Dre9872 Posted March 30, 2011 ID:407638

Hi there,

I have an old XP Pro machine from a friend that got an infection. When I first got the machine it wouldn't even start to boot into Windows; it just went through the BIOS startup, then hung with a flashing cursor at the top right of the screen. I managed to get the machine to boot and then found it had some infection on it. I have run Malwarebytes several times, in normal mode and safe mode, and SuperAntiSpyware also, and it has AVG Free 2011 installed. I just can't seem to get rid of the problem.

It did seem to be sorted at one point and did a load of updates, about 50-ish, and then Service Pack 3; all seemed OK. Then, when I switched it off, it had the "install updates" thing over the power-down button. It installed those 2 updates, and that seems to be when the real problems began. When it was rebooted I had Windows Security Center telling me that Automatic Updates were turned off, but on hitting the fix button it said it couldn't sort it and I'd have to do it manually, so I opened the Automatic Updates screen and it was saying that it was fine. Microsoft updates do not work, and I cannot open IE8. If you get IE8 open it's very slow and will not go to, or hangs if you try to go to, Microsoft's site. I also had the XP Anti_Virus 2011 popup try to scan and tell me all kinds of things were wrong.

I ran Malwarebytes again, and although it did find some infections and cure them, it didn't sort the root of the problem, which I believe is a rootkit. So I need some expert help and advice. I have attached the HijackThis log, MBAM log and DDS log. GMER would not run and produced a BSOD with the error BAD_POOL_HEADER.

I hope someone can help to point me in the right direction.

Thanks
Dre...

PS. Whilst writing this I did another MBAM scan and it might have sorted some stuff out.
The logs are the latest logs; I also redid the HijackThis log.
3135 ----a-w- c:\windows\system32\drivers\OLD460.tmp2011-03-25 14:22:58 3647 ----a-w- c:\windows\system32\drivers\OLD45D.tmp2011-03-25 14:22:57 3615 ----a-w- c:\windows\system32\drivers\OLD45A.tmp2011-03-25 14:22:56 4255 ----a-w- c:\windows\system32\drivers\OLD454.tmp2011-03-25 14:22:56 3967 ----a-w- c:\windows\system32\drivers\OLD457.tmp2011-03-25 14:19:26 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe2011-03-25 14:19:26 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe2011-03-25 14:16:36 23552 ----a-w- c:\windows\system32\SET1F5.tmp2011-03-25 14:16:36 23552 ----a-w- c:\windows\system32\COM1F6.tmp2011-03-25 14:16:35 55296 ----a-w- c:\windows\system32\SET1F2.tmp2011-03-25 14:16:35 55296 ----a-w- c:\windows\system32\COM1F3.tmp2011-03-25 14:10:33 21504 ----a-w- c:\windows\system32\hidserv.dll2011-03-25 14:02:02 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll2011-03-25 14:02:02 24661 ----a-w- c:\windows\system32\spxcoins.dll2011-03-25 14:02:02 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll2011-03-25 14:02:02 13312 ----a-w- c:\windows\system32\irclass.dll2011-03-25 14:01:44 10559 ----a-r- c:\windows\SET189.tmp2011-03-25 14:01:43 22339 ----a-r- c:\windows\SET188.tmp2011-03-25 14:01:35 13753 ----a-r- c:\windows\SET14D.tmp2011-03-25 14:01:31 1086058 ----a-r- c:\windows\SET141.tmp2011-03-25 14:01:28 1042903 ----a-r- c:\windows\SET13E.tmp2011-03-25 12:42:38 -------- d-----w- c:\windows\dell2011-03-25 10:59:03 -------- d-sh--w- C:\$RECYCLE.BIN2011-03-23 15:38:35 0 ----a-w- c:\windows\Dsutuqis.bin2011-03-23 15:38:32 -------- d-----w- c:\docume~1\dave\locals~1\applic~1\{B536E60A-99DE-44A1-8D38-7CA44DFB10DF}2011-03-12 11:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll2011-03-12 11:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll.==================== Find3M ====================..============= FINISH: 16:51:46.45 ===============Attach.zip Link to post Share on other 
sites More sharing options...
LDTate Posted March 30, 2011 ID:407749

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:
1. These tools MUST be run from the executable (.exe) every time you run them.
2. With Admin Rights (Right click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post. You might want to print these instructions out.

