

Howdy, new here.

I ran MWB and HJT; there seems to be a nasty problem left behind. Advertising sound files continue to play at random intervals: "Congratulations You Won", "Dinner's Ready", etc.

Below is the MWB log of items removed. Three full scans later it reads 0 infected files. I'm at a loss here; any ideas?

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4056

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

5/1/2010 7:47:09 PM

mbam-log-2010-05-01 (19-47-09).txt

Scan type: Quick scan

Objects scanned: 118050

Time elapsed: 12 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 9

Registry Values Infected: 7

Registry Data Items Infected: 6

Folders Infected: 2

Files Infected: 25

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\armanager (Rogue.ARManager) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\M5T8QL3YW3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Rogue.ARManager) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\m5t8ql3yw3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\apmanager.exe (Rogue.APManager) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\owemytpt (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\owemytpt (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsdefrag (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.92,93.188.166.154 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2d5f4842-2d64-4097-8712-ad4598a6984c}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.92,93.188.166.154 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{42997d4e-03ae-44c4-8c3f-82728594b827}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.92,93.188.166.154 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{42997d4e-03ae-44c4-8c3f-82728594b827}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.92,93.188.166.154 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4af5ded6-2c0f-4596-8b23-41157bdb0ed5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.92,93.188.166.154 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4af5ded6-2c0f-4596-8b23-41157bdb0ed5}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.92,93.188.166.154 -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\Marc\Application Data\ARManager (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Application Data\ARManager\languages (Rogue.ARManager) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Local Settings\Temp\scnmwexaro.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Local Settings\Temp\stp88c00.exe (Trojan.FraudTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Local Settings\Temp\wsrmecxnao.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\b00004d41.dll (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Application Data\ARManager\settings.ini (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Application Data\ARManager\uninstall.exe (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Application Data\ARManager\wallpaper.jpg (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Application Data\ARManager\languages\Czech.lng (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Application Data\ARManager\languages\Danish.lng (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Application Data\ARManager\languages\Dutch.lng (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Application Data\ARManager\languages\English.lng (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Application Data\ARManager\languages\French.lng (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Application Data\ARManager\languages\German.lng (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Application Data\ARManager\languages\Italian.lng (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Application Data\ARManager\languages\Portuguese.lng (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Application Data\ARManager\languages\Slovak.lng (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Application Data\ARManager\languages\Spanish.lng (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Application Data\ARManager\languages\template.lng (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Desktop\ARManager.lnk (Rogue.ARManager) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Local Settings\Temp\Ywh.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Local Settings\Application Data\fflkmvcqr\dbibqjutssd.exe (Rogue.AntivirusSuite.Gen) -> Delete on reboot.

C:\Documents and Settings\Marc\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Local Settings\Temp\axsewnmcor.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 7:26:59 PM, on 5/2/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\System Volume Information\Whistler\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\System Volume Information\Whistler\smss.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Tether\TBService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Elantech\ETDCtrl.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\CapsLKNotify\CapsLKNotify.exe

C:\Program Files\Battery Meter\BTMeter.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Marc\Local Settings\Application Data\Chromium\Application\chrome.exe

C:\Documents and Settings\Marc\Local Settings\Application Data\Chromium\Application\chrome.exe

C:\Documents and Settings\Marc\Local Settings\Application Data\Chromium\Application\chrome.exe

C:\Documents and Settings\Marc\Local Settings\Application Data\Chromium\Application\chrome.exe

C:\Documents and Settings\Marc\Local Settings\Application Data\Chromium\Application\chrome.exe

C:\Documents and Settings\Marc\Local Settings\Application Data\Chromium\Application\chrome.exe

C:\Documents and Settings\Marc\Local Settings\Application Data\Chromium\Application\chrome.exe

C:\Documents and Settings\Marc\Local Settings\Application Data\Chromium\Application\chrome.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe

O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter

O4 - HKLM\..\Run: [CapsLKNotify] C:\Program Files\CapsLKNotify\CapsLKNotify.exe

O4 - HKLM\..\Run: [bTMeter] C:\Program Files\Battery Meter\BTMeter.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [blackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportapj.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241877833734

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: TetherBerry - Unknown owner - C:\Program Files\Tether\TBService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 6231 bytes


Here is a copy of the HJT Open Uninstall Mgr.:

