
CLB Driver Infection - RootRepeal Log



Reading through the forum, the "TDL2 Rootkit-WinNT.Alureon" symptoms fit my problems to a tee. So I followed the self-help instructions involving running RootRepeal but didn't do anything afterwards because I wanted someone to look at the log. It just doesn't seem right to me. There's only the one .sys file at the beginning but it says "locked to the Windows API" and none of the examples do.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/06/20 21:31

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\GameHouse Games\SCRABBLE\GHScrabble.exe:{FAED59CE-C847-35A0-4814-1CB8DC6358E5}

Status: Visible to the Windows API, but not on disk.

Path: C:\GameHouse Games\Super Collapse\collapse.exe:{FBDEADFB-360C-A6D2-78B2-C58C33B76F52}

Status: Visible to the Windows API, but not on disk.

Path: C:\GameHouse Games\Super Collapse! 3\SuperCollapseIII.exe:{44670AFD-0932-2DA8-A251-97E3ED2C962C}

Status: Visible to the Windows API, but not on disk.

Path: C:\GameHouse Games\Super Collapse! II\Relapse.exe:{AD5FDD07-B2AB-227F-B610-06DEB2F4A16B}

Status: Visible to the Windows API, but not on disk.

Path: C:\GameHouse Games\Super Collapse! Puzzle Gallery 5\CollapsePuzzleGallery.exe:{F931FF58-BD3F-5715-271C-5E2E44A71F39}

Status: Visible to the Windows API, but not on disk.

Path: C:\GameHouse Games\TextTwist 2\TextTwist2.exe:{60B330E7-339F-9F4E-77F3-9A0E00312E08}

Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Yahoo! Games\Letter Lab\Letter_Lab.exe:{ED128DDB-0E5E-1A02-94F1-1152A244E8A9}

Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\lisa morrow\local settings\temp\~df6aa2.tmp

Status: Allocation size mismatch (API: 24576, Raw: 0)

Path: c:\documents and settings\lisa morrow\local settings\temp\~df84b3.tmp

Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\lisa morrow\local settings\temp\~dfeac0.tmp

Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\lisa morrow\local settings\temp\~dff5a4.tmp

Status: Allocation size mismatch (API: 49152, Raw: 20480)

Path: c:\documents and settings\all users\application data\avg9\cfg\sched.cfg

Status: Size mismatch (API: 71633, Raw: 71599)

Path: C:\Documents and Settings\Lisa Morrow\My Documents\My Music\Rod Stewart\PEOPLE~1.MOV:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\lisa morrow\local settings\application data\microsoft\internet explorer\recovery\active\{690a25df-7cd0-11df-830a-001e4ff26eba}.dat

Status: Size mismatch (API: 33792, Raw: 33280)

==EOF==

A little background: I've had "something" on my computer for a week that has caused the following 1-5 list. Some of the things I've done include: TDSSKiller, rkill, SUPERAntiSpyware, ATF-Cleaner, FixExe.reg ... and I think a few more things but this is only what I can remember. At the end of all of this, my Firewall and Volume Control are fixed but 1-4 are still problems.

1. Browser redirects

2. MBAM will not run. It stays open for about 3-4 seconds and then closes down. I've uninstalled and reinstalled many times and it doesn't help.

3. None of my other anti-virus/anti-malware applications will update. Spybot is the only one that will update but only after I reinstalled it and it doesn't find anything anyway.

4. I get an error box occasionally (usually on restart) that says:

Data Execution Prevention - Microsoft Window

To help your computer, Windows has closed this program.

Name: Generic Host Process for WIN32 services

Following that, another box pops up that says:

Generic Host Process for WIN32 Services encountered a problem and needed to close.

5. My Windows Firewall was down. The Security Center posted a message: Currently unavailable because Security Center has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service) and then open Security Center again. I restarted it several times and when I clicked on Windows Firewall, I got this message:

Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service? When I clicked Yes, it told me that "windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service."

6. Whether related or not, I had no sound! When I click on Volume Control, it said "There are no active mixer devices available. To install mixer devices, go to control Panel, click Printers and Other Hardware and then click Add Hardware." When I do that, it doesn't recognize any new hardware. I went to Sounds and Audio Devices and it says "no audio device". I've never had trouble with the sound.

ANY guidance would be greatly appreciated! Thanks in advance!

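The entries in the RootRepeal section above can be sorted mechanically. The script below is an added example, not from the original post, from RootRepeal or from the forum's tools: it parses the Path/Status pairs and assigns each a triage verdict. The `file:{GUID}` form is NTFS alternate-data-stream (ADS) syntax; the script treats Explorer's SummaryInformation stream ({4c8cc155-6c1e-11d1-8e41-00c04fb9386d}, the one on PEOPLE~1.MOV) and the kernel-owned hiberfil.sys as benign, size mismatches on temp and config files as low priority (files that are likely open for writing), and GUID-named streams on the game executables as items to inspect. The verdict rules and SAMPLE_LOG, which is constructed from the log above, are the example's own assumptions.

```python
"""Triage helper for the "Hidden/Locked Files" section of a RootRepeal log.

Added example; not part of the original post or of RootRepeal.  Assumes the
two-line "Path:" / "Status:" layout shown in the log above.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Stream Windows Explorer attaches to a file as an ADS to hold its
# SummaryInformation property set.  Treated as benign; any other
# GUID-named stream is queued for manual review.
SUMMARY_INFO_STREAM = "{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}"

# Files the kernel keeps open for itself; "Locked to the Windows API"
# is expected for them and means nothing on its own.
KERNEL_OWNED = {r"c:\hiberfil.sys", r"c:\pagefile.sys"}

ADS_RE = re.compile(r"^(?P<file>.+):(?P<stream>\{[0-9a-f-]{36}\})$", re.I)
MISMATCH_RE = re.compile(
    r"(?:Allocation size|Size) mismatch \(API: (?P<api>\d+), Raw: (?P<raw>\d+)\)")

# Constructed from the log posted above (a subset of its entries).
SAMPLE_LOG = r"""Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\GameHouse Games\SCRABBLE\GHScrabble.exe:{FAED59CE-C847-35A0-4814-1CB8DC6358E5}
Status: Visible to the Windows API, but not on disk.
Path: c:\documents and settings\lisa morrow\local settings\temp\~df6aa2.tmp
Status: Allocation size mismatch (API: 24576, Raw: 0)
Path: c:\documents and settings\all users\application data\avg9\cfg\sched.cfg
Status: Size mismatch (API: 71633, Raw: 71599)
Path: C:\Documents and Settings\Lisa Morrow\My Documents\My Music\Rod Stewart\PEOPLE~1.MOV:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.
Path: c:\documents and settings\lisa morrow\local settings\application data\microsoft\internet explorer\recovery\active\{690a25df-7cd0-11df-830a-001e4ff26eba}.dat
Status: Size mismatch (API: 33792, Raw: 33280)
"""


@dataclass
class Finding:
    path: str
    status: str
    verdict: str   # benign | low | review | suspicious
    note: str


def parse_entries(text):
    """Return (path, status) pairs from a Hidden/Locked Files dump."""
    entries, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Path:"):
            path = line[len("Path:"):].strip()
        elif line.startswith("Status:") and path is not None:
            entries.append((path, line[len("Status:"):].strip()))
            path = None
    return entries


def classify(path, status):
    """Assign a triage verdict to one Path/Status entry."""
    lower = path.lower()
    ads = ADS_RE.match(path)
    if ads:
        if ads.group("stream").lower() == SUMMARY_INFO_STREAM:
            return Finding(path, status, "benign", "Explorer SummaryInformation ADS")
        host = ads.group("file").lower()
        kind = "executable" if host.endswith((".exe", ".dll", ".sys")) else "file"
        return Finding(path, status, "review", f"GUID-named ADS on {kind}; inspect the stream")
    if "locked to the windows api" in status.lower():
        if lower in KERNEL_OWNED:
            return Finding(path, status, "benign", "kernel-owned file, expected to be locked")
        return Finding(path, status, "suspicious", "locked file outside the expected set")
    mm = MISMATCH_RE.search(status)
    if mm:
        api, raw = int(mm.group("api")), int(mm.group("raw"))
        if "\\temp\\" in lower or lower.endswith((".tmp", ".cfg", ".dat")):
            return Finding(path, status, "low",
                           f"size mismatch ({api} vs {raw}) on a file likely open for writing")
        return Finding(path, status, "review",
                       f"size mismatch ({api} vs {raw}) on an unexpected file")
    return Finding(path, status, "review", "unrecognised status")


def triage(text):
    """Map verdict -> list of Finding for a whole dump."""
    groups = defaultdict(list)
    for path, status in parse_entries(text):
        f = classify(path, status)
        groups[f.verdict].append(f)
    return dict(groups)
```

On the sample, nothing lands in the "suspicious" bucket: the only locked file is hiberfil.sys, and everything else is either a known-benign stream, an open-for-writing mismatch, or a GUID-named stream on a game executable that needs a look at the stream contents rather than a verdict from the log alone.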

Hello,

My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log


Hello again,

This is typical for a certain rootkit infection; don't worry, it's not you doing something wrong.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming the installation. Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


That sure helped!! I don't know if it's gone or not though.

I ran ComboFix and it was getting ready to finish when a black screen came up on the computer stating:

A problem has been detected and windows has been shut down to prevent damage to your computer

DRIVER_IRQL_NOT_LESS_OR_EQUAL

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps.

The steps listed stuff about it being a software/hardware problem and that they needed to be uninstalled and reinstalled. It mentioned doing a Windows Update and something about disabling BIOS memory options. It ended with the "beginning dump of physical memory."

I had to manually restart it and the "System has recovered from a serious error" screen popped up but then it started fine. It sent me to a microsoft troubleshoot page that said there was a problem with a device driver and use Windows Update to check for updated drivers. I didn't since I'm not going to download anything "new" without you telling me to.

BUT ........ now, everything seems fine!! I updated MBAM and ran it. It didn't find anything. I updated AVG Anti-Virus and ran it. It found 2 trojan horse files: PSW.Generic8.CNG and put them in quarantine. I didn't get a ComboFix log though because it did the black screen thing at the very end. I went looking for a .txt file after it restarted and only found this:

ComboFix 10-06-22.02 - Lisa Morrow 06/23/2010 1:34:42.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.997.504 [GMT -4:00]

Running from: C:\Documents and Settings\Lisa Morrow\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

Here's the MBAM log afterwards:

Scan type: Full scan (C:\|)

Objects scanned: 196549

Time elapsed: 53 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

So, is it gone? Or is it fooling me? I haven't had any error screens and everything will update and scan now. Those were the biggest things. But because ComboFix didn't go all the way through to give me a .txt file, should I run it again?


Here ya go. It ran just fine this time and produced this log:

ComboFix 10-06-23.01 - Lisa Morrow 06/23/2010 13:07:38.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.997.565 [GMT -4:00]

Running from: c:\documents and settings\Lisa Morrow\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\docume~1\LISAMO~1\LOCALS~1\Temp\gatfrcl.old

c:\documents and settings\Lisa Morrow\Application Data\02000000b54b1771869C.manifest

c:\documents and settings\Lisa Morrow\Application Data\02000000b54b1771869O.manifest

c:\documents and settings\Lisa Morrow\Application Data\02000000b54b1771869P.manifest

c:\documents and settings\Lisa Morrow\Application Data\02000000b54b1771869S.manifest

c:\documents and settings\Lisa Morrow\Local Settings\Temp\gatfrcl.old

c:\windows\system32\unrar.exe

.

((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))

.

2010-06-20 22:12 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-20 22:12 . 2010-06-20 22:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-20 22:12 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-20 04:34 . 2010-06-20 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-20 04:34 . 2010-06-20 04:34 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-20 04:11 . 2010-06-20 04:11 -------- d-----w- C:\post to bleeping computer

2010-06-19 05:25 . 2010-06-22 17:53 63488 ----a-w- c:\documents and settings\Lisa Morrow\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-19 05:25 . 2010-06-19 05:25 52224 ----a-w- c:\documents and settings\Lisa Morrow\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-19 05:25 . 2010-06-22 17:52 117760 ----a-w- c:\documents and settings\Lisa Morrow\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-19 05:21 . 2010-06-19 05:21 -------- d-----w- c:\documents and settings\Lisa Morrow\Application Data\SUPERAntiSpyware.com

2010-06-19 02:26 . 2010-06-19 04:57 -------- d-----w- c:\documents and settings\Lisa Morrow\.SunDownloadManager

2010-06-18 16:22 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-06-18 14:16 . 2010-06-18 14:16 -------- d-----w- c:\documents and settings\Lisa Morrow\Local Settings\Application Data\Threat Expert

2010-06-18 07:33 . 2010-06-18 14:38 -------- d-----w- c:\program files\Spyware Doctor

2010-06-10 04:15 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-02 12:43 . 2010-06-02 12:43 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-06-02 12:43 . 2010-06-02 12:43 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-23 00:36 . 2009-12-23 19:10 -------- d-----w- c:\documents and settings\Lisa Morrow\Application Data\NBC Direct

2010-06-18 14:36 . 2009-10-13 06:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-15 20:04 . 2009-04-01 21:49 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-06-13 21:47 . 2010-04-04 19:51 -------- d-----w- c:\documents and settings\Lisa Morrow\Application Data\DVD Flick

2010-06-10 08:21 . 2008-07-13 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-05 20:06 . 2009-04-01 20:22 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-06-05 16:33 . 2008-08-01 01:41 -------- d-----w- c:\documents and settings\Lisa Morrow\Application Data\LimeWire

2010-06-02 12:43 . 2008-07-13 03:54 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-06-02 12:43 . 2008-07-13 03:54 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-22 17:28 . 2010-02-01 18:57 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-22 14:09 . 2009-11-15 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-05-13 01:07 . 2010-04-10 17:21 -------- d-----w- c:\documents and settings\Lisa Morrow\Application Data\Nero

2010-05-06 10:41 . 2004-08-11 21:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2004-08-11 21:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 04:51 . 2008-07-20 17:18 -------- d-----w- c:\documents and settings\Lisa Morrow\Application Data\Image Zone Express

2010-04-20 05:30 . 2004-08-11 21:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-03-31 04:16 . 2010-03-31 04:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2010-03-31 04:10 . 2010-03-31 04:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe

2006-05-03 10:06 . 2010-02-14 06:35 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 11:47 . 2010-02-14 06:35 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30 . 2010-02-14 06:35 216064 --sh--r- c:\windows\system32\nbDX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-10-08 818288]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]

"DirectPlayerCore"="c:\program files\NBC Direct\DirectPlayerCore.exe" [2009-11-11 1150016]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-18 202256]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-17 13:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\UPDATE.EXE"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\DFBHD.EXE"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"57422:TCP"= 57422:TCP:Pando Media Booster

"57422:UDP"= 57422:UDP:Pando Media Booster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/1/2009 4:22 PM 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/12/2008 11:54 PM 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/12/2008 11:54 PM 242896]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 3:58 AM 133968]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/17/2010 9:48 AM 308064]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [7/7/2008 10:26 AM 2521880]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]

S2 MSIU-46987b98;MSIU-46987b98;c:\windows\system32\-46987b98.exe --> c:\windows\system32\-46987b98.exe [?]

S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [1/23/2007 3:45 AM 42832]

S3 SureThing Labelflash service;SureThing Labelflash service;c:\program files\Common Files\SureThing Shared\stllssvr.exe [7/11/2007 9:33 AM 74384]

.

Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 20:03]

2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-23 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-06-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2212053846-3361690381-3139543025-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-06-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2212053846-3361690381-3139543025-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://photos2.walmart.com/WalmartActivia3.cab

DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} - hxxps://care.windstream.com/lwp/static/installers/WebflowActiveXInstaller_3-0-0.cab

DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} - hxxps://care.windstream.com/lwp/static/installers/ALLTELControls.cab

FF - ProfilePath - c:\documents and settings\Lisa Morrow\Application Data\Mozilla\Firefox\Profiles\bfl6brth.default\

FF - prefs.js: browser.search.selectedEngine - MyHeritage Search

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 5555

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\Lisa Morrow\Application Data\Facebook\npfbplugin_1_0_1.dll

FF - plugin: c:\documents and settings\Lisa Morrow\Application Data\IDM\bin\flash\platform\WINNT\plugins\npidmdcp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\NBC Direct\npDirectPlayerMozilla.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

BHO-{0135728A-043E-48B3-911E-8ECF492BD957} - (no file)

BHO-{b2475f4c-9372-46d3-a407-ff155aa1fb91} - (no file)

AddRemove-Letter Lab - c:\program files\Yahoo! Games\Letter Lab\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-23 13:12

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4248)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-06-23 13:14:58

ComboFix-quarantined-files.txt 2010-06-23 17:14

Pre-Run: 38,630,281,216 bytes free

Post-Run: 38,624,985,088 bytes free

- - End Of File - - 5DF2DAD852059DC7249815BAD830A1A8


Hello again,

Still a few leftovers to clean here.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

Firefox::
FF - ProfilePath - c:\documents and settings\Lisa Morrow\Application Data\Mozilla\Firefox\Profiles\bfl6brth.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5555

Save this as CFScript.txt, in the same location as ComboFix.exe

Drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

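The two findings that matter in the ComboFix log above, the 127.0.0.1:5555 proxy set in both IE and Firefox and the MSIU-46987b98 service whose binary ComboFix could not find, can be pulled out without reading the whole dump, and the DDS::/Firefox:: script in the reply above is built from exactly those log lines. The script below is an added example, not part of the original posts, of ComboFix or of the helper's CF-script. It assumes the line formats visible in the log (`uInternet Settings,<name> = <value>`, `FF - prefs.js: <pref> - <value>`, and `<path> --> <path> [?]` for a service with a missing binary; the last is an assumption about ComboFix's notation), reports each indicator, and regenerates the CF-script for the proxy entries. SAMPLE_LOG is constructed from the log above. One detail the log leaves implicit: Firefox's network.proxy.type 4 is auto-detect, so the manual 127.0.0.1 entry is stored but not the mode in effect, which the report says explicitly.

```python
"""Pull the proxy-hijack and orphan-service indicators out of a ComboFix log.

Added example; not part of the original post or of ComboFix.
"""
import re

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Firefox network.proxy.type values: 0 none, 1 manual, 2 PAC, 4 auto-detect,
# 5 system.  The manual host/port prefs are only honoured when the type is 1.
FF_MANUAL = 1

IE_PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<val>.+)$", re.M)
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>network\.proxy\.\S+) - (?P<val>.+)$", re.M)
# Assumed ComboFix convention: "<image> --> <image> [?]" marks a service whose
# binary was not found on disk.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) --> .*\[\?\]\s*$",
    re.M)

# Constructed from the log posted above; not a complete ComboFix report.
SAMPLE_LOG = r"""S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
S2 MSIU-46987b98;MSIU-46987b98;c:\windows\system32\-46987b98.exe --> c:\windows\system32\-46987b98.exe [?]
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\Lisa Morrow\Application Data\Mozilla\Firefox\Profiles\bfl6brth.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5555
FF - prefs.js: network.proxy.type - 4
"""


def ie_proxies(log):
    """Return [(scheme, host, port)] for every WinINet ProxyServer entry."""
    out = []
    for m in IE_PROXY_RE.finditer(log):
        for part in m.group("val").split(";"):
            scheme, _, hostport = part.strip().rpartition("=")
            host, _, port = hostport.rpartition(":")
            if not host:                      # bare host with no port
                host, port = hostport, ""
            out.append((scheme or "all", host, int(port) if port else None))
    return out


def firefox_proxy(log):
    """Return {pref: value} for network.proxy.* prefs; type is coerced to int."""
    prefs = {m.group("pref"): m.group("val").strip() for m in FF_PREF_RE.finditer(log)}
    if "network.proxy.type" in prefs:
        prefs["network.proxy.type"] = int(prefs["network.proxy.type"])
    return prefs


def orphan_services(log):
    """[(start type, name, image path)] for services whose binary is missing."""
    return [(m.group("start"), m.group("name"), m.group("image").strip())
            for m in SERVICE_RE.finditer(log)]


def findings(log):
    """Human-readable triage lines; empty for a log with none of these signs."""
    out = []
    for scheme, host, port in ie_proxies(log):
        if host in LOCAL_HOSTS:
            out.append(f"IE/WinINet sends {scheme} traffic to local proxy {host}:{port}")
    ff = firefox_proxy(log)
    host = ff.get("network.proxy.http")
    if host in LOCAL_HOSTS:
        port = ff.get("network.proxy.http_port", "?")
        if ff.get("network.proxy.type") == FF_MANUAL:
            state = "active"
        else:
            state = "configured but inactive (network.proxy.type is not manual)"
        out.append(f"Firefox HTTP proxy {host}:{port} is {state}")
    for start, name, image in orphan_services(log):
        out.append(f"service {name} ({start}) points at a missing binary: {image}")
    return out


def build_cfscript(log):
    """Rebuild the DDS::/Firefox:: CF-script that clears the proxy entries."""
    rows = log.splitlines()
    dds = [l for l in rows if l.startswith("uInternet Settings,Proxy")]
    ff = [l for l in rows
          if l.startswith("FF - ProfilePath")
          or re.match(r"FF - prefs\.js: network\.proxy\.http(_port)? -", l)]
    lines = []
    if dds:
        lines += ["DDS::", *dds, ""]
    if ff:
        lines += ["Firefox::", *ff, ""]
    return "\n".join(lines).rstrip("\n") + "\n"
```

`findings(SAMPLE_LOG)` yields three lines (the IE proxy, the inactive Firefox proxy, and the MSIU-46987b98 service), and `build_cfscript(SAMPLE_LOG)` returns text identical to the script in the reply above. The orphan service is only reported: whether a service whose image file is gone should be deleted is a decision to make after looking at its registry key, so the generator deliberately leaves it out.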

Here's the log after the CF-Script:

ComboFix 10-06-23.01 - Lisa Morrow 06/23/2010 15:22:01.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.997.606 [GMT -4:00]

Running from: c:\documents and settings\Lisa Morrow\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Lisa Morrow\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))

.

2010-06-20 22:12 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-20 22:12 . 2010-06-20 22:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-20 22:12 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-20 04:34 . 2010-06-20 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-20 04:34 . 2010-06-20 04:34 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-20 04:11 . 2010-06-20 04:11 -------- d-----w- C:\post to bleeping computer

2010-06-19 05:25 . 2010-06-22 17:53 63488 ----a-w- c:\documents and settings\Lisa Morrow\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-19 05:25 . 2010-06-19 05:25 52224 ----a-w- c:\documents and settings\Lisa Morrow\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-19 05:25 . 2010-06-22 17:52 117760 ----a-w- c:\documents and settings\Lisa Morrow\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-19 05:21 . 2010-06-19 05:21 -------- d-----w- c:\documents and settings\Lisa Morrow\Application Data\SUPERAntiSpyware.com

2010-06-19 02:26 . 2010-06-19 04:57 -------- d-----w- c:\documents and settings\Lisa Morrow\.SunDownloadManager

2010-06-18 16:22 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-06-18 14:16 . 2010-06-18 14:16 -------- d-----w- c:\documents and settings\Lisa Morrow\Local Settings\Application Data\Threat Expert

2010-06-18 07:33 . 2010-06-18 14:38 -------- d-----w- c:\program files\Spyware Doctor

2010-06-10 04:15 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-02 12:43 . 2010-06-02 12:43 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-06-02 12:43 . 2010-06-02 12:43 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-23 00:36 . 2009-12-23 19:10 -------- d-----w- c:\documents and settings\Lisa Morrow\Application Data\NBC Direct

2010-06-18 14:36 . 2009-10-13 06:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-15 20:04 . 2009-04-01 21:49 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-06-13 21:47 . 2010-04-04 19:51 -------- d-----w- c:\documents and settings\Lisa Morrow\Application Data\DVD Flick

2010-06-10 08:21 . 2008-07-13 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-05 20:06 . 2009-04-01 20:22 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-06-05 16:33 . 2008-08-01 01:41 -------- d-----w- c:\documents and settings\Lisa Morrow\Application Data\LimeWire

2010-06-02 12:43 . 2008-07-13 03:54 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-06-02 12:43 . 2008-07-13 03:54 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-22 17:28 . 2010-02-01 18:57 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-22 14:09 . 2009-11-15 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-05-13 01:07 . 2010-04-10 17:21 -------- d-----w- c:\documents and settings\Lisa Morrow\Application Data\Nero

2010-05-06 10:41 . 2004-08-11 21:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2004-08-11 21:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 04:51 . 2008-07-20 17:18 -------- d-----w- c:\documents and settings\Lisa Morrow\Application Data\Image Zone Express

2010-04-20 05:30 . 2004-08-11 21:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-03-31 04:16 . 2010-03-31 04:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2010-03-31 04:10 . 2010-03-31 04:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe

2006-05-03 10:06 . 2010-02-14 06:35 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 11:47 . 2010-02-14 06:35 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30 . 2010-02-14 06:35 216064 --sh--r- c:\windows\system32\nbDX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-10-08 818288]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]

"DirectPlayerCore"="c:\program files\NBC Direct\DirectPlayerCore.exe" [2009-11-11 1150016]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-18 202256]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-17 13:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\UPDATE.EXE"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\DFBHD.EXE"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"57422:TCP"= 57422:TCP:Pando Media Booster

"57422:UDP"= 57422:UDP:Pando Media Booster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/1/2009 4:22 PM 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/12/2008 11:54 PM 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/12/2008 11:54 PM 242896]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 3:58 AM 133968]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/17/2010 9:48 AM 308064]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [7/7/2008 10:26 AM 2521880]

R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]

S2 MSIU-46987b98;MSIU-46987b98;c:\windows\system32\-46987b98.exe --> c:\windows\system32\-46987b98.exe [?]

S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [1/23/2007 3:45 AM 42832]

S3 SureThing Labelflash service;SureThing Labelflash service;c:\program files\Common Files\SureThing Shared\stllssvr.exe [7/11/2007 9:33 AM 74384]

.

Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 20:03]

2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-23 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-06-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2212053846-3361690381-3139543025-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-06-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2212053846-3361690381-3139543025-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://photos2.walmart.com/WalmartActivia3.cab

DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} - hxxps://care.windstream.com/lwp/static/installers/WebflowActiveXInstaller_3-0-0.cab

DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} - hxxps://care.windstream.com/lwp/static/installers/ALLTELControls.cab

FF - ProfilePath - c:\documents and settings\Lisa Morrow\Application Data\Mozilla\Firefox\Profiles\bfl6brth.default\

FF - prefs.js: browser.search.selectedEngine - MyHeritage Search

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-23 15:27

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1892)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-06-23 15:30:13

ComboFix-quarantined-files.txt 2010-06-23 19:30

ComboFix2.txt 2010-06-23 17:14

Pre-Run: 38,610,677,760 bytes free

Post-Run: 38,619,951,104 bytes free

- - End Of File - - C0E7FF6D39F3B312CD2FC773D8E67A18

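A helper reads a ComboFix log like the one above by eye for two things: service entries whose image cannot be found on disk (the `S2 MSIU-46987b98` line, whose image path ends in `[?]`) and files under system32 carrying odd attribute combinations (the three `--sh--r-` entries in the Find3M report). As an added example, not part of the thread and not ComboFix's own code, the Python below applies those checks to a handful of lines copied from the log. The line formats are inferred from the log itself, the "eight hex digits" name heuristic is an assumption modelled on the orphaned service, and a hit is a prompt to look closer rather than a verdict (hidden+system DLLs in system32 are unusual but not automatically malicious).

```python
import re
from dataclasses import dataclass

# Constructed sample input: six lines copied from the ComboFix log posted above
# (two Find3M file lines, four service lines), so the rules run offline.
SAMPLE_LOG = r"""
2010-05-02 05:22 . 2004-08-11 21:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2006-05-03 10:06 . 2010-02-14 06:35 163328 --sh--r- c:\windows\system32\flvDX.dll
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/1/2009 4:22 PM 64288]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/12/2008 11:54 PM 242896]
S2 MSIU-46987b98;MSIU-46987b98;c:\windows\system32\-46987b98.exe --> c:\windows\system32\-46987b98.exe [?]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [1/23/2007 3:45 AM 42832]
"""

# Service/driver entries: "<R|S><start type> <name>;<display name>;<image path> [<date> <size>]"
# or, when ComboFix cannot stat the image, "<registry path> --> <resolved path> [?]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<trailer>[^\]]*)\]$"
)
# Find3M / Files Created entries: "<mtime> . <ctime> <size> <attrs> <path>"
# attrs is an 8-char field such as "----a-w-"; 's' = system, 'h' = hidden.
FILE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-dshawr]{8})\s+(?P<path>.+)$"
)
# Hypothetical heuristic (an assumption, not a ComboFix rule): an 8-hex-digit
# basename, optionally led by '-', is the shape of the orphaned MSIU-46987b98 image.
RANDOM_NAME_RE = re.compile(r"^-?[0-9a-f]{8}\.(exe|dll|sys)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_service(m: re.Match) -> list[str]:
    reasons = []
    image = m.group("image")
    if m.group("trailer").strip() == "?":
        reasons.append("service image not found on disk ([?] trailer)")
    if RANDOM_NAME_RE.match(basename(image)):
        reasons.append("random-looking image basename")
    resolved = m.group("resolved")
    if resolved and resolved.lower() != image.lower():
        reasons.append("registry ImagePath differs from resolved path")
    return reasons


def check_file(m: re.Match) -> list[str]:
    reasons = []
    attrs, path = m.group("attrs"), m.group("path").lower()
    # system + hidden together under system32 is unusual for Microsoft binaries
    if "s" in attrs and "h" in attrs and "\\windows\\system32\\" in path:
        reasons.append("hidden+system file under system32")
    if RANDOM_NAME_RE.match(basename(path)):
        reasons.append("random-looking file basename")
    return reasons


def scan_log(text: str) -> list[Finding]:
    """Run the heuristics over every line and return the ones worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            reasons = check_service(m)
        else:
            m = FILE_RE.match(line)
            reasons = check_file(m) if m else []
        for reason in reasons:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```

Run it as a script to print the findings for the sample, or call scan_log() on the contents of a full C:\ComboFix.txt. On the sample it flags the flvDX.dll line once and the MSIU-46987b98 service twice (missing image and random-looking name); the normal driver entries produce nothing.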

Hello there,

You were infected with the TDL3 rootkit. This rootkit patches a random file in the Drivers folder and so is started when you start your computer. It can control pretty much anything and causes persistent redirects. In other words, a nasty thing :P

Please let me know if you have any problems left.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    1. Click on the ESET Smart Installer link to download it. Save it to your desktop.
    2. Double click on the ESET Smart Installer icon on your desktop.
  4. Tick the box to accept the Terms of Use.
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Tick "Scan archives".
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push "List of found threats".
  11. Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
  12. Push the Back button.
  13. Push Finish.

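The diagnosis above says TDL3 patches one random driver under system32\drivers, which is what makes it survive reboots. As an added example, not code from the thread or from any of the tools named in it, here is one way to shortlist the patched driver: hash every .sys in the drivers folder and compare it with the copy Windows keeps in system32\dllcache. The directory layout and the driver names used by demo() (atapi.sys, iastor.sys, vendor.sys) are constructed for the example. Two caveats a practitioner needs: while the rootkit is active it serves the clean bytes back to anything reading the infected file, so the comparison is only meaningful from a clean boot (recovery CD or slaved drive), and a mismatch can also mean a hotfix replaced the driver after dllcache was populated, so a MODIFIED entry is a candidate to verify (signature, vendor hash), not a verdict.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large drivers don't get read whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_modified_drivers(drivers_dir: Path, cache_dir: Path) -> dict[str, str]:
    """Return {driver name: status} for every .sys in drivers_dir.

    status is one of:
      "same"      - byte-identical to the dllcache copy
      "MODIFIED"  - a cached copy exists and differs (what a patched driver looks like)
      "no-cache"  - nothing to compare against; needs a signature or vendor check instead
    """
    report = {}
    for sys_file in sorted(drivers_dir.glob("*.sys")):
        cached = cache_dir / sys_file.name
        if not cached.is_file():
            report[sys_file.name] = "no-cache"
        elif sha256_of(cached) == sha256_of(sys_file):
            report[sys_file.name] = "same"
        else:
            report[sys_file.name] = "MODIFIED"
    return report


def demo() -> dict[str, str]:
    """Constructed stand-in for system32\\drivers and system32\\dllcache (not real drivers)."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp) / "drivers"
        cache = Path(tmp) / "dllcache"
        drivers.mkdir()
        cache.mkdir()
        clean = b"MZ" + b"\x00" * 62 + b"clean driver body"
        # untouched driver: drivers copy and dllcache copy are identical
        (cache / "atapi.sys").write_bytes(clean)
        (drivers / "atapi.sys").write_bytes(clean)
        # simulated patch: same length, a few bytes at the entry point replaced by a jump
        patched = bytearray(clean)
        patched[64:69] = b"\xe9\x00\x10\x00\x00"
        (cache / "iastor.sys").write_bytes(clean)
        (drivers / "iastor.sys").write_bytes(bytes(patched))
        # third-party driver with no dllcache copy at all
        (drivers / "vendor.sys").write_bytes(clean)
        return find_modified_drivers(drivers, cache)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

On a real disk, point find_modified_drivers() at the mounted volume's WINDOWS\system32\drivers and WINDOWS\system32\dllcache; the patched driver keeps its original size, so a size-only comparison would miss it, which is why the check hashes the contents.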

That took forever! I thought I was clean ... but maybe not?? Here's the log from it. I had to run it twice b/c it came up with some kind of error the first time and I had to restart it.

C:\Documents and Settings\Lisa Morrow\Application Data\Sun\Java\Deployment\cache\6.0\15\310e48cf-15ecb04f Java/TrojanDownloader.Agent.NAP trojan deleted - quarantined

C:\Documents and Settings\Lisa Morrow\Application Data\Sun\Java\Deployment\cache\6.0\29\6b2b9ddd-74cba717 multiple threats deleted - quarantined

C:\Documents and Settings\Lisa Morrow\Application Data\Sun\Java\Deployment\cache\6.0\37\7cde92e5-27f80641 a variant of Java/Exploit.Agent.NAC trojan deleted - quarantined

C:\Documents and Settings\Lisa Morrow\Application Data\Sun\Java\Deployment\cache\6.0\6\3900a9c6-4a4180d8 multiple threats deleted - quarantined


Hello there,

No worries, those detections are nothing serious, so that means you are clean indeed :P

ALL CLEAN

--------------

Your machine appears to be clean. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean ;)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete RootRepeal, GMER (this is a randomly named file) and OTL.

Please read this advice in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use; if you purchase the paid versions, they provide a resident scanner and do not nag.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.

  2. Keep Windows (and your other Microsoft software) up to date!

     I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

     Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

     Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

     The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


I am sooo happy!!!! ;) I just want to commend you on such a good job. You save people a LOT of money doing this. I've been on the internet for as long as it's been around and have gotten several "bad guys" on my computer. Most of them, I'm able to deal with myself by following guides, etc. This is the 3rd time that I've had to turn to a computer forum like this and have never had anything but good luck.

I still have a few questions :P

I uninstalled combofix the way you said. What about the other stuff? Can I just drag them to the recycle bin since everything is on the desktop? I've got a bunch of stuff b/c I was at bleepingcomputer.com before I came here, but I think I baffled them lol or just got lost in the pile. I've got the following on my computer now:

RootRepeal, GMER, ESETScan, ResetTeaTimer, OTL, tdsskiller, AFT-Cleaner, rkill, FixExe ........

I think that's all of them. Most of them have several folders and files b/c I've got the install, the app, and the text file for all. Anyway, I just want to be sure that it's safe to just drag them to the recycle bin before I do so.

I've always had Malwarebytes and think it's the best of the bunch, but I'm wondering if the paid version would've prevented this?

Also, is it a good thing to have everything that is listed in #1? For some reason I thought that you could have "too many" malware programs ... that they would clash or something. I've got AdAware and Spybot and they're not on your list. Are they good or not? Also, I've had better luck with AVG Anti-Virus than others so that's what I've been running, and I've been using the Windows Firewall. How are those two?

Once again, thank you thank you thank you.


You are most welcome :P

What about the other stuff? Can I just drag them to the recycle bin since everything is on the desktop? I've got a bunch of stuff b/c I was at bleepingcomputer.com before I came here, but I think I baffled them lol or just got lost in the pile. I've got the following on my computer now:
I happen to be a moderator at BleepingComputer, and I see you got help there as well ;)

A simple way to delete all tools and logs is to run OTL, click the cleanup button and allow a reboot. You can uninstall ESET online from Add/Remove Programs.

I've got AdAware and Spybot and they're not on your list. Are they good or not? Also, I've had better luck with AVG Anti-Virus than others so that's what I've been running, and I've been using the Windows Firewall. How are those two?
AdAware and Spybot are not bad, but they are not as good as they were a few years ago. I personally would stick with MBAM. The free version is just as good, however, the PRO version gives you real time protection, which has its advantages.

Please let me know if you have any more questions :)


I think I'm done!! Thank you for answering my questions ... and for fixing my computer in the first place. I'm going to run along and backup right now ... while everything is clean!! I always do backups but I had waited too long this time. It's amazing how much we've come to rely on computers for everything.

Ciao!!


This topic is now closed to further replies.