I suggest you do this:

Note: Close all browsers before running ATF Cleaner: IE, Firefox, etc.
Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Dre9872 Posted March 30, 2011 Author ID:407764

On completion of the scan click save log, save it to your desktop and post in your next reply

aswMBR Log:

aswMBR version 0.9.4 Copyright© 2011 AVAST Software
Run date: 2011-03-30 20:13:35
-----------------------------
20:13:35.687 OS Version: Windows 5.1.2600 Service Pack 3
20:13:35.687 Number of processors: 2 586 0x409
20:13:35.687 ComputerName: BSACOFFICE UserName: dave
20:13:37.640 Initialize success
20:13:41.140 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
20:13:41.140 Disk 0 Vendor: SAMSUNG_HD160JJ/P ZM100-34 Size: 152587MB BusType: 3
20:13:43.171 Disk 0 MBR read successfully
20:13:43.171 Disk 0 MBR scan
20:13:45.171 Disk 0 scanning sectors +312496380
20:13:45.203 Disk 0 scanning C:\WINDOWS\system32\drivers
20:13:57.500 Service scanning
20:13:58.906 Disk 0 trace - called modules:
20:13:58.921 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll atiide.sys PCIIDEX.SYS
20:13:58.921 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8696cab8]
20:13:58.921 3 CLASSPNP.SYS[f7542fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0x8697dd98]
20:13:58.921 Scan finished successfully
LDTate Posted March 30, 2011 ID:407767

No RootKit showing

http://www.eset.eu/online-scanner
Go here to run an online scanner from ESET.
Click the green ESET Online Scanner button.
Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
Click on the Start button next to it.
You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
A new window will appear asking "Do you want to install this software?".
Answer Yes to download and install the ActiveX controls that allow the scan to run.
Click Start.
Check Remove found threats and Scan potentially unwanted applications.
Click Scan to begin. If offered the option to get information or buy software, just close the window.
Wait for the scan to finish.
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.
Dre9872 Posted March 30, 2011 Author ID:407774

No RootKit showing

Great news, thanks. I can't do the online scan atm as my internet is down (I have this PC plugged into my mobile phone). Hopefully it will be back on by tomorrow; all I know is it's a 'fibre cut', sounds like some roadworkers dug up the cable.

Thanks for your time so far.
Dre...
LDTate Posted March 30, 2011 ID:407808

Great news, thanks. I can't do the online scan atm as my internet is down (I have this PC plugged into my mobile phone). Hopefully it will be back on by tomorrow; all I know is it's a 'fibre cut', sounds like some roadworkers dug up the cable. Thanks for your time so far. Dre...

Hope they get it fixed
Dre9872 Posted March 30, 2011 Author ID:407895

Hope they get it fixed

Not gonna be fixed today I don't think. I have however run MBAM, SUPERAntiSpyware, Spybot S&D, and AVG 2011 scans and all are clear.

One thing I am paranoid about is when I power it off it says it wants to install updates; I have not let it install them yet though. The reason for this is I think the malware I got was installed via the update mechanism. If it were a genuine update then I would get the yellow shield telling me updates were ready for my computer and I would be able to install them (or not) in the Windows environment. The fact I don't get the yellow shield, and the option to install the updates in Windows, is making me nervous about the updates and hence not installing them yet.

Is there any way to see what the updates are or to disable them etc?
Dre...
LDTate Posted March 30, 2011 ID:407898

The fact I don't get the yellow shield, and the option to install the updates in Windows, is making me nervous about the updates and hence not installing them yet.

I think that happens if you have automatic updates active. When you go to shut down it will pop up to install updates and shut down.
Dre9872 Posted March 30, 2011 Author ID:407903

Hmm, ok I switched off and let it install the updates; there was another 80 for it to do, so I don't think it can be the malware. I'll let you know what happens when it's back on.
LDTate Posted March 30, 2011 ID:407904

Options for setting up Automatic Updates on your computer
http://technet.microsoft.com/en-us/library/cc740211(WS.10).aspx
Dre9872 Posted March 30, 2011 Author ID:407930

That link doesn't work, but the PC is up and running after the updates; it doesn't look like any nasties have reappeared. All I need now is for my internet to get fixed and I can make sure everything is completely updated and that should be that.

