do.

So out of all this, what else should I do? At this point it appears likely it is not fully cleaned up and there is more I need to do (ComboFix and deleting my restore points come to mind as likely possibilities).

Also annoying me is the question of how I caught the infection. I had a little less than an hour earlier downloaded and installed a Firefox plugin (apparently a popular/recommended plugin that may be used for saving YouTube videos, and it worked as advertised the couple of times I used it during that hour, but I can easily delete it if there's any chance that's how I caught the virus). Other than that I had only been to a few sites I've been to many times in the past. I've had the "Web of Trust" plugin on my browser since shortly after the earlier infection, and it didn't produce any alerts. It's enough to make me wonder if the infection is a "sleeper", one that will hide for hours or perhaps even weeks before coming alive, to obscure any correlation to what activity resulted in it being on your computer. At some point I'll open my browser history and see if it has any links to suspect sites. The possibility that I may have caught it while surfing only websites that I consider familiar and trusted and which I would like to visit again in the future concerns me a lot.

hijackthis-Before.log: (This was before any cleanup to speak of was done; see below for a later log)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:01:04 PM, on 3/21/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\Cpqdiag\Cpqdfwag.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Documents and Settings\Joe\Local Settings\Application Data\ave.exe

C:\PROGRA~1\Webshots\Webshots.scr

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://daily.webshots.com/html/lost_password.html

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: (no name) - AutorunsDisabled - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17] P17Def.Exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'Default user')

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15106/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6CE094A5-05EB-451A-AED9-40B575995175}: NameServer = 68.87.72.130,68.87.77.130

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe

O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

O23 - Service: Google Update Service (gupdate1ca0a75299722a4) (gupdate1ca0a75299722a4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--

End of file - 9848 bytes

mbam-log-2010-03-21 (16-48-44).txt:

Malwarebytes' Anti-Malware 1.44

Database version: 3886

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

3/21/2010 4:48:44 PM

mbam-log-2010-03-21 (16-48-44).txt

Scan type: Quick Scan

Objects scanned: 156048

Time elapsed: 10 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Joe\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Joe\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\IEXPLORE.EXE") Good: (iexplore.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Joe\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Joe\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

RootkitReveal.txt

HKU\S-1-5-21-1708537768-2111687655-1801674531-1004\Console 1/9/2010 10:54 PM 0 bytes Security mismatch.

HKU\S-1-5-21-1708537768-2111687655-1801674531-1004 0 bytes Error dumping hive: Internal error.

HKLM\SECURITY\Policy\Secrets\SAC* 1/16/2009 4:56 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 1/16/2009 4:56 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Swearware\backup\winsock2 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 1/9/2010 10:24 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 1/9/2010 10:24 PM 0 bytes Security mismatch.

C:\Documents and Settings\Joe\Recent\Hazeltine National Golf Club 2009 PGA Update.doc.lnk 2/23/2010 8:37 PM 1.26 KB Visible in Windows API, but not in MFT or directory index.

C:\Documents and Settings\Joe\Recent\Hazeltine National Golf Club 2009.lnk 2/23/2010 9:35 PM 825 bytes Visible in Windows API, but not in MFT or directory index.

C:\Documents and Settings\Joe\Recent\mbam-log-2010-03-20 (15-40-25).txt.lnk 3/20/2010 3:41 PM 527 bytes Visible in Windows API, but not in MFT or directory index.

C:\Documents and Settings\Joe\Recent\NewMalware.lnk 3/21/2010 7:36 PM 266 bytes Hidden from Windows API.

C:\Documents and Settings\Joe\Recent\ntbtlog.txt.lnk 3/21/2010 7:37 PM 522 bytes Hidden from Windows API.

C:\Documents and Settings\Joe\Recent\WindowsUpdate.log-Excerpt.txt.lnk 3/21/2010 7:36 PM 450 bytes Hidden from Windows API.

C:\System Volume Information\_restore{D7C26DD7-8D97-4B7E-904F-820453E61724}\RP80\A0011362.lnk 1/16/2009 4:38 PM 1.56 KB Hidden from Windows API.

C:\System Volume Information\_restore{D7C26DD7-8D97-4B7E-904F-820453E61724}\RP80\A0011363.lnk 3/21/2010 4:04 PM 554 bytes Hidden from Windows API.

C:\System Volume Information\_restore{D7C26DD7-8D97-4B7E-904F-820453E61724}\RP80\A0011364.lnk 3/21/2010 4:04 PM 392 bytes Hidden from Windows API.

C:\System Volume Information\_restore{D7C26DD7-8D97-4B7E-904F-820453E61724}\RP80\A0011365.lnk 2/23/2010 8:35 PM 825 bytes Hidden from Windows API.

C:\System Volume Information\_restore{D7C26DD7-8D97-4B7E-904F-820453E61724}\RP80\A0011366.lnk 3/21/2010 4:04 PM 529 bytes Hidden from Windows API.

C:\System Volume Information\_restore{D7C26DD7-8D97-4B7E-904F-820453E61724}\RP80\A0011367.lnk 3/21/2010 4:04 PM 529 bytes Hidden from Windows API.

C:\System Volume Information\_restore{D7C26DD7-8D97-4B7E-904F-820453E61724}\RP80\A0011368.lnk 2/23/2010 8:37 PM 1.26 KB Hidden from Windows API.

C:\System Volume Information\_restore{D7C26DD7-8D97-4B7E-904F-820453E61724}\RP80\A0011369.lnk 3/20/2010 3:41 PM 527 bytes Hidden from Windows API.

C:\System Volume Information\_restore{D7C26DD7-8D97-4B7E-904F-820453E61724}\RP80\A0011370.lnk 3/21/2010 4:04 PM 529 bytes Hidden from Windows API.

WindowsUpdate.log-Excerpt.txt

2010-03-21 15:00:25:390 3748 698 Misc =========== Logging initialized (build: 7.4.7600.226, tz: -0500) ===========

2010-03-21 15:00:25:390 3748 698 Misc = Process: C:\WINDOWS\system32\rundll32.exe

2010-03-21 15:00:25:390 3748 698 Misc = Module: C:\WINDOWS\system32\wuapi.dll

2010-03-21 15:00:25:390 3748 698 ARP Connected to update session.

2010-03-21 15:00:25:390 3748 698 ARP User is allowed to install published content.

2010-03-21 15:00:26:234 3748 698 ARP Managed service NOT found.

2010-03-21 15:55:43:171 1204 ea0 AU AU found 0 updates for install at shutdown

2010-03-21 15:55:43:187 3436 e00 Misc =========== Logging initialized (build: 7.4.7600.226, tz: -0500) ===========

2010-03-21 15:55:43:187 3436 e00 Misc = Process: C:\WINDOWS\Explorer.EXE

2010-03-21 15:55:43:187 3436 e00 Misc = Module: C:\WINDOWS\system32\wuaueng.dll

2010-03-21 15:55:43:187 3436 e00 Shutdwn Install at shutdown: no updates to install

2010-03-21 15:55:54:953 1204 8ac AU ########### AU: Uninitializing Automatic Updates ###########

2010-03-21 15:55:59:390 1204 8ac Service *********

2010-03-21 15:55:59:390 1204 8ac Service ** END ** Service: Service exit [Exit code = 0x240001]

2010-03-21 15:55:59:390 1204 8ac Service *************

2010-03-21 15:57:59:921 1156 5a4 Misc =========== Logging initialized (build: 7.4.7600.226, tz: -0500) ===========

2010-03-21 15:57:59:953 1156 5a4 Misc = Process: C:\WINDOWS\System32\svchost.exe

2010-03-21 15:57:59:968 1156 5a4 Misc = Module: C:\WINDOWS\system32\wuaueng.dll

2010-03-21 15:57:59:921 1156 5a4 Service *************

2010-03-21 15:57:59:984 1156 5a4 Service ** START ** Service: Service startup

2010-03-21 15:57:59:984 1156 5a4 Service *********

2010-03-21 15:58:00:000 1156 5a4 Agent * WU client version 7.4.7600.226

2010-03-21 15:58:00:000 1156 5a4 Agent * Base directory: C:\WINDOWS\SoftwareDistribution

2010-03-21 15:58:00:000 1156 5a4 Agent * Access type: No proxy

2010-03-21 15:58:00:015 1156 5a4 Agent * Network state: Disconnected

2010-03-21 15:58:47:296 1156 5a4 Agent *********** Agent: Initializing Windows Update Agent ***********

2010-03-21 15:58:47:343 1156 5a4 Agent *********** Agent: Initializing global settings cache ***********

2010-03-21 15:58:47:343 1156 5a4 Agent * WSUS server: <NULL>

2010-03-21 15:58:47:343 1156 5a4 Agent * WSUS status server: <NULL>

2010-03-21 15:58:47:343 1156 5a4 Agent * Target group: (Unassigned Computers)

2010-03-21 15:58:47:343 1156 5a4 Agent * Windows Update access disabled: No

2010-03-21 15:58:47:500 1156 5a4 DnldMgr Download manager restoring 0 downloads

2010-03-21 15:58:53:640 1156 5a4 AU ########### AU: Initializing Automatic Updates ###########

2010-03-21 15:58:53:718 1156 5a4 AU AU setting next sqm report timeout to 2010-03-21 20:58:53

2010-03-21 15:58:53:734 1156 5a4 AU # Approval type: Pre-download notify (User preference)

2010-03-21 15:58:53:812 1156 5a4 AU Initializing featured updates

2010-03-21 15:58:53:812 1156 5a4 AU Found 0 cached featured updates

2010-03-21 15:58:57:921 1156 5a4 Report *********** Report: Initializing static reporting data ***********

2010-03-21 15:58:57:921 1156 5a4 Report * OS Version = 5.1.2600.3.0.65792

2010-03-21 15:58:58:281 1156 5a4 Report * Computer Brand = Hewlett-Packard

2010-03-21 15:58:58:281 1156 5a4 Report * Computer Model = hp workstation xw8200

2010-03-21 15:58:58:312 1156 5a4 Report * Bios Revision = 786B8 v2.02

2010-03-21 15:58:58:312 1156 5a4 Report * Bios Name = Default System BIOS

2010-03-21 15:58:58:343 1156 5a4 Report * Bios Release Date = 2005-06-02T00:00:00

2010-03-21 15:58:58:343 1156 5a4 Report * Locale ID = 1033

2010-03-21 15:58:58:734 1156 5a4 AU AU finished delayed initialization

2010-03-21 15:58:58:734 1156 5a4 AU #############

2010-03-21 15:58:58:734 1156 5a4 AU ## START ## AU: Search for updates

2010-03-21 15:58:58:734 1156 5a4 AU #########

2010-03-21 15:58:58:765 1156 5a4 AU <<## SUBMITTED ## AU: Search for updates [CallId = {AE16D67B-8CB3-4126-9DD0-E0B00B6E4F4D}]

2010-03-21 15:59:03:625 1156 e04 Agent *************

2010-03-21 15:59:03:625 1156 e04 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]

2010-03-21 15:59:03:625 1156 e04 Agent *********

2010-03-21 15:59:03:625 1156 e04 Agent * Online = No; Ignore download priority = No

2010-03-21 15:59:03:625 1156 e04 Agent * Criteria = "IsHidden=0 and IsInstalled=0 and DeploymentAction='Installation' and IsAssigned=1 or IsHidden=0 and IsPresent=1 and DeploymentAction='Uninstallation' and IsAssigned=1 or IsHidden=0 and IsInstalled=1 and DeploymentAction='Installation' and IsAssigned=1 and RebootRequired=1 or IsHidden=0 and IsInstalled=0 and DeploymentAction='Uninstallation' and IsAssigned=1 and RebootRequired=1"

2010-03-21 15:59:03:625 1156 e04 Agent * ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service

2010-03-21 15:59:03:625 1156 e04 Agent * Search Scope = {Machine}

2010-03-21 15:59:22:406 1156 e04 Agent WARNING: Failed to evaluate Installed rule, updateId = {F4B9C883-F4DB-4FB5-B204-3343C11FA021}.100, hr = 8024E001

2010-03-21 15:59:22:406 1156 e04 Agent WARNING: Failed to evaluate Installed rule, updateId = {BFE5B177-A086-47A0-B102-097E4FA1F807}.102, hr = 8024E001

2010-03-21 15:59:37:937 1156 e04 Agent * Found 0 updates and 56 categories in search; evaluated appl. rules of 823 out of 1759 deployed entities

2010-03-21 15:59:38:312 1156 e04 Agent *********

2010-03-21 15:59:38:312 1156 e04 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]

2010-03-21 15:59:38:312 1156 e04 Agent *************

2010-03-21 15:59:38:343 1156 ef0 AU >>## RESUMED ## AU: Search for updates [CallId = {AE16D67B-8CB3-4126-9DD0-E0B00B6E4F4D}]

2010-03-21 15:59:38:343 1156 ef0 AU # 0 updates detected

2010-03-21 15:59:38:343 1156 ef0 AU #########

2010-03-21 15:59:38:343 1156 ef0 AU ## END ## AU: Search for updates [CallId = {AE16D67B-8CB3-4126-9DD0-E0B00B6E4F4D}]

2010-03-21 15:59:38:343 1156 ef0 AU #############

2010-03-21 15:59:38:343 1156 ef0 AU Featured notifications is disabled.

2010-03-21 15:59:38:375 1156 e04 Report REPORT EVENT: {52E76CEB-6169-4F73-B867-91EC402F09A9} 2010-03-21 15:58:53:875-0500 1 202 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Reboot completed.

2010-03-21 16:31:51:156 1156 950 AU AU found 0 updates for install at shutdown

2010-03-21 16:31:51:156 2828 b2c Misc =========== Logging initialized (build: 7.4.7600.226, tz: -0500) ===========

2010-03-21 16:31:51:156 2828 b2c Misc = Process: C:\WINDOWS\Explorer.EXE

2010-03-21 16:31:51:156 2828 b2c Misc = Module: C:\WINDOWS\system32\wuaueng.dll

2010-03-21 16:31:51:156 2828 b2c Shutdwn Install at shutdown: no updates to install

2010-03-21 16:32:03:281 1156 5a4 AU ########### AU: Uninitializing Automatic Updates ###########

2010-03-21 16:32:04:031 1156 5a4 Service *********

2010-03-21 16:32:04:031 1156 5a4 Service ** END ** Service: Service exit [Exit code = 0x240001]

2010-03-21 16:32:04:031 1156 5a4 Service *************

2010-03-21 16:49:26:265 248 cc Misc =========== Logging initialized (build: 7.4.7600.226, tz: -0500) ===========

2010-03-21 16:49:26:281 248 cc Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe

2010-03-21 16:49:26:281 248 cc Misc = Module: C:\WINDOWS\system32\wuaueng.dll

2010-03-21 16:49:26:265 248 cc Shutdwn FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF

2010-03-21 16:51:19:531 1176 930 Misc =========== Logging initialized (build: 7.4.7600.226, tz: -0500) ===========

2010-03-21 16:51:21:125 1176 930 Misc = Process: C:\WINDOWS\System32\svchost.exe

2010-03-21 16:51:21:140 1176 930 Misc = Module: C:\WINDOWS\system32\wuaueng.dll

2010-03-21 16:51:19:531 1176 930 Service *************

2010-03-21 16:51:21:140 1176 930 Service ** START ** Service: Service startup

2010-03-21 16:51:21:140 1176 930 Service *********

2010-03-21 16:51:21:937 1176 930 Agent * WU client version 7.4.7600.226

2010-03-21 16:51:21:937 1176 930 Agent * Base directory: C:\WINDOWS\SoftwareDistribution

2010-03-21 16:51:21:953 1176 930 Agent * Access type: No proxy

2010-03-21 16:51:21:953 1176 930 Agent * Network state: Disconnected

2010-03-21 16:52:12:234 1176 930 Agent *********** Agent: Initializing Windows Update Agent ***********

2010-03-21 16:52:12:234 1176 930 Agent *********** Agent: Initializing global settings cache ***********

2010-03-21 16:52:12:234 1176 930 Agent * WSUS server: <NULL>

2010-03-21 16:52:12:234 1176 930 Agent * WSUS status server: <NULL>

2010-03-21 16:52:12:234 1176 930 Agent * Target group: (Unassigned Computers)

2010-03-21 16:52:12:234 1176 930 Agent * Windows Update access disabled: No

2010-03-21 16:52:12:281 1176 930 DnldMgr Download manager restoring 0 downloads

2010-03-21 16:52:12:562 1176 930 AU ########### AU: Initializing Automatic Updates ###########

2010-03-21 16:52:12:625 1176 930 AU AU setting next sqm report timeout to 2010-03-21 21:52:12

2010-03-21 16:52:12:640 1176 930 AU # Approval type: Pre-download notify (User preference)

2010-03-21 16:52:12:781 1176 930 AU Initializing featured updates

2010-03-21 16:52:12:843 1176 930 AU Found 0 cached featured updates

2010-03-21 16:52:13:000 1176 930 AU AU finished delayed initialization

2010-03-21 16:52:17:687 1176 930 Report *********** Report: Initializing static reporting data ***********

2010-03-21 16:52:17:687 1176 930 Report * OS Version = 5.1.2600.3.0.65792

2010-03-21 16:52:18:015 1176 930 Report * Computer Brand = Hewlett-Packard

2010-03-21 16:52:18:015 1176 930 Report * Computer Model = hp workstation xw8200

2010-03-21 16:52:18:062 1176 930 Report * Bios Revision = 786B8 v2.02

2010-03-21 16:52:18:062 1176 930 Report * Bios Name = Default System BIOS

2010-03-21 16:52:18:078 1176 930 Report * Bios Release Date = 2005-06-02T00:00:00

2010-03-21 16:52:18:093 1176 930 Report * Locale ID = 1033

mbam-log-2010-03-21 (20-29-46).txt:

Malwarebytes' Anti-Malware 1.44

Database version: 3886

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/21/2010 8:29:46 PM

mbam-log-2010-03-21 (20-29-46).txt

Scan type: Full Scan (H:\|J:\|)

Objects scanned: 151187

Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

hijackthis-After.log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:42:03 PM, on 3/21/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\Cpqdiag\Cpqdfwag.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Webshots\Webshots.scr

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\AVG\AVG9\avgtray.exe

C:\Program Files\AVG\AVG9\avgui.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://daily.webshots.com/html/lost_password.html

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: (no name) - AutorunsDisabled - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17] P17Def.Exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'Default user')

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15106/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6CE094A5-05EB-451A-AED9-40B575995175}: NameServer = 68.87.72.130,68.87.77.130

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe

O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

O23 - Service: Google Update Service (gupdate1ca0a75299722a4) (gupdate1ca0a75299722a4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--

End of file - 10034 bytes
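The two registry values MBAM quarantined above (Hijack.ExeFile on HKCR\.exe\shell\open\command and Rogue.MultipleAV on HKCR\secfile\shell\open\command) are a .exe file-association hijack: every program launch is routed through the rogue's command, which is consistent with MBAM, AVG and Ad-Aware refusing to open until the values were removed. The PowerShell audit below is an added example, not code from the thread or from any of the tools named in it; it assumes an elevated PowerShell session and that a stock install maps .exe to the ProgID "exefile" whose open command is "%1" %*.

```powershell
# Added example, not from the thread: audit the .exe file association that the
# MBAM log flagged (Hijack.ExeFile on HKCR\.exe\shell\open\command and
# Rogue.MultipleAV on HKCR\secfile\shell\open\command). Detection only; it
# changes nothing.
# Assumption: a stock Windows install maps .exe to the ProgID "exefile", whose
# open command is "%1" %*, and HKCR\.exe has no shell\open\command of its own.

$ExpectedProgId  = 'exefile'
$ExpectedCommand = '"%1" %*'
$HKCR = 'Registry::HKEY_CLASSES_ROOT'

function Get-DefaultValue {
    # Returns the (default) value of a registry key, or $null when the key is absent.
    param([string]$KeyPath)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Test-ExeAssociation {
    # Returns a list of findings; an empty list means the association looks stock.
    $findings = @()

    # 1. HKCR\.exe should only name a ProgID. An open command placed directly under
    #    the extension (what Hijack.ExeFile refers to) overrides exefile for every .exe.
    $extCommand = Get-DefaultValue "$HKCR\.exe\shell\open\command"
    if ($null -ne $extCommand) {
        $findings += "HKCR\.exe\shell\open\command should not exist; it runs: $extCommand"
    }
    $progId = Get-DefaultValue "$HKCR\.exe"
    if ($progId -ne $ExpectedProgId) {
        $findings += "HKCR\.exe points at ProgID '$progId' instead of '$ExpectedProgId'"
    }

    # 2. The exefile ProgID must still launch the program itself and nothing else.
    $exefileCommand = Get-DefaultValue "$HKCR\exefile\shell\open\command"
    if ($exefileCommand -ne $ExpectedCommand) {
        $findings += "HKCR\exefile\shell\open\command is '$exefileCommand', expected '$ExpectedCommand'"
    }

    # 3. A spare ProgID such as secfile (from this thread's MBAM log) does not exist
    #    on a clean system; if it is present, report what it would run.
    foreach ($rogue in @('secfile')) {
        $rogueCommand = Get-DefaultValue "$HKCR\$rogue\shell\open\command"
        if ($null -ne $rogueCommand) {
            $findings += "HKCR\$rogue\shell\open\command exists and runs: $rogueCommand"
        }
    }
    return ,$findings
}

$result = Test-ExeAssociation
if ($result.Count -eq 0) {
    Write-Host '.exe association looks stock.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```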


Root Admin

My guess is that it quite possibly came from Webshots. Though they are a very respectable company, I think that advertisers sometimes get hacked and possibly help to infect your system, at least according to a few users that claim that was how they got infected (I do not have any proof of that though; it is only conjecture based on responses from some other users who could think of no reason they got infected but had recently started using Webshots).

Please run the DDS report and post back the logs along with a new MBAM log after UPDATING MBAM first and doing another scan.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware: select the Update tab and click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log


I'm skeptical that Webshots was the problem since I haven't been to that website in over a week. I do run their screensaver/wallpaper changer, and periodically download more pictures from their site, but I've disabled the features I know of that would involve any regular interaction between the website and the client.

Any blocks or settings you can suggest to make it impossible for a website to install any software on my computer simply by visiting a website would be much appreciated.

I only ran MBAM once in safe mode on this computer, and that was the one in my earlier post that apparently removed most of the infection. The later runs were all in normal mode under my regular userid. By the way, the scan I mentioned in that post (for the two data drives) came up clean. The most recent scan per your instructions is attached below the DDS files.

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Joe at 23:56:01.06 on Sun 03/21/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3584.2487 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\Cpqdiag\Cpqdfwag.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Webshots\Webshots.scr

C:\Program Files\AVG\AVG9\avgtray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Joe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = hxxp://daily.webshots.com/html/lost_password.html

uURLSearchHooks: H - No File

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: AutorunsDisabled - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

dRunOnce: [DefaultP17MIDI] MIDIDEF.EXE

dRunOnce: [DefaultP17] P17Def.Exe

StartupFolder: c:\docume~1\joe\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab

TCP: {6CE094A5-05EB-451A-AED9-40B575995175} = 68.87.72.130,68.87.77.130

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joe\applic~1\mozilla\firefox\profiles\xm8ci6xx.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - plugin: c:\documents and settings\joe\my documents\sparkplay media\sparkplayer (beta)\npSparkPlayerNS.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-25 64288]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-19 216200]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-19 29512]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-19 242696]

R1 ClntMgmt;HP Client Management Driver;c:\windows\system32\drivers\Clntmgmt.sys [2009-1-19 55336]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-14 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-14 308064]

R2 cpqWebDmi;Insight Web Agent;c:\progra~1\compaq\compaq~1\cpqweb~1\WebDmi.exe [2009-1-19 24576]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1263728]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\super ad blocker\sabkutil.sys --> c:\program files\super ad blocker\SABKUTIL.sys [?]

S2 gupdate1ca0a75299722a4;Google Update Service (gupdate1ca0a75299722a4);c:\program files\google\update\GoogleUpdate.exe [2009-7-21 133104]

=============== Created Last 30 ================

2010-03-21 20:16:17 0 d-----w- c:\documents and settings\joe\dwhelper

2010-03-15 05:06:30 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-14 13:44:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-14 07:12:14 0 d-----w- c:\program files\Ruud

2010-03-12 02:33:55 0 d-----w- c:\program files\FFmpeg for Audacity

2010-03-12 00:17:25 0 d-----w- c:\docume~1\joe\applic~1\ApexDC++

2010-03-11 01:48:45 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

2010-02-26 00:49:48 0 d-----w- c:\documents and settings\joe\.p4scc

2010-02-26 00:47:48 0 d-----w- c:\program files\VS60

2010-02-23 00:06:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Links 2003

2010-02-23 00:03:05 0 d-----w- c:\program files\Links 2003

==================== Find3M ====================

2010-03-15 05:09:17 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-15 05:09:15 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-14 13:44:45 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-14 13:44:04 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-02-04 16:01:14 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll

2010-02-04 16:01:14 528216 ----a-w- c:\windows\system32\XAudio2_6.dll

2010-02-04 16:01:14 238936 ----a-w- c:\windows\system32\xactengine3_6.dll

2010-02-04 16:01:14 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll

2010-02-04 15:53:02 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-01-25 08:16:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011220090119\index.dat

2009-01-25 08:16:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012520090126\index.dat

============= FINISH: 23:56:54.62 ===============

Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 1/16/2009 3:39:48 PM

System Uptime: 3/21/2010 4:50:30 PM (7 hours ago)

Motherboard: Hewlett-Packard | | 08B4h

Processor: Intel® Xeon CPU 3.20GHz | XU1 PROCESSOR | 3200/800mhz

Processor: Intel® Xeon CPU 3.20GHz | XU2 PROCESSOR | 3200/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 298 GiB total, 221.639 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is FIXED (NTFS) - 466 GiB total, 75.677 GiB free.

G: is FIXED (NTFS) - 932 GiB total, 310.632 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: SCSI Controller

Device ID: PCI\VEN_1000&DEV_0030&SUBSYS_12F1103C&REV_07\5&D4388E4&0&280018

Manufacturer:

Name: SCSI Controller

PNP Device ID: PCI\VEN_1000&DEV_0030&SUBSYS_12F1103C&REV_07\5&D4388E4&0&280018

Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: SCSI Controller

Device ID: PCI\VEN_1000&DEV_0030&SUBSYS_12F1103C&REV_07\5&D4388E4&0&290018

Manufacturer:

Name: SCSI Controller

PNP Device ID: PCI\VEN_1000&DEV_0030&SUBSYS_12F1103C&REV_07\5&D4388E4&0&290018

Service:

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}

Description: Synaptics PS/2 Port Pointing Device

Device ID: ACPI\PNP0F13\4&369939D9&0

Manufacturer: Synaptics

Name: Synaptics PS/2 Port Pointing Device

PNP Device ID: ACPI\PNP0F13\4&369939D9&0

Service: i8042prt

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}

Description: Quick Launch Buttons

Device ID: ACPI\PNP0303\4&369939D9&0

Manufacturer: Hewlett-Packard

Name: Quick Launch Buttons

PNP Device ID: ACPI\PNP0303\4&369939D9&0

Service: i8042prt

==== System Restore Points ===================

RP13: 1/19/2010 12:18:20 AM - Installed Super Ad Blocker

RP14: 1/19/2010 6:53:03 PM - Software Distribution Service 3.0

RP15: 1/21/2010 1:35:33 AM - System Checkpoint

RP16: 1/21/2010 6:48:52 PM - Removed Super Ad Blocker

RP17: 1/22/2010 8:51:29 AM - Software Distribution Service 3.0

RP18: 1/23/2010 9:06:29 AM - System Checkpoint

RP19: 1/24/2010 11:02:50 AM - System Checkpoint

RP20: 1/25/2010 11:06:29 AM - System Checkpoint

RP21: 1/26/2010 11:09:09 AM - System Checkpoint

RP22: 1/27/2010 9:16:15 AM - Avg8 Update

RP23: 1/28/2010 9:24:14 AM - System Checkpoint

RP24: 1/29/2010 9:30:33 AM - System Checkpoint

RP25: 1/30/2010 10:55:26 AM - System Checkpoint

RP26: 1/31/2010 11:10:28 AM - System Checkpoint

RP27: 2/1/2010 11:34:52 AM - System Checkpoint

RP28: 2/2/2010 12:34:52 PM - System Checkpoint

RP29: 2/3/2010 1:34:53 PM - System Checkpoint

RP30: 2/4/2010 2:34:12 PM - System Checkpoint

RP31: 2/5/2010 2:53:17 PM - System Checkpoint

RP32: 2/6/2010 4:39:32 PM - System Checkpoint

RP33: 2/7/2010 4:53:22 PM - System Checkpoint

RP34: 2/8/2010 4:59:46 PM - System Checkpoint

RP35: 2/9/2010 5:59:47 PM - System Checkpoint

RP36: 2/10/2010 7:23:55 AM - Software Distribution Service 3.0

RP37: 2/11/2010 7:43:31 AM - System Checkpoint

RP38: 2/12/2010 9:35:42 AM - System Checkpoint

RP39: 2/13/2010 9:38:35 AM - System Checkpoint

RP40: 2/14/2010 9:43:31 AM - System Checkpoint

RP41: 2/15/2010 9:44:39 AM - System Checkpoint

RP42: 2/16/2010 10:43:33 AM - System Checkpoint

RP43: 2/17/2010 11:43:34 AM - System Checkpoint

RP44: 2/17/2010 8:11:03 PM - Installed Visual C++ 8.0 Runtime Setup Package

RP45: 2/17/2010 8:12:35 PM - Installed DirectX

RP46: 2/19/2010 12:29:21 AM - System Checkpoint

RP47: 2/20/2010 1:06:16 AM - System Checkpoint

RP48: 2/21/2010 1:13:37 AM - System Checkpoint

RP49: 2/22/2010 2:06:15 AM - System Checkpoint

RP50: 2/23/2010 3:06:18 AM - System Checkpoint

RP51: 2/24/2010 4:06:25 AM - System Checkpoint

RP52: 2/24/2010 7:59:19 AM - Software Distribution Service 3.0

RP53: 2/25/2010 8:06:18 AM - System Checkpoint

RP54: 2/26/2010 8:52:26 AM - System Checkpoint

RP55: 2/27/2010 4:49:08 PM - System Checkpoint

RP56: 3/1/2010 1:01:24 AM - System Checkpoint

RP57: 3/2/2010 1:06:18 AM - System Checkpoint

RP58: 3/3/2010 1:15:30 AM - System Checkpoint

RP59: 3/4/2010 1:21:07 AM - System Checkpoint

RP60: 3/5/2010 1:29:38 AM - System Checkpoint

RP61: 3/6/2010 2:24:03 AM - System Checkpoint

RP62: 3/7/2010 3:06:18 AM - System Checkpoint

RP63: 3/8/2010 3:08:00 AM - System Checkpoint

RP64: 3/9/2010 3:09:04 AM - System Checkpoint

RP65: 3/10/2010 4:08:30 AM - System Checkpoint

RP66: 3/11/2010 5:08:00 AM - System Checkpoint

RP67: 3/11/2010 8:53:13 AM - Software Distribution Service 3.0

RP68: 3/12/2010 9:06:18 AM - System Checkpoint

RP69: 3/13/2010 9:58:38 AM - System Checkpoint

RP70: 3/14/2010 2:12:13 AM - Installed SumoCue

RP71: 3/14/2010 8:43:00 AM - Avg8 Update

RP72: 3/14/2010 8:44:57 AM - Avg Update

RP73: 3/15/2010 9:33:16 AM - System Checkpoint

RP74: 3/16/2010 10:15:29 AM - System Checkpoint

RP75: 3/17/2010 9:27:24 AM - Avg Update

RP76: 3/18/2010 9:58:46 AM - System Checkpoint

RP77: 3/19/2010 10:11:25 AM - System Checkpoint

RP78: 3/20/2010 11:09:09 AM - System Checkpoint

RP79: 3/21/2010 11:09:40 AM - System Checkpoint

RP80: 3/21/2010 3:04:02 PM - Removed Ask Toolbar.

==== Installed Programs ======================

7-Zip 4.64

AAC Decoder

Acrobat.com

Ad-Aware

Ad-Aware Email Scanner for Outlook

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.2

Adobe Reader 9.3.1

Advertising Center

Album Art Downloader XUI 0.34.1

ApexDC++ 1.3.1 (32-bit)

Apple Application Support

Apple Software Update

AQScript LM-2.5

Audacity 1.3.10 (Unicode)

AutoUpdate

AVG Free 9.0

Broadcom Gigabit Integrated Controller

Compaq Wireless LAN

Creative MediaSource

Creative MediaSource 5

Creative Software AutoUpdate

Creative System Information

Creative WaveStudio 7

Defraggler (remove only)

Diagnostics for Windows

DivX Codec

DivX Converter

DivX Player

DivX Plus DirectShow Filters

DivX Version Checker

DivX Web Player

DolbyFiles

DoremiSoft FLV to WAV Converter 1.6

EULAlyzer 2.0

Exact Audio Copy v0.9 beta 4

FFmpeg for Audacity on Windows

FileAlyzer

foobar2000 v0.9.6.1

Freez FLV to MP3 Converter

GameSpy Comrade

Google Chrome

Google Earth

Google Update Helper

Google Updater

H.264 Decoder

HD Tune 2.55

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

HP Integrated Wireless LAN W400-W500 Driver

HP Mobile Printing

HP Product Detection

ImagXpress

Insight Management Agent

Intel® PRO Network Connections 12.1.14.1

InterVideo WinDVD

Java 2 Runtime Environment, SE v1.4.2

Java 6 Update 12

Katawa Shoujo Act 1

LAME v3.98.2 for Audacity

Last.fm 1.5.4.24567

LightScribe System Software 1.12.29.2

LJ Comment Stats Wizard 1.7

Malwarebytes' Anti-Malware

MediaMonkey 3.2

Menu Templates - Starter Kit

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Links 2003

Microsoft National Language Support Downlevel APIs

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 12

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

MKV Splitter

Mozilla Firefox (3.6)

Mozilla Thunderbird (3.0.3)

mp3splt

Mp3tag v2.46a

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser

MusicIP Mixer 1.9

Nero 9 Trial

Nero BurnRights

Nero ControlCenter

Nero CoverDesigner

Nero DiscSpeed

Nero DriveSpeed

Nero InfoTool

Nero Installer

Nero Recode

Nero Rescue Agent

Nero StartSmart

Nero WaveEditor

NeroBurningROM

NeroExpress

neroxml

NVIDIA Drivers

O2Micro MemoryCardBus Windows Driver

O2Micro SmartCardBus Reader Windows Driver Installer

PeerGuardian 2.0

Perforce Visual Components

Python 2.6.2

Python 3.0.1

Quick Launch Buttons 5.00 C2

QuickTime

RegAlyzer (OpenSBI Edition)

Remote Diagnostics Enabling Agent

Remote Services Driver

Roxio Audio Module

Roxio Copy Module

Roxio Creator Audio

Roxio Creator Copy

Roxio Creator Data

Roxio Creator DE

Roxio Creator Tools

Roxio Data Module

Roxio DLA

Roxio Drag-to-Disc

Roxio Express Labeler

Roxio Update Manager

RunAlyzer

Seagate Manager Installer

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB978380)

Security Update for Microsoft Office Excel 2007 (KB978382)

Security Update for Microsoft Office Outlook 2007 (KB972363)

Security Update for Microsoft Office PowerPoint 2007 (KB957789)

Security Update for Microsoft Office Publisher 2007 (KB969693)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB969613)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB969604)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 8 (KB969897)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978706)

SHOUTcast Source DSP 1.9.0 (remove only)

Sid Meier's Civilization 4 Gold

Simple Sudoku 4.2

Sonic Activation Module

Sound Blaster Audigy

SoundMAX

Sparkplayer (Beta)

Spelling Dictionaries Support For Adobe Reader 9

Spybot - Search & Destroy

SumoCue

Synaptics Pointing Device Driver

Texas Instruments PCIxx20 drivers.

TIPCIxx20

Trillian

Tweak UI

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office InfoPath 2007 (KB976416)

Update for Outlook 2007 Junk Email Filter (kb979895)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VC80CRTRedist - 8.0.50727.762

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

Visual C++ 8.0 Runtime Setup Package

WebFldrs XP

Webshots Desktop

Winamp

Winamp Application Detect

Winamp Toolbar for Firefox

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Media Format Runtime

Windows XP Service Pack 3

WinRAR archiver

WinZip 12.0

World of Warcraft

==== Event Viewer Messages From Past Week ========

3/21/2010 4:51:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eabfiltr IntelIde SABKUTIL

3/21/2010 4:36:06 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

3/21/2010 4:35:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

3/21/2010 4:35:26 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX ClntMgmt eabfiltr Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SABKUTIL Tcpip

3/21/2010 4:35:26 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

3/21/2010 4:35:26 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/21/2010 4:35:26 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/21/2010 4:35:26 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

3/15/2010 12:12:07 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SABKUTIL

3/14/2010 1:43:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eabfiltr SABKUTIL

==== End Of File ===========================

mbam-log-2010-03-22 (00-10-58).txt:

Malwarebytes' Anti-Malware 1.44

Database version: 3898

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/22/2010 12:10:58 AM

mbam-log-2010-03-22 (00-10-58).txt

Scan type: Quick Scan

Objects scanned: 158277

Time elapsed: 6 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


More on the comments at the beginning of my last post...

1. I had been running Java Console 6.0.12, which one tool flagged as an outdated version. I've now upgraded to 6.0.17. Any chance the old version had an exploit the malware took advantage of? And what Java-related settings should I have in my browser?

2. I haven't touched my Firefox browser cache; if there are any clues in there that might tell me which site I got infected from, that would be great to know.

3. What adblocker do you recommend (both for Firefox and IE), especially if there's a chance it'll stop an ad carrying malware?


Got home from work today and found my computer is definitely not clean yet. AVG had stopped two instances of 'Trojan horse SHeur3.LMR'. One was in c:\Documents and Settings\Joe\Local settings\Temporary Internet Files\Content.IE5\2G3CDBTC\(some long file name) and the other in c:\System Volume Information\restore{etc...}\RP80\A0011342.exe


Some additional info... Before I made the last post I ran MBAM again and it came out clean. Ran it again just now after updating and still clean.

The details I've seen pretty closely match this thread but that probably comes as no surprise from what I've already posted. In my case the file that appears in the same four places listed under 'Technical details for experts - Alterations made by the installer - File system' is called "VH56DJI7u87yo" and is still present (a couple of other files in those directories may be leftovers from my previous infection). I can send samples if it would help in your malware-fighting efforts.

I may have found a smoking gun in C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\ which has an entry pointing to hxxp://kfomikyg.info/page/index/n002102318801r0409J0c000601Re533fd73W6be34445X4af35004Y0155751eZ0100f0360 (the 'hxxp' is slightly munged to prevent accidental clickage) which shows a size close to the size of ave.exe and a Last Accessed / Last Checked timestamp within minutes before the infection appeared.

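The "smoking gun" reasoning in the post above (a cache entry whose last-access time falls minutes before the infection first appeared, and whose size is close to the dropped executable) is a standard timeline-correlation step. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It assumes a simple tab-separated export of cache entries (timestamp, size, URL), which is a hypothetical format; a real index.dat would first have to be dumped with a viewer. The sample listing, the `.invalid` domain and the dropped-file size are all constructed, since the real size of ave.exe is not given on the page.

```python
"""Rank browser-cache entries as candidate download vectors for a dropped file.

Added example (not from the thread). The listing format is a hypothetical
tab-separated export: "<YYYY-MM-DD HH:MM:SS>\t<size bytes>\t<url>".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class CacheEntry:
    url: str
    size: int
    last_accessed: datetime


# Constructed sample listing. The *.invalid host stands in for whatever
# landing page served the payload; nothing here is a real cache dump.
SAMPLE_LISTING = """\
2010-03-21 15:58:12\t1240\thttp://news.example.org/css/site.css
2010-03-21 16:01:44\t308224\thttp://landing.invalid/page/index/n0021
2010-03-21 16:02:03\t5120\thttp://news.example.org/img/logo.png
2010-03-21 16:40:10\t311296\thttp://mirror.example.net/download/setup.exe
2010-03-21 12:00:00\t309248\thttp://cdn.example.com/old/file.bin
"""

# Constructed values: when the rogue AV first popped up, and the dropped
# executable's size on disk. Both are assumptions for the demo.
FIRST_SEEN = datetime(2010, 3, 21, 16, 5, 0)
DROPPED_SIZE = 307200


def parse_listing(text: str) -> List[CacheEntry]:
    """Parse the hypothetical tab-separated export into CacheEntry objects."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, size, url = line.split("\t", 2)
        entries.append(CacheEntry(
            url=url,
            size=int(size),
            last_accessed=datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        ))
    return entries


def rank_candidates(entries: List[CacheEntry],
                    dropped_size: int,
                    first_seen: datetime,
                    window: timedelta = timedelta(minutes=15),
                    size_tolerance: float = 0.05) -> List[CacheEntry]:
    """Return entries accessed inside [first_seen - window, first_seen]
    whose size is within size_tolerance of the dropped file, best first.

    Both signals are weak on their own: a packed payload will not match the
    unpacked size exactly, and cache timestamps are easily cleared, so the
    result is a list of leads to check, not proof of the infection vector.
    """
    earliest = first_seen - window
    scored = []
    for e in entries:
        # Anything fetched after the malware was already running cannot be
        # the initial download; anything long before is outside the window.
        if not (earliest <= e.last_accessed <= first_seen):
            continue
        size_delta = abs(e.size - dropped_size) / dropped_size
        if size_delta > size_tolerance:
            continue
        minutes_before = (first_seen - e.last_accessed).total_seconds() / 60.0
        # Lower score is better: closer in time and closer in size.
        scored.append((minutes_before + size_delta * 100.0, e))
    scored.sort(key=lambda pair: pair[0])
    return [e for _, e in scored]


def candidate_urls(window: timedelta = timedelta(minutes=15)) -> List[str]:
    """Run the correlation over the constructed sample and return URLs."""
    entries = parse_listing(SAMPLE_LISTING)
    return [e.url for e in rank_candidates(entries, DROPPED_SIZE, FIRST_SEEN, window)]


if __name__ == "__main__":
    for url in candidate_urls():
        print("candidate:", url)
```

The default 15-minute window matches the post's "within minutes before the infection appeared"; widening it trades precision for recall, which is why the function returns a ranked list rather than a single hit. Once a candidate URL is identified, the next step is to check the cached body itself (hash it, compare it to the dropped file, submit it as a sample) rather than to trust the size match.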

Since there hadn't been a response to this thread in over a week, this is a combination bump, and repost of current versions of the logs below (to reflect any changes since the original ones were produced). MBAM 1.45 is currently giving me a clean scan.

Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 1/16/2009 3:39:48 PM

System Uptime: 3/25/2010 8:23:27 AM (110 hours ago)

Motherboard: Hewlett-Packard | | 08B4h

Processor: Intel® Xeon CPU 3.20GHz | XU1 PROCESSOR | 3200/800mhz

Processor: Intel® Xeon CPU 3.20GHz | XU2 PROCESSOR | 3200/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 298 GiB total, 220.765 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is FIXED (NTFS) - 466 GiB total, 75.677 GiB free.

G: is FIXED (NTFS) - 932 GiB total, 308.31 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: SCSI Controller

Device ID: PCI\VEN_1000&DEV_0030&SUBSYS_12F1103C&REV_07\5&D4388E4&0&280018

Manufacturer:

Name: SCSI Controller

PNP Device ID: PCI\VEN_1000&DEV_0030&SUBSYS_12F1103C&REV_07\5&D4388E4&0&280018

Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: SCSI Controller

Device ID: PCI\VEN_1000&DEV_0030&SUBSYS_12F1103C&REV_07\5&D4388E4&0&290018

Manufacturer:

Name: SCSI Controller

PNP Device ID: PCI\VEN_1000&DEV_0030&SUBSYS_12F1103C&REV_07\5&D4388E4&0&290018

Service:

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}

Description: Synaptics PS/2 Port Pointing Device

Device ID: ACPI\PNP0F13\4&369939D9&0

Manufacturer: Synaptics

Name: Synaptics PS/2 Port Pointing Device

PNP Device ID: ACPI\PNP0F13\4&369939D9&0

Service: i8042prt

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}

Description: Quick Launch Buttons

Device ID: ACPI\PNP0303\4&369939D9&0

Manufacturer: Hewlett-Packard

Name: Quick Launch Buttons

PNP Device ID: ACPI\PNP0303\4&369939D9&0

Service: i8042prt

==== System Restore Points ===================

RP13: 1/19/2010 12:18:20 AM - Installed Super Ad Blocker

RP14: 1/19/2010 6:53:03 PM - Software Distribution Service 3.0

RP15: 1/21/2010 1:35:33 AM - System Checkpoint

RP16: 1/21/2010 6:48:52 PM - Removed Super Ad Blocker

RP17: 1/22/2010 8:51:29 AM - Software Distribution Service 3.0

RP18: 1/23/2010 9:06:29 AM - System Checkpoint

RP19: 1/24/2010 11:02:50 AM - System Checkpoint

RP20: 1/25/2010 11:06:29 AM - System Checkpoint

RP21: 1/26/2010 11:09:09 AM - System Checkpoint

RP22: 1/27/2010 9:16:15 AM - Avg8 Update

RP23: 1/28/2010 9:24:14 AM - System Checkpoint

RP24: 1/29/2010 9:30:33 AM - System Checkpoint

RP25: 1/30/2010 10:55:26 AM - System Checkpoint

RP26: 1/31/2010 11:10:28 AM - System Checkpoint

RP27: 2/1/2010 11:34:52 AM - System Checkpoint

RP28: 2/2/2010 12:34:52 PM - System Checkpoint

RP29: 2/3/2010 1:34:53 PM - System Checkpoint

RP30: 2/4/2010 2:34:12 PM - System Checkpoint

RP31: 2/5/2010 2:53:17 PM - System Checkpoint

RP32: 2/6/2010 4:39:32 PM - System Checkpoint

RP33: 2/7/2010 4:53:22 PM - System Checkpoint

RP34: 2/8/2010 4:59:46 PM - System Checkpoint

RP35: 2/9/2010 5:59:47 PM - System Checkpoint

RP36: 2/10/2010 7:23:55 AM - Software Distribution Service 3.0

RP37: 2/11/2010 7:43:31 AM - System Checkpoint

RP38: 2/12/2010 9:35:42 AM - System Checkpoint

RP39: 2/13/2010 9:38:35 AM - System Checkpoint

RP40: 2/14/2010 9:43:31 AM - System Checkpoint

RP41: 2/15/2010 9:44:39 AM - System Checkpoint

RP42: 2/16/2010 10:43:33 AM - System Checkpoint

RP43: 2/17/2010 11:43:34 AM - System Checkpoint

RP44: 2/17/2010 8:11:03 PM - Installed Visual C++ 8.0 Runtime Setup Package

RP45: 2/17/2010 8:12:35 PM - Installed DirectX

RP46: 2/19/2010 12:29:21 AM - System Checkpoint

RP47: 2/20/2010 1:06:16 AM - System Checkpoint

RP48: 2/21/2010 1:13:37 AM - System Checkpoint

RP49: 2/22/2010 2:06:15 AM - System Checkpoint

RP50: 2/23/2010 3:06:18 AM - System Checkpoint

RP51: 2/24/2010 4:06:25 AM - System Checkpoint

RP52: 2/24/2010 7:59:19 AM - Software Distribution Service 3.0

RP53: 2/25/2010 8:06:18 AM - System Checkpoint

RP54: 2/26/2010 8:52:26 AM - System Checkpoint

RP55: 2/27/2010 4:49:08 PM - System Checkpoint

RP56: 3/1/2010 1:01:24 AM - System Checkpoint

RP57: 3/2/2010 1:06:18 AM - System Checkpoint

RP58: 3/3/2010 1:15:30 AM - System Checkpoint

RP59: 3/4/2010 1:21:07 AM - System Checkpoint

RP60: 3/5/2010 1:29:38 AM - System Checkpoint

RP61: 3/6/2010 2:24:03 AM - System Checkpoint

RP62: 3/7/2010 3:06:18 AM - System Checkpoint

RP63: 3/8/2010 3:08:00 AM - System Checkpoint

RP64: 3/9/2010 3:09:04 AM - System Checkpoint

RP65: 3/10/2010 4:08:30 AM - System Checkpoint

RP66: 3/11/2010 5:08:00 AM - System Checkpoint

RP67: 3/11/2010 8:53:13 AM - Software Distribution Service 3.0

RP68: 3/12/2010 9:06:18 AM - System Checkpoint

RP69: 3/13/2010 9:58:38 AM - System Checkpoint

RP70: 3/14/2010 2:12:13 AM - Installed SumoCue

RP71: 3/14/2010 8:43:00 AM - Avg8 Update

RP72: 3/14/2010 8:44:57 AM - Avg Update

RP73: 3/15/2010 9:33:16 AM - System Checkpoint

RP74: 3/16/2010 10:15:29 AM - System Checkpoint

RP75: 3/17/2010 9:27:24 AM - Avg Update

RP76: 3/18/2010 9:58:46 AM - System Checkpoint

RP77: 3/19/2010 10:11:25 AM - System Checkpoint

RP78: 3/20/2010 11:09:09 AM - System Checkpoint

RP79: 3/21/2010 11:09:40 AM - System Checkpoint

RP80: 3/21/2010 3:04:02 PM - Removed Ask Toolbar.

RP81: 3/22/2010 12:32:46 AM - Installed Java 6 Update 17

RP82: 3/23/2010 10:03:52 AM - System Checkpoint

RP83: 3/24/2010 10:23:12 AM - System Checkpoint

RP84: 3/25/2010 12:16:25 AM - Removed Java 6 Update 12

RP85: 3/25/2010 12:17:00 AM - Installed Java 6 Update 18

RP86: 3/26/2010 2:06:24 AM - System Checkpoint

RP87: 3/27/2010 2:10:43 AM - System Checkpoint

RP88: 3/28/2010 3:12:24 AM - System Checkpoint

RP89: 3/29/2010 9:09:54 AM - System Checkpoint

==== Installed Programs ======================

7-Zip 4.64

AAC Decoder

Acrobat.com

Ad-Aware

Ad-Aware Email Scanner for Outlook

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.2

Adobe Reader 9.3.1

Advertising Center

Album Art Downloader XUI 0.34.1

ApexDC++ 1.3.1 (32-bit)

Apple Application Support

Apple Software Update

AQScript LM-2.5

Audacity 1.3.10 (Unicode)

Auslogics Disk Defrag

AutoUpdate

AVG Free 9.0

Broadcom Gigabit Integrated Controller

Compaq Wireless LAN

Creative MediaSource

Creative MediaSource 5

Creative Software AutoUpdate

Creative System Information

Creative WaveStudio 7

Defraggler (remove only)

Diagnostics for Windows

DivX Codec

DivX Converter

DivX Player

DivX Plus DirectShow Filters

DivX Version Checker

DivX Web Player

DolbyFiles

DoremiSoft FLV to WAV Converter 1.6

EULAlyzer 2.0

Exact Audio Copy v0.9 beta 4

FFmpeg for Audacity on Windows

FileAlyzer

foobar2000 v0.9.6.1

Freez FLV to MP3 Converter

GameSpy Comrade

Google Chrome

Google Earth

Google Update Helper

Google Updater

H.264 Decoder

HD Tune 2.55

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

HP Integrated Wireless LAN W400-W500 Driver

HP Mobile Printing

HP Product Detection

ImagXpress

Insight Management Agent

Intel® PRO Network Connections 12.1.14.1

InterVideo WinDVD

Java 2 Runtime Environment, SE v1.4.2

Java Auto Updater

Java 6 Update 18

Katawa Shoujo Act 1

LAME v3.98.2 for Audacity

Last.fm 1.5.4.24567

LightScribe System Software 1.12.29.2

LJ Comment Stats Wizard 1.7

Malwarebytes' Anti-Malware

MediaMonkey 3.2

Menu Templates - Starter Kit

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Links 2003

Microsoft National Language Support Downlevel APIs

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 12

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

MKV Splitter

Mozilla Firefox (3.6.2)

Mozilla Thunderbird (3.0.3)

mp3splt

Mp3tag v2.46a

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser

MusicIP Mixer 1.9

Nero 9 Trial

Nero BurnRights

Nero ControlCenter

Nero CoverDesigner

Nero DiscSpeed

Nero DriveSpeed

Nero InfoTool

Nero Installer

Nero Recode

Nero Rescue Agent

Nero StartSmart

Nero WaveEditor

NeroBurningROM

NeroExpress

neroxml

NVIDIA Drivers

O2Micro MemoryCardBus Windows Driver

O2Micro SmartCardBus Reader Windows Driver Installer

PeerGuardian 2.0

Perforce Visual Components

Python 2.6.2

Python 3.0.1

Quick Launch Buttons 5.00 C2

QuickTime

RegAlyzer (OpenSBI Edition)

Remote Diagnostics Enabling Agent

Remote Services Driver

Roxio Audio Module

Roxio Copy Module

Roxio Creator Audio

Roxio Creator Copy

Roxio Creator Data

Roxio Creator DE

Roxio Creator Tools

Roxio Data Module

Roxio DLA

Roxio Drag-to-Disc

Roxio Express Labeler

Roxio Update Manager

RunAlyzer

Seagate Manager Installer

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB978380)

Security Update for Microsoft Office Excel 2007 (KB978382)

Security Update for Microsoft Office Outlook 2007 (KB972363)

Security Update for Microsoft Office PowerPoint 2007 (KB957789)

Security Update for Microsoft Office Publisher 2007 (KB969693)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB969613)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB969604)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 8 (KB969897)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978706)

SHOUTcast Source DSP 1.9.0 (remove only)

Sid Meier's Civilization 4 Gold

Simple Sudoku 4.2

Sonic Activation Module

Sound Blaster Audigy

SoundMAX

Sparkplayer (Beta)

Spelling Dictionaries Support For Adobe Reader 9

Spybot - Search & Destroy

SumoCue

Synaptics Pointing Device Driver

Texas Instruments PCIxx20 drivers.

TIPCIxx20

Trillian

Tweak UI

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office InfoPath 2007 (KB976416)

Update for Outlook 2007 Junk Email Filter (kb979895)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VC80CRTRedist - 8.0.50727.762

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

Visual C++ 8.0 Runtime Setup Package

WebFldrs XP

Webshots Desktop

Winamp

Winamp Application Detect

Winamp Toolbar for Firefox

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Media Format Runtime

Windows XP Service Pack 3

WinRAR archiver

WinZip 12.0

World of Warcraft

==== Event Viewer Messages From Past Week ========

3/24/2010 9:01:13 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eabfiltr SABKUTIL

3/24/2010 8:48:25 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg9wd service.

3/24/2010 7:01:40 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SABKUTIL

3/24/2010 6:17:44 PM, error: System Error [1003] - Error code 100000d1, parameter1 00000000, parameter2 0000001c, parameter3 00000001, parameter4 86dd6c04.

==== End Of File ===========================

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Joe at 22:31:09.82 on Mon 03/29/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3584.2685 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\Cpqdiag\Cpqdfwag.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

C:\Program Files\Last.fm\LastFM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Documents and Settings\Joe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRunOnce: [AVG Security Toolbar_FF_UpdateProcess] "c:\program files\avg\avg9\toolbar\firefox\avg@igeared\..\..\toolbarbroker.exe" /ffcheckupdate "c:\program files\avg\avg9\toolbar\firefox\avg@igeared"

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iSUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRunOnce: [DefaultP17MIDI] MIDIDEF.EXE

dRunOnce: [DefaultP17] P17Def.Exe

StartupFolder: c:\docume~1\joe\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab

TCP: {6CE094A5-05EB-451A-AED9-40B575995175} = 68.87.72.130,68.87.77.130

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joe\applic~1\mozilla\firefox\profiles\xm8ci6xx.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - plugin: c:\documents and settings\joe\my documents\sparkplay media\sparkplayer (beta)\npSparkPlayerNS.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-25 64288]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-19 216200]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-19 29512]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-19 242696]

R1 ClntMgmt;HP Client Management Driver;c:\windows\system32\drivers\Clntmgmt.sys [2009-1-19 55336]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-14 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-14 308064]

R2 cpqWebDmi;Insight Web Agent;c:\progra~1\compaq\compaq~1\cpqweb~1\WebDmi.exe [2009-1-19 24576]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1263728]

S1 SABKUTIL;SABKUTIL;\??\c:\program files\super ad blocker\sabkutil.sys --> c:\program files\super ad blocker\SABKUTIL.sys [?]

S2 gupdate1ca0a75299722a4;Google Update Service (gupdate1ca0a75299722a4);c:\program files\google\update\GoogleUpdate.exe [2009-7-21 133104]

=============== Created Last 30 ================

2010-03-25 05:23:04 0 d-----w- c:\docume~1\joe\applic~1\Auslogics

2010-03-25 05:23:00 0 d-----w- c:\program files\Auslogics

2010-03-25 05:17:25 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-03-24 23:36:15 0 d-----w- c:\docume~1\joe\applic~1\AVG9

2010-03-21 20:16:17 0 d-----w- c:\documents and settings\joe\dwhelper

2010-03-15 05:06:30 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-14 13:44:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-14 07:12:14 0 d-----w- c:\program files\Ruud

2010-03-12 02:33:55 0 d-----w- c:\program files\FFmpeg for Audacity

2010-03-12 00:17:25 0 d-----w- c:\docume~1\joe\applic~1\ApexDC++

2010-03-11 01:48:45 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-03-29 20:24:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 20:24:46 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-25 05:17:07 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-15 05:09:17 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-15 05:09:15 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-14 13:44:45 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-14 13:44:04 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-02-04 16:01:14 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll

2010-02-04 16:01:14 528216 ----a-w- c:\windows\system32\XAudio2_6.dll

2010-02-04 16:01:14 238936 ----a-w- c:\windows\system32\xactengine3_6.dll

2010-02-04 16:01:14 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll

2010-02-04 15:53:02 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-01-25 08:16:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011220090119\index.dat

2009-01-25 08:16:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012520090126\index.dat

============= FINISH: 22:31:41.17 ===============

hijackthis.log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:34:43 PM, on 3/29/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\Cpqdiag\Cpqdfwag.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

C:\Program Files\Last.fm\LastFM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iSUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\RunOnce: [AVG Security Toolbar_FF_UpdateProcess] "C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared\..\..\ToolbarBroker.exe" /FFCHECKUPDATE "C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared"

O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17] P17Def.Exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'Default user')

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15106/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6CE094A5-05EB-451A-AED9-40B575995175}: NameServer = 68.87.72.130,68.87.77.130

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe

O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

O23 - Service: Google Update Service (gupdate1ca0a75299722a4) (gupdate1ca0a75299722a4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--

End of file - 10035 bytes


  • Root Admin

I'm very sorry about that. I forgot to log your post so that I would come back to it. I've now logged it so I'll be able to track it.

Let me have you run Combofix on the system please.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


Done... That ran faster than I expected (and it didn't even reboot).

Three files that are not mentioned anywhere in the log that I had somewhat expected are these:

C:\Documents and Settings\All Users\Application Data\VH56DJI7u87yo

C:\Documents and Settings\Joe\Local Settings\Application Data\VH56DJI7u87yo

C:\Documents and Settings\Joe\Templates\VH56DJI7u87yo

A fourth file that was present a couple of days ago was no longer present. I'm guessing ComboFix removed it, but it's possible I did and didn't realize it:

C:\Documents and Settings\Joe\Local Settings\temp\VH56DJI7u87yo

A few other files in these directories that look suspicious to me:

C:\Documents and Settings\Joe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

C:\Documents and Settings\Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

C:\Documents and Settings\Joe\Local Settings\Application Data\fusioncache.dat

C:\Documents and Settings\Joe\Local Settings\temp\c98e020c-aebc-46d7-a491-7d91bd2b7e60.mht

One other symptom I hadn't mentioned previously - my default browser was changed to MSIE a few days ago (this was well after I had cleaned up the initial infection and changed it back to Firefox). Just now after running ComboFix I noticed it had been changed to MSIE again. This time I know it had been Firefox as recently as a couple of hours ago and I don't think I did anything to change it. Would ComboFix do that?

Without further ado, here is the log...

ComboFix.txt:

ComboFix 10-03-29.04 - Joe 03/30/2010 22:04:02.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3584.2770 [GMT -5:00]

Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\CPQDIAG.EXE

c:\windows\system32\CMMGR32.EXE

c:\windows\YOURAPP.EXE

.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))

.

2010-03-30 13:57 . 2010-03-30 13:57 516480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerAddin.dll

2010-03-26 04:19 . 2010-01-22 18:11 62800 ----a-w- c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\ls0u18xg.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

2010-03-26 04:19 . 2010-03-26 04:19 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\AVG Security Toolbar

2010-03-26 04:15 . 2010-03-26 04:15 -------- d-sh--w- c:\documents and settings\Me\IETldCache

2010-03-25 05:23 . 2010-03-25 05:23 -------- d-----w- c:\documents and settings\Joe\Application Data\Auslogics

2010-03-25 05:23 . 2010-03-25 05:23 -------- d-----w- c:\program files\Auslogics

2010-03-25 05:17 . 2010-03-25 05:17 503808 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2de80eef-n\msvcp71.dll

2010-03-25 05:17 . 2010-03-25 05:17 499712 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2de80eef-n\jmc.dll

2010-03-25 05:17 . 2010-03-25 05:17 348160 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2de80eef-n\msvcr71.dll

2010-03-25 05:17 . 2010-03-25 05:17 61440 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-64a700e1-n\decora-sse.dll

2010-03-25 05:17 . 2010-03-25 05:17 12800 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-64a700e1-n\decora-d3d.dll

2010-03-24 23:36 . 2010-03-24 23:36 -------- d-----w- c:\documents and settings\Joe\Application Data\AVG9

2010-03-24 17:05 . 2010-03-24 17:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

2010-03-22 05:32 . 2010-03-22 05:32 152576 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2010-03-22 05:30 . 2010-03-22 05:31 79488 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-03-21 21:37 . 2010-03-21 21:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-03-21 20:16 . 2010-03-21 20:26 -------- d-----w- c:\documents and settings\Joe\dwhelper

2010-03-15 05:09 . 2010-03-15 05:09 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll

2010-03-15 05:09 . 2010-03-15 05:09 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll

2010-03-15 05:06 . 2010-03-15 05:06 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-15 05:06 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

2010-03-14 13:44 . 2010-03-14 13:44 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-03-14 13:44 . 2010-03-14 13:44 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys

2010-03-14 13:44 . 2010-03-14 13:44 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-03-14 13:44 . 2010-03-14 13:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-14 07:12 . 2010-03-14 07:12 766 ----a-r- c:\documents and settings\Joe\Application Data\Microsoft\Installer\{9362ED08-0D76-4C8B-B039-614D45B0C786}\_4ae13d6c.exe

2010-03-14 07:12 . 2010-03-14 07:12 -------- d-----w- c:\program files\Ruud

2010-03-12 02:33 . 2010-03-12 02:33 -------- d-----w- c:\program files\FFmpeg for Audacity

2010-03-12 00:17 . 2010-03-31 02:56 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\ApexDC++

2010-03-12 00:17 . 2010-03-31 02:56 -------- d-----w- c:\documents and settings\Joe\Application Data\ApexDC++

2010-03-11 01:48 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-31 03:00 . 2009-01-25 08:21 -------- d-----w- c:\program files\Trillian

2010-03-30 23:25 . 2009-01-25 06:38 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-03-30 05:50 . 2009-02-01 04:20 -------- d-----w- c:\documents and settings\Joe\Application Data\Simple Sudoku

2010-03-30 03:14 . 2009-01-25 20:52 -------- d-----w- c:\documents and settings\Joe\Application Data\Winamp

2010-03-30 03:13 . 2009-01-28 05:43 -------- d-----w- c:\program files\AQScript

2010-03-30 03:13 . 2009-01-30 00:45 -------- d-----w- c:\documents and settings\Joe\Application Data\foobar2000

2010-03-30 00:54 . 2010-01-09 07:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-30 00:54 . 2010-01-09 18:55 5918720 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-29 20:24 . 2010-01-09 11:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 20:24 . 2010-01-09 11:10 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-25 05:22 . 2010-01-11 14:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-03-25 05:17 . 2009-02-15 20:36 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-22 05:33 . 2009-01-19 05:56 -------- d-----w- c:\program files\Java

2010-03-21 20:32 . 2009-05-26 02:17 -------- d-----w- c:\program files\Mp3tag

2010-03-21 04:42 . 2010-01-09 07:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-20 04:10 . 2010-02-23 00:03 -------- d-----w- c:\program files\Links 2003

2010-03-15 05:09 . 2009-11-26 18:15 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-15 05:09 . 2009-11-26 18:14 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys

2010-03-15 05:09 . 2009-11-26 18:14 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll

2010-03-15 05:09 . 2009-05-31 06:50 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2010-03-15 05:09 . 2009-01-25 08:05 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-15 05:09 . 2009-11-26 18:14 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll

2010-03-15 05:09 . 2009-11-26 18:14 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll

2010-03-15 05:09 . 2009-06-21 06:50 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll

2010-03-15 05:06 . 2009-01-25 07:49 -------- d-----w- c:\program files\Lavasoft

2010-03-14 13:44 . 2009-01-19 06:07 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-14 13:44 . 2009-01-19 06:07 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-14 13:44 . 2009-01-19 06:07 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-14 09:19 . 2009-01-25 04:08 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-03-12 02:36 . 2009-06-07 06:34 -------- d-----w- c:\documents and settings\Joe\Application Data\Audacity

2010-03-12 00:30 . 2009-12-05 02:16 -------- d-----w- c:\program files\ApexDC++

2010-03-11 14:59 . 2009-11-26 18:15 482288 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-03-11 14:57 . 2009-01-19 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-03-01 12:15 . 2009-09-27 06:50 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe

2010-02-26 00:48 . 2010-02-26 00:47 -------- d-----w- c:\program files\VS60

2010-02-23 00:08 . 2010-02-23 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Links 2003

2010-02-08 14:52 . 2010-01-19 05:42 -------- d-----w- c:\program files\SpywareGuard

2010-02-08 14:51 . 2010-01-19 05:37 -------- d-----w- c:\program files\SpywareBlaster

2010-02-06 06:57 . 2009-07-22 02:31 -------- d-----w- c:\program files\Google

2010-02-04 16:01 . 2010-02-18 02:13 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll

2010-02-04 16:01 . 2010-02-18 02:13 528216 ----a-w- c:\windows\system32\XAudio2_6.dll

2010-02-04 16:01 . 2010-02-18 02:13 238936 ----a-w- c:\windows\system32\xactengine3_6.dll

2010-02-04 16:01 . 2010-02-18 02:13 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll

2010-02-04 15:53 . 2009-01-25 07:50 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-01-30 22:38 . 2009-02-04 03:35 -------- d-----w- c:\program files\Paint Shop Pro 7

2010-01-27 12:15 . 2009-06-21 06:50 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll

2010-01-09 11:14 . 2009-02-01 00:50 91840 ----a-w- c:\documents and settings\Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPCheckoutOverlay]

@="{80E008A4-EAE7-4867-AEB0-1A245F070F25}"

[HKEY_CLASSES_ROOT\CLSID\{80E008A4-EAE7-4867-AEB0-1A245F070F25}]

2009-05-13 21:38 679936 ----a-w- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPSyncdOverlay]

@="{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}"

[HKEY_CLASSES_ROOT\CLSID\{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}]

2009-05-13 21:38 679936 ----a-w- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPUpdateOverlay]

@="{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}"

[HKEY_CLASSES_ROOT\CLSID\{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}]

2009-05-13 21:38 679936 ----a-w- c:\program files\Perforce\p4exp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-30 818256]

"P17Helper"="P17.dll" [2005-05-04 64512]

"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"ISUSScheduler"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2004-07-27 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"DefaultP17MIDI"="MIDIDEF.EXE" [2002-12-03 49152]

"DefaultP17"="P17Def.Exe" [2005-05-03 20480]

c:\documents and settings\Joe\Start Menu\Programs\Startup\

Webshots.lnk - c:\program files\Webshots\Launcher.exe [2009-1-27 63064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-14 13:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

2004-08-04 12:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"eabconfg.cpl"=c:\program files\HPQ\Quick Launch Buttons\EabServr.exe /Start

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"

"WinampAgent"="c:\program files\Winamp\winampa.exe"

"SynTPLpr"=c:\program files\Synaptics\SynTP\SynTPLpr.exe

"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe

"Smapp"=c:\program files\Analog Devices\SoundMAX\SMTray.exe

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe"

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

"DrvLsnr"=c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe

"ChkAdmin"=c:\progra~1\Compaq\COMPAQ~1\CHKADMIN.EXE

"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]

"CPQDFWAG"=c:\windows\Cpqdiag\CpqDfwAg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Trillian\\trillian.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.4.1.8125-to-2.4.2.8278-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=

"c:\\Program Files\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=

"c:\\Program Files\\Trebuchet Tk\\tclkit\\tcl-kit.exe"=

"c:\\Program Files\\LeechFTP\\Leechftp.exe"=

"c:\\Program Files\\

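The "Files Created" section of the log above lists everything created in the last month, and the poster's real question is which of those entries are the rogue's random-named droppings and which are ordinary installs and updates. The script below is an added example (not ComboFix's own tooling and not something supplied in this thread) that parses listing lines of that shape and scores each entry on the three signals a helper applies by eye: a name that switches between upper case, lower case and digits unusually often, a creation time within a few hours of when the infection was first noticed (INFECTION_SEEN is an assumed value for this example, taken to be in the same time zone as the log's timestamps), and a location under a user-writable data or temp directory. The sample input mixes lines copied from the log above with two constructed lines modelled on the VH56DJI7u87yo files the poster mentions; those two lines and their sizes are made up, since the real log does not list them.

```python
"""Triage a ComboFix 'Files Created' listing for entries worth a second look.

Added example, not ComboFix's own tooling. The output is a review list:
a flagged entry is one a human should check, not one to delete blindly.
"""
import ntpath
import re
from datetime import datetime, timedelta

# One listing line: <created> . <modified> <size or dashes> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-+) (?P<attrs>[A-Za-z-]{8}) (?P<path>.+)$"
)

# Assumption for this example: when the rogue AV first showed itself,
# expressed in the same time zone as the log's timestamps.
INFECTION_SEEN = datetime(2010, 3, 21, 16, 0)

# Locations a rogue running as the logged-on user can write to freely.
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\", "\\templates\\")


def parse_created(log_text):
    """Return one dict per parsable listing line; banners and dots are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "is_dir": m["attrs"].startswith("d"),
            "size": int(m["size"]) if m["size"].isdigit() else 0,
            "path": m["path"],
        })
    return entries


def _char_class(c):
    if c.isdigit():
        return "d"
    if c.isupper():
        return "U"
    if c.islower():
        return "l"
    return "p"


def looks_random(name, min_len=8, ratio=0.4):
    """True if the file stem switches between upper/lower/digit unusually often.

    'VH56DJI7u87yo' switches class at 6 of its 12 character boundaries;
    ordinary names such as 'EmailScannerAddin' switch at far fewer.
    """
    stem = ntpath.splitext(name)[0]
    if len(stem) < min_len:
        return False
    classes = [_char_class(c) for c in stem]
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return switches / (len(stem) - 1) >= ratio


def triage(log_text, seen_at=INFECTION_SEEN, window_hours=6, min_score=2):
    """Map path -> list of reasons for every entry scoring at least min_score."""
    flagged = {}
    window = timedelta(hours=window_hours)
    for e in parse_created(log_text):
        reasons, score = [], 0
        if looks_random(ntpath.basename(e["path"])):
            reasons.append("random-looking name")
            score += 2
        if abs(e["created"] - seen_at) <= window:
            reasons.append(f"created within {window_hours}h of infection")
            score += 1
        if any(d in e["path"].lower() for d in USER_WRITABLE):
            reasons.append("in user-writable data/temp directory")
            score += 1
        if score >= min_score:
            flagged[e["path"]] = reasons
    return flagged


# Constructed sample: five lines copied from the log in this thread plus two
# made-up lines modelled on the random-named files the poster asked about
# (those two do not appear in the real log; their sizes are invented).
SAMPLE_LOG = """\
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))
.
2010-03-30 13:57 . 2010-03-30 13:57 516480 ----a-w- c:\\documents and settings\\All Users\\Application Data\\Lavasoft\\Ad-Aware\\Update\\EmailScannerAddin.dll
2010-03-25 05:23 . 2010-03-25 05:23 -------- d-----w- c:\\program files\\Auslogics
2010-03-21 21:37 . 2010-03-21 21:37 -------- d-----w- c:\\documents and settings\\Administrator\\Application Data\\Malwarebytes
2010-03-21 20:16 . 2010-03-21 20:26 -------- d-----w- c:\\documents and settings\\Joe\\dwhelper
2010-03-21 19:05 . 2010-03-21 19:05 44032 ----a-w- c:\\documents and settings\\All Users\\Application Data\\VH56DJI7u87yo
2010-03-21 19:05 . 2010-03-21 19:05 44032 ----a-w- c:\\documents and settings\\Joe\\Local Settings\\temp\\VH56DJI7u87yo
2010-03-15 05:09 . 2010-03-15 05:09 598368 ----a-w- c:\\documents and settings\\All Users\\Application Data\\Lavasoft\\Ad-Aware\\Update\\EmailScanner.dll
"""

if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(why))
```

A flagged entry is a review item, not a verdict: on the sample the two constructed VH56DJI7u87yo lines score on all three signals, while the Malwarebytes folder is flagged only because it was created during the clean-up inside Application Data, which is exactly the kind of hit that the admin's "as long as there are no files in these folders" check settles by hand.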

Arrgh! My computer was suddenly getting very laggy performance doing certain things, so I decided to close everything and reboot. And now all of a sudden it won't boot up. When I power it on, it just keeps beeping at me five times, over and over. I can't get it to safe mode or even a setup screen.

I have no idea whether it's something that happened as a result of running ComboFix, or is a hardware or HD problem that happened to choose this moment to rear its head. I do, however, have a backup computer and have the ability to pull the boot drive from the main computer and plug it into that one.


  • Root Admin

STEP 01

As long as there are no files in these folders you can remove them. There is just no way to 100% detect and auto-remove every single file and folder name that malware comes up with daily; that's why these forums exist, to help users make an informed decision about items.

C:\Documents and Settings\All Users\Application Data\VH56DJI7u87yo

C:\Documents and Settings\Joe\Local Settings\Application Data\VH56DJI7u87yo

C:\Documents and Settings\Joe\Templates\VH56DJI7u87yo

STEP 02

These files are normal - just leave them alone.

C:\Documents and Settings\Joe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

C:\Documents and Settings\Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

C:\Documents and Settings\Joe\Local Settings\Application Data\fusioncache.dat

STEP 03

This file in temp can be removed

C:\Documents and Settings\Joe\Local Settings\temp\c98e020c-aebc-46d7-a491-7d91bd2b7e60.mht

STEP 04

Disable the Spybot Tea Timer - DO NOT continue until you've disabled the Tea Timer

Disable Teatimer

First step:

  • Right-click the Spybot icon in the System Tray (looks like a blue/white calendar with a padlock symbol).
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, click on Exit Spybot S&D Resident.

Second step, for either version:

  • Open Spybot S&D.
  • Click Mode, choose Advanced Mode.
  • Go to the bottom of the vertical panel on the left, click Tools.
  • Then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK.
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active.
  • OK any prompts.
  • Use File, Exit to terminate Spybot.
  • Reboot your machine for the changes to take effect.

STEP 05

You have an IP entry there in your logs under the Firefox settings. Did you put them in there?

Name: chic-cns.area4.il.chicago.comcast.net

Address: 68.87.72.130

STEP 06

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 19 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 19 (JDK or JRE).
  • Click the Download JRE button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u19 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u19-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - leave BOTH checked:
        Applications and Applets
        Trace and Log Files
    • Click OK on the Delete Temporary Files window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files window.
    • Click OK to leave the Java Control Panel.

STEP 07

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run As Admin).
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab.
    • Click Update.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log

On your next reply please let me know how the computer is running now and if there are still any signs of an infection or not.

Thanks


Just a few comments off the top of my head...

STEP 01 - Those were files (not directories), and the date/time stamps closely match when the XP Security Tool 2010 infection occurred. I believe they are likely to be random-named counterparts corresponding to the files identified as QJyrk5wvCU1 in this post. I could just delete them, unless you think it would be safer to drop them into a CFScript.txt and run ComboFix.

STEP 05 - That's the same primary DNS I have under my TCP settings, and appears to be valid (Comcast is my ISP).

STEP 06 - Already!? Didn't they just release update 18 less than two weeks ago? (Of course I'll go ahead and update it.)

I shall follow those steps when I get home from work in a couple of hours.


  • Root Admin

You can submit them to virustotal.com for verification, but based on the logs and information I think it's safe to remove the random-named ones.

The issue with your Java is that you have at least one or two other older versions still installed that need to also be removed as part of the update process.

When all done then post back and we'll go from there. If there are no other issues we'll probably finish up with a KAV online scan.


As far as I can tell, everything seems to be running okay at the moment. Since some of the problems I reported earlier were intermittent, I'll be sure and mention any problems I notice in a follow-up post.

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3939

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/31/2010 7:23:37 PM

mbam-log-2010-03-31 (19-23-37).txt

Scan type: Quick scan

Objects scanned: 124680

Time elapsed: 5 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

What we need to do now is run this online scan to search for any remnants. It can take several hours, so please be patient and allow it to run its full course.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

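When the scan finishes and the report is saved as text, each hit comes out on one line as the path, the verdict (Infected or Suspicious), the threat name and a count, as in the report posted further down this thread. The following is an added example, not part of the scanner and not supplied by anyone in this thread, that parses such lines and totals them per mail file, per verdict and per threat family, so that after emptying trash and compacting folders you can re-run the scan and confirm that the Infected totals for each mailbox file have dropped to zero rather than eyeballing ninety-odd lines. The sample lines are copied from the report posted later in the thread; family() and mail_account() are helper names chosen here, and the family heuristic (drop the last dotted component) is an assumption about Kaspersky's naming, not documented behaviour.

```python
"""Summarise a Kaspersky Online Scanner text report by verdict, mail file and family.

Added example, not Kaspersky's own tooling. Useful when every hit sits inside
mail stores: it shows which mailbox files still hold 'Infected' items and
which carry only 'Suspicious' ones, so a re-scan after compacting can be
compared number for number.
"""
import re
from collections import Counter, defaultdict

# Hit line: <path> <verdict>: <threat name> <count>; the path may contain spaces.
HIT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)


def parse_report(text):
    """Return one dict per hit line; headers, settings and statistics lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append({
                "path": m["path"],
                "verdict": m["verdict"],
                "threat": m["threat"],
                "count": int(m["count"]),
            })
    return hits


def family(threat):
    """'Backdoor.Win32.Bredolab.dq' -> 'Backdoor.Win32.Bredolab'.

    Assumption: the last dotted component is a variant suffix whenever the
    name has more than three components.
    """
    parts = threat.split(".")
    return ".".join(parts[:-1]) if len(parts) > 3 else threat


def mail_account(path):
    """Thunderbird keeps each account under ...\\Mail\\<account>\\; return that segment or None."""
    m = re.search(r"\\Mail\\([^\\]+)\\", path)
    return m.group(1) if m else None


def summarize(hits):
    """Return (per_file, per_family).

    per_file[verdict][path] is the summed hit count for that mailbox file;
    per_family[family] is the summed count across all verdicts.
    """
    per_file = defaultdict(Counter)
    per_family = Counter()
    for h in hits:
        per_file[h["verdict"]][h["path"]] += h["count"]
        per_family[family(h["threat"])] += h["count"]
    return per_file, per_family


# Sample copied from the report posted in this thread (six of its lines).
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\Local Folders\Eudora Mail.sbd\Business Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\Local Folders\Eudora Mail.sbd\Furry.sbd\TLK-L Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan.Win32.Agent2.kri 1
C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Backdoor.Win32.Bredolab.dq 1
C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Backdoor.Win32.Bredolab.aug 2
C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Backdoor.Win32.Bredavi.ak 1
"""

if __name__ == "__main__":
    per_file, per_family = summarize(parse_report(SAMPLE_REPORT))
    for verdict in ("Infected", "Suspicious"):
        for path, total in per_file[verdict].most_common():
            print(f"{verdict:10} {total:3}  [{mail_account(path)}]  {path}")
    for fam, total in per_family.most_common():
        print(f"{total:3}  {fam}")
```

Run it once on the report before compacting and once after; any mailbox file whose Infected total has not gone to zero still holds a message that Thunderbird's compaction did not drop, and that is the file to open and clean by hand.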

It looks like it found quite a bit, but all of it is in mail folders. Would I be correct in thinking I should empty trash, compact folders, and rerun the scan? (The ones with Eudora in the path, all of which are marked merely 'Suspicious', are essentially archived mail.) But I do want to make certain that all of the 'Infected:' entries have been cleared once I empty trash/compact (and I should do that more often).

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Thursday, April 1, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, April 01, 2010 12:47:01

Records in database: 3912635

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

Scan statistics:

Objects scanned: 409884

Threats found: 52

Infected objects found: 94

Suspicious objects found: 13

Scan duration: 05:34:31

File name / Threat / Threats count

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\Local Folders\Eudora Mail.sbd\Business Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\Local Folders\Eudora Mail.sbd\Furry.sbd\TLK-L Suspicious: Exploit.HTML.Iframe.FileDownload 2

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\Local Folders\Eudora Mail.sbd\Out Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan.Win32.Agent2.kri 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Backdoor.Win32.Bredolab.dq 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Backdoor.Win32.Bredolab.eh 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Backdoor.Win32.Bredolab.fg 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Backdoor.Win32.Bredolab.xb 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Backdoor.Win32.Bredolab.aug 2

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Backdoor.Win32.Bredavi.ak 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan-Downloader.Win32.Murlo.cba 2

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan.Win32.Vilsel.ihd 3

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan.Win32.Vilsel.ijw 3

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan.Win32.Vilsel.ikw 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan.Win32.Vilsel.ilx 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan.Win32.Vilsel.imq 2

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan.Win32.Vilsel.iop 2

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan.Win32.Vilsel.itv 2

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan.Win32.Inject.akjn 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Packed.Win32.Krap.x 2

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan.Win32.FraudPack.xek 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Packed.Win32.Krap.ae 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Suspicious: Password-protected-EXE 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Backdoor.Win32.Small.zs 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Backdoor.Win32.Small.ioa 3

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan-Spy.Win32.Zbot.xcg 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan-Downloader.Win32.Genome.ajjn 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan-Downloader.Win32.Genome.ajld 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Trojan-Downloader.Win32.Genome.ajrm 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredolab.di 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredolab.hl 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredolab.ic 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredolab.oo 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredolab.pp 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredolab.ql 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredolab.os 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredolab.aue 5

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredolab.ws 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredolab.aug 3

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredavi.id 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredavi.iu 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredavi.jr 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredavi.kt 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Trojan.Win32.Vilsel.ijw 2

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Trojan.Win32.Vilsel.ikw 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Trojan.Win32.Vilsel.imq 3

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Trojan.Win32.Vilsel.iop 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Trojan.Win32.Inject.akjn 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Trojan.Win32.Vilsel.itv 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Packed.Win32.Krap.ah 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Packed.Win32.Krap.x 3

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Trojan-Downloader.Win32.FraudLoad.wuis 4

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Trojan.Win32.FraudPack.xek 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredolab.azc 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredolab.apa 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Small.zo 2

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredolab.asd 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Small.zs 2

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Trojan.Win32.Sasfis.tub 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Email-Worm.Win32.Iksmas.frg 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Small.ioa 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Packed.Win32.TDSS.aa 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Packed.Win32.Krap.aj 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.EggDrop.afz 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\TLK-L Infected: Trojan-Downloader.Win32.Genome.ajld 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Trash Infected: Backdoor.Win32.EggDrop.afz 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Trash Infected: Trojan-Downloader.Win32.Genome.ajjn 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Trash Infected: Trojan-Downloader.Win32.Genome.ajld 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Trash Infected: Packed.Win32.Krap.x 1

C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Trash Infected: Trojan-Downloader.Win32.Genome.ajrm 1

C:\Program Files\Qualcomm\Eudora\Business.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Program Files\Qualcomm\Eudora\Embedded\bill.zip Suspicious: Password-protected-EXE 1

C:\Program Files\Qualcomm\Eudora\Embedded\bill1.zip Suspicious: Password-protected-EXE 1

C:\Program Files\Qualcomm\Eudora\In.mbx.002 Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Program Files\Qualcomm\Eudora\Out.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Program Files\Qualcomm\Eudora\Out.mbx.001 Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Program Files\Qualcomm\Eudora\Out.mbx.002 Suspicious: Trojan-Spy.HTML.Fraud.gen 1

Selected area has been scanned.

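The report above names, for every hit, the mbox/mbx container it sits in, and the thing to establish from it is whether anything was flagged outside a mail store: a detection inside a Thunderbird folder file or a Eudora .mbx is a stored attachment, while a hit elsewhere on disk would be a live file. The following Python is an added example written for this page, not code from the thread or from Kaspersky. It parses lines of the shape the posted report uses, totals them per verdict and per mail folder, and separates out anything not under a mail store. The sample lines are constructed: five copied in shape from the report, plus one hypothetical system32 hit that is not in the real report, included only to show how a non-mail finding is singled out. The Thunderbird and Eudora path patterns are my assumptions about where those clients keep mail.

```python
"""Triage a Kaspersky Online Scanner 7.0 text report (added example; not
part of the forum thread). Totals findings per verdict and per mail
container and pulls out any hit that is NOT inside a mail store.

Assumed line shape (matches the posted report, but an assumption):
    <container path> <Infected|Suspicious>: <threat name> <count>
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)

# Assumed mail-store locations: a Thunderbird profile's Mail tree, or the
# Eudora install directory (its .mbx files and the Embedded\ attachment dir).
MAIL_STORE_PATTERNS = (
    re.compile(r"\\Thunderbird\\Profiles\\[^\\]+\\Mail\\", re.IGNORECASE),
    re.compile(r"\\Qualcomm\\Eudora\\", re.IGNORECASE),
)

# Constructed sample: five lines in the shape of the posted report plus one
# hypothetical system32 hit (NOT in the real report) to show how a
# non-mail finding is separated out.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\Local Folders\Eudora Mail.sbd\Business Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Inbox Infected: Backdoor.Win32.Bredolab.aug 2
C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Spam Infected: Backdoor.Win32.Bredolab.aue 5
C:\Documents and Settings\Joe\Application Data\Thunderbird\Profiles\gd11c75q.default\Mail\mail.lionking.org\Trash Infected: Packed.Win32.Krap.x 1
C:\Program Files\Qualcomm\Eudora\Embedded\bill.zip Suspicious: Password-protected-EXE 1
C:\WINDOWS\system32\hypothetical.dll Infected: Trojan.Win32.Agent2.kri 1
"""


class Finding(NamedTuple):
    path: str
    verdict: str
    threat: str
    count: int


def parse_report(text: str) -> List[Finding]:
    """Return one Finding per detection line; header and statistics lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["verdict"], m["threat"], int(m["count"])))
    return findings


def is_mail_store(path: str) -> bool:
    """True when the container is a mail folder or archive, i.e. the hit is a stored attachment."""
    return any(p.search(path) for p in MAIL_STORE_PATTERNS)


def summarize(findings: List[Finding]) -> Dict:
    """Totals per verdict, totals per mail folder (leaf name), and the list of non-mail hits."""
    by_verdict: Counter = Counter()
    by_container: Counter = Counter()
    outside_mail: List[Finding] = []
    for f in findings:
        by_verdict[f.verdict] += f.count
        if is_mail_store(f.path):
            by_container[f.path.rsplit("\\", 1)[-1]] += f.count
        else:
            outside_mail.append(f)
    return {
        "by_verdict": dict(by_verdict),
        "by_mail_container": dict(by_container),
        "outside_mail": outside_mail,
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print("totals by verdict:", summary["by_verdict"])
    print("stored-attachment hits by mail folder:", summary["by_mail_container"])
    for f in summary["outside_mail"]:
        print("NOT in a mail store, needs a look:", f.path, f.threat)
```

Run against the full report saved from the scanner, an empty `outside_mail` list is the result worth having: it means every detection is an attachment in a folder file, which compacting (after emptying Trash and deleting the offending messages) will remove, rather than a file Windows could load.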

Yes, still checking in here from time to time. No new issues or any other evidence of malware.

(I have to wonder if there's any known malware that does things like look in the trash folder of your e-mail client and runs executable e-mail attachments it finds there.)

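The two questions the user raises, whether emptying Trash and compacting before a rescan is the right move, and whether an executable attachment lying in a mail folder is a risk by itself, both come down to how Thunderbird's folder files work. A folder is a single mbox file; deleting a message does not remove its bytes but sets the Expunged bit (0x0008) in that message's X-Mozilla-Status header, and the message, attachment included, stays in the file until the folder is compacted. That is why a scanner keeps reporting hits in Inbox, Spam and Trash after the messages have been deleted. The attachment itself is base64 text inside the file; nothing runs it unless something decodes and executes it. The following Python is an added example written for this page, not code from the thread. It builds a constructed three-message mbox with placeholder attachment bytes (not malware), then lists every attachment with its hash, whether its message is deleted-but-not-compacted, and whether the filename extension is one worth a second look; the extension list is my own choice.

```python
"""Inspect a Thunderbird mbox folder for attachments and for messages that
are deleted but not yet compacted (added example, not from the thread).
Builds a tiny constructed mbox with inert placeholder attachments.

Thunderbird stores per-message flags in an X-Mozilla-Status header (hex);
bit 0x0008 (Expunged) marks a message deleted but still present in the
file until the folder is compacted.
"""
import hashlib
import mailbox
import os
import tempfile
from email.message import EmailMessage
from typing import Dict, List

MOZILLA_EXPUNGED = 0x0008
# Extensions worth a second look when they arrive as attachments (my choice).
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")

# Constructed placeholder payloads; neither is a real archive or program.
ZIP_PLACEHOLDER = b"PK\x03\x04 placeholder, not a real archive"
EXE_PLACEHOLDER = b"MZ placeholder, not a real program"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _message(subject: str, status_hex: str, filename: str, payload: bytes) -> EmailMessage:
    """One constructed message carrying a single attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # placeholder address
    msg["To"] = "joe@example.invalid"       # placeholder address
    msg["Subject"] = subject
    msg["X-Mozilla-Status"] = status_hex    # as Thunderbird writes it
    msg.set_content("See the attached file.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


def build_sample_mbox(path: str) -> None:
    """Write a live zip mail, a deleted-not-compacted exe mail, and a clean text mail."""
    box = mailbox.mbox(path)
    box.add(_message("Your bill", "0001", "bill.zip", ZIP_PLACEHOLDER))    # read, live
    box.add(_message("Invoice", "0009", "invoice.exe", EXE_PLACEHOLDER))   # read + Expunged
    clean = EmailMessage()
    clean["From"] = "friend@example.invalid"
    clean["To"] = "joe@example.invalid"
    clean["Subject"] = "Lunch?"
    clean["X-Mozilla-Status"] = "0001"
    clean.set_content("Noon works for me.")
    box.add(clean)
    box.flush()
    box.close()


def inspect_mbox(path: str) -> List[Dict]:
    """Every attachment in the folder, with its message's deleted flag and a hash."""
    findings: List[Dict] = []
    box = mailbox.mbox(path)
    try:
        for msg in box:
            status = int(msg.get("X-Mozilla-Status", "0"), 16)
            expunged = bool(status & MOZILLA_EXPUNGED)
            for part in msg.walk():
                name = part.get_filename()
                if not name:
                    continue  # not an attachment part
                data = part.get_payload(decode=True) or b""
                findings.append({
                    "subject": msg.get("Subject", ""),
                    "filename": name,
                    "size": len(data),
                    "sha256": sha256_hex(data),
                    "expunged": expunged,
                    "risky": name.lower().endswith(RISKY_EXTENSIONS),
                })
    finally:
        box.close()
    return findings


def demo() -> List[Dict]:
    """Build the constructed mbox in a temp dir and return what inspect_mbox finds."""
    path = os.path.join(tempfile.mkdtemp(), "Inbox")
    build_sample_mbox(path)
    return inspect_mbox(path)


if __name__ == "__main__":
    for f in demo():
        state = "DELETED, NOT COMPACTED" if f["expunged"] else "live"
        print(f"{f['subject']!r}: {f['filename']} ({f['size']} bytes) "
              f"sha256={f['sha256'][:16]}... [{state}]{' RISKY' if f['risky'] else ''}")
```

The useful reading of the output is the combination of flags: a risky attachment on a message marked deleted is exactly the case the scanner keeps reporting, and it disappears from the file only when the folder is compacted. The hashes let you confirm after compaction, or with a fresh scan, that the specific objects are gone rather than merely hidden from the folder view.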

  • Root Admin

Please click on START - RUN and type in COMBOFIX.EXE /UNINSTALL and allow the program to remove itself.

Ensure your Anti-Virus is up to date as well as MBAM and you should be all set then.

Take a look at the following link: http://forums.malwarebytes.org/index.php?showtopic=9365