Acrobat.com

Acrobat.com

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9

Advanced Audio FX Engine

Apple Application Support

Apple Mobile Device Support

Apple Software Update

AusLogics BoostSpeed

AVG Free 9.0

Battery Meter

BlackBerry Desktop Software 5.0.1

BlackBerry Desktop Software 5.0.1

BlackBerry Smartphone Simulators 4.6.1.315 (8900-ATT)

Bonjour

CapsLKNotify

CCleaner (remove only)

Choice Guard

ClearType Tuning Control Panel Applet

Compatibility Pack for the 2007 Office system

CrackMem

CyberLink PowerDVD 8.0 SE

CyberLink PowerDVD 8.0 SE

Dell Media Experience

Dell Media Experience

Dell Support Center (Support Software)

Dell Video Chat

Dell Webcam Central

Dell Wireless WLAN Card Utility

EMSC

ETDWare PS/2-x86 7.0.4.9_WHQL

Foxit PDF Editor

Foxit PDF IFilter

Foxit Reader

FrostWire 4.18.0

Garmin City Navigator North America NT 2008

Garmin City Navigator North America NT 2010.40

Garmin Communicator Plugin

Garmin MapSource

Garmin POI Loader

Garmin USB Drivers

Garmin USB Drivers

Garmin WebUpdater

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB954708)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

ieSpell

Integrated Webcam Driver (1.01.01.0116)

Intel® Integrated Performance Primitives RTI 4.0

iTunes

Jasc Animation Shop 3

Jasc Paint Shop Pro 9

Java 6 Update 17

Junk Mail filter update

Karen's Replicator

Live! Cam Avatar Creator

Magic ISO Maker v5.5 (build 0276)

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 3.5 SP1

Microsoft English TTS Engine

Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Search Enhancement Pack

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Streets & Trips 2007

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Works

MSVCRT

MSXML 6.0 Parser (KB927977)

Nvu 1.0PR

PC Study Bible (remove only)

PIXresizer 2.0.4

QuickTime

Realtek High Definition Audio Driver

Revo Uninstaller 1.85

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB978380)

Security Update for Microsoft Office Excel 2007 (KB978382)

Security Update for Microsoft Office Outlook 2007 (KB972363)

Security Update for Microsoft Office PowerPoint 2007 (KB957789)

Security Update for Microsoft Office Publisher 2007 (KB980470)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB969613)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB969604)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB979402)

Security Update for Windows Search 4 - KB963093

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB963027)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969897)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974455)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB976325)

Security Update for Windows XP (KB977165-v2)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB981349)

Segoe UI

Tether 1.1.0.0

Total Video Converter 3.12 080330

TTS Wrapper

Update for 2007 Microsoft Office System (KB967642)

Update for 2007 Microsoft Office System (KB981715)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office InfoPath 2007 (KB976416)

Update for Microsoft Office OneNote 2007 (KB980729)

Update for Outlook 2007 Junk Email Filter (kb981433)

Update for Windows XP (KB898461)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB976749)

Update for Windows XP (KB978207)

Update for Windows XP (KB980182)

Virtual DJ - Atomix Productions

Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Essentials

Windows Live Mail

Windows Live Messenger

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Toolbar

Windows Live Upload Tool

Windows Live Writer

Windows Media Format Runtime

Windows Presentation Foundation

Windows Search 4.0

WinRAR archiver


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, then post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.


Thanks for taking the time!!

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4060

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

5/2/2010 7:06:18 PM

mbam-log-2010-05-02 (19-06-18).txt

Scan type: Quick scan

Objects scanned: 126368

Time elapsed: 17 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Attach.txt


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4060

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

5/3/2010 5:22:06 AM

mbam-log-2010-05-03 (05-22-06).txt

Scan type: Quick scan

Objects scanned: 126946

Time elapsed: 19 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Here's the DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Marc at 4:44:33.46 on Mon 05/03/2010

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.278 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

"C:\System Volume Information\Whistler\svchost.exe"

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\Program Files\Tether\TBService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Elantech\ETDCtrl.exe

C:\Program Files\CapsLKNotify\CapsLKNotify.exe

C:\Program Files\Battery Meter\BTMeter.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Marc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [CapsLKNotify] c:\program files\capslknotify\CapsLKNotify.exe

mRun: [bTMeter] c:\program files\battery meter\BTMeter.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM

IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://supportapj.dell.com/systemprofiler/SysPro.CAB

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241877833734

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2010-1-9 14248]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-3 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-3 29512]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-3 242896]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]

R2 TetherBerry;TetherBerry;c:\program files\tether\TBService.exe [2010-1-10 49040]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-4-3 135936]

R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [2009-4-3 93952]

R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [2009-4-3 5088416]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-4-3 110080]

R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [2009-4-3 148056]

R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [2009-4-3 133472]

R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [2009-4-3 271328]

R3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [2010-1-10 45608]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-4-3 157696]

S1 sdpiosys;sdpiosys;c:\windows\system32\drivers\sdpiosys.sys --> c:\windows\system32\drivers\sdpiosys.sys [?]