Thanks for your help, if anything crops up tomorrow, I'll post some logs.
Dre...
LDTate Posted March 30, 2011 ID:407933

Just Google:
Options for setting up Automatic Updates on your computer
LDTate Posted March 30, 2011 ID:407934

Yes, please let me know when you get internet again.
Dre9872 Posted March 31, 2011 Author ID:407938

BT are continuing to work on the problem and have advised that their next update will be circulated by 1.30am. There is still no estimated fix time. It's 1am here and I'm gonna hit the sack. Will see if it's back up in the morning.
LDTate Posted March 31, 2011 ID:407940
Dre9872 Posted March 31, 2011 Author ID:408338

Ok got internet back. Decided to upgrade AVG to the full AVG Internet Security 2011, had problems so uninstalled AVG completely and didn't get Security Center complaining about no anti-virus. So I had a look and Security Center said that Smart Engine reports it is up to date and virus scanning is on. Did a Google on Smart Engine and found it was malware (didn't really need Google to tell me that but hey).

Did a HijackThis and removed:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25437
but didn't find any of the other things Bleeping Computer said might be in a HJT log.

Ran Rkill then MBAM but it found nothing. So I went to the ESET online scanner and ran the scan. ESET found 6 problems and fixed them; I saved the log, then did a new DDS log and tried to run GMER for a log but got the same BSOD.

So... here are the logs

ESET Log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=a77b439a65bde3429b4caa8d78b4a90e
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-31 01:37:35
# local_time=2011-03-31 02:37:35 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 13833862 13833862 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 137 137 0 0
# scanned=96976
# found=6
# cleaned=6
# scan_time=2726
C:\Documents and Settings\All Users\Application Data\cf14eb\77.mof Win32/RogueAV.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch4.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\dave\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C7843A66-9DED-4D87-AA09-402DE8933F46} Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\alot\alotUninst.exe probably a variant of Win32/Adware.RogueApp.ETEMUAN application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20110329-172532.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

