
Trojan horse Downloader.Generic10.JCL


kgo


Hello - Malwarebytes log shows it deleted but AVG shows it is still there.

C:\WINDOWS\system32\userinit.exe;Trojan horse Downloader.Generic10.JCL;Object is white-listed (critical/system file that should not be removed)

NOTE: I ran Malwarebytes, Defogger and DDS, but my computer rebooted during the running of GMER Rootkit Scanner, and GMER did not start up automatically again. I did this several times, so I cannot attach the ark.txt file; GMER never completed. Did the Trojan horse block GMER, or could AVG be stopping it from completing?

Here are the contents of the DDS.txt, and under that is the Malwarebytes log.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Kevin at 20:51:45.40 on Wed 08/25/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.198 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

svchost.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

"C:\WINDOWS\system32\svchost.exe"

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\PROMon.exe

C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Belkin Storage Manager\StorageManager.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Documents and Settings\Kevin\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\lotus\organize\easyclip.exe

C:\lotus\smartctr\SUITEST.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Kevin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:6522

uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~2\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [Aim6]

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Google Update] "c:\documents and settings\kevin\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [sansaDispatch] c:\documents and settings\kevin\application data\sandisk\sansa updater\SansaDispatch.exe

uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://games.yahoo.com/daily-games/dailyjigsaw"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

mRun: [PROMon.exe] PROMon.exe

mRun: [smapp] c:\program files\analog devices\soundmax\Smtray.exe

mRun: [Tgcmd] "c:\program files\support.com\bin\tgcmd.exe /server"

mRun: [uC_SMB]

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"

mRun: [belkin Storage Manager] "c:\program files\belkin storage manager\StorageManager.exe"

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRun: [emmfvbyh] c:\documents and settings\networkservice\local settings\application data\sipoxtwbr\niwxocltssd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotuso~1.lnk - c:\lotus\organize\easyclip.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotusq~1.lnk - c:\lotus\wordpro\ltsstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotuss~2.lnk - c:\lotus\smartctr\SMARTCTR.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotuss~1.lnk - c:\lotus\smartctr\SUITEST.EXE

IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~2\SDHelper.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://consumerswh.2020.net/Core/Player/2020PlayerAX_Win32.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://137.123.216.127/activex/AMC.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

mASetup: {4925B664-BDFA-4E68-B325-EC00937E8110} - rundll32 vecrits93.dll,laspi

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevin\applic~1\mozilla\firefox\profiles\2mi4wheh.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\kevin\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-31 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-1-9 29584]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-31 243024]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]

R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2009-7-16 30560]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-14 135664]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-8-16 430152]

S3 mam4410c;mam4410c;c:\windows\system32\drivers\mam4410c.sys [2008-7-24 24784]

S3 mam4410m;mam4410m;c:\windows\system32\drivers\mam4410m.sys [2008-7-24 25044]

S3 mam4410u;mam4410u;c:\windows\system32\drivers\mam4410u.sys [2008-7-24 52309]

=============== Created Last 30 ================

2010-08-26 00:43:43 0 ----a-w- c:\documents and settings\kevin\defogger_reenable

2010-08-19 01:27:50 578560 ----a-w- c:\windows\system32\dllcache\user32.dll

2010-08-19 01:12:52 0 d-----w- c:\windows\ERUNT

2010-08-19 01:01:16 0 d-----w- C:\SDFix

2010-08-16 23:40:19 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar

2010-08-07 20:02:02 26112 ----a-w- c:\windows\system32\stu2.exe

==================== Find3M ====================

2010-08-07 20:01:59 25600 ----a-w- c:\windows\system32\userinit.exe

2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-15 21:33:15 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-15 21:33:09 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-15 21:29:29 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2007-07-31 03:09:30 709 ----a-w- c:\program files\GoogleEarthWin.lnk

2008-09-17 15:52:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat

============= FINISH: 20:53:56.82 ===============

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4479

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/25/2010 7:26:50 PM

mbam-log-2010-08-25 (19-26-50).txt

Scan type: Quick scan

Objects scanned: 166781

Time elapsed: 22 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Kevin\Local Settings\Temp\ie1B.tmp (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kevin\Local Settings\Temp\ie3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

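A quick triage pass over the DDS Pseudo HJT lines above, as an added example (editor's own code, not DDS, Malwarebytes or the forum helper's tooling). It flags the entries in this log a removal helper would want a closer look at: a browser proxy pointed at 127.0.0.1, an autorun living under the NetworkService profile, an Active Setup entry that runs rundll32 on a DLL given without a path, and orphaned "No File" entries. The heuristics and the sample lines are the editor's, constructed from the log posted in this thread.

```python
"""Triage pass over DDS 'Pseudo HJT Report' lines.

Editor's added example, not DDS, Malwarebytes or forum tooling.
The sample lines are copied from the DDS log posted in this thread.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of lines from the thread's DDS log.
# Raw string, so the Windows backslashes survive untouched.
SAMPLE_LOG = r"""
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [emmfvbyh] c:\documents and settings\networkservice\local settings\application data\sipoxtwbr\niwxocltssd.exe
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mASetup: {4925B664-BDFA-4E68-B325-EC00937E8110} - rundll32 vecrits93.dll,laspi
"""

# Reasons reported for a flagged line.
LOCAL_PROXY = "proxy server points at the local machine"
SERVICE_PROFILE_AUTORUN = "autorun launches from a service-account profile"
UNQUALIFIED_RUNDLL = "Active Setup runs rundll32 on a DLL given without a path"
ORPHANED_ENTRY = "registry entry whose file is missing (No File)"

# Line shapes used by the DDS Pseudo HJT section (u/m/d = user/machine/default hive).
PROXY_RE = re.compile(r"^[umd]Internet Settings,ProxyServer = (?P<proxy>.+)$")
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
ASETUP_RE = re.compile(r"^mASetup: \{[^}]+\} - (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+\"?(?P<dll>[^\s,\"]+)", re.IGNORECASE)
NOFILE_RE = re.compile(r"^(?:BHO|TB|EB|uURLSearchHooks|mURLSearchHooks): .*- No File$")


@dataclass
class Finding:
    line: str
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Return the lines that match one of the editor's heuristics, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # 1. Browser traffic relayed through a process on the same box.
        m = PROXY_RE.match(line)
        if m:
            if re.search(r"127\.0\.0\.1|localhost", m.group("proxy"), re.IGNORECASE):
                findings.append(Finding(line, LOCAL_PROXY))
            continue

        # 2. Run/RunOnce entry whose target lives in a service account's profile;
        #    nothing a user installs should be started from there.
        m = RUN_RE.match(line)
        if m:
            target = m.group("cmd").lower()
            if "\\networkservice\\" in target or "\\localservice\\" in target:
                findings.append(Finding(line, SERVICE_PROFILE_AUTORUN))
            continue

        # 3. Active Setup (mASetup) entry calling rundll32 on a bare DLL name,
        #    so the DLL is resolved through the search path rather than a fixed location.
        m = ASETUP_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group("cmd"))
            if r and not re.search(r"[\\/]", r.group("dll")):
                findings.append(Finding(line, UNQUALIFIED_RUNDLL))
            continue

        # 4. Leftover BHO/toolbar/URL-hook entries with no file on disk (low severity).
        if NOFILE_RE.match(line):
            findings.append(Finding(line, ORPHANED_ENTRY))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

The "No File" hits are housekeeping; the other three reasons are the ones worth raising with whoever is analysing the log.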

Hi kqo:

Please download MBRCheck.exe to your desktop.

  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.

Please include the following in your next post:

  • MBRCheck log

Thanks again for all your help. Below you will find the results of the MBRCheck log. I also wanted to know if you know what this Trojan horse is set up to do? What can it do to a system?

MBRCheck log

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000013d

Kernel Drivers (total 181):

Processes (total 51):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: IC35L060AVV207-0, Rev: V22OA66A

PhysicalDrive1 Model Number: WDCWD400BB-00JHC0, Rev: 05.01C05

Size Device Name MBR Status

--------------------------------------------

37 GB \\.\PhysicalDrive0 Unknown MBR code

SHA1: 4C8B6466C132CB19D9FCADF546658F91EF74A4AF

37 GB \\.\PhysicalDrive1 Unknown MBR code

SHA1: 92C5695D992875F015709B7366DD39EB9AE179E0

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!


kqo:

You are infected with a Rootkit. I recommend that you limit your online activity until we have your system clean and change all your passwords from a different, clean computer.

Click Start > Run or Press Windows Key + R and copy/paste the following single-line command into the Run box and click OK:

"%userprofile%\Desktop\MBRCheck.exe" -s 0 -d mbrdump.dat

This will place a file named mbrdump.dat on your desktop. Zip the mbrdump.dat file and add it as an attachment to your next reply.

Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:

  • ComboFix log
  • Zip and attach the mbrdump.dat file

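The MBRCheck command above dumps the boot sector so the "Unknown MBR code" verdict can be checked by hand rather than taken on trust: "unknown" only means the boot code's hash is not on the tool's list of known codes, and an OEM recovery loader or a third-party boot manager shows up the same way as a bootkit. As an added example (not the thread's own or MBRCheck's code), the Python below parses such a dump, assuming it is a raw 512-byte copy of sector 0 (an assumption: the thread does not document the dump format). It hashes the 440-byte boot-code region with SHA-1, stopping before the 4-byte Windows disk signature at offset 440 so the same code on two disks hashes identically (the 440-byte cut is the example's choice), lists the partition table, and prints the same "Unknown MBR code" wording when the hash is not on a supplied known-good list. `SAMPLE_MBR` and the empty known-good list are constructed for the example.

```python
"""Parse a raw MBR sector and classify its boot code by SHA-1.

Added example for this thread; not MBRCheck's own code. Assumes the dump is a
raw 512-byte copy of sector 0 (an assumption: the dump format is not
documented in the thread).
"""
import hashlib
import struct
import sys
from typing import Dict, FrozenSet, List

SECTOR = 512
BOOTCODE_LEN = 440        # bytes 0-439: boot code; 440-443: Windows disk signature (example's choice)
PARTITION_TABLE = 446     # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"

# Constructed sample sector (not data from the thread): a 2-byte "jmp $" stub
# padded with NOPs, a disk signature, one active NTFS (0x07) partition of
# exactly 37 GiB starting at LBA 63, three empty entries, and 0x55AA.
SAMPLE_MBR = (
    b"\xeb\xfe" + b"\x90" * (BOOTCODE_LEN - 2)
    + b"\x12\x34\x56\x78" + b"\x00\x00"
    + struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 37 * 2**21)
    + bytes(16) * 3
    + BOOT_SIGNATURE
)


def bootcode_sha1(sector: bytes) -> str:
    """Hash only the code region so the per-disk signature does not change the result."""
    return hashlib.sha1(sector[:BOOTCODE_LEN]).hexdigest().upper()


def parse_mbr(sector: bytes) -> Dict:
    """Return boot signature status, disk signature, boot-code hash and partition table."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    partitions: List[Dict] = []
    for i in range(4):
        off = PARTITION_TABLE + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue                               # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": lba,
            "sectors": count,
            "size_gb": round(count * SECTOR / 2**30, 1),
        })
    notes: List[str] = []
    bootable = [p for p in partitions if p["bootable"]]
    if len(bootable) > 1:
        notes.append("more than one partition flagged bootable")
    if partitions and not bootable:
        notes.append("no bootable partition (normal for a data-only disk)")
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "bootcode_sha1": bootcode_sha1(sector),
        "partitions": partitions,
        "notes": notes,
    }


def classify(sector: bytes, known: FrozenSet[str]) -> str:
    """Same verdict shape as MBRCheck: the hash is on the known-good list or it is not."""
    return "Known MBR code" if bootcode_sha1(sector) in known else "Unknown MBR code"


def report(sector: bytes, known: FrozenSet[str] = frozenset()) -> str:
    info = parse_mbr(sector)
    lines = [f"SHA1: {info['bootcode_sha1']}  ({classify(sector, known)})",
             f"boot signature 0x55AA: {'ok' if info['signature_ok'] else 'MISSING'}",
             f"disk signature: {info['disk_signature']:08X}"]
    for p in info["partitions"]:
        lines.append(f"  part {p['index']}: type 0x{p['type']:02X} "
                     f"{'active' if p['bootable'] else 'inactive'} "
                     f"LBA {p['start_lba']} size {p['size_gb']} GB")
    lines.extend("  note: " + n for n in info["notes"])
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python mbr_parse.py mbrdump.dat   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else SAMPLE_MBR
    print(report(data))
```

Run it against the dump with a known-good set populated from a clean machine's sector 0 and the verdict becomes meaningful; with an empty set every disk is "unknown", which is exactly why the helper asks for the dump itself rather than acting on the one-word verdict.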

Hello - Thanks for the advice regarding password changes on a clean computer and limited on-line use until this problem is cleared up. I am only using the infected computer to carry out your suggestions right now.

I ran the MBRCheck.exe and it ran well and I did get a file back for that. When I ran Combofix I did have to install (or update) the Microsoft Recovery Console and that seemed to work. When I ran the Combofix it asked me to reboot at one point. I clicked OK. When it rebooted it stopped at the Windows XP (with the Windows logo) screen and did not move on. I am writing this from another clean computer. I read somewhere that the Microsoft file that my Trojan horse is in is involved with booting the machine and if the Windows file was removed then the machine would start the boot process but get into a loop and never finish the boot process. Could that be what has happened? I don't know whether to turn the machine off and try to reboot again or it may be that Combofix is working on something still and I should not disturb it. Since the machine did not reboot I cannot send you the ComboFix log or the mbrdump.dat file. I will leave the infected computer in this limbo state of mid-reboot until I hear back from you. Thanks again for your help.


It's hard to say right now what happened. If it is still hung shut it down and try to start it normally again. Let me know what happens.

Hello - good news, I forced a shut down and it rebooted normally. It then started to run Combofix again and rebooted itself and finished. Here is the ComboFix log and the zipped and attached mbrdump.dat file.

ComboFix 10-09-01.02 - Kevin 09/01/2010 21:36:27.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.401 [GMT -4:00]

Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\system32\fsc.txt

c:\windows\system32\ide.txt

c:\windows\system32\klgd.bmp

c:\windows\system32\lrg.txt

c:\windows\system32\Process.exe

c:\windows\system32\qks.txt

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\xef.txt

----- BITS: Possible infected sites -----

hxxp://dsgfopllllc.com

Infected copy of c:\windows\system32\drivers\toside.sys was found and disinfected

Restored copy from - Kitty had a snack ;)

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Service_6to4

((((((((((((((((((((((((( Files Created from 2010-08-02 to 2010-09-02 )))))))))))))))))))))))))))))))

.

2010-08-22 20:47 . 2010-08-22 20:47 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\AVG Security Toolbar

2010-08-19 01:27 . 2010-08-19 01:27 578560 ----a-w- c:\windows\system32\dllcache\user32.dll

2010-08-19 01:12 . 2010-08-19 01:12 -------- d-----w- c:\windows\ERUNT

2010-08-19 01:01 . 2010-08-19 01:57 -------- d-----w- C:\SDFix

2010-08-17 01:44 . 2010-08-17 01:44 -------- d-----w- c:\program files\Common Files\Java

2010-08-16 23:40 . 2010-08-16 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-08-15 20:58 . 2010-08-15 20:58 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\Threat Expert

2010-08-10 23:36 . 2010-08-11 02:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\sipoxtwbr

2010-08-10 22:14 . 2010-08-10 22:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-08-10 04:08 . 2010-08-10 04:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2010-08-07 20:02 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-02 01:12 . 2008-10-22 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-09-01 00:00 . 2010-02-20 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM

2010-08-17 01:43 . 2009-04-02 00:56 -------- d-----w- c:\program files\Java

2010-08-15 21:20 . 2008-10-12 01:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-10 22:08 . 2010-07-22 00:03 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-06 01:07 . 2010-08-06 01:07 61440 ----a-w- c:\documents and settings\Kevin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-42c02ba5-n\decora-sse.dll

2010-08-06 01:07 . 2010-08-06 01:07 503808 ----a-w- c:\documents and settings\Kevin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-20f472a9-n\msvcp71.dll

2010-08-06 01:07 . 2010-08-06 01:07 499712 ----a-w- c:\documents and settings\Kevin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-20f472a9-n\jmc.dll

2010-08-06 01:07 . 2010-08-06 01:07 348160 ----a-w- c:\documents and settings\Kevin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-20f472a9-n\msvcr71.dll

2010-08-06 01:07 . 2010-08-06 01:07 12800 ----a-w- c:\documents and settings\Kevin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-42c02ba5-n\decora-d3d.dll

2010-07-24 15:18 . 2009-12-28 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-07-17 09:00 . 2010-05-02 19:37 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-15 21:33 . 2009-03-31 12:17 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-15 21:33 . 2010-07-15 21:33 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-15 21:29 . 2009-03-31 12:17 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-07-10 19:29 . 2010-07-10 19:29 -------- d-----w- c:\program files\MSECache

2010-06-14 14:31 . 2002-09-23 20:31 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe

2007-07-31 03:09 . 2007-07-31 03:07 709 ----a-w- c:\program files\GoogleEarthWin.lnk

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-04-19 14:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"Google Update"="c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-07 133104]

"SansaDispatch"="c:\documents and settings\Kevin\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-10-17 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]

"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 380416]

"PROMon.exe"="PROMon.exe" [2002-04-19 73728]

"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]

"Tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2001-11-07 1519616]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-09-26 114741]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]

"Belkin Storage Manager"="c:\program files\Belkin Storage Manager\StorageManager.exe" [2009-02-03 858624]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Lotus Organizer EasyClip.lnk - c:\lotus\organize\easyclip.exe [2001-7-25 87040]

Lotus QuickStart.lnk - c:\lotus\wordpro\ltsstart.exe [2001-8-14 32768]

Lotus SmartCenter.lnk - c:\lotus\smartctr\SMARTCTR.EXE [2000-4-25 203776]

Lotus SuiteStart.lnk - c:\lotus\smartctr\SUITEST.EXE [1999-4-23 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-15 21:33 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Aim\\aim.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Belkin Storage Manager\\StorageManager.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Documents and Settings\\Kevin\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/31/2009 8:17 AM 216400]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/31/2009 8:17 AM 243024]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 5:33 PM 308136]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 10:10 PM 24652]

R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [7/16/2009 10:12 PM 30560]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/14/2009 9:16 PM 135664]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [8/16/2010 7:40 PM 430152]

S3 mam4410c;mam4410c;c:\windows\system32\drivers\mam4410c.sys [7/24/2008 9:48 PM 24784]

S3 mam4410m;mam4410m;c:\windows\system32\drivers\mam4410m.sys [7/24/2008 9:48 PM 25044]

S3 mam4410u;mam4410u;c:\windows\system32\drivers\mam4410u.sys [7/24/2008 9:48 PM 52309]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG

.

Contents of the 'Scheduled Tasks' folder

2010-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-09-02 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-22 01:16]

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-15 01:15]

2010-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-15 01:15]

2010-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2190338306-1287826478-770117635-1004Core.job

- c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-07 21:30]

2010-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2190338306-1287826478-770117635-1004UA.job

- c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-07 21:30]

2010-09-02 c:\windows\Tasks\User_Feed_Synchronization-{F8F429EE-AAD0-4A0F-8406-5DB952E464D5}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:6522

IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://consumerswh.2020.net/Core/Player/2020PlayerAX_Win32.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://137.123.216.127/activex/AMC.cab

FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\2mi4wheh.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

HKLM-Run-UC_SMB - (no file)

ActiveSetup-{4925B664-BDFA-4E68-B325-EC00937E8110} - vecrits93.dll

AddRemove-Free Sound Recorder_is1 - c:\program files\Free Sound Recorder\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-01 21:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SansaDispatch = c:\documents and settings\Kevin\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?=&platform=&is-debug=&rom-version=&part-number=&product-name=&content-class=common_conten

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3284)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Canon\IJPLM\IJPLMSVC.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft LifeCam\MSCamS32.exe

c:\windows\System32\NMSSvc.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\PROMon.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

.

**************************************************************************

.

Completion time: 2010-09-01 22:01:32 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-02 02:01

Pre-Run: 7,126,089,728 bytes free

Post-Run: 7,421,415,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - CB2F9F68204280DF11ADE457CCA8C4F9

mbrdump.zip


kqo:

Good! We made some progress there. Please do this now:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Folder::

Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\sipoxtwbr
DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • ComboFix log
  • MBAM log

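The CFScript above targets two findings from the first ComboFix run: the IE proxy pointed at 127.0.0.1:6522 (a process on the box was relaying the browser's HTTP traffic through itself) and the random-named folder under the NetworkService profile. As an added example, not ComboFix's or DDS's code, the Python below re-reads ComboFix/DDS-style log lines and flags those two indicators together with the BITS download site and the patched userinit.exe reported earlier. The sample lines are taken from the logs quoted in this thread plus one clean control line; the regexes, the 8-character threshold for a "random-looking" name and the severities are the example's own choices, and a directory such as LocalService\...\Adobe would not trip the rule because of its capital letter, which is a heuristic, not a guarantee.

```python
"""Flag indicators in ComboFix/DDS-style log lines.

Added example for this thread; not ComboFix's or DDS's code. The rules and
severities are the example's own choices.
"""
import re
from typing import List, Tuple

# Sample lines taken from the logs quoted in this thread, plus one clean
# control line (the Google Update Run entry) that must not be flagged.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
c:\documents and settings\NetworkService\Local Settings\Application Data\sipoxtwbr
----- BITS: Possible infected sites -----
hxxp://dsgfopllllc.com
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
"Google Update"="c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-07 133104]
"""

BITS_HEADER = "BITS: Possible infected sites"
# Proxy value of the form "http=127.0.0.1:6522" or a bare "127.0.0.1:6522".
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(127\.0\.0\.1|localhost|\[::1\]):(\d+)", re.I)
# Path is matched case-insensitively; the leaf name must be 8+ lowercase letters/digits.
SERVICE_PROFILE_DIR = re.compile(
    r"(?i:c:\\documents and settings\\(?:NetworkService|LocalService)"
    r"\\Local Settings\\Application Data)\\([a-z0-9]{8,})\s*$")
DEFANGED_URL = re.compile(r"\bhxxps?://([^\s/]+)", re.I)
DISINFECTED = re.compile(r"^Infected copy of (.+?) was found and disinfected", re.I)

Finding = Tuple[str, str]   # (severity, message)


def triage(log_text: str) -> List[Finding]:
    """Scan log lines and return (severity, message) findings in log order."""
    findings: List[Finding] = []
    in_bits = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_bits = False
            continue
        if BITS_HEADER in line:
            in_bits = True                  # the site list follows on the next lines
            continue
        if in_bits:
            m = DEFANGED_URL.search(line)
            if m:
                findings.append(("high", f"BITS job fetching from {m.group(1)}"))
                continue
            in_bits = False                 # section ended
        m = LOOPBACK_PROXY.search(line)
        if m:
            findings.append(("high", f"browser proxy set to loopback {m.group(1)}:{m.group(2)}; "
                                     "a local process is relaying HTTP"))
            continue
        m = SERVICE_PROFILE_DIR.search(line)
        if m:
            findings.append(("medium", f"random-looking directory {m.group(1)!r} "
                                       "under a service-account profile"))
            continue
        m = DISINFECTED.search(line)
        if m:
            path = m.group(1)
            # A patched logon binary or driver is a persistence point, not just a dropped file.
            sev = "high" if path.lower().endswith(("userinit.exe", ".sys")) else "medium"
            findings.append((sev, f"patched system file restored: {path}; "
                                  "verify its hash against a known-good copy"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```

On the live machine the same two checks are the ProxyServer/ProxyEnable values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings and the Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which on XP should name only C:\WINDOWS\system32\userinit.exe; the restored userinit.exe is worth re-hashing against the ServicePackFiles copy ComboFix took it from, since the earlier log shows the restore happened once already and the drive also reported unknown MBR code.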

I think you did it, I hope so. Here is the ComboFix log and the MBAM log:

ComboFix log

ComboFix 10-09-01.04 - Kevin 09/02/2010 21:08:28.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.497 [GMT -4:00]

Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Kevin\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\NetworkService\Local Settings\Application Data\sipoxtwbr

.

((((((((((((((((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))))))))))))))))))))))

.

2010-09-03 00:35 . 2010-09-03 00:35 -------- d-----w- c:\windows\LastGood

2010-08-22 20:47 . 2010-08-22 20:47 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\AVG Security Toolbar

2010-08-19 01:27 . 2010-08-19 01:27 578560 ----a-w- c:\windows\system32\dllcache\user32.dll

2010-08-19 01:12 . 2010-08-19 01:12 -------- d-----w- c:\windows\ERUNT

2010-08-19 01:01 . 2010-08-19 01:57 -------- d-----w- C:\SDFix

2010-08-19 00:53 . 2010-04-19 14:25 2117704 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll

2010-08-17 01:44 . 2010-08-17 01:44 -------- d-----w- c:\program files\Common Files\Java

2010-08-16 23:40 . 2010-08-16 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-08-15 20:58 . 2010-08-15 20:58 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\Threat Expert

2010-08-10 22:14 . 2010-08-10 22:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-08-10 04:08 . 2010-08-10 04:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2010-08-07 20:02 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe

2010-08-06 01:07 . 2010-08-06 01:07 61440 ----a-w- c:\documents and settings\Kevin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-42c02ba5-n\decora-sse.dll

2010-08-06 01:07 . 2010-08-06 01:07 503808 ----a-w- c:\documents and settings\Kevin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-20f472a9-n\msvcp71.dll

2010-08-06 01:07 . 2010-08-06 01:07 499712 ----a-w- c:\documents and settings\Kevin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-20f472a9-n\jmc.dll

2010-08-06 01:07 . 2010-08-06 01:07 348160 ----a-w- c:\documents and settings\Kevin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-20f472a9-n\msvcr71.dll

2010-08-06 01:07 . 2010-08-06 01:07 12800 ----a-w- c:\documents and settings\Kevin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-42c02ba5-n\decora-d3d.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-02 01:12 . 2008-10-22 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-09-01 00:00 . 2010-02-20 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM

2010-08-17 01:43 . 2009-04-02 00:56 -------- d-----w- c:\program files\Java

2010-08-15 21:20 . 2008-10-12 01:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-10 22:08 . 2010-07-22 00:03 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-24 15:18 . 2009-12-28 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-07-17 09:00 . 2010-05-02 19:37 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-15 21:33 . 2009-03-31 12:17 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-15 21:33 . 2010-07-15 21:33 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-15 21:29 . 2009-03-31 12:17 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-07-10 19:29 . 2010-07-10 19:29 -------- d-----w- c:\program files\MSECache

2010-06-14 14:31 . 2002-09-23 20:31 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe

2007-07-31 03:09 . 2007-07-31 03:07 709 ----a-w- c:\program files\GoogleEarthWin.lnk

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-04-19 14:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"Google Update"="c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-07 133104]

"SansaDispatch"="c:\documents and settings\Kevin\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-10-17 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]

"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 380416]

"PROMon.exe"="PROMon.exe" [2002-04-19 73728]

"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]

"Tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2001-11-07 1519616]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-09-26 114741]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]

"Belkin Storage Manager"="c:\program files\Belkin Storage Manager\StorageManager.exe" [2009-02-03 858624]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Lotus Organizer EasyClip.lnk - c:\lotus\organize\easyclip.exe [2001-7-25 87040]

Lotus QuickStart.lnk - c:\lotus\wordpro\ltsstart.exe [2001-8-14 32768]

Lotus SmartCenter.lnk - c:\lotus\smartctr\SMARTCTR.EXE [2000-4-25 203776]

Lotus SuiteStart.lnk - c:\lotus\smartctr\SUITEST.EXE [1999-4-23 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-15 21:33 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Aim\\aim.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Belkin Storage Manager\\StorageManager.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Documents and Settings\\Kevin\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/31/2009 8:17 AM 216400]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/31/2009 8:17 AM 243024]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 5:33 PM 308136]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 10:10 PM 24652]

R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [7/16/2009 10:12 PM 30560]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/14/2009 9:16 PM 135664]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [8/16/2010 7:40 PM 430152]

S3 mam4410c;mam4410c;c:\windows\system32\drivers\mam4410c.sys [7/24/2008 9:48 PM 24784]

S3 mam4410m;mam4410m;c:\windows\system32\drivers\mam4410m.sys [7/24/2008 9:48 PM 25044]

S3 mam4410u;mam4410u;c:\windows\system32\drivers\mam4410u.sys [7/24/2008 9:48 PM 52309]

.

Contents of the 'Scheduled Tasks' folder

2010-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-09-02 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-22 01:16]

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-15 01:15]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-15 01:15]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2190338306-1287826478-770117635-1004Core.job

- c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-07 21:30]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2190338306-1287826478-770117635-1004UA.job

- c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-07 21:30]

2010-09-03 c:\windows\Tasks\User_Feed_Synchronization-{F8F429EE-AAD0-4A0F-8406-5DB952E464D5}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://consumerswh.2020.net/Core/Player/2020PlayerAX_Win32.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://137.123.216.127/activex/AMC.cab

FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\2mi4wheh.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-02 21:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SansaDispatch = c:\documents and settings\Kevin\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?=&platform=&is-debug=&rom-version=&part-number=&product-name=&content-class=common_conten

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4088)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-09-02 21:24:23

ComboFix-quarantined-files.txt 2010-09-03 01:24

ComboFix2.txt 2010-09-02 02:01

Pre-Run: 6,987,243,520 bytes free

Post-Run: 6,957,051,904 bytes free

- - End Of File - - 9F4A721D7EA163BA98528A45CFE3A354

MBAM log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4532

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/2/2010 9:42:03 PM

mbam-log-2010-09-02 (21-42-03).txt

Scan type: Quick scan

Objects scanned: 146923

Time elapsed: 9 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


kqo:

Please run this for me now:

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

Please include the following in your next post:

  • Kaspersky log

Thanks again for your help. I thought we were out of the woods but I guess not, since this Kaspersky scan found the computer to still be infected. Just as an FYI, it did take a very long time to start up Firefox and get to the Malwarebytes forum, so I guess whatever the infection is, it must be causing the system to run very slowly. Is this the real name of the virus that is in the system - Virus.Win32.TDSS.b? I also find it strange that although nothing is running right now I can hear the hard drive running and the hard drive indicator light on the front of the tower is blinking away.

Here is the Kaspersky log:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Saturday, September 4, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Friday, September 03, 2010 20:49:13

Records in database: 4187474

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

Scan statistics:

Objects scanned: 130123

Threats found: 1

Infected objects found: 2

Suspicious objects found: 0

Scan duration: 05:03:29

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\toside.sys.vir Infected: Virus.Win32.TDSS.b 1

C:\System Volume Information\_restore{E7276E57-4F79-409F-B1A4-3D382C476E72}\RP3\A0003524.sys Infected: Virus.Win32.TDSS.b 1

Selected area has been scanned.


kqo:

Please run this for me now:

Those Kaspersky detections were harmless. They were in the ComboFix quarantine and your System Restore cache; both of which get emptied when we uninstall ComboFix.

Yes, your primary infection was a variant of the TDSS rootkit. As far as your computer working with nothing running, it could be doing a background task like checking for software updates, a defrag, etc.

All I have left for you to do are a security update and some very important cleanup:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version.

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:

  • DDS
  • GMER
  • Rootkit Unhooker
  • MBRCheck

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application current and updated. Also, hang on to MBAM. Scan with them at least weekly.
  • Please visit our General Computer Security Forum and review this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!


Well I can't thank you enough for your help. You did a terrific job and I really thank you for sticking with me to clean this up.

Question about TFC: is that a program that I should keep around and run every so often to clean out the temp files? It dropped 445 Mb's for me with this run.

At what point did you get rid of the Virus that was on my computer? Which step took it away?

I was going to ask you where you think the virus came from or how it got into my computer but I have a feeling after I read all of the info from, "PC Safety and Security--What Do I Need?" I will get the answer. I printed it out and will read the whole article after I finish this post. I scanned the article and saw it said to move away from Internet Explorer due to Active X. I will be using Chrome or Firefox going forward.

As you suggested I turned back on AVG, my system runs a scan each day. I have used Spybot and Malwarebytes in the past and now will run them more frequently.

I deleted all the programs and logs we collected along this journey, except TFC; I hope you will agree that that one is a good program to keep around and use once in a while. I also updated Adobe.

Once again thanks, you were a tremendous help,

KGO


kqo:

You're very welcome. I'm glad we were able to help.

TFC is fine to hang onto and run occasionally - I run it monthly.

The first ComboFix run mitigated the worst of the worst of the infection. The second ComboFix run mopped up some remaining junk. Everything else was diagnostic or precautionary. Sometimes it's obvious, but in your case it's tough to say exactly when or how you became infected.

Thanks again for the kind words. I'll leave the thread open for a day or so in case you have any other questions. Take care.


This topic is now closed to further replies.