Malware on my pc - please help

sylmart7 · June 18, 2010

Hi - I think I'm infected with malware, maybe a rootkit virus. When doing a Google search I'm sometimes redirected to an unexpected site, also I can't go to Malwarebytes.org on that computer (it says IE can't display the webpage but other webpages work).

I started following the instructions in "I'm infected - What do I do now?, Please follow these instructions to clean your system" but GMER Rootkit Scanner won't run at all (nothing happens after double-clicking) and I'm not sure the defogger worked, either.

I'd appreciate any help!

Here are my results:

MalwareBytes:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

6/18/2010 2:12:02 AM

mbam-log-2010-06-18 (02-12-02).txt

Scan type: Quick scan

Objects scanned: 139412

Time elapsed: 11 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL (Hijack.StartPage) -> Bad: (http://www.googlesayfa.com/en) Good: (http://www.google.com) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.168,93.188.166.199 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52ac28ac-2f54-4836-a343-78f8222838bc}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.168,93.188.166.199 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

defogger_disable.log:

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 13:20 on 18/06/2010 (xxxxx)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Sylvie at 13:27:04.01 on Fri 06/18/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.565 [GMT -5:00]

AV: PC Tools AntiVirus Free *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\WINDOWS\system32\CSHelper.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\ICO.EXE

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\PC Tools Security\pctsTray.exe

C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe

C:\Program Files\PC Tools Security\pctsAuxs.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\PC Tools Security\pctsSvc.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Sylvie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://search.live.com

uSearch Bar = hxxp://search.live.com/sphome.aspx

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uDefault_Page_URL = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

mSearchAssistant = hxxp://search.live.com/sphome.aspx

uURLSearchHooks: FCToolbarURLSearchHook Class: {da879c19-9088-418b-a63a-2e6fb294eaf0} - c:\program files\aadvantage eshoppingsm toolbar\Helper.dll

uURLSearchHooks: H - No File

mWinlogon: Userinit=c:\windows\system32\userinit.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Freecause Toolbar BHO: {5712a6bb-b6c8-4e52-a152-1ba741c9a6a2} - c:\program files\aadvantage eshoppingsm toolbar\Toolbar.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: Club Bing Toolbar Helper: {b771fea3-2a05-4c21-b1e2-55551a97d520} - c:\program files\club bing toolbar helper\Bmbho.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Club Bing Toolbar: {719d74ab-1af9-43a1-8c62-d8750628d93e} - c:\program files\club bing toolbar\Toolbar.dll

TB: Club Bing Toolbar Helper: {b771fea3-2a05-4c21-b1e2-55551a97d520} - c:\program files\club bing toolbar helper\Bmbho.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: AAdvantage eShoppingSM Toolbar: {85741f1d-ed47-4dcf-9109-07d10213c4d0} - c:\program files\aadvantage eshoppingsm toolbar\Toolbar.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [PMCRemote] c:\program files\pinnacle\shared files\programs\remote\Remoterm.exe

uRun: [Google Update] "c:\documents and settings\sylvie\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [PMX Daemon] ICO.EXE

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [iSTray] "c:\program files\pc tools security\pctsTray.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office xp\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico

mPolicies-system: EnableLUA = 0 (0x0)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\mi699f~1\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi699f~1\office11\REFIEBAR.DLL

LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll

DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://ra.qwest.com/sdccommon/download/tgctlcm.cab

DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - hxxp://www.worldwinner.com/games/v47/scrabblecubes/scrabblecubes.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab

DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264407051781

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://mail203.mmm.com/dwa85W.cab

DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab

DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab

DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab

DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}

DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://us-mail-18.mmm.com/dwa7W.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

TCP: NameServer = 93.188.162.168,93.188.166.199

TCP: {52AC28AC-2F54-4836-A343-78F8222838BC} = 93.188.162.168,93.188.166.199

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sylvie\applic~1\mozilla\firefox\profiles\15ny5g5a.default\

FF - component: c:\program files\bitdefender\bitdefender 2010\bdaphffext\components\bdaphff2.dll

FF - component: c:\program files\bitdefender\bitdefender 2010\bdaphffext\components\bdaphff3.6.dll

FF - component: c:\program files\bitdefender\bitdefender 2010\bdaphffext\components\bdaphff3.dll

FF - component: c:\program files\pc tools security\bdt\firefox\platform\winnt_x86-msvc\components\libheuristic.dll

FF - plugin: c:\documents and settings\sylvie\application data\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\sylvie\application data\move networks\plugins\npqmp071701000002.dll

FF - plugin: c:\documents and settings\sylvie\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\sylvie\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {FABA4F21-0E5A-4DC6-936B-8A7205CA6ED2} - c:\documents and settings\sylvie\local settings\application data\{FABA4F21-0E5A-4DC6-936B-8A7205CA6ED2}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-6-1 218592]

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]

R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-3-4 266240]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2010-6-1 366840]

R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2010-6-1 1142224]

S2 Browser Defender Update Service;Browser Defender Update Service;"c:\program files\pc tools security\bdt\bdtupdateservice.exe" --> c:\program files\pc tools security\bdt\BDTUpdateService.exe [?]