DDS Log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by dave at 14:41:19.73 on 31/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.990.439 [GMT 1:00]
.
AV: Smart Engine *Enabled/Updated* {8DAD4B57-73ED-4EDE-82A8-009F6A8BBDC5}
FW: Smart Engine *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\dgdersvc.exe
C:\WINDOWS\system32\dlcqcoms.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
Files\Analog Devices\Core\smax4pnp.exeC:\Program Files\ATI Technologies\ATI.ACE\cli.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Iomega\AutoDisk\ADUserMon.exeC:\Program Files\Iomega\DriveIcons\ImgIcon.exeC:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exeC:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exeC:\PROGRA~1\Yahoo!\browser\ybrwicon.exeC:\Program Files\Yahoo!\Search Protection\SearchProtection.exeC:\PROGRA~1\Yahoo!\browser\ycommon.exeC:\Program Files\Dell Support\DSAgnt.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\Program Files\Samsung\Kies\KiesTrayAgent.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\FinePixViewer\QuickDCF.exeC:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exeC:\Program Files\ATI Technologies\ATI.ACE\cli.exeC:\WINDOWS\system32\wuauclt.exeF:\dds.scr.============== Pseudo HJT Report ===============.uStart Page = hxxp://uk.yahoo.com/uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/ieuDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=3061204uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm486PDGB&fl=0&ptb=DDOzzRBO1MZ..2WN6jGUSg&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.htmluSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%smSearchAssistant = hxxp://www.google.com/ieuURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dllBHO: &Yahoo! 
Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dllBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dllBHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dllBHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dllBHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dllBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dllBHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No FileBHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllBHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dllTB: Yahoo! 
Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dllTB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dllTB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dllTB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No FileTB: {A057A204-BACC-4D26-9990-79A187E2698E} - No FileTB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dlluRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startupuRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exeuRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exeuRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exeuRun: [KiesTrayAgent] c:\program files\samsung\kies\KiesTrayAgent.exeuRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /backgrounduRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exemRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exemRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -DelaymRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startupmRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exemRun: [iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exemRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTARTmRun: [dlcqmon.exe] "c:\program files\dell photo aio printer 966\dlcqmon.exe"mRun: [FaxCenterServer] "c:\program files\dell pc fax\fm3032.exe" /smRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUNmRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"mRun: [YBrowser] 
c:\progra~1\yahoo!\browser\ybrwicon.exemRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hidemRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT"&"inst=NzctNTc3MzM1MDAzLVQ0LUtWMys3LUJBKzEtWEwrMS1GUDkyKzYtQkFSOUcrMS1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtWDIwMTArMi1GMTBNMTBDKzE"&"prod=55"&"ver=10.0.1204dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXEStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exeIE: &Search - ?p=ZUxdm486PDGBIE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000IE: Google Sidewiki... 
- c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.htmlIE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLLIE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dllDPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cabDPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cabNotify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLLAppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~1\GOEC62~1.DLLSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllSEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dllSEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLLIFEO: image file execution options - svchost.exeHosts: 127.0.0.1 www.spywareinfo.com.================= FIREFOX 
===================.FF - ProfilePath - c:\docume~1\dave\applic~1\mozilla\firefox\profiles\j0gntftb.default\FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=FF - prefs.js: browser.search.selectedEngine - searchFF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/FF - plugin: c:\program files\common files\motive\npMotive.dllFF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dllFF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll.============= SERVICES / DRIVERS ===============.R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2006-12-5 3456]R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-27 390528]R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\23945\RapportCerberus_23945.sys [2011-3-1 55224]R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]R2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [2009-10-26 95568]R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-10-11 217088]R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2009-10-26 18136]R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-10-11 36640]R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\23645\RapportIaso.sys [2011-2-21 18872]S2 gupdate;Google Update Service (gupdate);c:\program 
