Hi there, I have an old XP pro machine from a friend that got an infection.

When I first got the machine it wouldn't even start to boot into Windows; it just went through the BIOS startup then hung with a flashing cursor at the top right of the screen.

I managed to get the machine to boot and then found it had some infection on it. I have run Malwarebytes several times, in normal mode and safe mode, and SuperAntiSpyware also, and it has AVG Free 2011 installed.

I just can't seem to get rid of the problem.

It did seem to be sorted at one point and did a load of updates, about 50ish, and then Service Pack 3. All seemed OK, then when I switched it off it had the "install updates" thing over the power down button. It installed those 2 updates, and that seems to be when the real problems began. When it was rebooted I had Windows Security Center telling me that the automatic updates were turned off, but on hitting the fix button it said it couldn't sort it and I'd have to do it manually, so I opened the auto updates screen and it was saying that it was fine. Microsoft updates do not work, and I cannot open IE8. If you get IE8 open it's very slow and will not go to, or hangs if you try to go to, Microsoft's site. I also had the XP Anti_Virus 2011 pop up and try to scan and tell me all kinds of things were wrong.

I ran Malwarebytes again and although it did find some infections and cure them, it didn't sort the root of the problem, which I believe is a rootkit.

So I need some expert help and advice. I have attached the HijackThis log, MBAM log and DDS log. GMER would not run and produced a BSOD with the error: BAD_POOL_HEADER.

I hope someone can help to point me in the right direction.

Thanks

Dre...

PS. Whilst writing this I did another MBAM scan and it might have sorted some stuff out. The logs are the latest logs; I also redid the HijackThis log.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 16:39:30, on 30/03/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\WINDOWS\system32\dgdersvc.exe

C:\WINDOWS\system32\dlcqcoms.exe

C:\WINDOWS\system32\FsUsbExService.Exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe

C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Samsung\Kies\KiesTrayAgent.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\WINDOWS\system32\wuauclt.exe

F:\HijackThis.exe

C:\WINDOWS\SoftwareDistribution\Download\2a3aaa33da1603f4063f416a9eae7912\update\update.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=3061204

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=3061204

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25543

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll

O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)

O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [KiesTrayAgent] C:\Program Files\Samsung\Kies\KiesTrayAgent.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-21-3468840492-2233499569-2717989688-1006\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'kevin')

O4 - HKUS\S-1-5-21-3468840492-2233499569-2717989688-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'kevin')

O4 - HKUS\S-1-5-21-3468840492-2233499569-2717989688-1006\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'kevin')

O4 - HKUS\S-1-5-21-3468840492-2233499569-2717989688-1008\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'Annual Accounts')

O4 - HKUS\S-1-5-21-3468840492-2233499569-2717989688-1009\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'Catalogues & prices')

O4 - HKUS\S-1-5-21-3468840492-2233499569-2717989688-1010\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'Rarely used files')

O4 - HKUS\S-1-5-21-3468840492-2233499569-2717989688-500\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'Administrator')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Exif Launcher.lnk = ?

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: &Search - ?p=ZUxdm486PDGB

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll

O20 - AppInit_DLLs: C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe

O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe

O23 - Service: Device Error Recovery Service (dgdersvc) - Devguru Co., Ltd. - C:\WINDOWS\system32\dgdersvc.exe

O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe

O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe

O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--

End of file - 14410 bytes

MBAM Log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6211

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

30/03/2011 16:18:28

mbam-log-2011-03-30 (16-18-27).txt

Scan type: Full scan (C:\|)

Objects scanned: 293183

Time elapsed: 1 hour(s), 1 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 3

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\kb2cenen.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\OUU6KC5WPX (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oqacut (Trojan.Hiloti) -> Value: Oqacut -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\kb2cenen.dll (Trojan.Hiloti) -> Delete on reboot.

c:\documents and settings\dave\local settings\Temp\4C.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

c:\documents and settings\dave\local settings\Temp\52.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\documents and settings\dave\local settings\Temp\54.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\documents and settings\dave\local settings\Temp\59.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\documents and settings\dave\local settings\Temp\cnxrseomwa.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\WINDOWS\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

DDS Log:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by dave at 16:48:16.43 on 30/03/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.990.119 [GMT 1:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Smart Engine *Enabled/Updated* {8DAD4B57-73ED-4EDE-82A8-009F6A8BBDC5}

FW: Smart Engine *Enabled*

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\WINDOWS\system32\dgdersvc.exe

C:\WINDOWS\system32\dlcqcoms.exe

C:\WINDOWS\system32\FsUsbExService.Exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe

C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Samsung\Kies\KiesTrayAgent.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\WINDOWS\system32\wuauclt.exe

F:\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://uk.yahoo.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=3061204

uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm486PDGB&fl=0&ptb=DDOzzRBO1MZ..2WN6jGUSg&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Settings,ProxyServer = http=127.0.0.1:25543

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll

BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll

TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [KiesTrayAgent] c:\program files\samsung\kies\KiesTrayAgent.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe

mRun: [iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe

mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART

mRun: [dlcqmon.exe] "c:\program files\dell photo aio printer 966\dlcqmon.exe"

mRun: [FaxCenterServer] "c:\program files\dell pc fax\fm3032.exe" /s

mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN

mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"

mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

uPolicies-explorer: DisallowRun = 1 (0x1)

IE: &Search - ?p=ZUxdm486PDGB

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~1\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

IFEO: image file execution options - svchost.exe

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\dave\applic~1\mozilla\firefox\profiles\j0gntftb.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - search

FF - plugin: c:\program files\common files\motive\npMotive.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2006-12-5 3456]

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-27 390528]

R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\23945\RapportCerberus_23945.sys [2011-3-1 55224]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]

R2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [2009-10-26 95568]

R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-10-11 217088]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2009-10-26 18136]

R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-10-11 36640]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-22 517448]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-12-5 30192]

S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2011-1-13 90112]

S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2011-1-13 14976]

S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2011-1-13 121856]

S3 ss_bserd;SAMSUNG USB Mobile Logging Driver;c:\windows\system32\drivers\ss_bserd.sys [2011-1-13 98560]

.

=============== Created Last 30 ================

.

2011-03-30 12:18:48 81920 ----a-w- c:\windows\system32\Startup.cpl

2011-03-30 10:13:44 -------- d-----w- c:\docume~1\dave\applic~1\SUPERAntiSpyware.com

2011-03-30 10:13:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-03-30 10:13:26 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-03-29 21:37:05 -------- d-----w- c:\program files\CCleaner

2011-03-29 18:15:03 -------- d-----w- c:\program files\MSXML 6.0

2011-03-29 18:12:46 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-03-29 18:12:45 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-03-29 18:12:44 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2011-03-29 18:12:44 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2011-03-29 18:12:43 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-03-29 18:12:43 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2011-03-29 18:12:43 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll

2011-03-29 16:40:33 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll

2011-03-29 16:40:32 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll

2011-03-29 16:34:03 81920 ------w- c:\windows\system32\ieencode.dll

2011-03-29 16:33:03 19569 ----a-w- c:\windows\003450_.tmp

2011-03-29 16:32:13 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe

2011-03-29 16:32:13 294912 ------w- c:\program files\windows media player\dlimport.exe

2011-03-29 14:59:08 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2011-03-29 14:53:21 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2011-03-29 14:52:28 -------- d-----w- c:\windows\pss

2011-03-29 13:51:00 711632 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe

2011-03-29 13:51:00 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-03-26 16:49:49 339968 ----a-w- c:\windows\system32\cdintf.dll

2011-03-26 13:46:58 12288 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll

2011-03-26 13:45:52 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys

2011-03-26 13:44:55 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll

2011-03-26 13:43:57 29184 -c--a-w- c:\windows\system32\dllcache\asptxn.dll

2011-03-26 13:43:57 10240 -c--a-w- c:\windows\system32\dllcache\aspperf.dll

2011-03-26 13:43:56 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll

2011-03-26 13:43:52 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll

2011-03-26 13:43:51 6144 -c--a-w- c:\windows\system32\dllcache\admxprox.dll

2011-03-26 13:43:51 49664 -c--a-w- c:\windows\system32\dllcache\adrot.dll

2011-03-26 13:43:45 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll

2011-03-26 13:43:36 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe

2011-03-26 13:43:36 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll

2011-03-26 13:43:35 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll

2011-03-26 13:43:35 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll

2011-03-26 13:43:35 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe

2011-03-26 13:43:34 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll

2011-03-26 13:10:18 22339 ----a-r- c:\windows\SETB9.tmp

2011-03-26 13:10:18 10559 ----a-r- c:\windows\SETBA.tmp

2011-03-26 13:10:07 13753 ----a-r- c:\windows\SET7E.tmp

2011-03-26 13:10:03 1086058 ----a-r- c:\windows\SET72.tmp

2011-03-26 13:10:00 1042903 ----a-r- c:\windows\SET6F.tmp

2011-03-25 14:26:51 397056 ----a-w- c:\windows\system32\OLD5BE.tmp

2011-03-25 14:26:50 9728 ----a-w- c:\windows\system32\OLD5BB.tmp

2011-03-25 14:26:46 30592 ----a-w- c:\windows\system32\drivers\OLD5B3.tmp

2011-03-25 14:26:19 4274816 ----a-w- c:\windows\system32\OLD596.tmp

2011-03-25 14:26:07 12672 ----a-w- c:\windows\system32\drivers\OLD58F.tmp

2011-03-25 14:26:06 1737856 ----a-w- c:\windows\system32\OLD58B.tmp

2011-03-25 14:25:12 46592 ----a-w- c:\windows\system32\drivers\OLD54C.tmp

2011-03-25 14:24:30 32285 ----a-w- c:\windows\system32\OLD51D.tmp

2011-03-25 14:24:28 19200 ----a-w- c:\windows\system32\drivers\OLD519.tmp

2011-03-25 14:24:23 46464 ----a-w- c:\windows\system32\drivers\OLD513.tmp

2011-03-25 14:24:17 618605 ----a-w- c:\program files\common files\microsoft shared\web server extensions\40\bin\OLD506.tmp

2011-03-25 14:22:59 3711 ----a-w- c:\windows\system32\drivers\OLD463.tmp

2011-03-25 14:22:59 3135 ----a-w- c:\windows\system32\drivers\OLD460.tmp

2011-03-25 14:22:58 3647 ----a-w- c:\windows\system32\drivers\OLD45D.tmp

2011-03-25 14:22:57 3615 ----a-w- c:\windows\system32\drivers\OLD45A.tmp

2011-03-25 14:22:56 4255 ----a-w- c:\windows\system32\drivers\OLD454.tmp

2011-03-25 14:22:56 3967 ----a-w- c:\windows\system32\drivers\OLD457.tmp

2011-03-25 14:19:26 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe

2011-03-25 14:19:26 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe

2011-03-25 14:16:36 23552 ----a-w- c:\windows\system32\SET1F5.tmp

2011-03-25 14:16:36 23552 ----a-w- c:\windows\system32\COM1F6.tmp

2011-03-25 14:16:35 55296 ----a-w- c:\windows\system32\SET1F2.tmp

2011-03-25 14:16:35 55296 ----a-w- c:\windows\system32\COM1F3.tmp

2011-03-25 14:10:33 21504 ----a-w- c:\windows\system32\hidserv.dll

2011-03-25 14:02:02 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll

2011-03-25 14:02:02 24661 ----a-w- c:\windows\system32\spxcoins.dll

2011-03-25 14:02:02 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll

2011-03-25 14:02:02 13312 ----a-w- c:\windows\system32\irclass.dll

2011-03-25 14:01:44 10559 ----a-r- c:\windows\SET189.tmp

2011-03-25 14:01:43 22339 ----a-r- c:\windows\SET188.tmp

2011-03-25 14:01:35 13753 ----a-r- c:\windows\SET14D.tmp

2011-03-25 14:01:31 1086058 ----a-r- c:\windows\SET141.tmp

2011-03-25 14:01:28 1042903 ----a-r- c:\windows\SET13E.tmp

2011-03-25 12:42:38 -------- d-----w- c:\windows\dell

2011-03-25 10:59:03 -------- d-sh--w- C:\$RECYCLE.BIN

2011-03-23 15:38:35 0 ----a-w- c:\windows\Dsutuqis.bin

2011-03-23 15:38:32 -------- d-----w- c:\docume~1\dave\locals~1\applic~1\{B536E60A-99DE-44A1-8D38-7CA44DFB10DF}

2011-03-12 11:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

2011-03-12 11:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

.

==================== Find3M ====================

.

.

============= FINISH: 16:51:46.45 ===============

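For anyone working through DDS logs like the one above, here is an added example (not part of this thread, and not code from the DDS tool or from Malwarebytes) of a small Python triage helper. It parses the SERVICES / DRIVERS line format ("R0 name;display;path [date size]") and the "Created Last 30" line format shown in the log and applies a few review heuristics: drivers or services whose image sits outside Windows and Program Files, zero-byte files dropped directly in %windir%, and GUID-named directories created under a user profile. The sample text is constructed from lines in the format above plus one invented "exdrv" entry; the heuristics and the EXPECTED_ROOTS list are assumptions for prioritising manual review, not malware verdicts, and legitimate software (Trusteer Rapport in this very log) does load drivers from Application Data.

```python
# DDS log triage helper: added example, not part of this thread or of DDS.
import re
from dataclasses import dataclass
from typing import Any, Dict, List

# One service/driver line: "<R|S><start> name;display;path [yyyy-m-d size]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$"
)
# One "Created Last 30" line: "date time size|-------- attrs path"
CREATED_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+|-+)\s+"
    r"(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# DDS prefix: R = running, S = stopped; the digit is the service start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}
# Where a driver or service image is normally installed (assumption for this example).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
GUID_LEAF_RE = re.compile(r"\\\{[0-9a-f-]{36}\}$", re.IGNORECASE)

# Constructed sample in the DDS format shown in this thread.  The atiide, Rapport,
# FsUsbExService and the three Created lines mirror entries from the log above;
# the "exdrv" driver is invented for illustration.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2006-12-5 3456]
R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\23945\RapportCerberus_23945.sys [2011-3-1 55224]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-10-11 217088]
S3 exdrv;Example Driver;c:\docume~1\dave\locals~1\temp\exdrv.sys [2011-3-23 14336]
=============== Created Last 30 ================
2011-03-30 12:18:48 81920 ----a-w- c:\windows\system32\Startup.cpl
2011-03-23 15:38:35 0 ----a-w- c:\windows\Dsutuqis.bin
2011-03-23 15:38:32 -------- d-----w- c:\docume~1\dave\locals~1\applic~1\{B536E60A-99DE-44A1-8D38-7CA44DFB10DF}
"""


@dataclass
class Finding:
    section: str
    path: str
    reason: str


def parse_services(text: str) -> List[Dict[str, Any]]:
    """Return one dict per service/driver line; all other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["running"] = row["state"] == "R"
            row["start_type"] = START_TYPES.get(row["start"], "unknown")
            row["size"] = int(row["size"])
            rows.append(row)
    return rows


def parse_created(text: str) -> List[Dict[str, Any]]:
    """Return one dict per Created Last 30 line; directories carry size None."""
    rows = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["is_dir"] = row["attrs"].startswith("d")
            row["size"] = None if row["is_dir"] else int(row["size"])
            rows.append(row)
    return rows


def triage(text: str) -> List[Finding]:
    """Apply the review heuristics to a DDS log and return items to inspect."""
    findings: List[Finding] = []
    for svc in parse_services(text):
        # Legitimate products (Trusteer Rapport here) also load from Application
        # Data, so this only asks the reader to confirm the vendor.
        if not svc["path"].lower().startswith(EXPECTED_ROOTS):
            state = "running" if svc["running"] else "stopped"
            findings.append(Finding("services", svc["path"],
                f"{svc['name']} ({svc['start_type']} start, {state}) loads from "
                "outside Windows/Program Files; confirm the vendor and signature"))
    for item in parse_created(text):
        path = item["path"].lower()
        # A zero-byte file dropped straight into %windir% is unusual for an update.
        if (not item["is_dir"] and item["size"] == 0
                and path.startswith("c:\\windows\\") and path.count("\\") == 2):
            findings.append(Finding("created", item["path"],
                                    "zero-byte file created directly in %windir%"))
        # A bare-GUID directory under a profile is worth opening; installers use them too.
        if item["is_dir"] and "docume~1" in path and GUID_LEAF_RE.search(item["path"]):
            findings.append(Finding("created", item["path"],
                                    "GUID-named directory created under a user profile"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.section}] {f.path}\n    {f.reason}")
```

Run against a real DDS log (pass the file contents to `triage`) the output is a short list to check by hand, which is the point: the parser does the tedious field extraction and the reader keeps the judgement.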

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


On completion of the scan click save log, save it to your desktop and post in your next reply

aswMBR Log:

aswMBR version 0.9.4 Copyright© 2011 AVAST Software

Run date: 2011-03-30 20:13:35

-----------------------------

20:13:35.687 OS Version: Windows 5.1.2600 Service Pack 3

20:13:35.687 Number of processors: 2 586 0x409

20:13:35.687 ComputerName: BSACOFFICE UserName: dave

20:13:37.640 Initialize success

20:13:41.140 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3

20:13:41.140 Disk 0 Vendor: SAMSUNG_HD160JJ/P ZM100-34 Size: 152587MB BusType: 3

20:13:43.171 Disk 0 MBR read successfully

20:13:43.171 Disk 0 MBR scan

20:13:45.171 Disk 0 scanning sectors +312496380

20:13:45.203 Disk 0 scanning C:\WINDOWS\system32\drivers

20:13:57.500 Service scanning

20:13:58.906 Disk 0 trace - called modules:

20:13:58.921 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll atiide.sys PCIIDEX.SYS

20:13:58.921 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8696cab8]

20:13:58.921 3 CLASSPNP.SYS[f7542fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0x8697dd98]

20:13:58.921 Scan finished successfully


No RootKit showing :)

http://www.eset.eu/online-scanner

Go here to run an online scanner from ESET.

Click the green ESET Online Scanner button.

Read the End User License Agreement and check the box: YES, I accept the Terms of Use.

Click on the Start button next to it.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?".

Answer Yes to download and install the ActiveX controls that allow the scan to run.

Click Start.

Check Remove found threats and Scan potentially unwanted applications.

Click Scan to begin.

If offered the option to get information or buy software, just close the window.

Wait for the scan to finish.

Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic.


No RootKit showing :)

Great news, thanks, I can't do the online scan atm as my internet is down, (I have this PC plugged into my Mobile Phone.)

Hopefully it will be back on by tomorrow; all I know is it's a 'fibre cut', sounds like some roadworkers dug up the cable :(

Thanks for your time so far.

Dre...


Great news, thanks, I can't do the online scan atm as my internet is down, (I have this PC plugged into my Mobile Phone.)

Hopefully it will be back on by tomorrow; all I know is it's a 'fibre cut', sounds like some roadworkers dug up the cable :(

Thanks for your time so far.

Dre...


Hope they get it fixed



Hope they get it fixed

Not gonna be fixed today I don't think.

I have however run MBAM, SuperAntiSpyware, Spybot S&D, and AVG 2011 scans and all are clear.

One thing I am paranoid about is when I power it off it says it wants to install updates; I have not let it install them yet though.

The reason for this is I think the malware I got was installed via the update mechanism. If it were a genuine update then I would get the yellow shield telling me updates were ready for my computer and I would be able to install them/or not, in the Windows environment. The fact I don't get the yellow shield, and option to install the updates in Windows, is making me nervous about the updates and hence not installing them yet.

Is there any way to see what the updates are or to disable them etc?

Dre...


The fact I don't get the yellow shield, and option to install the updates in Windows, is making me nervous about the updates and hence not installing them yet.

I think that happens if you have automatic updates active. When you go to shut down it will pop up to install updates and shut down.

That link doesn't work, but the PC is up and running after the updates; it doesn't look like any nasties have reappeared.

All I need now is for my internet to get fixed and I can make sure everything is completely updated and that should be that.

Thanks for your help, if anything crops up tomorrow, I'll post some logs.

Dre...


Ok, got internet back. Decided to upgrade AVG to the full AVG Internet Security 2011, had problems so uninstalled AVG completely and didn't get Security Center complaining about no Anti-Virus.

So I had a look and Security Center said that Smart Engine reports it is up to date and virus scanning is on. Did a Google on Smart Engine and found it was malware (didn't really need Google to tell me that but hey).

Did a HijackThis and removed:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25437

but didn't find any of the other things Bleeping Computer said might be in a HJT log.

Ran Rkill then MBAM but it found nothing.

So I went to the ESET online scanner and ran the scan.

ESET found 6 problems and fixed them. I saved the log, then did a new DDS log and tried to run GMER for a log but got the same BSOD.

So... here are the logs

Eset Log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6425

# api_version=3.0.2

# EOSSerial=a77b439a65bde3429b4caa8d78b4a90e

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-03-31 01:37:35

# local_time=2011-03-31 02:37:35 (+0000, GMT Daylight Time)

# country="United Kingdom"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=1024 16777215 100 0 13833862 13833862 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 137 137 0 0

# scanned=96976

# found=6

# cleaned=6

# scan_time=2726

C:\Documents and Settings\All Users\Application Data\cf14eb\77.mof Win32/RogueAV.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\dave\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C7843A66-9DED-4D87-AA09-402DE8933F46} Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Program Files\alot\alotUninst.exe probably a variant of Win32/Adware.RogueApp.ETEMUAN application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\drivers\etc\hosts.20110329-172532.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

DDS Log:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by dave at 14:41:19.73 on 31/03/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.990.439 [GMT 1:00]

.

AV: Smart Engine *Enabled/Updated* {8DAD4B57-73ED-4EDE-82A8-009F6A8BBDC5}

FW: Smart Engine *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\dgdersvc.exe

C:\WINDOWS\system32\dlcqcoms.exe

C:\WINDOWS\system32\FsUsbExService.Exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe

C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Samsung\Kies\KiesTrayAgent.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\wuauclt.exe

F:\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://uk.yahoo.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=3061204

uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm486PDGB&fl=0&ptb=DDOzzRBO1MZ..2WN6jGUSg&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll

BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll

TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [KiesTrayAgent] c:\program files\samsung\kies\KiesTrayAgent.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe

mRun: [iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe

mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART

mRun: [dlcqmon.exe] "c:\program files\dell photo aio printer 966\dlcqmon.exe"

mRun: [FaxCenterServer] "c:\program files\dell pc fax\fm3032.exe" /s

mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN

mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"

mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT"&"inst=NzctNTc3MzM1MDAzLVQ0LUtWMys3LUJBKzEtWEwrMS1GUDkyKzYtQkFSOUcrMS1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtWDIwMTArMi1GMTBNMTBDKzE"&"prod=55"&"ver=10.0.1204

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: &Search - ?p=ZUxdm486PDGB

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~1\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

IFEO: image file execution options - svchost.exe

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\dave\applic~1\mozilla\firefox\profiles\j0gntftb.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - plugin: c:\program files\common files\motive\npMotive.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2006-12-5 3456]

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-27 390528]

R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\23945\RapportCerberus_23945.sys [2011-3-1 55224]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [2009-10-26 95568]

R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-10-11 217088]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]

R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2009-10-26 18136]

R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-10-11 36640]

R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\23645\RapportIaso.sys [2011-2-21 18872]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-12-5 30192]

S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2011-1-13 90112]

S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2011-1-13 14976]

S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2011-1-13 121856]

S3 ss_bserd;SAMSUNG USB Mobile Logging Driver;c:\windows\system32\drivers\ss_bserd.sys [2011-1-13 98560]

.

=============== Created Last 30 ================

.

2011-03-31 12:49:52 -------- d-----w- c:\program files\ESET

2011-03-30 23:47:10 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll

2011-03-30 15:45:17 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2011-03-30 15:45:16 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2011-03-30 15:43:02 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2011-03-30 15:41:31 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2011-03-30 15:32:30 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll

2011-03-30 15:32:24 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2011-03-30 15:32:23 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2011-03-30 15:32:21 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe

2011-03-30 15:32:21 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2011-03-30 15:31:25 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2011-03-30 15:31:16 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll

2011-03-30 12:18:48 81920 ----a-w- c:\windows\system32\Startup.cpl

2011-03-30 12:13:46 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2011-03-30 12:10:44 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2011-03-30 10:13:44 -------- d-----w- c:\docume~1\dave\applic~1\SUPERAntiSpyware.com

2011-03-30 10:13:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-03-30 10:13:26 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-03-29 21:37:05 -------- d-----w- c:\program files\CCleaner

2011-03-29 18:15:03 -------- d-----w- c:\program files\MSXML 6.0

2011-03-29 18:12:46 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-03-29 18:12:45 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-03-29 18:12:44 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2011-03-29 18:12:44 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll

2011-03-29 18:12:43 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-03-29 18:12:43 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2011-03-29 18:12:43 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll

2011-03-29 16:40:33 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll

2011-03-29 16:40:32 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll

2011-03-29 16:34:03 81920 ------w- c:\windows\system32\ieencode.dll

2011-03-29 16:33:03 19569 ----a-w- c:\windows\003450_.tmp

2011-03-29 16:32:13 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe

2011-03-29 16:32:13 294912 ------w- c:\program files\windows media player\dlimport.exe

2011-03-29 15:16:01 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

2011-03-29 15:02:09 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2011-03-29 15:01:08 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

2011-03-29 15:01:06 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2011-03-29 15:01:05 110592 -c----w- c:\windows\system32\dllcache\services.exe

2011-03-29 15:01:04 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll

2011-03-29 15:01:03 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2011-03-29 15:01:02 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2011-03-29 15:01:01 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll

2011-03-29 14:59:08 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2011-03-29 14:53:21 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe

2011-03-29 14:52:28 -------- d-----w- c:\windows\pss

2011-03-29 14:47:56 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2011-03-29 14:47:55 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2011-03-29 14:46:29 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

2011-03-29 13:51:00 711632 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe

2011-03-29 13:51:00 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-03-26 16:49:49 339968 ----a-w- c:\windows\system32\cdintf.dll

2011-03-26 13:46:58 12288 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll

2011-03-26 13:45:52 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys

2011-03-26 13:44:55 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll

2011-03-26 13:43:57 29184 -c--a-w- c:\windows\system32\dllcache\asptxn.dll

2011-03-26 13:43:57 10240 -c--a-w- c:\windows\system32\dllcache\aspperf.dll

2011-03-26 13:43:56 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll

2011-03-26 13:43:52 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll

2011-03-26 13:43:51 6144 -c--a-w- c:\windows\system32\dllcache\admxprox.dll

2011-03-26 13:43:51 49664 -c--a-w- c:\windows\system32\dllcache\adrot.dll

2011-03-26 13:43:45 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll

2011-03-26 13:43:36 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe

2011-03-26 13:43:36 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll

2011-03-26 13:43:35 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll

2011-03-26 13:43:35 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll

2011-03-26 13:43:35 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe

2011-03-26 13:43:34 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll

2011-03-26 13:10:18 22339 ----a-r- c:\windows\SETB9.tmp

2011-03-26 13:10:18 10559 ----a-r- c:\windows\SETBA.tmp

2011-03-26 13:10:07 13753 ----a-r- c:\windows\SET7E.tmp

2011-03-26 13:10:03 1086058 ----a-r- c:\windows\SET72.tmp

2011-03-26 13:10:00 1042903 ----a-r- c:\windows\SET6F.tmp

2011-03-25 14:26:51 397056 ----a-w- c:\windows\system32\OLD5BE.tmp

2011-03-25 14:26:50 9728 ----a-w- c:\windows\system32\OLD5BB.tmp

2011-03-25 14:26:46 30592 ----a-w- c:\windows\system32\drivers\OLD5B3.tmp

2011-03-25 14:26:19 4274816 ----a-w- c:\windows\system32\OLD596.tmp

2011-03-25 14:26:07 12672 ----a-w- c:\windows\system32\drivers\OLD58F.tmp

2011-03-25 14:26:06 1737856 ----a-w- c:\windows\system32\OLD58B.tmp

2011-03-25 14:25:12 46592 ----a-w- c:\windows\system32\drivers\OLD54C.tmp

2011-03-25 14:24:30 32285 ----a-w- c:\windows\system32\OLD51D.tmp

2011-03-25 14:24:28 19200 ----a-w- c:\windows\system32\drivers\OLD519.tmp

2011-03-25 14:24:23 46464 ----a-w- c:\windows\system32\drivers\OLD513.tmp

2011-03-25 14:24:17 618605 ----a-w- c:\program files\common files\microsoft shared\web server extensions\40\bin\OLD506.tmp

2011-03-25 14:22:59 3711 ----a-w- c:\windows\system32\drivers\OLD463.tmp

2011-03-25 14:22:59 3135 ----a-w- c:\windows\system32\drivers\OLD460.tmp

2011-03-25 14:22:58 3647 ----a-w- c:\windows\system32\drivers\OLD45D.tmp

2011-03-25 14:22:57 3615 ----a-w- c:\windows\system32\drivers\OLD45A.tmp

2011-03-25 14:22:56 4255 ----a-w- c:\windows\system32\drivers\OLD454.tmp

2011-03-25 14:22:56 3967 ----a-w- c:\windows\system32\drivers\OLD457.tmp

2011-03-25 14:19:26 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe

2011-03-25 14:19:26 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe

2011-03-25 14:16:36 23552 ----a-w- c:\windows\system32\SET1F5.tmp

2011-03-25 14:16:36 23552 ----a-w- c:\windows\system32\COM1F6.tmp

2011-03-25 14:16:35 55296 ----a-w- c:\windows\system32\SET1F2.tmp

2011-03-25 14:16:35 55296 ----a-w- c:\windows\system32\COM1F3.tmp

2011-03-25 14:10:33 21504 ----a-w- c:\windows\system32\hidserv.dll

2011-03-25 14:02:02 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll

2011-03-25 14:02:02 24661 ----a-w- c:\windows\system32\spxcoins.dll

2011-03-25 14:02:02 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll

2011-03-25 14:02:02 13312 ----a-w- c:\windows\system32\irclass.dll

2011-03-25 14:01:44 10559 ----a-r- c:\windows\SET189.tmp

2011-03-25 14:01:43 22339 ----a-r- c:\windows\SET188.tmp

2011-03-25 14:01:35 13753 ----a-r- c:\windows\SET14D.tmp

2011-03-25 14:01:31 1086058 ----a-r- c:\windows\SET141.tmp

2011-03-25 14:01:28 1042903 ----a-r- c:\windows\SET13E.tmp

2011-03-25 12:42:38 -------- d-----w- c:\windows\dell

2011-03-25 10:59:03 -------- d-sh--w- C:\$RECYCLE.BIN

2011-03-23 15:38:35 0 ----a-w- c:\windows\Dsutuqis.bin

2011-03-23 15:38:32 -------- d-----w- c:\docume~1\dave\locals~1\applic~1\{B536E60A-99DE-44A1-8D38-7CA44DFB10DF}

2011-03-12 11:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

2011-03-12 11:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

.

==================== Find3M ====================

.

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

.

============= FINISH: 14:42:40.50 ===============

Attach.zip


check some settings on your system:

  1. Enter your Control Panel and double-click on Network Connections
  2. Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL, or AOL Connection.
  3. Left click on Properties
  4. Double-click on the Internet Protocol (TCP/IP) item
  5. Select the radio dial that says Obtain DNS Servers Automatically
  6. Press OK twice to get out of the properties screen

Next:

Download aswMBR.exe (511KB) to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan click save log, save it to your desktop and post it in your next reply.


Ok here is the aswMBR log:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software

Run date: 2011-03-31 15:07:24

-----------------------------

15:07:24.578 OS Version: Windows 5.1.2600 Service Pack 3

15:07:24.578 Number of processors: 2 586 0x409

15:07:24.578 ComputerName: BSACOFFICE UserName: dave

15:07:25.109 Initialize success

15:07:28.468 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3

15:07:28.484 Disk 0 Vendor: SAMSUNG_HD160JJ/P ZM100-34 Size: 152587MB BusType: 3

15:07:30.484 Disk 0 MBR read successfully

15:07:30.484 Disk 0 MBR scan

15:07:32.484 Disk 0 scanning sectors +312496380

15:07:32.500 Disk 0 scanning C:\WINDOWS\system32\drivers

15:07:40.828 Service scanning

15:07:42.296 Disk 0 trace - called modules:

15:07:42.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll atiide.sys PCIIDEX.SYS

15:07:42.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86930ab8]

15:07:42.312 3 CLASSPNP.SYS[f7542fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0x86937d98]

15:07:42.312 Scan finished successfully


OK MBAM finished, nothing found.

MBAM Log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6227

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

31/03/2011 17:05:28

mbam-log-2011-03-31 (17-05-28).txt

Scan type: Full scan (C:\|)

Objects scanned: 292290

Time elapsed: 43 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)
