Alureon.h, Patched, Adware


Here are logs I could get. GMER would not run for me, would just stall then "GMER has encountered an error and needs to close, etc."

I also cannot zip the attach.txt file. I am using Windows XP but when I right-click the only send-to options I have are my d: and F: drives.

Thanks in advance.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Sandy Sowder at 19:28:51.84 on Wed 09/08/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.353 [GMT -6:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\AVG\AVG9\avgfws9.exe

C:\WINDOWS\system32\CSHelper.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe

C:\Program Files\AVG\AVG9\avgam.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Cricket\Cricket Broadband 1.0\Cricket Broadband.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Sandy Sowder\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uSearch Page =

uSearch Bar =

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [{B49210BE-308D-2C95-3A65-20CC89FB8741}] "c:\documents and settings\sandy sowder\application data\yxev\ysex.exe"

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {1F1F34A1-F539-434A-AEBA-D7CB7FA839F1} = 172.28.221.53 172.28.221.54

Handler: AutorunsDisabled\cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxdev.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

LSA: Authentication Packages = msv1_0 wvauth

mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-8-20 25168]

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-8-20 52872]

R0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys [2009-11-10 24192]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-8-20 216400]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-8-20 29584]

R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-8-20 243024]

R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2009-11-10 15360]

R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-8-20 308136]

R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-8-20 2331032]

R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-8-20 5897808]

R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-4-26 266240]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-7-9 88176]

R3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\drivers\ATMFBUS.sys [2010-2-19 47360]

R3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\drivers\ATMFCVsp.sys [2010-2-19 153600]

R3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\drivers\ATMFMdm.sys [2010-2-19 153472]

R3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\drivers\ATMFNET.sys [2010-2-19 103424]

R3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\drivers\ATMFNVsp.sys [2010-2-19 153600]

R3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\drivers\ATMFVsp.sys [2010-2-19 153472]

R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-8-20 30104]

R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-8-20 122448]

R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-8-20 30288]

R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-8-20 26192]

R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2009-11-10 9088]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-15 133104]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 ATMFFLT;A600 USB Modem Installation CD;c:\windows\system32\drivers\ATMFFLT.sys [2010-2-19 13312]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-8-20 30104]

S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys [2009-11-10 9088]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-11 14336]

S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2010-3-25 120232]

=============== Created Last 30 ================

2010-09-09 01:27:17 0 ----a-w- c:\documents and settings\sandy sowder\defogger_reenable

2010-09-08 15:26:39 42112 ----a-w- c:\windows\system32\drivers\tozwrkeo.sys

2010-09-08 04:57:29 42112 ----a-w- c:\windows\system32\drivers\cnerjpph.sys

2010-09-08 03:35:44 0 d-----w- c:\windows\system32\MpEngineStore

2010-09-01 01:13:14 0 d-----w- c:\docume~1\sandys~1\applic~1\Malwarebytes

2010-09-01 01:13:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-01 01:13:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-01 01:13:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-01 01:13:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-08-31 20:42:00 37458 ----a-w- c:\windows\system32\nvzw

2010-08-30 05:25:57 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-22 21:50:01 0 d-----w- c:\docume~1\sandys~1\applic~1\AVG9

2010-08-20 19:40:24 0 d--h--w- C:\$AVG

2010-08-20 19:33:49 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-08-20 19:33:48 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-08-20 19:33:35 0 d-----w- c:\windows\system32\drivers\Avg

2010-08-20 19:32:01 25168 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys

2010-08-20 19:32:00 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2010-08-20 19:31:57 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-08-20 19:30:05 0 d-----w- c:\program files\AVG

2010-08-20 19:29:31 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-08-20 19:19:57 50968 ----a-w- c:\windows\system32\avgfwdx.dll

2010-08-20 19:19:57 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys

2010-08-16 09:43:11 0 d-----w- c:\program files\Ask.com

2010-08-16 09:42:19 0 d-----w- c:\docume~1\sandys~1\applic~1\CocoonSoftware

2010-08-16 09:42:08 0 d-----w- c:\program files\QuickMediaConverter

2010-08-16 07:31:16 0 d-----w- c:\docume~1\sandys~1\applic~1\MSNInstaller

==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll

2010-06-24 23:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll

2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll

2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll

2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll

2010-06-24 12:22:01 206848 ------w- c:\windows\system32\dllcache\occache.dll

2010-06-24 12:21:59 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll

2010-06-24 12:21:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll

2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll

2010-06-24 12:21:58 184320 ------w- c:\windows\system32\dllcache\iepeers.dll

2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll

2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys

2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys

2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll

2009-11-10 00:30:13 682896 -c--a-w- c:\program files\StumbleUpon.exe

2009-10-21 00:07:48 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009102020091021\index.dat

============= FINISH: 19:30:30.48 ===============

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 12/28/2006 1:10:54 PM

System Uptime: 9/8/2010 7:05:28 PM (0 hours ago)

Motherboard: Dell Inc. | | 0TD761

Processor: Genuine Intel® CPU T2400 @ 1.83GHz | Microprocessor | 1828/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 59.673 GiB free.

D: is CDROM ()

E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 8/29/2010 9:27:47 PM - System Checkpoint

RP2: 8/31/2010 1:27:05 AM - Software Distribution Service 3.0

RP3: 9/1/2010 3:16:39 PM - System Checkpoint

RP4: 9/2/2010 3:49:39 PM - System Checkpoint

RP5: 9/4/2010 3:57:54 PM - System Checkpoint

RP6: 9/5/2010 7:21:04 PM - System Checkpoint

RP7: 9/6/2010 8:33:54 PM - System Checkpoint

RP8: 9/7/2010 9:15:40 PM - System Checkpoint

RP9: 9/8/2010 12:00:10 AM - Software Distribution Service 3.0

==== Installed Programs ======================

32 Bit HP CIO Components Installer

Actiontec Gateway

Adobe AIR

Adobe Download Manager

Adobe Flash Player 10 ActiveX

Adobe Reader 9.2

Adobe Shockwave Player 11.5

ALPS Touch Pad Driver

AOLIcon

Apple Software Update

Ask Toolbar

AVG 9.0

Bonjour

Broadcom Advanced Control Suite

Broadcom TPM Driver Installer

BufferChm

CCScore

Chinese Solitaire 1.20

Conexant HDA D110 MDC V.92 Modem

Copy

Coupon Printer for Windows

CP_Package_Variety1

CP_Package_Variety2

CP_Package_Variety3

Cricket Broadband 1.0

Cricket EVDO Modem

Dell Embassy Trust Suite by Wave Systems

Dell Support 3.2.1

Dell Wireless WLAN Card

Destination Component

DeviceDiscovery

DeviceFunctionQFolder

Digital Line Detect

DivX Setup

DocProc

Document Manager Lite

DocumentViewer

DocumentViewerQFolder

EMBASSY Security Center

EMBASSY Trust Suite by Wave Systems

ESSBrwr

ESSCDBK

ESScore

ESSgui

ESShelp

ESSini

ESSPCD

ESSPDock

ESSSONIC

ESSTOOLS

essvatgt

essvcpt

ETS Launch Pad

ETS Upgrade

Google Earth

Google Update Helper

High Definition Audio Driver Package - KB835221

HijackThis 2.0.2

HLPPDOCK

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP Document Viewer 5.3

HP Imaging Device Functions 9.0

hp LaserJet 2300 Uninstaller

HP Photosmart Essential 2.01

HP Photosmart Essential2.01

HP Product Detection

HP Smart Web Printing

HP Software Update

HP Solution Center 9.0

HP Update

HPProductAssistant

HPSSupply

Intel® Graphics Media Accelerator Driver

iTunes

J2SE Runtime Environment 5.0 Update 6

Java 6 Update 2

Keynote Connector

kgcbaby

kgcbase

kgchday

kgchlwn

kgcinvt

kgckids

kgcmove

kgcvday

Kodak EasyShare software

KSU

Learn2 Player (Uninstall Only)

Malwarebytes' Anti-Malware

MarketResearch

McAfee SiteAdvisor

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

Microsoft National Language Support Downlevel APIs

Microsoft Office XP Media Content

Microsoft Office XP Professional

Microsoft Publisher 2002

Microsoft Silverlight

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Modem Helper

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

NetWaiting

Nielsen//NetRatings

Notifier

NTRU Hybrid TSS v2.0.25

OfotoXMI

OGA Notifier 2.0.0048.0

OTtBP

OTtBPSDK

PanoStandAlone

PowerDVD 5.7

Preboot Manager

Private Information Manager

PSSWCORE

QMC

QuickBooks Pro 2007

QuickBooks Product Listing Service

QuickConnect

QuickLink Mobile

QuickSet

QuickTime

Qwest eChat Support Tools

RealPlayer Basic

Rhapsody

Rhapsody Player Engine

ScannerCopy

Secure Update

Security Update for CAPICOM (KB931906)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Wizards

SFR

SHASTA

SKIN0001

SKINXSDK

SolutionCenter

staticcr

Status

StumbleUpon IE Toolbar

SupportSoft Assisted Service

TrayApp

Unload

UnloadSupport

Update for Windows Internet Explorer 7 (KB976749)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB978506)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

upekmsi

VC80CRTRedist - 8.0.50727.4053

VideoToolkit01

Viewpoint Media Player

VLC media player 1.0.1

VPRINTOL

Wave Infrastructure Installer

Wave Support Software

WebFldrs XP

Windows Defender

Windows Genuine Advantage Notifications (KB905474)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows XP Service Pack 3

WIRELESS

Yahoo! BrowserPlus 2.8.1

Yahoo! Messenger

Yahoo! Search Protection

Yahoo! Software Update

Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

9/8/2010 9:38:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402

9/8/2010 8:38:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402

9/8/2010 7:38:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402

9/8/2010 6:38:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402

9/8/2010 6:38:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402

9/8/2010 5:38:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402

9/8/2010 5:38:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402

9/8/2010 4:38:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402

9/8/2010 4:38:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402

9/8/2010 3:38:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402

9/8/2010 3:38:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402

9/8/2010 2:38:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402

9/8/2010 2:38:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402

9/8/2010 12:38:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402

9/8/2010 12:38:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402

9/8/2010 12:16:07 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8024002d: Office XP Service Pack 3.

9/8/2010 11:38:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402

9/8/2010 10:38:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402

9/8/2010 1:38:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402

9/8/2010 1:38:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402

9/7/2010 9:38:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: General access denied error

9/7/2010 8:38:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: General access denied error

9/7/2010 7:38:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: General access denied error

9/7/2010 6:38:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: General access denied error

9/7/2010 11:38:01 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402

9/7/2010 10:38:01 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: General access denied error

9/2/2010 6:37:17 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.

9/2/2010 12:06:33 AM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.

9/2/2010 12:06:26 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

9/2/2010 12:06:26 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

9/1/2010 2:19:36 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'winlogon.exe' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

==== End Of File ===========================

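Added example, not from this thread or from the DDS tool: a small Python triage script that pulls out of DDS output the three things a helper would circle in the log above, a startup entry launched from Application Data, an LSA authentication package beyond XP's stock one, and recently created drivers with random eight-letter names that share a byte size. The sample lines are copied from the posted log; the regexes and heuristics are my assumptions about the DDS line format and are not part of DDS.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log posted above, in the
# shape DDS prints them (autorun entries, the LSA line, "Created Last 30"
# driver entries). The script accepts a full DDS.txt as well.
SAMPLE_DDS = "\n".join([
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r'uRun: [{B49210BE-308D-2C95-3A65-20CC89FB8741}] "c:\documents and settings\sandy sowder\application data\yxev\ysex.exe"',
    r"LSA: Authentication Packages = msv1_0 wvauth",
    r"2010-09-08 15:26:39 42112 ----a-w- c:\windows\system32\drivers\tozwrkeo.sys",
    r"2010-09-08 04:57:29 42112 ----a-w- c:\windows\system32\drivers\cnerjpph.sys",
    r"2010-09-01 01:13:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys",
    r"2010-08-20 19:33:48 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys",
])

# uRun/mRun entries: [key] path, with the path optionally quoted (assumed format).
AUTORUN_RE = re.compile(r'^[um]Run:\s+\[(?P<key>[^\]]*)\]\s+"?(?P<path>[^"]+?)"?\s*$', re.I)
LSA_RE = re.compile(r'^LSA:\s+Authentication Packages\s*=\s*(?P<pkgs>.+?)\s*$', re.I)
# "Created Last 30" lines: timestamp, byte size, attribute flags, path (assumed format).
CREATED_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?P<size>\d+)\s+\S+\s+'
    r'.*\\drivers\\(?P<file>[^\\]+\.sys)\s*$', re.I)

# Heuristic 1: a startup entry that launches from a per-user profile folder.
# Legitimate XP autoruns nearly always live under Program Files or Windows.
PROFILE_DIR_RE = re.compile(r'\\(application data|local settings|appdata|temp)\\', re.I)
# Heuristic 2: XP's only stock LSA authentication package is msv1_0; any other
# name is a review item (a vendor package, or a credential-stealing hook).
DEFAULT_LSA = {'msv1_0'}
# Heuristic 3: a freshly created driver named with eight lowercase letters and
# no recognisable vendor prefix, the naming pattern seen twice in the log.
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}$')


def triage_dds(text):
    """Return the DDS lines worth a human's attention, grouped by heuristic."""
    findings = {'autoruns': [], 'lsa_packages': [], 'random_drivers': []}
    size_groups = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = AUTORUN_RE.match(line)
        if m:
            if PROFILE_DIR_RE.search(m['path']):
                findings['autoruns'].append(line)
            continue
        m = LSA_RE.match(line)
        if m:
            findings['lsa_packages'].extend(
                p for p in m['pkgs'].split() if p.lower() not in DEFAULT_LSA)
            continue
        m = CREATED_RE.match(line)
        if m:
            name = m['file'].lower()
            if RANDOM_NAME_RE.match(name[:-len('.sys')]):
                findings['random_drivers'].append(name)
                size_groups[int(m['size'])].append(name)
    # Two random-named drivers of identical size dropped at different times is
    # a stronger signal than either name alone: the same payload re-dropped.
    findings['shared_sizes'] = {s: n for s, n in size_groups.items() if len(n) > 1}
    return findings


if __name__ == '__main__':
    for category, hits in triage_dds(SAMPLE_DDS).items():
        print(f'{category}: {hits}')
```

The LSA hit is a review item rather than a verdict: wvauth may belong to the Wave Systems software listed under Installed Programs, which is exactly why the output goes to a helper before anything is deleted.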
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run; once it is finished, move on to the next step.

Download TDSSKiller and save it to your Desktop.

  • Make sure all other windows are closed and let it run uninterrupted.
  • Extract the file and run it.
  • Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date)
  • Reboot your machine and see if the infection is gone
  • Please post the contents of the TDSSKiller log and the GooredFix log.


I rebooted but I am not sure how you want me to check and see if the infection is gone, so I ran my AVG again. It is showing the trojan horse Adload_r.AKC.

Here are the logs from the last two programs run:

GooredFix by jpshortstuff (03.07.10.1)

Log created at 13:28 on 14/09/2010 (Sandy Sowder)

Firefox version [unable to determine]

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [07:39 09/07/2010]

-=E.O.F=-

2010/09/14 14:01:39.0140 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44

2010/09/14 14:01:39.0140 ================================================================================

2010/09/14 14:01:39.0140 SystemInfo:

2010/09/14 14:01:39.0140

2010/09/14 14:01:39.0140 OS Version: 5.1.2600 ServicePack: 3.0

2010/09/14 14:01:39.0140 Product type: Workstation

2010/09/14 14:01:39.0140 ComputerName: MYLAPTOP

2010/09/14 14:01:39.0140 UserName: Sandy Sowder

2010/09/14 14:01:39.0140 Windows directory: C:\WINDOWS

2010/09/14 14:01:39.0140 System windows directory: C:\WINDOWS

2010/09/14 14:01:39.0140 Processor architecture: Intel x86

2010/09/14 14:01:39.0140 Number of processors: 2

2010/09/14 14:01:39.0140 Page size: 0x1000

2010/09/14 14:01:39.0140 Boot type: Normal boot

2010/09/14 14:01:39.0140 ================================================================================

2010/09/14 14:01:39.0406 Initialize success

Thanks so much for all your help. I am not noticing any change in my computer yet. I am not getting the google redirects. So that is a plus.


Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofix. Use copy/paste.

Also please describe how your computer behaves at the moment.


I dl'd combofix but I can't figure out how to turn off AVG. I even tried to uninstall and got an error message about unable to access registry? Sorry for my ignorance. How should I proceed? I am going to check with AVG to see if I can figure out why it won't uninstall unless I hear something different back from you. Thanks.


I uninstalled avg, ran combofix, which said it deleted one virus/malware. I now cannot get avg reloaded, (sheesh!) but I will continue to work on that. Is my next step to re-run avg and see if all viruses are deleted? The computer is booting faster, webpages are loading faster, no pop ups or redirects so far today. I ran combofix last night late. Thanks again for all your help and speedy replies.


I need to see the scan results from the Combofix scan.

It should be here: C:\combofix\ combofix.txt

Open that with Notepad and use copy / paste and post it here.

Sorry!!!!

ComboFix 10-09-15.01 - Sandy Sowder 09/16/2010 0:14.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.577 [GMT -6:00]

Running from: c:\documents and settings\Sandy Sowder\Desktop\ComboFix.exe

FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Sandy Sowder\Application Data\Ugabdo

c:\documents and settings\Sandy Sowder\Application Data\Ugabdo\owfi.pya

c:\documents and settings\Sandy Sowder\Local Settings\Application Data\Windows Server

c:\documents and settings\Sandy Sowder\Local Settings\Application Data\Windows Server\admin.txt

c:\documents and settings\Sandy Sowder\Local Settings\Application Data\Windows Server\flags.ini

c:\documents and settings\Sandy Sowder\Local Settings\Application Data\Windows Server\server.dat

c:\documents and settings\Sandy Sowder\Local Settings\Application Data\Windows Server\uses32.dat

c:\windows\$NtUninstallMTF1011$

c:\windows\a3kebook.ini

c:\windows\akebook.ini

c:\windows\ANS2000.INI

c:\windows\system32\AutoRun.inf

c:\windows\system32\fsc.txt

c:\windows\system32\ide.txt

c:\windows\system32\lpe.txt

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_MYWEBSEARCHSERVICE

-------\Service_6to4

((((((((((((((((((((((((( Files Created from 2010-08-16 to 2010-09-16 )))))))))))))))))))))))))))))))

.

2010-09-08 15:26 . 2010-09-08 15:26 42112 ----a-w- c:\windows\system32\drivers\tozwrkeo.sys

2010-09-08 04:57 . 2010-09-08 04:57 42112 ----a-w- c:\windows\system32\drivers\cnerjpph.sys

2010-09-08 03:35 . 2010-09-08 15:27 -------- d-----w- c:\windows\system32\MpEngineStore

2010-09-04 02:36 . 2010-09-04 02:36 -------- d-----w- c:\program files\NOS

2010-09-01 01:13 . 2010-09-01 01:13 -------- d-----w- c:\documents and settings\Sandy Sowder\Application Data\Malwarebytes

2010-09-01 01:13 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-01 01:13 . 2010-09-01 01:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-01 01:13 . 2010-09-01 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-01 01:13 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-30 05:34 . 2010-08-30 05:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2010-08-30 05:25 . 2010-09-14 17:58 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-22 21:52 . 2010-08-22 21:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-08-22 21:50 . 2010-08-22 21:50 -------- d-----w- c:\documents and settings\Sandy Sowder\Application Data\AVG9

2010-08-20 19:40 . 2010-08-20 19:40 -------- d-----w- C:\$AVG

2010-08-20 19:30 . 2010-08-20 19:30 -------- d-----w- c:\program files\AVG

2010-08-20 19:29 . 2010-09-16 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-16 05:39 . 2009-10-21 00:10 66392 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2010-09-16 03:33 . 2010-07-15 03:07 -------- d-----w- c:\documents and settings\Sandy Sowder\Application Data\vlc

2010-09-14 19:33 . 2004-08-04 05:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys

2010-09-08 05:13 . 2008-10-27 02:55 -------- d-----w- c:\documents and settings\Sandy Sowder\Application Data\Naym

2010-09-08 05:03 . 2007-02-19 02:51 -------- d-----w- c:\program files\QuickTime

2010-09-04 02:40 . 2010-09-04 02:36 2826192 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2010-09-04 02:36 . 2010-01-08 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-09-01 20:57 . 2006-12-28 21:35 7290 -c--a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys

2010-08-26 05:54 . 2010-07-09 07:39 -------- d-----w- c:\program files\McAfee

2010-08-20 20:01 . 2010-08-16 09:43 -------- d-----w- c:\program files\Ask.com

2010-08-16 09:43 . 2010-08-16 09:42 -------- d-----w- c:\program files\QuickMediaConverter

2010-08-16 09:42 . 2010-08-16 09:42 -------- d-----w- c:\documents and settings\Sandy Sowder\Application Data\CocoonSoftware

2010-08-16 09:25 . 2010-06-16 06:55 -------- d-----w- c:\documents and settings\Sandy Sowder\Application Data\DivX

2010-08-16 07:31 . 2010-08-16 07:31 -------- d-----w- c:\documents and settings\Sandy Sowder\Application Data\MSNInstaller

2010-08-16 07:26 . 2006-12-28 21:32 -------- d-----w- c:\program files\Google

2010-07-07 03:44 . 2010-07-07 03:44 2605008 ----a-w- c:\documents and settings\Sandy Sowder\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe

2010-06-30 12:31 . 2004-08-11 23:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2004-08-11 23:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2004-08-11 23:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2009-11-10 00:30 . 2009-11-10 00:29 682896 -c--a-w- c:\program files\StumbleUpon.exe

.

c:\program files\QuickTime\qttask .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"443:TCP"= 443:TCP:HTTPS

"21:TCP"= 21:TCP:FTP

R0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys [11/10/2009 10:11 PM 24192]

R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [11/10/2009 10:13 PM 15360]

R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [4/26/2010 1:19 AM 266240]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [7/9/2010 1:40 AM 88176]

R3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\drivers\ATMFBUS.sys [2/19/2010 6:46 PM 47360]

R3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\drivers\ATMFCVsp.sys [2/19/2010 6:46 PM 153600]

R3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\drivers\ATMFMdm.sys [2/19/2010 6:46 PM 153472]

R3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\drivers\ATMFNET.sys [2/19/2010 6:46 PM 103424]

R3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\drivers\ATMFNVsp.sys [2/19/2010 6:46 PM 153600]

R3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\drivers\ATMFVsp.sys [2/19/2010 6:46 PM 153472]

R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [11/10/2009 10:13 PM 9088]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/15/2009 11:31 AM 133104]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 ATMFFLT;A600 USB Modem Installation CD;c:\windows\system32\drivers\ATMFFLT.sys [2/19/2010 6:46 PM 13312]

S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]

S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys [11/10/2009 10:11 PM 9088]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/11/2004 5:00 PM 14336]

S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [3/25/2010 2:21 PM 120232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

2010-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-15 17:31]

2010-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-15 17:31]

2010-09-16 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 21:23]

2010-09-16 c:\windows\Tasks\User_Feed_Synchronization-{96D37F8A-FD12-4CAB-9FF8-3113A252EF96}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

SafeBoot-klmdb.sys

AddRemove-HijackThis - c:\documents and settings\Sandy Sowder\Desktop\HijackThis.exe

AddRemove-QuickLink Mobile - c:\progra~1\Cricket\QUICKL~1\UNWISE.EXE

AddRemove-{ABBA2EA4-740E-4052-902B-9CA70B081E3F} - c:\windows\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Installer.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-16 00:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2319827164-111905647-764882440-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(1084)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(2856)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

.

**************************************************************************

.

Completion time: 2010-09-16 00:24:32 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-16 06:24

Pre-Run: 64,481,562,624 bytes free

Post-Run: 64,732,508,160 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

- - End Of File - - 03946BB51E80334015BB3C44DDA9A97A


We need to have a look at some of the unknown files.

You'll also need to download Quicktime again if you use it as it was infected.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

File::
c:\program files\QuickTime\qttask .exe

Collect::
c:\windows\system32\drivers\tozwrkeo.sys
c:\windows\system32\drivers\cnerjpph.sys

Folder::
c:\program files\Ask.com
c:\program files\QuickTime

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...

CFScriptB-4.gif

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

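As an added example (not part of this thread and not ComboFix's own tooling), here is a small Python triage script that parses the "Files Created" / "Find3M" lines from a ComboFix log like the one posted above and flags the pattern behind the Collect:: request: a random-looking 8-letter driver name under system32\drivers whose size exactly matches a legitimate driver listed in the same log (tozwrkeo.sys and cnerjpph.sys are 42112 bytes, the same size as imapi.sys). The sample lines are copied from the posted log; the 8-letter-name heuristic and the size-twin rule are assumptions of this example, so any hit still needs a human to verify the file.

```python
"""Triage helper for ComboFix-style file listing lines.

Added example, not part of the thread and not ComboFix code. It parses
the "stamp . stamp size attrs path" lines ComboFix prints and flags
driver files that look like the two sent for collection above: an
8-letter lowercase name under system32\\drivers whose size matches a
legitimately named driver elsewhere in the same log. Patched-driver
rootkits commonly drop copies of a legitimate driver under a random
name, so identical sizes are a useful (but not conclusive) signal.
"""
import re
from collections import defaultdict

# Sample lines constructed from the ComboFix log posted in this thread.
SAMPLE_LOG = """\
2010-09-08 15:26 . 2010-09-08 15:26 42112 ----a-w- c:\\windows\\system32\\drivers\\tozwrkeo.sys
2010-09-08 04:57 . 2010-09-08 04:57 42112 ----a-w- c:\\windows\\system32\\drivers\\cnerjpph.sys
2010-09-08 03:35 . 2010-09-08 15:27 -------- d-----w- c:\\windows\\system32\\MpEngineStore
2010-09-01 01:13 . 2010-04-29 21:39 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2010-09-01 01:13 . 2010-04-29 21:39 20952 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2010-09-14 19:33 . 2004-08-04 05:00 42112 ----a-w- c:\\windows\\system32\\drivers\\imapi.sys
2010-06-21 15:27 . 2004-08-11 23:00 354304 ----a-w- c:\\windows\\system32\\drivers\\srv.sys
"""

# Two timestamps, a decimal size (or dashes for a directory), an attribute
# string such as ----a-w- or d-----w-, then the path (which may contain spaces).
LINE_RE = re.compile(
    r"^(?P<stamp1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<stamp2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Heuristic (assumption): exactly 8 lowercase letters, like tozwrkeo.sys.
RANDOM_DRIVER_RE = re.compile(r"^[a-z]{8}\.sys$")
DRIVERS_DIR = "\\system32\\drivers\\"


def parse_entries(text):
    """Return one dict per line that matches the ComboFix listing layout."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, lone dots and blank lines are skipped
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append({"stamp1": m["stamp1"], "stamp2": m["stamp2"],
                        "size": size, "attrs": m["attrs"],
                        "path": m["path"].lower()})
    return entries


def suspicious_drivers(entries):
    """Map each random-named driver to the legitimately named drivers in the
    same log that have exactly its size. Only files in system32\\drivers are
    considered; directories (size None) are ignored."""
    drivers = [e for e in entries
               if DRIVERS_DIR in e["path"] and e["size"] is not None]
    by_size = defaultdict(list)
    for e in drivers:
        by_size[e["size"]].append(e["path"])
    hits = {}
    for e in drivers:
        name = e["path"].rsplit("\\", 1)[-1]
        if not RANDOM_DRIVER_RE.match(name):
            continue
        twins = [p for p in by_size[e["size"]]
                 if p != e["path"]
                 and not RANDOM_DRIVER_RE.match(p.rsplit("\\", 1)[-1])]
        if twins:
            hits[e["path"]] = sorted(twins)
    return dict(sorted(hits.items()))


if __name__ == "__main__":
    for path, twins in suspicious_drivers(parse_entries(SAMPLE_LOG)).items():
        print(f"{path}: same size as {', '.join(twins)}")
```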

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