S3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090125.005\naveng.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090125.005\NAVENG.SYS [?]

S3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090125.005\navex15.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090125.005\NAVEX15.SYS [?]

S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2009-12-5 9472]

S4 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]

=============== Created Last 30 ================

==================== Find3M ====================

2010-04-25 21:26:45 56924 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-24 14:00:10 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-15 23:48:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-15 23:46:29 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll

2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

2004-07-30 13:56:22 90112 ----a-w- c:\program files\common files\PCSBclean.exe

2004-07-26 19:30:14 291840 ----a-w- c:\program files\common files\PCSBoff.exe

2009-04-03 13:36:44 75 --sh--r- c:\windows\CT4CET.bin

2009-05-04 01:12:45 88 --sh--r- c:\windows\system32\1DF1FF8083.sys

2009-05-04 01:13:31 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 4:45:40.43 ===============


While I was waiting, I updated MWB to database version 4063 and did a Quick Scan:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4063

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

5/3/2010 5:13:57 PM

mbam-log-2010-05-03 (17-13-57).txt

Scan type: Quick scan

Objects scanned: 120747

Time elapsed: 14 minute(s), 54 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

C:\WINDOWS\temp\svchost.exe (Trojan.Agent) -> Failed to unload process.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\temp\svchost.exe (Trojan.Agent) -> Delete on reboot.

Then I ran a Full Scan:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4063

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

5/3/2010 6:22:20 PM

mbam-log-2010-05-03 (18-22-20).txt

Scan type: Full scan (C:\|)

Objects scanned: 194959

Time elapsed: 42 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\Ypebea.exe.vir (Trojan.Fraudpack) -> Quarantined and deleted successfully.


ComboFix 10-05-03.05 - Marc 05/04/2010 1:49.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.344 [GMT -5:00]

Running from: c:\documents and settings\Marc\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))

.

2010-05-04 00:45 . 2010-05-04 00:45 -------- d-----w- c:\documents and settings\Marc\Application Data\AVG9

2010-05-03 23:35 . 2010-05-03 23:35 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData

2010-05-02 23:20 . 2010-05-02 23:20 388096 ----a-r- c:\documents and settings\Marc\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-05-02 23:20 . 2010-05-02 23:20 -------- d-----w- c:\program files\Trend Micro

2010-05-02 21:41 . 2010-05-02 22:13 -------- d-----w- c:\program files\Spyware Doctor

2010-05-02 01:28 . 2010-05-02 01:28 -------- d-----w- c:\windows\system32\LogFiles

2010-05-02 00:44 . 2010-05-02 00:44 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Windows Search

2010-05-02 00:24 . 2010-05-02 00:24 -------- d-----w- C:\spoolerlogs

2010-05-02 00:21 . 2010-05-02 00:48 -------- d-----w- c:\documents and settings\Marc\Local Settings\Application Data\fflkmvcqr

2010-04-24 14:00 . 2010-04-24 14:00 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-04-24 13:58 . 2010-04-24 13:58 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-04-18 16:38 . 2010-04-18 16:38 -------- d-----w- c:\documents and settings\Marc\Application Data\Malwarebytes

2010-04-18 16:38 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-18 16:38 . 2010-05-01 13:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-18 16:38 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-18 16:38 . 2010-04-18 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-11 11:35 . 2010-04-11 11:38 -------- d-----w- c:\documents and settings\Marc\Application Data\BonkEnc

2010-04-11 11:35 . 2010-04-11 11:35 -------- d-----w- c:\program files\BonkEnc

2010-04-09 20:20 . 2010-04-09 20:20 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-02 22:13 . 2009-04-03 13:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp

2010-05-02 00:08 . 2009-05-03 21:05 256 ----a-w- c:\windows\system32\pool.bin

2010-04-27 23:10 . 2010-01-11 00:42 -------- d-----w- c:\documents and settings\Marc\Application Data\Tether