S3 cpuz132;cpuz132;\??\c:\docume~1\sylvie\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\sylvie\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2006-12-30 18432]

S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2006-12-30 14336]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

S4 gupdate1c9d359281aab1a;Google Update Service (gupdate1c9d359281aab1a);c:\program files\google\update\GoogleUpdate.exe [2009-5-12 133104]

=============== Created Last 30 ================

2010-06-18 18:17:58 0 ----a-w- c:\documents and settings\sylvie\defogger_reenable

2010-06-17 20:17:17 44544 ----a-w- c:\windows\system32\ernel32.dll

2010-06-17 20:17:16 44544 ----a-w- c:\docume~1\sylvie\applic~1\0b1d0ef5.exe

2010-06-01 22:31:49 0 d-----w- c:\docume~1\sylvie\applic~1\BitDefender

2010-06-01 22:20:11 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat

2010-06-01 22:20:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-06-01 22:20:07 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-06-01 22:20:07 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat

2010-06-01 22:20:07 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat

2010-06-01 22:20:07 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-06-01 22:20:03 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat

2010-06-01 22:20:03 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-06-01 22:19:58 0 d-----w- c:\program files\PC Tools Security

2010-06-01 22:19:58 0 d-----w- c:\program files\common files\PC Tools

2010-06-01 22:19:58 0 d-----w- c:\docume~1\sylvie\applic~1\PC Tools

2010-06-01 22:19:58 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2010-05-26 17:44:31 0 d-----w- c:\docume~1\sylvie\applic~1\FCTB000062125

2010-05-26 17:43:59 0 d-----w- c:\program files\AAdvantage eShoppingSM Toolbar

2010-05-23 07:06:49 19469 ------w- c:\windows\hpoins01.dat

2010-05-23 07:06:49 16606 ------w- c:\windows\hpomdl01.dat

2010-05-23 06:56:05 0 d-----w- c:\temp\HP All-in-One Series Web Release

2010-05-23 06:44:01 0 d-----w- c:\program files\Windows Installer Clean Up

2010-05-23 06:43:45 0 d-----w- c:\program files\MSECACHE

2010-05-23 04:40:03 0 d-----w- c:\docume~1\alluse~1\applic~1\UAB

2010-05-23 04:39:25 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters

2010-05-23 04:38:42 0 d-----w- c:\program files\PC Drivers HeadQuarters

2010-05-22 18:45:14 0 d-----w- c:\windows\system32\NtmsData

2010-05-22 04:43:08 17218 ------w- c:\windows\hpomdl04.dat.temp

2010-05-22 04:43:08 102007 ------w- c:\windows\hpoins04.dat.temp

==================== Find3M ====================

2010-05-20 05:08:51 3686418 ----a-w- C:\FossSwimSchool.zip

2010-05-15 02:41:27 40960 ---ha-w- c:\windows\system32\cisvdl32.dll

2010-05-15 02:39:57 20 ----a-w- c:\docume~1\sylvie\applic~1\wqhtpi.dat

2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-04 15:38:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010020420100205\index.dat

============= FINISH: 13:30:29.56 ===============

melboy · June 19, 2010

Hi and welcome to the Malwarebytes forums.

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

I will be working on your Malware issues this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine.
If you don't know or understand something, please don't hesitate to ask.
Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

NOTE: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.

===================================================

GooredFix

Please download GooredFix and save it to your Desktop.
Ensure all Firefox windows are closed.
Double-click Goored.exe to run it.
When prompted to run the scan, click Yes. GooredFix will check for infections
When completed, a log will open. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

TFC

Please download TFC by Old Timer to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
Click the Start button in the bottom left of TFC
If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes , and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update have been completed, Select the Scanner tab.
Select Perform Quick scan, then click on Scan
When done, you will be prompted. Click OK. If Items are found, then click on Show Results
Check all items then click on Remove Selected
After it has removed the items, Notepad will open. Please post this log in your next reply.
The log can also be found here:
1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.

Failure to reboot will prevent MBAM from removing all the malware.

Re-run DDS

Please disable any anti-malware program that will block scripts from running before running DDS.

Disable any script blocker, and then double click dds.scr to run the tool.
When done, save both reports to your desktop.
Please copy & paste the contents of :
- DDS.txt
- attach.txt
And post them in your next reply.
In your next reply:
1. DDS.txt
2. attach.txt
3. MBAM log
4. GooredLog.txt

sylmart7 · June 20, 2010

Thank you very much for your offer to help. Before I got your reply I decided to try the "I'm infected - What do I do now?" steps again, and this time I got different results and was able to run GMER Rootkit Scanner. I am posting the results here WITHOUT following any of your next steps (have not run GooredFix, TFC) so I don't complicate things further, and in case these results point you in a different direction. Now that we're talking, I won't do anything else until I hear back. Thanks again.

MalwareBytes:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

6/18/2010 9:17:40 PM

mbam-log-2010-06-18 (21-17-40).txt

Scan type: Quick scan

Objects scanned: 143379

Time elapsed: 16 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.168,93.188.166.199 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52ac28ac-2f54-4836-a343-78f8222838bc}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.168,93.188.166.199 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

defogger_disable.log (ran but did not prompt for reboot):

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 21:23 on 18/06/2010 (xxxxx)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86

Run by xxxxx at 22:38:33.26 on Fri 06/18/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.571 [GMT -5:00]