

Blow-By-Blow:

-This all started when I was getting random(?) redirects in Google Chrome from just about any link I would click on. For example clicking on a google search result link would take me to some scour.com site with lots of page content generated from my google search query.

-This led me to scan using AVG which found/fixed a couple of things, then just to be thorough I scanned with Malwarebytes. This also found some infections. After rebooting, I no longer had connectivity to the internet (I confirmed that the modem/router are fine with other computers, even a separate Windows install on the same PC, all connected fine).

-I was able to complete a system restore to the previous night and my connection was restored (ideally I would have gone back further, but no other restore points restored successfully, which seems to me another red flag that there are issues).

-I was still getting the random link redirects in Chrome, so I ran AVG and Malwarebytes again. AVG found nothing, Malwarebytes found a few things, and then my connection was lost again.

-Where I stand now: I haven't been able to get any restore points to work, so still no connection. I've seen some alerts about not being able to find "dwm.exe". I tried to uninstall MWB and got an error about a missing "unins000.msg"; I got a similar error when I tried running MWB at this time also. Finally I decided to go ahead and just follow exactly the steps lined out in the malware removal post in this forum, and here I am. I've pasted the latest Malwarebytes log and DDS log below and attached a zip file with Ark.txt (from GMER) and attach.txt (from DDS).

Many thanks in advance for any help you can offer; I'm pretty exasperated.

-Will

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4957

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/26/2010 6:47:01 PM

mbam-log-2010-10-26 (18-47-01).txt

Scan type: Quick scan

Objects scanned: 153857

Time elapsed: 7 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\Will\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Will\Application Data\asdsada.bat (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Will\Application Data\444.bat (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Will\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\Will\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.

DDS (Ver_10-10-21.02) - NTFSx86

Run by Will at 19:06:13.51 on Tue 10/26/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1394 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\shicoxp.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\FileZilla Server\FileZilla Server.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\Program Files\Tunngle\TnglCtrl.exe

C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\WebUpdateSvc.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Documents and Settings\Will\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=127.0.0.1:50370

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

uRun: [Google Update] "c:\documents and settings\will\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Aim6]

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [AdobeBridge]

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [CTHelper] CTHELPER.EXE

mRun: [shicoxp] c:\windows\shicoxp.exe

mRun: [lauchsrv] c:\windows\lauchsrv.exe i

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide

mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [<NO NAME>]

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\pdfill\DownloadPDF.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://192.168.1.30/cab/OCXChecker_8198.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://192.168.1.30/cab/DownloadCenter_8200.cab

TCP: {0992FC34-8125-4E26-A49F-C2F4C8D7F794} = 68.105.28.12,68.105.29.12

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: avgrsstarter - avgrsstx.dll

AppInit_DLLs: acaptuser32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\will\applic~1\mozilla\firefox\profiles\97ae3f0y.default\

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 50370

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\documents and settings\will\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [2010-5-18 19478]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-10-26 11608]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-24 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-24 29584]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-24 243024]

R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [2010-5-18 635017]

R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [2010-5-18 431236]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-10-26 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-10-26 267432]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-10-26 60936]

R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-6-25 2789672]

R2 TunngleService;TunngleService;c:\program files\tunngle\TnglCtrl.exe [2009-6-26 664824]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-2 24652]

R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2010-3-5 33792]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]

R3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2010-3-5 16896]

R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2009-6-26 25600]

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-6-25 15656]

S1 sonypvd2;sonypvd2;c:\windows\system32\drivers\sonypvd2.sys [2010-5-18 64093]

S2 aardvarkpm;Aardvark Professional Audio Manager;c:\program files\aardvark\aardvark.exe [2009-6-24 147456]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-23 135664]

S3 AarkPhys;Aardvark Professional Audio Service;c:\windows\system32\drivers\AarkPhys.sys [2009-6-24 44911]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-6-24 79360]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]

S3 SaiH0255;SaiH0255;c:\windows\system32\drivers\SaiH0255.sys [2007-5-1 132232]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2010\RpcAgentSrv.exe [2010-3-13 93336]

=============== Created Last 30 ================

2010-10-27 01:55:19 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-10-27 01:55:19 -------- d-----w- c:\program files\Avira

2010-10-27 01:55:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-10-26 23:47:31 -------- d-----w- c:\windows\system32\wbem\repository\FS

2010-10-26 23:47:31 -------- d-----w- c:\windows\system32\wbem\Repository

2010-10-23 21:47:35 -------- d-----w- C:\BDS

2010-10-23 21:47:28 -------- d-----w- c:\program files\2K Games

2010-10-23 21:47:27 -------- d-----w- c:\program files\Safer Networking

2010-10-23 21:47:26 -------- d-----w- c:\program files\Hamachi

2010-10-23 21:47:26 -------- d-----w- c:\program files\FileZilla Server

2010-10-11 23:19:52 143360 ----a-w- c:\windows\system32\nvcolor.exe

2010-10-07 01:21:13 -------- d-----w- c:\program files\CamStudio

==================== Find3M ====================

2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:48:34 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:43:28 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2009-11-20 04:08:02 3749224 ----a-w- c:\program files\common files\adlmint_libFNP.dll

2009-11-20 04:08:02 2941288 ----a-w- c:\program files\common files\adlmint.dll

============= FINISH: 19:07:15.00 ===============

Attach.zip


Hi RPMcMurphy,

Thanks so much for the quick response and clear instructions. I uninstalled/removed AVG successfully and ComboFix worked fine as well (it was even able to establish a connection to download the recovery console, which was interesting to me). The ComboFix log is below. Regarding p2p, do you think it would effectively mitigate the risk to restrict it to a dedicated hdd-partition/OS-install?

Thanks again,

-Will

ComboFix 10-10-26.03 - Will 10/27/2010 1:54.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1458 [GMT -7:00]

Running from: c:\documents and settings\Will\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Will\Application Data\Microsoft\stor.cfg

c:\windows\Tasks\At1.job

c:\windows\Tasks\At10.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At14.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At16.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At20.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At22.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At24.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At4.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At6.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At8.job

c:\windows\Tasks\At9.job

.

((((((((((((((((((((((((( Files Created from 2010-09-27 to 2010-10-27 )))))))))))))))))))))))))))))))

.

2010-10-27 01:55 . 2010-10-27 01:55 -------- d-----w- c:\program files\Avira

2010-10-27 01:55 . 2010-10-27 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-10-27 01:55 . 2010-03-01 17:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-10-27 01:55 . 2010-02-16 21:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-10-27 01:55 . 2009-05-11 19:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-10-27 01:55 . 2009-05-11 19:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-10-26 23:47 . 2010-10-26 23:47 -------- d-----w- c:\windows\system32\wbem\Repository

2010-10-23 21:47 . 2010-10-23 21:47 -------- d-----w- C:\BDS

2010-10-23 21:47 . 2010-10-23 21:47 -------- d-----w- c:\program files\2K Games

2010-10-23 21:47 . 2010-10-23 21:47 -------- d-----w- c:\program files\Safer Networking

2010-10-23 21:47 . 2010-10-26 21:15 -------- d-----w- c:\program files\Hamachi

2010-10-23 21:47 . 2010-10-23 21:51 -------- d-----w- c:\program files\FileZilla Server

2010-10-11 23:19 . 2010-10-11 23:19 143360 ----a-w- c:\windows\system32\nvcolor.exe

2010-10-07 01:21 . 2010-10-07 01:23 -------- d-----w- c:\program files\CamStudio

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 19:23 . 2008-04-14 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-04-14 11:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-04-14 11:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2008-04-14 11:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2009-06-04 12:35 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2009-06-04 12:33 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2009-06-04 12:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:48 . 2009-06-04 12:33 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:38 . 2009-06-04 12:36 1861888 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2008-04-14 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 06:05 . 2008-04-14 11:00 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:37 . 2009-06-04 12:36 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-06-04 12:42 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2008-04-14 11:00 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2008-04-14 11:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:43 . 2009-06-04 12:34 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2009-11-20 04:08 . 2009-11-20 04:08 3749224 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll

2009-11-20 04:08 . 2009-11-20 04:08 2941288 ----a-w- c:\program files\Common Files\adlmint.dll

.

------- Sigcheck -------

[-] 2009-06-04 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-06-04 . C951DB3D9B6EF3CF4B82454D30A8BF59 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Will\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-25 133104]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-08 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nwiz"="nwiz.exe" [2009-06-10 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

"CTHelper"="CTHELPER.EXE" [2009-03-04 19456]

"shicoxp"="c:\windows\shicoxp.exe" [2003-05-15 45056]

"lauchsrv"="c:\windows\lauchsrv.exe" [2003-02-25 24576]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-17 49152]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]

"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"wave1"=aarklink.dll

"midi1"=aarklink.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Tunngle\\TnglCtrl.exe"=

"c:\\Program Files\\Tunngle\\Tunngle.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"c:\\Program Files\\Ubisoft\\Tom Clancy's H.A.W.X\\HAWX.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Autodesk\\Maya2009\\bin\\maya.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=

"c:\\Program Files\\WinSCP\\WinSCP.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010\\RpcAgentSrv.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010\\WNt500x86\\sandra.mui"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010\\WNt500x86\\RpcSandraSrv.exe"=

"c:\\Program Files\\Steam\\steamapps\\dilliondollars\\source sdk base 2007\\hl2.exe"=

"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=

"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=

"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Autodesk\\Maya2011\\bin\\maya.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [5/18/2010 7:21 PM 19478]

R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [5/18/2010 7:21 PM 635017]

R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [5/18/2010 7:21 PM 431236]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/26/2010 6:55 PM 135336]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [6/25/2009 8:47 PM 2789672]

R2 TunngleService;TunngleService;c:\program files\Tunngle\TnglCtrl.exe [6/26/2009 2:45 PM 664824]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/2/2009 11:07 PM 24652]

R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [3/5/2010 10:48 PM 33792]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296]

R3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [3/5/2010 10:48 PM 16896]

R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [6/26/2009 2:45 PM 25600]

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [6/25/2009 8:47 PM 15656]

S1 sonypvd2;sonypvd2;c:\windows\system32\drivers\sonypvd2.sys [5/18/2010 7:21 PM 64093]

S2 aardvarkpm;Aardvark Professional Audio Manager;c:\program files\Aardvark\aardvark.exe [6/24/2009 5:32 PM 147456]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2009 3:58 PM 135664]

S3 AarkPhys;Aardvark Professional Audio Service;c:\windows\system32\drivers\AarkPhys.sys [6/24/2009 5:31 PM 44911]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [6/24/2009 5:21 PM 79360]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296]

S3 SaiH0255;SaiH0255;c:\windows\system32\drivers\SaiH0255.sys [5/1/2007 4:11 PM 132232]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe [3/13/2010 12:36 AM 93336]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/24/2009 8:44 PM 721904]

.

Contents of the 'Scheduled Tasks' folder

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 22:58]

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 22:58]

2010-10-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-484061587-1177238915-1004Core.job

- c:\documents and settings\Will\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-25 00:28]

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-484061587-1177238915-1004UA.job

- c:\documents and settings\Will\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-25 00:28]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=127.0.0.1:50370

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: {0992FC34-8125-4E26-A49F-C2F4C8D7F794} = 68.105.28.12,68.105.29.12

DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://192.168.1.30/cab/OCXChecker_8198.cab

DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://192.168.1.30/cab/DownloadCenter_8200.cab

FF - ProfilePath - c:\documents and settings\Will\Application Data\Mozilla\Firefox\Profiles\97ae3f0y.default\

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 50370

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\documents and settings\Will\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

HKCU-Run-AdobeBridge - (no file)

Notify-WgaLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-10-27 02:00

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-10-27 02:03:12

ComboFix-quarantined-files.txt 2010-10-27 09:03

Pre-Run: 103,836,561,408 bytes free

Post-Run: 110,481,072,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(1)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - FCF898E09A9D6787D89A10DEE51FA7B5


Will A:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above DDS::

DDS::
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
Firefox::
FF - ProfilePath - c:\documents and settings\Will\Application Data\Mozilla\Firefox\Profiles\97ae3f0y.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    sfcfiles.*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Please include the following in your next post:

  • ComboFix log
  • SystemLook log
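
The two entries the CFScript above removes (the IE `ProxyServer = http=127.0.0.1:50370` line and the matching Firefox `network.proxy.*` prefs) are the mechanism behind both symptoms in this thread: a proxy on 127.0.0.1 hands every browser request to a process on the same machine, which can rewrite search results, and once that process is removed every request fails. The following is an added example, not code from the thread or from DDS, ComboFix or any other tool named here; it flags loopback proxies in DDS-style log lines and in a raw prefs.js, and the sample lines and prefs excerpt are constructed to mirror the entries on this page. All function names are my own.

```python
"""Flag browser proxy settings that route traffic through the local machine.

Added example, not code from the thread or from any tool named in it. The
sample DDS/ComboFix lines and the prefs.js excerpt are constructed to match
the entries the helper's CFScript removes.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of the relevant DDS "Supplementary Scan" lines.
SAMPLE_DDS_LINES = [
    "uStart Page = hxxp://www.google.com/",
    "uInternet Settings,ProxyOverride = *.local",
    "uInternet Settings,ProxyServer = http=127.0.0.1:50370",
    "FF - prefs.js: network.proxy.http - 127.0.0.1",
    "FF - prefs.js: network.proxy.http_port - 50370",
    "FF - prefs.js: network.proxy.type - 1",
]

# Constructed prefs.js excerpt in the form Firefox itself writes.
SAMPLE_PREFS_JS = """
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 50370);
user_pref("network.proxy.type", 1);
"""

# WinINET ProxyServer values: "host:port" or "http=host:port;https=host:port".
_PROXY_ENTRY_RE = re.compile(r"(?:(?P<scheme>\w+)=)?(?P<host>[^:;=\s]+):(?P<port>\d+)")
_DDS_FF_RE = re.compile(r"FF - prefs\.js: (network\.proxy\.\S+) - (.+)")
_USER_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.*?)\);')


def is_local_host(host: str) -> bool:
    """True for 'localhost' or any loopback IP address (v4 or v6)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_proxy_server(value: str) -> List[Tuple[str, str, int]]:
    """Split a ProxyServer value into (scheme, host, port) triples."""
    return [(m.group("scheme") or "all", m.group("host"), int(m.group("port")))
            for m in _PROXY_ENTRY_RE.finditer(value)]


def firefox_findings(prefs: Dict[str, str]) -> List[str]:
    """Report a manual Firefox proxy (network.proxy.type = 1) pointing at loopback."""
    host = prefs.get("network.proxy.http", "")
    if prefs.get("network.proxy.type") == "1" and host and is_local_host(host):
        port = prefs.get("network.proxy.http_port", "?")
        return [f"Firefox manual proxy on loopback {host}:{port}"]
    return []


def scan_dds_lines(lines: List[str]) -> List[str]:
    """Walk DDS/ComboFix lines and flag IE and Firefox proxies on loopback."""
    findings: List[str] = []
    ff_prefs: Dict[str, str] = {}
    for line in lines:
        if "ProxyServer" in line and "=" in line:
            for scheme, host, port in parse_proxy_server(line.split("=", 1)[1]):
                if is_local_host(host):
                    findings.append(f"IE/WinINET {scheme} proxy on loopback {host}:{port}")
        m = _DDS_FF_RE.match(line)
        if m:
            ff_prefs[m.group(1)] = m.group(2).strip()
    return findings + firefox_findings(ff_prefs)


def scan_prefs_js(text: str) -> List[str]:
    """Parse a prefs.js body and apply the same Firefox check to it."""
    prefs = {k: v.strip().strip('"') for k, v in _USER_PREF_RE.findall(text)}
    return firefox_findings(prefs)


if __name__ == "__main__":
    for finding in scan_dds_lines(SAMPLE_DDS_LINES) + scan_prefs_js(SAMPLE_PREFS_JS):
        print(finding)
```

A corporate proxy such as `proxy.corp.example:8080` produces no finding; only loopback targets are reported, because a legitimate local proxy is rare on a home machine and is exactly what a redirector plants. The second ComboFix log in this thread still shows `network.proxy.type - 1` with no host, which this check correctly ignores.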


Thanks. New ComboFix log pasted below, and SystemLook log pasted below that. Let me know if you'd prefer these to be attached rather than copy/pasted.

ComboFix 10-10-26.03 - Will 10/27/2010 11:55:44.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1597 [GMT -7:00]

Running from: c:\documents and settings\Will\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Will\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((( Files Created from 2010-09-27 to 2010-10-27 )))))))))))))))))))))))))))))))

.

2010-10-27 01:55 . 2010-10-27 01:55 -------- d-----w- c:\program files\Avira

2010-10-27 01:55 . 2010-10-27 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-10-27 01:55 . 2010-03-01 17:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-10-27 01:55 . 2010-02-16 21:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-10-27 01:55 . 2009-05-11 19:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-10-27 01:55 . 2009-05-11 19:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-10-26 23:47 . 2010-10-26 23:47 -------- d-----w- c:\windows\system32\wbem\Repository

2010-10-23 21:47 . 2010-10-23 21:47 -------- d-----w- C:\BDS

2010-10-23 21:47 . 2010-10-23 21:47 -------- d-----w- c:\program files\2K Games

2010-10-23 21:47 . 2010-10-23 21:47 -------- d-----w- c:\program files\Safer Networking

2010-10-23 21:47 . 2010-10-26 21:15 -------- d-----w- c:\program files\Hamachi

2010-10-23 21:47 . 2010-10-23 21:51 -------- d-----w- c:\program files\FileZilla Server

2010-10-11 23:19 . 2010-10-11 23:19 143360 ----a-w- c:\windows\system32\nvcolor.exe

2010-10-07 01:21 . 2010-10-07 01:23 -------- d-----w- c:\program files\CamStudio

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 19:23 . 2008-04-14 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-04-14 11:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-04-14 11:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2008-04-14 11:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2009-06-04 12:35 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2009-06-04 12:33 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2009-06-04 12:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:48 . 2009-06-04 12:33 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:38 . 2009-06-04 12:36 1861888 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2008-04-14 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 06:05 . 2008-04-14 11:00 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:37 . 2009-06-04 12:36 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-06-04 12:42 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2008-04-14 11:00 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2008-04-14 11:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:43 . 2009-06-04 12:34 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2009-11-20 04:08 . 2009-11-20 04:08 3749224 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll

2009-11-20 04:08 . 2009-11-20 04:08 2941288 ----a-w- c:\program files\Common Files\adlmint.dll

.

------- Sigcheck -------

[-] 2009-06-04 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-06-04 . C951DB3D9B6EF3CF4B82454D30A8BF59 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-10-27_09.00.51 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-10-27 18:34 . 2010-10-27 18:34 16384 c:\windows\Temp\Perflib_Perfdata_5a4.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Will\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-25 133104]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-08 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nwiz"="nwiz.exe" [2009-06-10 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

"CTHelper"="CTHELPER.EXE" [2009-03-04 19456]

"shicoxp"="c:\windows\shicoxp.exe" [2003-05-15 45056]

"lauchsrv"="c:\windows\lauchsrv.exe" [2003-02-25 24576]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-17 49152]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]

"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"wave1"=aarklink.dll

"midi1"=aarklink.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Tunngle\\TnglCtrl.exe"=

"c:\\Program Files\\Tunngle\\Tunngle.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"c:\\Program Files\\Ubisoft\\Tom Clancy's H.A.W.X\\HAWX.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Autodesk\\Maya2009\\bin\\maya.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=

"c:\\Program Files\\WinSCP\\WinSCP.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010\\RpcAgentSrv.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010\\WNt500x86\\sandra.mui"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010\\WNt500x86\\RpcSandraSrv.exe"=

"c:\\Program Files\\Steam\\steamapps\\dilliondollars\\source sdk base 2007\\hl2.exe"=

"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=

"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=

"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Autodesk\\Maya2011\\bin\\maya.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [5/18/2010 7:21 PM 19478]

R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [5/18/2010 7:21 PM 635017]

R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [5/18/2010 7:21 PM 431236]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/26/2010 6:55 PM 135336]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [6/25/2009 8:47 PM 2789672]

R2 TunngleService;TunngleService;c:\program files\Tunngle\TnglCtrl.exe [6/26/2009 2:45 PM 664824]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/2/2009 11:07 PM 24652]

R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [3/5/2010 10:48 PM 33792]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296]

R3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [3/5/2010 10:48 PM 16896]

R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [6/26/2009 2:45 PM 25600]

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [6/25/2009 8:47 PM 15656]

S1 sonypvd2;sonypvd2;c:\windows\system32\drivers\sonypvd2.sys [5/18/2010 7:21 PM 64093]

S2 aardvarkpm;Aardvark Professional Audio Manager;c:\program files\Aardvark\aardvark.exe [6/24/2009 5:32 PM 147456]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2009 3:58 PM 135664]

S3 AarkPhys;Aardvark Professional Audio Service;c:\windows\system32\drivers\AarkPhys.sys [6/24/2009 5:31 PM 44911]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/4/2009 2:42 PM 99352]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [6/24/2009 5:21 PM 79360]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/4/2009 2:42 PM 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/4/2009 2:42 PM 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/4/2009 2:42 PM 566296]

S3 SaiH0255;SaiH0255;c:\windows\system32\drivers\SaiH0255.sys [5/1/2007 4:11 PM 132232]

S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe [3/13/2010 12:36 AM 93336]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/24/2009 8:44 PM 721904]

.

Contents of the 'Scheduled Tasks' folder

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 22:58]

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 22:58]

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-484061587-1177238915-1004Core.job

- c:\documents and settings\Will\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-25 00:28]

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-484061587-1177238915-1004UA.job

- c:\documents and settings\Will\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-25 00:28]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: {0992FC34-8125-4E26-A49F-C2F4C8D7F794} = 68.105.28.12,68.105.29.12

DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://192.168.1.30/cab/OCXChecker_8198.cab

DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://192.168.1.30/cab/DownloadCenter_8200.cab

FF - ProfilePath - c:\documents and settings\Will\Application Data\Mozilla\Firefox\Profiles\97ae3f0y.default\

FF - prefs.js: network.proxy.type - 1

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3068)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-10-27 12:11:56

ComboFix-quarantined-files.txt 2010-10-27 19:11

ComboFix2.txt 2010-10-27 09:03

Pre-Run: 110,489,870,336 bytes free

Post-Run: 110,476,390,400 bytes free

- - End Of File - - 3061E69CA561833FC74E5C3977D462A5

SystemLook 04.09.10 by jpshortstuff

Log created at 12:15 on 27/10/2010 by Will

Administrator - Elevation successful

========== filefind ==========

Searching for "sfcfiles.*"

C:\WINDOWS\system32\sfcfiles.dll --a---- 1614848 bytes [12:55 04/06/2009] [12:55 04/06/2009] C951DB3D9B6EF3CF4B82454D30A8BF59

-= EOF =-


Will A:

Excellent! Here are your instructions:

Insert the Windows XP installation disk.

1. Click Start > Run or press the Windows Key + R

Type cmd in the run box that opens and press "OK" to open the command prompt window

2. Enter the following commands, one at a time, at the prompt and press "Enter" after each one. Refer to the quote box under the commands for the location of the spaces, which are very important. After pressing "Enter" you should see a message that says, "one file(s) expanded successfully".

Note: x = the drive letter designation for your CD/DVD drive - replace x with the appropriate letter for your PC.

expand x:\i386\sfcfiles.dl_ -r c:\windows\system32

expand<space>x:\i386\sfcfiles.dl_<space>-r<space>c:\windows\system32

Please include the following in your next post:

  • Let me know how this went
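
The `expand` step above replaces sfcfiles.dll because ComboFix's Sigcheck section marked it `[-]` with MD5 C951DB3D9B6EF3CF4B82454D30A8BF59 and size 1614848, and SystemLook found the same hash on disk. A quick way to confirm the replacement took is to re-hash the file and check that it no longer matches the flagged value. The following is an added example, not code from the thread or from ComboFix/SystemLook: it parses Sigcheck-style lines (the sample block is constructed from the format on this page) and compares each entry against the file on disk. The MD5 here is used only to match the value ComboFix recorded, not as an integrity primitive; function and class names are my own.

```python
"""Confirm that a file flagged in ComboFix's Sigcheck section was replaced.

Added example, not from the thread. ComboFix marks a system file whose
signature check failed with "[-]" and records its MD5 and size; after the
file is re-expanded from the install media the on-disk hash should differ.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of a ComboFix "Sigcheck" section, in the page's format.
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------

[-] 2009-06-04 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-06-04 . C951DB3D9B6EF3CF4B82454D30A8BF59 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
"""

_SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


@dataclass
class SigcheckEntry:
    flag: str      # "-" means the signature check failed
    md5: str
    size: int
    version: str
    path: str


def parse_sigcheck(text: str) -> List[SigcheckEntry]:
    """Extract every Sigcheck line (flagged or not) from a ComboFix log body."""
    entries = []
    for line in text.splitlines():
        m = _SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigcheckEntry(m.group("flag"), m.group("md5").upper(),
                                         int(m.group("size")), m.group("version"),
                                         m.group("path")))
    return entries


def file_md5(path: str) -> str:
    """Uppercase hex MD5 of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_replacement(entry: SigcheckEntry, on_disk_path: str) -> str:
    """'missing', 'still-flagged' (same hash and size as the log) or 'replaced'."""
    if not os.path.exists(on_disk_path):
        return "missing"
    if file_md5(on_disk_path) == entry.md5 and os.path.getsize(on_disk_path) == entry.size:
        return "still-flagged"
    return "replaced"


def check_log(text: str) -> Dict[str, str]:
    """Run the check for every flagged entry against its own recorded path."""
    return {e.path: check_replacement(e, e.path) for e in parse_sigcheck(text) if e.flag == "-"}


def demo() -> Dict[str, str]:
    """Exercise all three outcomes on a constructed stand-in file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sfcfiles.dll")
        with open(path, "wb") as f:
            f.write(b"\x00" * 4096)  # stands in for the flagged binary
        flagged = SigcheckEntry("-", file_md5(path), os.path.getsize(path), "5.1.2600.5512", path)
        results = {"before": check_replacement(flagged, path)}
        with open(path, "wb") as f:
            f.write(b"\x01" * 4096)  # stands in for the freshly expanded copy
        results["after"] = check_replacement(flagged, path)
        results["missing"] = check_replacement(flagged, os.path.join(tmp, "absent.dll"))
    return results


if __name__ == "__main__":
    print(demo())
    print(check_log(SAMPLE_SIGCHECK))
```

A "replaced" result only proves the file changed; it does not prove the new copy is the correct one. On a machine with the install media, the authoritative check remains that the expanded file comes from the CD and that ComboFix's next Sigcheck section no longer lists it with `[-]`.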


Will A:

Yes, that worked. Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java 6 Update 17 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files

  • Click OK on the Delete Temporary Files window

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display whether your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

Please include the following in your next post:

  • MBAM log
  • Kaspersky log


Ok, I was able to update Java, though it was Update 22, not 17; this is fine, right? I ran MBAM and pasted the log below; it looks like it didn't find anything and my connection is still up, definitely a good sign. I'm currently at 24% in the Kaspersky scan, it's taking a really long time (going on almost a day now); I'll post the log as soon as it completes. Thanks.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4980

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/28/2010 4:27:26 PM

mbam-log-2010-10-28 (16-27-26).txt

Scan type: Quick scan

Objects scanned: 151952

Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Update 22 is correct (Update 17 was what you had installed). Those Kaspersky scans can be lengthy, but if it doesn't complete soon you may try this instead:

Please run ESET Online Scanner

  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.


Ok, the ESET scan just finished, pasted the log below.

C:\System Volume Information\_restore{854928B7-E060-4F9B-BD8D-D2C51B9B376D}\RP479\A0070245.bat Win32/Adware.FakeAntiSpy.G application

C:\System Volume Information\_restore{854928B7-E060-4F9B-BD8D-D2C51B9B376D}\RP496\A0071630.bat Win32/Adware.FakeAntiSpy.G application

G:\Art\Photoshop\OO\ouroboros3.jpg probably a variant of Win32/TrojanDownloader.Agent.KEMPYJA trojan


Will A:

All but one of those detections are in your System Restore cache and will be removed when we uninstall ComboFix. Let's check the other to make sure it isn't a false positive:

Please go to one of the below sites to scan the following files:

virscan.org

Virus Total

Click on Browse, and upload the following file for analysis:

G:\Art\Photoshop\OO\ouroboros3.jpg

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.

Please include the following in your next post:

  • File analysis results
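
Submitting the file to a multi-engine scanner is the right call for a possible false positive; a complementary local check is to confirm that a file with a .jpg name is actually structured as a JPEG and carries nothing beyond its end-of-image marker. The following is an added example, not code from the thread or from VirSCAN/VirusTotal: it walks the JPEG marker segments to find the EOI, reports any trailing bytes, and looks for HTML markup inside the image bytes, which is what a scanner means when it labels an image file as an HTML iframe redirector. The two sample images are constructed skeletons (not decodable pictures), the "tampered" one carries only an inert `<iframe>` string pointing at example.invalid, and all names are my own.

```python
"""Triage a file that claims to be a JPEG: structure, trailing data, markup.

Added example, not from the thread. Walks the marker segments of a JPEG to
locate the EOI marker (FF D9) and reports bytes after it and any HTML tags
found in the file; both samples are constructed skeletons, not real images.
"""
import struct
from typing import List, Optional

HTML_MARKERS = (b"<iframe", b"<script", b"<html", b"<object", b"<embed")


def _build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG skeleton: SOI, APP0/JFIF, SOS, fake scan data, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos_hdr) + 2) + sos_hdr
            + b"\x12\x34\x56\x78\xff\x00\x9a"   # FF 00 is a stuffed byte, not a marker
            + b"\xff\xd9")


CLEAN_JPEG = _build_sample_jpeg()
# Constructed: the same skeleton with inert HTML appended after EOI.
TAMPERED_JPEG = CLEAN_JPEG + b'<iframe src="http://example.invalid/" width=0 height=0></iframe>'


def jpeg_eoi_offset(data: bytes) -> Optional[int]:
    """Offset just past the EOI marker, or None if the marker structure is broken."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte, skip one
            pos += 1
            continue
        if marker == 0xD9:                              # EOI outside a scan
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # standalone TEM / RSTn
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                              # SOS: entropy data follows
            i = data.find(b"\xff\xd9", pos)             # FF 00 / RSTn never match FF D9
            return None if i < 0 else i + 2
    return None


def triage_image(data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    end = jpeg_eoi_offset(data)
    if end is None:
        findings.append("not a structurally valid JPEG")
    elif end < len(data):
        findings.append(f"{len(data) - end} bytes of trailing data after EOI")
    lower = data.lower()
    for tag in HTML_MARKERS:
        if tag in lower:
            findings.append(f"HTML markup {tag.decode()} embedded in image bytes")
    return findings


if __name__ == "__main__":
    print("clean:", triage_image(CLEAN_JPEG))
    print("tampered:", triage_image(TAMPERED_JPEG))
```

Trailing data after EOI is not proof of malice on its own (some cameras and editors append metadata there), which is why the markup check is reported separately; a file that shows both, as the detections above describe, is the pattern to quarantine and report rather than open.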


The VirSCAN results are pasted below. This leads me to wonder whether or not image files are a common source of malware. I tend to accumulate lots of images as reference for my artwork and have never really been concerned. Should I be as suspicious of images as of any other file type?

VirSCAN.org Scanned Report :

Scanned time : 2010/10/30 12:43:42 (PDT)
Scanner results: 53% Scanner(s) (19/36) found malware!
File Name : ouroboros3.jpg
File Size : 63455 byte
File Type : JPEG image data, JFIF standard 1.01
MD5 : 070a463ce5c41982129d2d0864a34563
SHA1 : d38cff9e741dbd1d4cf715c26b482b7765a1daa7
Online report : http://virscan.org/report/ef1617220912c3bb...77d164fb3c.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.20 20101031013412 2010-10-31 5.31 Trojan-Clicker.HTML.IFrame!IK
AhnLab V3 2010.10.30.00 2010.10.30 2010-10-30 1.32 -
AntiVir 8.2.4.86 7.10.13.74 2010-10-29 0.31 TR/Spy.Banker.vk.1
Antiy 2.0.18 20101031.5509708 2010-10-31 0.13 -
Arcavir 2010 201010310321 2010-10-31 0.04 -
Authentium 5.1.1 201010301916 2010-10-30 1.40 HTML/IFrame (Exact)
AVAST! 4.7.4 101030-0 2010-10-30 0.01 -
AVG 8.5.850 271.1.1/3227 2010-10-30 0.26 -
BitDefender 7.90123.6418700 7.34482 2010-10-31 5.54 Trojan.Clicker.IFrame.G
ClamAV 0.96.3 12189 2010-10-30 0.01 HTML.Spy.IMG
Comodo 4.0 6561 2010-10-30 0.87 -
CP Secure 1.3.0.5 2010.10.30 2010-10-30 0.01 Troj.Spy.HTML.Bankfraud.ra
Dr.Web 5.0.2.3300 2010.10.31 2010-10-31 10.04 -
F-Prot 4.4.4.56 20101030 2010-10-30 1.59 HTML/IFrame (exact, not disinfectable)
F-Secure 7.02.73807 2010.10.29.11 2010-10-29 0.10 Trojan-Clicker.HTML.IFrame.rp [AVP]
Fortinet 4.2.249 12.509 2010-10-30 0.52 -
GData 21.1032/21.439 20101030 2010-10-30 7.47 Trojan-Clicker.HTML.IFrame.rp [Engine:A]
ViRobot 20101029 2010.10.29 2010-10-29 0.39 -
Ikarus T3.1.32.15.0 2010.10.30.77048 2010-10-30 5.21 Trojan-Clicker.HTML.IFrame
JiangMin 13.0.900 2010.10.30 2010-10-30 1.30 -
Kaspersky 5.5.10 2010.10.30 2010-10-30 0.03 Trojan-Clicker.HTML.IFrame.rp
KingSoft 2009.2.5.15 2010.10.30.18 2010-10-30 0.66 -
McAfee 5400.1158 6152 2010-10-30 18.83 JPGiframer
Microsoft 1.6301 2010.10.30 2010-10-30 3.79 Trojan:JS/Redirector.E
Norman 6.06.10 6.06.00 2010-10-30 8.01 -
Panda 9.05.01 2010.10.28 2010-10-28 2.11 -
Trend Micro 9.120-1004 7.582.14 2010-10-30 0.02 HTML_CLICKER.BUC
Quick Heal 11.00 2010.10.29 2010-10-29 2.23 -
Rising 20.0 22.71.03.02 2010-10-28 0.34 Trojan.DL.PicFrame.c
Sophos 3.13.1 4.59 2010-10-31 2.66 Troj/JSRedir-BM
Sunbelt 3.9.2457.2 7173 2010-10-30 19.73 -
Symantec 1.3.0.24 20101030.003 2010-10-30 0.07 Trojan.Maliframe!html
nProtect 20101027.01 9231549 2010-10-27 12.94 Trojan.Clicker.IFrame.G
The Hacker 6.7.0.1 v00074 2010-10-30 0.39 -
VBA32 3.12.14.1 20101029.0829 2010-10-29 3.54 Trojan-Clicker.HTML.IFrame.rp
VirusBuster 4.5.11.10 10.130.5/1999521 2010-10-30 2.38 -


Will A:

Image files sure can be a source of malware - especially if they are from unknown sources. This will take care of that detection:

Go to Start > Run and copy/paste the contents of the codebox below into the Run box and click OK:

cmd /c del /a/f/q "G:\Art\Photoshop\OO\ouroboros3.jpg"

A DOS window will open and close again, this is normal.

All I have left for you to do is another update and some very important cleanup:

Your Adobe reader needs to be updated. Please visit Adobe's site and grab the newest version.

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall


Delete the following tools along with any other logs you saved from our work:

  • DDS
  • GMER
  • SystemLook

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Avoid using P2P programs. Refer back to my earlier post for more information.
  • Please visit this General Computer Security Forum and review this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

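For Will's question about image files: a JPEG is a sequence of marker segments that ends at an EOI marker, and anything appended after it is never rendered, which is how HTML lands inside a picture and gets flagged under names like the HTML/IFrame ones in the VirSCAN report. The check below is an added example, not code from the thread or from the helper; it walks the segments to the EOI and reports any HTML tags in the trailing bytes, using constructed sample bytes rather than the ouroboros3.jpg file.

```python
import re

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
HTML_MARKERS = re.compile(rb"<\s*(iframe|script|object|embed|html|body)\b", re.IGNORECASE)

# Constructed samples (not the file from the thread): a header-only JFIF, and the
# same bytes with HTML appended after the EOI marker.
SAMPLE_CLEAN = (
    SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, length 16
    + EOI
)
SAMPLE_TAINTED = SAMPLE_CLEAN + b'<iframe src="http://example.invalid/" width=1 height=1></iframe>'


def find_eoi(data: bytes) -> int:
    """Return the offset just past the EOI marker by walking marker segments.

    Inside entropy-coded scan data a 0xFF byte is always followed by 0x00 or an
    RSTn marker, so the first FF D9 after the SOS header is the real EOI.
    Assumes a single-scan (baseline) JPEG.
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                                    # EOI with no scan data
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                                    # SOS: scan data follows
            eoi = data.find(EOI, pos + 2 + length)
            if eoi < 0:
                raise ValueError("no EOI marker after scan data")
            return eoi + 2
        pos += 2 + length
    raise ValueError("no EOI marker found")


def inspect_jpeg(data: bytes) -> dict:
    """Report bytes appended after EOI and any HTML tags found in them."""
    trailer = data[find_eoi(data):]
    tags = sorted({m.group(1).lower().decode() for m in HTML_MARKERS.finditer(trailer)})
    return {"trailing_bytes": len(trailer), "html_tags": tags, "suspicious": bool(tags)}
```

A clean image reports zero trailing bytes; a non-zero trailer is worth a closer look even when no tag matches, since scanners name the same condition differently.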

Great, all clean and updated, going to run through a defrag now. I can't thank you enough for your help. It's really admirable to provide such quality assistance on a volunteer basis. You've inspired me to try to better educate myself about all of this so I'm not as clueless in the future.

Thanks again, Happy Halloween!

-Will