2010-04-25 21:26 . 2009-12-19 21:26 56924 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-24 14:00 . 2009-05-03 17:44 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-18 18:36 . 2009-11-14 22:36 -------- d-----w- c:\documents and settings\Marc\Application Data\Apple Computer

2010-04-18 18:28 . 2009-11-14 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2010-04-16 11:07 . 2009-05-03 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-04-12 09:45 . 2009-05-08 23:52 -------- d-----w- c:\documents and settings\Marc\Application Data\uTorrent

2010-03-28 00:10 . 2009-05-08 02:11 -------- d-----w- c:\documents and settings\Marc\Application Data\FrostWire

2010-03-26 22:21 . 2010-03-26 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion

2010-03-19 01:28 . 2009-05-03 20:58 -------- d-----w- c:\program files\Common Files\Research In Motion

2010-03-19 01:27 . 2009-05-03 20:58 -------- d-----w- c:\program files\Research In Motion

2010-03-15 23:48 . 2010-03-15 23:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-15 23:48 . 2009-05-03 17:44 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-15 23:46 . 2009-05-03 17:44 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-14 21:36 . 2009-05-05 18:07 -------- d-----w- c:\documents and settings\Marc\Application Data\GARMIN

2010-03-14 19:56 . 2010-03-14 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN

2010-03-14 18:09 . 2010-03-14 18:09 -------- d-----w- c:\program files\Garmin GPS Plugin

2010-03-09 11:09 . 2008-04-25 20:33 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-26 05:43 . 2008-04-25 20:33 667136 ----a-w- c:\windows\system32\wininet.dll

2010-02-26 05:43 . 2008-04-25 20:33 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-02-24 13:11 . 2008-04-25 20:33 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-19 23:57 . 2010-02-19 23:57 26694 ----a-r- c:\documents and settings\Marc\Application Data\Microsoft\Installer\{439B2F3D-0AFA-402B-A67F-500321D4EDC2}\BlackBerry.exe

2010-02-16 14:08 . 2008-04-25 20:33 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-13 22:36 . 2010-02-13 22:36 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

2010-02-12 04:33 . 2008-04-25 20:33 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2008-04-25 20:33 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2004-07-30 13:56 . 2009-05-03 22:01 90112 ----a-w- c:\program files\Common Files\PCSBclean.exe

2004-07-26 19:30 . 2009-05-03 22:01 291840 ----a-w- c:\program files\Common Files\PCSBoff.exe

2009-04-03 13:36 . 2009-04-03 13:36 75 --sh--r- c:\windows\CT4CET.bin

2009-05-04 01:12 . 2009-05-03 23:32 88 --sh--r- c:\windows\system32\1DF1FF8083.sys

2009-05-04 01:13 . 2009-05-03 23:32 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-05-02_03.15.35 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll

+ 2010-05-04 01:01 . 2010-05-04 01:01 16384 c:\windows\temp\Perflib_Perfdata_2dc.dat

- 2008-04-25 20:33 . 2010-05-02 03:11 80032 c:\windows\system32\perfc009.dat

+ 2008-04-25 20:33 . 2010-05-03 22:22 80032 c:\windows\system32\perfc009.dat

+ 2010-05-03 23:35 . 2010-05-03 23:48 32768 c:\windows\system32\config\systemprofile\UserData\index.dat

+ 2010-05-04 06:58 . 2010-05-04 06:58 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2010-05-03 23:29 . 2010-05-03 23:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012010050320100504\index.dat

+ 2010-05-03 23:29 . 2010-05-03 23:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012010042620100503\index.dat

+ 2009-05-03 16:20 . 2010-05-04 06:56 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll

+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll

+ 2008-04-25 20:33 . 2010-05-03 22:22 466982 c:\windows\system32\perfh009.dat

- 2008-04-25 20:33 . 2010-05-02 03:11 466982 c:\windows\system32\perfh009.dat

+ 2009-05-03 16:20 . 2010-05-04 06:56 163840 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-05-02 21:41 . 2010-05-02 21:41 228352 c:\windows\Installer\a9a62.msi

+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll

+ 2010-05-02 23:20 . 2010-05-02 23:20 1094656 c:\windows\Installer\127ff9.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-24 354840]

"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-05-08 488960]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]

"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-03-18 320808]

"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-11-05 623912]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-02-18 2441216]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-24 137752]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"RTHDCPL"="RTHDCPL.EXE" [2008-12-23 18063872]

