Malware Causing Redirects and Frustration


This is my daughter's PC. She is having redirect problems. She does a Google search and clicking on a link is highly likely to send her to who knows where. :)

I tried running MBAM on her machine and it won't run. It gets kicked out of memory immediately upon load.

Here is the DDS log. The HijackThis log follows that.

I would very much appreciate any help that you might be able to provide. Mr. Charlie was kind enough to help me with my own malware issues earlier today and I plan to reward him with a PayPal token of my appreciation, once I have all this garbage under control.

Thanks in advance.

Oy

DDS (Ver_10-10-10.03) - NTFSx86

Run by janet at 17:11:30.87 on Thu 10/21/2010

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1492 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

svchost.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\mHotkey.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\MCECardBusTV.exe

C:\Program Files\a la mode\Sched\eSched.exe

C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Documents and Settings\janet\Local Settings\Apps\2.0\X45QY1LA.QYM\94G05HGO.EDH\curs..tion_eee711038731a406_0004.0000_1829574f2226d088\CurseClient.exe

C:\Program Files\FastStone Capture\FSCapture.exe

C:\Documents and Settings\janet\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uURLSearchHooks: H - No File

mURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

{daf04938-4bb9-4755-990a-ca393c2a70b9}

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

mRun: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [AlcWzrd] ALCWZRD.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [CHotkey] mHotkey.exe

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [MCECardBusTV] c:\windows\system32\MCECardBusTV.exe

mRun: [The Assistant] c:\program files\a la mode\sched\eSched.exe

mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\documents and settings\marie august\start menu\programs\startup\CurseClientStartup.ccip

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: NameServer = 93.188.162.250,93.188.160.60

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: avgrsstarter - avgrsstx.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

AppInit_DLLs: c:\windows\system32\timinebe.dll,c:\windows\system32\lebenesa.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

LSA: Notification Packages = scecli c:\windows\system32\timinebe.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mariea~1\applic~1\mozilla\firefox\profiles\y1p4by8p.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\marie august\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\marie august\application data\move networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-19 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-19 29584]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-19 243024]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 74480]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-7 308136]

R2 MSSQL$ALAMODE;MSSQL$ALAMODE;c:\program files\microsoft sql server\mssql$alamode\binn\sqlservr.exe [2005-5-4 9150464]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-2 24652]

R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\sldrv\slazldrv.sys [2008-3-14 230448]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]

S3 SQLAgent$ALAMODE;SQLAgent$ALAMODE;c:\program files\microsoft sql server\mssql$alamode\binn\sqlagent.EXE [2005-5-3 323584]

S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\wn111v2.sys --> c:\windows\system32\drivers\WN111v2.sys [?]

=============== Created Last 30 ================

2010-10-21 21:06:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-21 21:06:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-10-21 21:06:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-21 21:06:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-10-20 20:28:39 -------- d-----w- C:\virus info

2010-10-20 20:27:46 -------- d-----w- c:\program files\FastStone Capture

2010-10-14 00:24:00 -------- d-----w- C:\1Marie

2010-10-10 02:41:49 -------- d-----w- C:\spoolerlogs

==================== Find3M ====================

2010-10-20 16:51:31 12536 ----a-w- c:\windows\system32\avgrsstx.dll

============= FINISH: 17:13:09.42 ===============

*************************************************************

***< HijackThis log >********************************************

*************************************************************

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:19:44 PM, on 10/21/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\mHotkey.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\MCECardBusTV.exe

C:\Program Files\a la mode\Sched\eSched.exe

C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Documents and Settings\janet\Local Settings\Apps\2.0\X45QY1LA.QYM\94G05HGO.EDH\curs..tion_eee711038731a406_0004.0000_1829574f2226d088\CurseClient.exe

C:\Program Files\FastStone Capture\FSCapture.exe

C:\Documents and Settings\janet\Desktop\HiJackThis.exe

R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: (no name) - {daf04938-4bb9-4755-990a-ca393c2a70b9} - (no file)

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [MCECardBusTV] C:\WINDOWS\system32\MCECardBusTV.exe

O4 - HKLM\..\Run: [The Assistant] C:\Program Files\a la mode\Sched\eSched.exe

O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - Startup: CurseClientStartup.ccip

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.250,93.188.160.60

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.162.250,93.188.160.60

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.250,93.188.160.60

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - AppInit_DLLs: C:\WINDOWS\system32\timinebe.dll,c:\windows\system32\lebenesa.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--

End of file - 5649 bytes


Hello OyTheBillybumbler

Welcome to Malwarebytes.

=====================

Please re-open Hijackthis and click on "Do a system scan only"

Then place a check mark next to these entries below:

R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {daf04938-4bb9-4755-990a-ca393c2a70b9} - (no file)

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.250,93.188.160.60

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.162.250,93.188.160.60

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.250,93.188.160.60

O20 - AppInit_DLLs: C:\WINDOWS\system32\timinebe.dll,c:\windows\system32\lebenesa.dll

Now click on Fix Checked and then close Hijackthis.

===========

Update Run Malwarebytes

Please update/run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

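One way to triage a HijackThis log for the entry classes the reply above asks to fix (O17 NameServer overrides, O20 AppInit_DLLs, and hooks, BHOs or toolbars with no backing file), as an added Python example that is not part of the forum post or of HijackThis itself. The sample lines are constructed in the HijackThis v2 line format, and the `triage` and `Finding` names are this example's own.

```python
"""Flag the HijackThis entry classes most often behind search redirects.

Added example: parses the plain-text format HijackThis v2 writes and reports
  - O17 NameServer overrides that point at non-private (public) resolvers,
  - O20 AppInit_DLLs entries (loaded into every process that maps user32.dll),
  - R3/O2/O3 hooks, BHOs and toolbars whose file is gone ("(no file)").
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v2 line format (not a real log file).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {daf04938-4bb9-4755-990a-ca393c2a70b9} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.250,93.188.160.60
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\WINDOWS\system32\timinebe.dll,c:\windows\system32\lebenesa.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
""".strip()

# "O17 - <rest of line>": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Comma-separated resolver list at the end of an O17 body.
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,\s]+)$")
# Sections whose "(no file)" entries are orphaned hooks, BHOs or toolbars.
ORPHAN_SECTIONS = {"R3", "O2", "O3"}


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str   # "high" or "low"
    reason: str
    line: str


def _is_private(ip_text):
    """True for RFC 1918 / loopback / link-local resolvers (a home router)."""
    try:
        return ipaddress.ip_address(ip_text).is_private
    except ValueError:
        return False  # not an address at all: do not treat it as benign


def triage(log_text):
    """Return a Finding for every suspicious HijackThis line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m.group("section"), m.group("body")

        if section == "O17":
            ns = NAMESERVER_RE.search(body)
            if ns:
                servers = [s.strip() for s in ns.group("servers").split(",") if s.strip()]
                public = [s for s in servers if not _is_private(s)]
                if public:
                    findings.append(Finding(section, "high",
                        "DNS override to non-private resolver(s): " + ", ".join(public), line))

        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = [d.strip() for d in body[len("AppInit_DLLs:"):].split(",") if d.strip()]
            findings.append(Finding(section, "high",
                "AppInit_DLLs injected into every user32 process: " + ", ".join(dlls), line))

        elif section in ORPHAN_SECTIONS and body.endswith("(no file)"):
            findings.append(Finding(section, "low",
                "orphaned hook/BHO/toolbar with no backing file", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section}: {f.reason}")
```

Entries in the "high" class match the O17 and O20 lines the helper listed; the "low" class covers the three "(no file)" lines, which are dead registrations rather than active code.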

Good morning kahdah,

Thanks so much for addressing my problem with my daughter's machine. I appreciate it very much.

I will execute your instructions (I have not yet done so--just saw your post); however, I want to let you know that I tried running the MalwareBytes Anti-Malware program last night on her PC and it would not run. I opened the task manager and watched it show up for about 1/4 of a second in memory and then disappear. Something is preventing MBAM from running. I am hoping that your suggestions vis-a-vis HijackThis will fix that issue. Is that true?

Thanks again. I will get back to you with the results of your instructions...

Oy


I ran HijackThis and successfully eliminated the entries you suggested.

I was able to rename MBAM and run it. It found 2 errors and fixed them.

The problem on her machine, however, still exists. I did a Google search on MalwareBytes forum and clicked on the first result. I was redirected to StopZilla.com or some such beast.

The MBAM log is below:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4912

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

10/22/2010 10:32:50 AM

mbam-log-2010-10-22 (10-32-50).txt

Scan type: Quick scan

Objects scanned: 164979

Time elapsed: 15 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Ok please do the following.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


I ran TDSSKiller as per your request. It did not find an infection. Here is the log...

2010/10/22 12:18:10.0187 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59

2010/10/22 12:18:10.0187 ================================================================================

2010/10/22 12:18:10.0187 SystemInfo:

2010/10/22 12:18:10.0187

2010/10/22 12:18:10.0187 OS Version: 5.1.2600 ServicePack: 2.0

2010/10/22 12:18:10.0187 Product type: Workstation

2010/10/22 12:18:10.0187 ComputerName: Janet_PC

2010/10/22 12:18:10.0187 UserName: Janet

2010/10/22 12:18:10.0187 Windows directory: C:\WINDOWS

2010/10/22 12:18:10.0187 System windows directory: C:\WINDOWS

2010/10/22 12:18:10.0187 Processor architecture: Intel x86

2010/10/22 12:18:10.0187 Number of processors: 2

2010/10/22 12:18:10.0187 Page size: 0x1000

2010/10/22 12:18:10.0187 Boot type: Normal boot

2010/10/22 12:18:10.0187 ================================================================================

2010/10/22 12:18:10.0546 Initialize success

2010/10/22 12:18:13.0078 ================================================================================

2010/10/22 12:18:13.0078 Scan started

2010/10/22 12:18:13.0078 Mode: Manual;

2010/10/22 12:18:13.0078 ================================================================================

2010/10/22 12:18:16.0656 ================================================================================

2010/10/22 12:18:16.0656 Scan finished

2010/10/22 12:18:16.0656 ================================================================================


Hi, was that the entire log?

It looks to be cut off.

First temporarily disable any antivirus program or any real time shields that are present:

If you do not know how then you can refer to this link:

http://www.bleepingcomputer.com/forums/topic114351.html

================

Then Download Combofix from any of the links below. You must rename it before saving it. Rename it to kahdah then save it to your desktop.

Link 1

Link 2

--------------------------------------------------------------------

Double click on kahdah.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

============================


ComboFix just finished running. When I ran it I had forgotten that the machine was still offline (I had disabled the network connection to prevent any cross-network spreading of infection). When ComboFix finds that there is no Windows Recovery Console, it will try to download it from Microsoft. When that point came in the ComboFix run, I had to select 'No', do not attempt to install the Windows Recovery Console, because the machine did not have an internet connection and the network adapter was not found, so I could not reconnect to the network.

Is this an issue? ComboFix said that it would not attempt to cure really serious infections if it could not install the Windows Recovery Console. Should I re-run ComboFix? The run I just did had like 50 different "stages" that it went through.

BTW, I checked--the TDSSKiller log was not cut off, at least not that I could tell.

Here is the CF log:

ComboFix 10-10-22.02 - janet 10/22/2010 14:17:11.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1590 [GMT -4:00]

Running from: c:\documents and settings\janet\Desktop\kahdah.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\uzotojib.ini

Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected

Restored copy from - Kitty had a snack :D

.

((((((((((((((((((((((((( Files Created from 2010-09-22 to 2010-10-22 )))))))))))))))))))))))))))))))

.

2010-10-22 18:01 . 2010-10-22 18:01 -------- d-----w- c:\documents and settings\janet\Application Data\AVG9

2010-10-22 13:53 . 2010-10-22 13:53 -------- d-----w- c:\documents and settings\janet\Application Data\Malwarebytes

2010-10-21 21:06 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-21 21:06 . 2010-10-21 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-10-21 21:06 . 2010-10-22 13:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-10-21 21:06 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-20 20:28 . 2010-10-20 20:28 -------- d-----w- C:\virus info

2010-10-20 20:27 . 2010-10-20 21:38 -------- d-----w- c:\program files\FastStone Capture

2010-10-14 00:24 . 2010-10-14 00:34 -------- d-----w- C:\1Marie

2010-10-10 02:41 . 2010-10-10 02:41 -------- d-----w- C:\spoolerlogs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-20 16:51 . 2009-05-19 19:24 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-10-20 16:51 . 2009-05-19 19:24 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-10-20 16:51 . 2009-05-19 19:24 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-10-20 16:50 . 2009-05-19 19:24 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PtiuPbmd"="ptipbm.dll" [2005-05-05 24576]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]

"SoundMan"="SOUNDMAN.EXE" [2004-12-29 77824]

"AlcWzrd"="ALCWZRD.EXE" [2004-12-29 2748928]

"CHotkey"="mHotkey.exe" [2001-12-26 472576]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-05-06 102490]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-05-06 708698]

"MCECardBusTV"="c:\windows\system32\MCECardBusTV.exe" [2008-03-15 126976]

"The Assistant"="c:\program files\a la mode\Sched\eSched.exe" [2007-04-16 99840]

"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-18 7561216]

"nwiz"="nwiz.exe" [2008-03-18 1519616]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2009-03-05 585728]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-20 2067808]

c:\documents and settings\janet\Start Menu\Programs\Startup\

CurseClientStartup.ccip [2010-3-19 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-16 17:11 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-10-20 16:51 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-03-24 03:00 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft SQL Server\\MSSQL$ALAMODE\\Binn\\sqlservr.exe"=

"c:\\Program Files\\a la mode\\Sched\\eSched.exe"=

"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=

"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=

"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=

"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\ABC\\abc.exe"=

"c:\\Program Files\\ESTsoft\\ALFTP\\ALFTP.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

"c:\\Documents and Settings\\janet\\Local Settings\\Apps\\2.0\\X45QY1LA.QYM\\94G05HGO.EDH\\curs..tion_eee711038731a406_0004.0000_1829574f2226d088\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/19/2009 3:24 PM 216400]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/19/2009 3:24 PM 243024]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 2:50 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 2:50 PM 74480]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/7/2010 5:41 PM 308136]

R2 MSSQL$ALAMODE;MSSQL$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe [5/4/2005 1:04 AM 9150464]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/2/2008 9:49 PM 24652]

R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\SLDRV\slazldrv.sys [3/14/2008 11:50 PM 230448]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [7/24/2003 1:10 PM 17149]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 2:50 PM 7408]

S3 SQLAgent$ALAMODE;SQLAgent$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE [5/3/2005 10:42 PM 323584]

S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\WN111v2.sys --> c:\windows\system32\DRIVERS\WN111v2.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

FF - ProfilePath - c:\documents and settings\janet\Application Data\Mozilla\Firefox\Profiles\y1p4by8p.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\janet\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\janet\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-10-22 14:32

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

MCECardBusTV = c:\windows\system32\MCECardBusTV.exe?sTV.exe?exe???w??????f???f?????????????????????????????????????2???????????x??????w???w???????wC??w????Ta?]>???????P?????????f?????????????????>??????????????w??f???f?P?????????????????????????A?????x???(AA???????@???A???@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1409082233-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:43,5c,6e,6d,e6,5d,9d,38,5c,66,99,a7,c0,01,66,b0,c1,d6,38,f8,05,72,4c,

bd,87,c8,5c,7b,38,d5,94,f8,50,c8,27,c3,84,bc,a2,9f,5e,c7,5b,ad,b4,b5,f0,a3,\

"??"=hex:26,d4,ed,a3,2b,88,c6,7d,b8,d6,3f,2d,94,b6,7c,18

[HKEY_USERS\S-1-5-21-343818398-1409082233-725345543-1004\Software\SecuROM\License information*]

"datasecu"=hex:ed,d9,82,58,16,cc,55,31,2e,3c,d9,f8,b4,2a,de,1b,3e,fa,00,c6,c0,

7e,e8,c4,68,33,0e,13,9a,22,26,89,95,e6,63,08,cf,4c,f1,85,fb,ba,b5,dc,3a,0b,\

"rkeysecu"=hex:7d,99,0c,89,01,7b,57,1b,3a,45,d9,31,5f,e2,24,2b

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2940)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\windows\system32\brss01a.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\slserv.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\windows\SOUNDMAN.EXE

c:\windows\mHotkey.exe

c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe

.

**************************************************************************

.

Completion time: 2010-10-22 14:37:43 - machine was rebooted

ComboFix-quarantined-files.txt 2010-10-22 18:37

Pre-Run: 7,557,881,856 bytes free

Post-Run: 12,427,870,208 bytes free

- - End Of File - - 2CE44298B7C9F4AAF5FA3263B9FDD49A


Nope, that AVG message just tells of files already deleted.

We will clean them in a bit once we are done.

It was actually the file ComboFix cured.

You will get more alerts because the scans will scan some files already quarantined, so do not be alarmed; it will all stop when we are done with all of the steps.

No need to rerun ComboFix.

================

Update/Run Malwarebytes

Please update and run Malwarebytes' Anti-Malware.

Double-click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the Update tab, then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=====

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Sure.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)" and then click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.

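The step above hinges on one point: every side-by-side JRE that is left behind in Add/Remove Programs is a separately exploitable runtime, so all of the old ones have to go, not just the oldest. The script below is an added example written for this thread; it is not part of the original posts or of any Sun/Oracle tool. It parses the display names you would see in Add/Remove Programs (the sample list is constructed, and reading them out of the registry is left to whatever you have at hand) and reports which entries are older than the target, which defaults to the 6u22 release the post installs.

```python
"""Audit Add/Remove Programs display names for stale Java runtimes.

Added example for the Java-update step above; not part of the thread or of any
Sun/Oracle tool.  It works on display names, so SAMPLE_ADD_REMOVE is constructed
and nothing here touches the registry (assumed use: export the names, feed them in).
"""
from __future__ import annotations

import re
from typing import Optional

# Version fragment as it appears in JRE display names and in strings such as
# "1.6.0_22": an optional legacy "1." prefix, the major digit, optional minor /
# micro parts, then the update number written as "Update N" or "_N".
VERSION_RE = re.compile(
    r"(?:\bv?1\.)?"                                   # "1.4.2", "v1.4.2", "1.6.0_22"
    r"(?P<major>[4-9])"                               # J2SE 1.4 .. Java 9
    r"(?:\.\d+){0,2}"                                 # ".0", ".2", ".0"
    r"(?:\s+Update\s+(?P<upd>\d+)|_(?P<upd2>\d+))?",  # "Update 22" / "_22"
    re.IGNORECASE,
)

# Only runtime entries are of interest; "Java Auto Updater", "Java DB" and the
# JDK are skipped (the JDK's bundled JRE shows up as its own entry anyway).
RUNTIME_HINT_RE = re.compile(r"runtime|\(tm\)|\bjre\b", re.IGNORECASE)


def parse_version_string(s: str) -> Optional[tuple[int, int]]:
    """'1.6.0_22' -> (6, 22); '6 Update 7' -> (6, 7); None when no version is present."""
    m = VERSION_RE.search(s)
    if m is None:
        return None
    return int(m["major"]), int(m["upd"] or m["upd2"] or 0)


def parse_java_entry(display_name: str) -> Optional[tuple[int, int]]:
    """Return (major, update) for a JRE Add/Remove entry, None for anything else."""
    name = display_name.lower()
    if not name.startswith(("java", "j2se")):
        return None
    if "development kit" in name or not RUNTIME_HINT_RE.search(name):
        return None
    return parse_version_string(display_name)


def stale_java_entries(display_names, current=(6, 22)):
    """Every installed JRE older than `current` (default: the 6u22 the post installs).

    Each one is a separately exploitable runtime, so all of them are listed,
    not just the oldest.  Returns [(display_name, (major, update)), ...].
    """
    stale = []
    for n in display_names:
        v = parse_java_entry(n)
        if v is not None and v < current:
            stale.append((n, v))
    return stale


# Constructed Add/Remove Programs list for a machine that has accumulated
# several side-by-side JREs (the usual state before the clean-up step).
SAMPLE_ADD_REMOVE = [
    "Java(TM) 6 Update 22",
    "Java(TM) 6 Update 7",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "Java(TM) SE Development Kit 6 Update 22",
    "Java Auto Updater",
    "Java DB 10.4.2.1",
    "Malwarebytes' Anti-Malware",
]

if __name__ == "__main__":
    for name, (major, upd) in stale_java_entries(SAMPLE_ADD_REMOVE):
        print(f"remove: {name}  (Java {major} Update {upd})")
```

Tuple comparison does the version ordering, so `(5, 6) < (6, 22)` and `(6, 7) < (6, 22)` both count as stale while the current 6u22 entry is kept; the legacy `1.4.2_03` naming is normalised to `(4, 3)` so it is caught as well.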

Thanks!! Nice. I will take care of that next and then run the Kaspersky.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4920

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

10/22/2010 7:17:09 PM

mbam-log-2010-10-22 (19-17-09).txt

Scan type: Quick scan

Objects scanned: 144585

Time elapsed: 9 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


The Kaspersky scan completed overnight and found only one infection; said infection was a quarantined virus from a previous scan.

So it's looking good at this point. :>

Kaspersky Log:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Saturday, October 23, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Friday, October 22, 2010 15:10:58

Records in database: 4184543

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

E:\

F:\

G:\

H:\

I:\

Scan statistics:

Objects scanned: 148900

Threats found: 1

Infected objects found: 1

Suspicious objects found: 0

Scan duration: 02:50:53

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\serial.sys.vir Infected: Virus.Win32.TDSS.b 1

Selected area has been scanned.

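The one hit in the report above sits under `C:\Qoobox\Quarantine` with a `.vir` suffix, which is ComboFix's quarantine, so it is a copy that has already been neutralised rather than a live `serial.sys`. That distinction is what a follow-up scan report should be triaged on. The Python script below is an added example written for this thread, not part of the original posts or of Kaspersky's tool: it parses the detection table of a Kaspersky Online Scanner 7 report and classifies every hit by where the file lives. The Qoobox line in the sample is the real one from the report above; the other three detection lines are constructed, and the MBAM and SUPERAntiSpyware quarantine locations are assumed.

```python
"""Triage a Kaspersky Online Scanner 7 report: which hits are live files and
which are copies already isolated by another tool?

Added example for the thread above; not part of the original posts or of any
vendor's software.  The Qoobox line in SAMPLE_REPORT is the real one from the
report; every other detection line and the MBAM/SUPERAntiSpyware quarantine
paths are constructed or assumed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One detection per line: "<path> Infected: <threat> <count>" (or "Suspicious:").
# Paths contain spaces, so the path is matched lazily and the status keyword
# anchors the split.  Header lines such as "Infected objects found: 1" do not
# match: nothing precedes the keyword and it is not followed directly by ':'.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Lower-case substrings of folders where removal tools park neutralised files.
# A hit under one of these is "already handled", not an active infection.
QUARANTINE_MARKERS = (
    r"c:\qoobox\quarantine",                                # ComboFix (path seen in the thread)
    r"\malwarebytes' anti-malware\quarantine",              # MBAM 1.x (assumed location)
    r"\superantispyware.com\superantispyware\quarantine",   # SUPERAntiSpyware (assumed location)
)
RESTORE_POINT_PREFIX = r"c:\system volume information"      # System Restore snapshots


@dataclass(frozen=True)
class Detection:
    path: str
    status: str        # "Infected" or "Suspicious"
    threat: str        # e.g. "Virus.Win32.TDSS.b"
    count: int
    disposition: str   # "live", "quarantined" or "restore_point"


def classify_path(path: str) -> str:
    """Decide whether a flagged path is a live file or an already-isolated copy."""
    p = path.lower()
    if p.startswith(RESTORE_POINT_PREFIX):
        return "restore_point"
    # ComboFix renames the files it quarantines with a .vir suffix; Kaspersky
    # reports archive members as "<archive>/<member>", so look at the container.
    container = p.split("/", 1)[0]
    if container.endswith(".vir") or any(m in p for m in QUARANTINE_MARKERS):
        return "quarantined"
    return "live"


def parse_report(text: str) -> list[Detection]:
    """Pull the detection table out of a full report; header/footer lines are skipped."""
    found: list[Detection] = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m is None:
            continue
        found.append(Detection(
            path=m["path"],
            status=m["status"],
            threat=m["threat"],
            count=int(m["count"]),
            disposition=classify_path(m["path"]),
        ))
    return found


def live_detections(text: str) -> list[Detection]:
    """Only the hits that still need action: files outside any quarantine or restore point."""
    return [d for d in parse_report(text) if d.disposition == "live"]


def summarize(text: str) -> dict[str, int]:
    """Count detections by disposition, always reporting all three buckets."""
    counts = {"live": 0, "quarantined": 0, "restore_point": 0}
    for d in parse_report(text):
        counts[d.disposition] += 1
    return counts


# Constructed report: first detection line is the real one from the thread,
# the other three are made up to exercise each disposition.
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 148900
Threats found: 4
Infected objects found: 3
Suspicious objects found: 1
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\serial.sys.vir Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP12\A0001234.sys Infected: Virus.Win32.TDSS.b 1
C:\Documents and Settings\janet\My Documents\setup.zip/keygen.exe Suspicious: HEUR:Trojan.Win32.Generic 1
C:\WINDOWS\system32\drivers\serial.sys Infected: Virus.Win32.TDSS.b 1
Selected area has been scanned.
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    for d in live_detections(SAMPLE_REPORT):
        print(f"ACTION NEEDED: {d.threat} in {d.path}")
```

On the thread's real report this yields one quarantined hit and nothing live, which is the "looking good" reading above; a `Virus.Win32.TDSS.b` hit on the real `C:\WINDOWS\system32\drivers\serial.sys` (the constructed fourth line) would instead mean the driver infection is back and the cleanup is not done.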

Great! Here are the new DDS and Attach files...

DDS (Ver_10-10-10.03) - NTFSx86

Run by janet at 10:52:44.29 on Sat 10/23/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1490 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\mHotkey.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\MCECardBusTV.exe

C:\Program Files\a la mode\Sched\eSched.exe

C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Documents and Settings\janet\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

mURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

mRun: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [AlcWzrd] ALCWZRD.EXE

mRun: [CHotkey] mHotkey.exe

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [MCECardBusTV] c:\windows\system32\MCECardBusTV.exe

mRun: [The Assistant] c:\program files\a la mode\sched\eSched.exe

mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\documents and settings\all users\start menu\programs\startup\CurseClientStartup.ccip

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: avgrsstarter - avgrsstx.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\janet~1\applic~1\mozilla\firefox\profiles\y1p4by8p.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\janet\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\janet\application data\move networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-19 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-19 29584]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-19 243024]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 74480]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-7 308136]

R2 MSSQL$ALAMODE;MSSQL$ALAMODE;c:\program files\microsoft sql server\mssql$alamode\binn\sqlservr.exe [2005-5-4 9150464]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-2 24652]

R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\sldrv\slazldrv.sys [2008-3-14 230448]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]

S3 SQLAgent$ALAMODE;SQLAgent$ALAMODE;c:\program files\microsoft sql server\mssql$alamode\binn\sqlagent.EXE [2005-5-3 323584]

S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\wn111v2.sys --> c:\windows\system32\drivers\WN111v2.sys [?]

=============== Created Last 30 ================

2010-10-23 13:46:56 -------- d-----w- c:\windows\LastGood.Tmp

2010-10-23 13:42:49 -------- d-----w- c:\windows\system32\scripting

2010-10-23 13:42:49 -------- d-----w- c:\windows\l2schemas

2010-10-23 13:42:48 -------- d-----w- c:\windows\system32\en

2010-10-23 13:42:48 -------- d-----w- c:\windows\system32\bits

2010-10-23 13:37:21 -------- d-----w- c:\windows\network diagnostic

2010-10-23 13:34:03 -------- d-----w- c:\windows\EHome

2010-10-23 13:15:34 -------- d-sh--w- c:\documents and settings\janet\IETldCache

2010-10-23 13:03:37 -------- d-----w- c:\windows\ie8updates

2010-10-23 13:03:21 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-10-23 13:03:20 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-10-23 13:03:20 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-10-23 13:03:19 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-10-23 13:03:19 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-10-23 13:03:19 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-10-23 13:03:19 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-10-23 13:02:36 -------- dc-h--w- c:\windows\ie8

2010-10-23 11:33:57 221184 ----a-w- c:\windows\system32\wmpns.dll

2010-10-23 11:26:39 -------- d-----w- c:\windows\ServicePackFiles

2010-10-23 01:24:35 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-10-23 01:24:35 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2010-10-23 01:24:34 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-10-23 01:07:32 2560 ------w- c:\windows\system32\xpsp4res.dll

2010-10-23 01:07:31 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2010-10-23 01:06:10 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-10-22 18:02:38 98816 ----a-w- c:\windows\sed.exe

2010-10-22 18:02:38 77312 ----a-w- c:\windows\MBR.exe

2010-10-22 18:02:38 256512 ----a-w- c:\windows\PEV.exe

2010-10-22 18:02:38 161792 ----a-w- c:\windows\SWREG.exe

2010-10-22 18:01:07 -------- d-----w- c:\docume~1\janet~1\applic~1\AVG9

2010-10-22 13:53:57 -------- d-----w- c:\docume~1\janet~1\applic~1\Malwarebytes

2010-10-21 21:06:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-21 21:06:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-10-21 21:06:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-21 21:06:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-10-20 20:28:39 -------- d-----w- C:\virus info

2010-10-20 20:27:46 -------- d-----w- c:\program files\FastStone Capture

2010-10-14 00:24:00 -------- d-----w- C:\1Janet

2010-10-10 02:41:49 -------- d-----w- C:\spoolerlogs

==================== Find3M ====================

2010-10-20 16:51:31 12536 ----a-w- c:\windows\system32\avgrsstx.dll

============= FINISH: 10:54:29.12 ===============

Attach2.txt


Great, logs are clean :)

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the Uninstall; it needs to be there.

===The following are some articles and a Windows Update link that I like to suggest to people for malware prevention and general PC maintenance===

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article: some great guidelines to follow to prevent future infections. Please read the Prevention article by Miekiemoes.

"How did I get infected in the first place?" Also this one, by Tony Klein.

If your computer is slow: a tutorial on what you can do if your computer is slow.

File sharing program dangers: reasons to stay away from file sharing programs, for example BitTorrent, LimeWire, Kazaa, eMule, uTorrent, etc.

===Free antimalware tools used for on-demand scanning and cleaning (no real-time protection unless purchased)===

Malwarebytes Antimalware

superantispyware

===Free antivirus links===

This is antivirus and antispyware.

Microsoft Security Essentials

This is free antispyware protection and antivirus protection.

AVG free 9.0

This is just antivirus protection.

Antivir

This is antivirus and antispyware protection.

Avast


3 weeks later...

This topic is now closed to further replies.