"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]

"PersistenceThread"="c:\windows\system32\PersistenceThread.exe" [2008-12-24 92696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-15 23:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Browser Defender Update Service"=2 (0x2)

"sdCoreService"=2 (0x2)

"sdAuxService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Research In Motion\\BlackBerry Smartphone Simulators 4.6.1\\4.6.1.315 (8900-ATT)\\fledge.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [1/9/2010 10:01 AM 14248]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/3/2009 12:44 PM 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/3/2009 12:44 PM 242896]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 6:48 PM 308064]

R2 TetherBerry;TetherBerry;c:\program files\Tether\TBService.exe [1/10/2010 7:41 PM 49040]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [4/3/2009 8:35 AM 135936]

R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [4/3/2009 10:07 AM 93952]

R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [4/3/2009 10:07 AM 5088416]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [4/3/2009 10:07 AM 110080]

R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [4/3/2009 10:08 AM 148056]

R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [4/3/2009 10:08 AM 133472]

R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [4/3/2009 10:08 AM 271328]

R3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [1/10/2010 7:42 PM 45608]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [4/3/2009 10:07 AM 157696]

S1 sdpiosys;sdpiosys;c:\windows\system32\drivers\sdpiosys.sys --> c:\windows\system32\drivers\sdpiosys.sys [?]

S2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]

S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [12/5/2009 1:06 PM 9472]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig

mStart Page = hxxp://www.dell.com

IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-04 01:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)

c:\windows\System32\BCMLogon.dll

.

Completion time: 2010-05-04 02:01:06

ComboFix-quarantined-files.txt 2010-05-04 07:01

ComboFix2.txt 2010-05-02 22:32

ComboFix3.txt 2010-05-02 03:18

Pre-Run: 108,521,734,144 bytes free

Post-Run: 108,512,698,368 bytes free

- - End Of File - - 857C96E7B042C2621FF55D6E1D521A20

DDS (Ver_10-03-17.01) - NTFSx86

Run by Marc at 2:02:51.67 on Tue 05/04/2010

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.232 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Battery Meter\BTMeter.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Tether\TBService.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\WSED\WSED.exe

C:\WINDOWS\system32\PersistenceThread.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

Executable.exe 4

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Marc\Local Settings\Application Data\Chromium\Application\chrome.exe

C:\Documents and Settings\Marc\Local Settings\Application Data\Chromium\Application\chrome.exe

C:\Documents and Settings\Marc\Local Settings\Application Data\Chromium\Application\chrome.exe

C:\Documents and Settings\Marc\Local Settings\Application Data\Chromium\Application\chrome.exe

C:\Documents and Settings\Marc\Local Settings\Application Data\Chromium\Application\chrome.exe

C:\Documents and Settings\Marc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig

mStart Page = hxxp://www.dell.com

BHO: AcroIEHelperShimObj Class: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: SearchHelperBho Class: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [CapsLKNotify] c:\program files\capslknotify\CapsLKNotify.exe

mRun: [bTMeter] c:\program files\battery meter\BTMeter.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [WSED] c:\program files\wsed\WSED.exe

mRun: [PersistenceThread] c:\windows\system32\PersistenceThread.exe

IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM

IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM

IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://supportapj.dell.com/systemprofiler/SysPro.CAB

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241877833734

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2010-1-9 14248]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-3 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-3 29512]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-3 242896]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]

R2 TetherBerry;TetherBerry;c:\program files\tether\TBService.exe [2010-1-10 49040]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-4-3 135936]

R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [2009-4-3 93952]

R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [2009-4-3 5088416]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-4-3 110080]

R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [2009-4-3 148056]

R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [2009-4-3 133472]

R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [2009-4-3 271328]

R3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [2010-1-10 45608]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-4-3 157696]

S1 sdpiosys;sdpiosys;c:\windows\system32\drivers\sdpiosys.sys --> c:\windows\system32\drivers\sdpiosys.sys [?]

S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]

S3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090125.005\naveng.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090125.005\NAVENG.SYS [?]

S3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090125.005\navex15.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090125.005\NAVEX15.SYS [?]

S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2009-12-5 9472]

=============== Created Last 30 ================

2010-05-04 00:45:41 0 d-----w- c:\docume~1\marc\applic~1\AVG9

2010-05-02 23:20:35 0 d-----w- c:\program files\Trend Micro

2010-05-02 21:41:33 0 d-----w- c:\program files\Spyware Doctor

2010-05-02 03:01:33 0 d-sha-r- C:\cmdcons

2010-05-02 02:59:35 98816 ----a-w- c:\windows\sed.exe

2010-05-02 02:59:35 77312 ----a-w- c:\windows\MBR.exe

2010-05-02 02:59:35 256512 ----a-w- c:\windows\PEV.exe

2010-05-02 02:59:35 161792 ----a-w- c:\windows\SWREG.exe

2010-05-02 01:28:44 0 d-----w- c:\windows\system32\LogFiles

2010-05-02 00:24:36 0 d-----w- C:\spoolerlogs

2010-04-18 16:38:42 0 d-----w- c:\docume~1\marc\applic~1\Malwarebytes

2010-04-18 16:38:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-18 16:38:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-18 16:38:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-18 16:38:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-04-11 11:35:33 0 d-----w- c:\docume~1\marc\applic~1\BonkEnc

2010-04-11 11:35:16 0 d-----w- c:\program files\BonkEnc

==================== Find3M ====================

2010-04-25 21:26:45 56924 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-24 14:00:10 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-15 23:48:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-15 23:46:29 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll

2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

2004-07-30 13:56:22 90112 ----a-w- c:\program files\common files\PCSBclean.exe

2004-07-26 19:30:14 291840 ----a-w- c:\program files\common files\PCSBoff.exe

2009-04-03 13:36:44 75 --sh--r- c:\windows\CT4CET.bin

2009-05-04 01:12:45 88 --sh--r- c:\windows\system32\1DF1FF8083.sys

2009-05-04 01:13:31 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 2:03:27.53 ===============


DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 5/3/2009 11:24:49 AM

System Uptime: 5/3/2010 8:00:50 PM (8 hours ago)

Motherboard: Dell Inc. | | 0R990K

Processor: Intel® Atom CPU Z520 @ 1.33GHz | U3E1 | 1330/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 101.083 GiB free.

E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 5/3/2010 6:26:34 PM - System Checkpoint

==== Installed Programs ======================


Hey Screen317,

FWIW, I bought this PC from my teenage son. The only software that I use is the browser (Chrome), BlackBerry, Garmin, MS Office, Tether, iTunes, PC Study Bible.

If there is anything installed that is problematic or suspect, I'll gladly do away with it.


  • Staff

Hi freebee,

My apologies for the delay.

Please update MBAM, run a Quick Scan, and post its log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


The machine remains infected. It launches the browser randomly, usually the You Won or some other game / click here web page.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4076

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

5/7/2010 3:36:14 PM

mbam-log-2010-05-07 (15-36-14).txt

Scan type: Quick scan

Objects scanned: 118230

Time elapsed: 8 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Marc\Local Settings\Temporary Internet Files\Content.IE5\STEVCHQ3\setup96[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Marc\Local Settings\Application Data\Windows Server\tszznq.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Here is the F-Secure log:

Scanning Report

Saturday, May 8, 2010 06:05:33 - 06:52:01

Computer name: DADSNETBOOK

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

9 malware found

TrackingCookie.Atdmt (spyware)

System (Disinfected)

Suspicious:W32/Malware!Gemini (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

Suspicious:W32/Malware!Gemini (virus)

C:\WINDOWS\SWREG.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

C:\WINDOWS\SWSC.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{64534B76-601D-4598-8429-4DF73C537AF3}\RP5\A0000282.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\DOCUMENTS AND SETTINGS\MARC\RHOYDW.EXE (Not cleaned)

Statistics

Scanned:

Files: 35573

System: 3497

Not scanned: 10

Actions:

Disinfected: 5

Renamed: 0

Deleted: 0

Not cleaned: 4

Submitted: 1

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\SYSTEM VOLUME INFORMATION\WHISTLER\SVCHOST.EXE

C:\SYSTEM VOLUME INFORMATION\WHISTLER\SMSS.EXE

C:\DOCUMENTS AND SETTINGS\MARC\LOCAL SETTINGS\TEMP\HSPERFDATA_MARC\3164

C:\DOCUMENTS AND SETTINGS\MARC\LOCAL SETTINGS\TEMP\HSPERFDATA_MARC\332

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

Copyright


  • Staff

Thanks for letting us know.

After you format, if your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • 2 weeks later...
  • Staff

Glad we could help. :blink:

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