files\google\update\GoogleUpdate.exe [2010-1-30 135664]S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-12-5 30192]S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2011-1-13 90112]S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2011-1-13 14976]S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2011-1-13 121856]S3 ss_bserd;SAMSUNG USB Mobile Logging Driver;c:\windows\system32\drivers\ss_bserd.sys [2011-1-13 98560].=============== Created Last 30 ================.2011-03-31 12:49:52 -------- d-----w- c:\program files\ESET2011-03-30 23:47:10 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll2011-03-30 15:45:17 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll2011-03-30 15:45:16 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll2011-03-30 15:43:02 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll2011-03-30 15:41:31 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys2011-03-30 15:32:30 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll2011-03-30 15:32:24 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe2011-03-30 15:32:23 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe2011-03-30 15:32:21 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe2011-03-30 15:32:21 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe2011-03-30 15:31:25 45568 -c----w- c:\windows\system32\dllcache\wab.exe2011-03-30 15:31:16 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll2011-03-30 12:18:48 81920 ----a-w- c:\windows\system32\Startup.cpl2011-03-30 12:13:46 455680 -c----w- 
c:\windows\system32\dllcache\mrxsmb.sys
2011-03-30 12:10:44 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-03-30 10:13:44 -------- d-----w- c:\docume~1\dave\applic~1\SUPERAntiSpyware.com
2011-03-30 10:13:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-03-30 10:13:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-29 21:37:05 -------- d-----w- c:\program files\CCleaner
2011-03-29 18:15:03 -------- d-----w- c:\program files\MSXML 6.0
2011-03-29 18:12:46 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-03-29 18:12:45 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-03-29 18:12:44 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-03-29 18:12:44 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-03-29 18:12:43 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-03-29 18:12:43 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-03-29 18:12:43 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-03-29 16:40:33 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2011-03-29 16:40:32 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2011-03-29 16:34:03 81920 ------w- c:\windows\system32\ieencode.dll
2011-03-29 16:33:03 19569 ----a-w- c:\windows\003450_.tmp
2011-03-29 16:32:13 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2011-03-29 16:32:13 294912 ------w- c:\program files\windows media player\dlimport.exe
2011-03-29 15:16:01 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2011-03-29 15:02:09 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-03-29 15:01:08 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2011-03-29 15:01:06 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2011-03-29 15:01:05 110592 -c----w- c:\windows\system32\dllcache\services.exe
2011-03-29 15:01:04 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2011-03-29 15:01:03 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2011-03-29 15:01:02 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2011-03-29 15:01:01 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2011-03-29 14:59:08 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-03-29 14:53:21 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
2011-03-29 14:52:28 -------- d-----w- c:\windows\pss
2011-03-29 14:47:56 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2011-03-29 14:47:55 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2011-03-29 14:46:29 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-03-29 13:51:00 711632 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2011-03-29 13:51:00 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-26 16:49:49 339968 ----a-w- c:\windows\system32\cdintf.dll
2011-03-26 13:46:58 12288 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2011-03-26 13:45:52 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2011-03-26 13:44:55 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2011-03-26 13:43:57 29184 -c--a-w- c:\windows\system32\dllcache\asptxn.dll
2011-03-26 13:43:57 10240 -c--a-w- c:\windows\system32\dllcache\aspperf.dll
2011-03-26 13:43:56 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2011-03-26 13:43:52 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2011-03-26 13:43:51 6144 -c--a-w- c:\windows\system32\dllcache\admxprox.dll
2011-03-26 13:43:51 49664 -c--a-w- c:\windows\system32\dllcache\adrot.dll
2011-03-26 13:43:45 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2011-03-26 13:43:36 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2011-03-26 13:43:36 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2011-03-26 13:43:35 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2011-03-26 13:43:35 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2011-03-26 13:43:35 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2011-03-26 13:43:34 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2011-03-26 13:10:18 22339 ----a-r- c:\windows\SETB9.tmp
2011-03-26 13:10:18 10559 ----a-r- c:\windows\SETBA.tmp
2011-03-26 13:10:07 13753 ----a-r- c:\windows\SET7E.tmp
2011-03-26 13:10:03 1086058 ----a-r- c:\windows\SET72.tmp
2011-03-26 13:10:00 1042903 ----a-r- c:\windows\SET6F.tmp
2011-03-25 14:26:51 397056 ----a-w- c:\windows\system32\OLD5BE.tmp
2011-03-25 14:26:50 9728 ----a-w- c:\windows\system32\OLD5BB.tmp
2011-03-25 14:26:46 30592 ----a-w- c:\windows\system32\drivers\OLD5B3.tmp
2011-03-25 14:26:19 4274816 ----a-w- c:\windows\system32\OLD596.tmp
2011-03-25 14:26:07 12672 ----a-w- c:\windows\system32\drivers\OLD58F.tmp
2011-03-25 14:26:06 1737856 ----a-w- c:\windows\system32\OLD58B.tmp
2011-03-25 14:25:12 46592 ----a-w- c:\windows\system32\drivers\OLD54C.tmp
2011-03-25 14:24:30 32285 ----a-w- c:\windows\system32\OLD51D.tmp
2011-03-25 14:24:28 19200 ----a-w- c:\windows\system32\drivers\OLD519.tmp
2011-03-25 14:24:23 46464 ----a-w- c:\windows\system32\drivers\OLD513.tmp
2011-03-25 14:24:17 618605 ----a-w- c:\program files\common files\microsoft shared\web server extensions\40\bin\OLD506.tmp
2011-03-25 14:22:59 3711 ----a-w- c:\windows\system32\drivers\OLD463.tmp
2011-03-25 14:22:59 3135 ----a-w- c:\windows\system32\drivers\OLD460.tmp
2011-03-25 14:22:58 3647 ----a-w- c:\windows\system32\drivers\OLD45D.tmp
2011-03-25 14:22:57 3615 ----a-w- c:\windows\system32\drivers\OLD45A.tmp
2011-03-25 14:22:56 4255 ----a-w- c:\windows\system32\drivers\OLD454.tmp
2011-03-25 14:22:56 3967 ----a-w- c:\windows\system32\drivers\OLD457.tmp
2011-03-25 14:19:26 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-03-25 14:19:26 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2011-03-25 14:16:36 23552 ----a-w- c:\windows\system32\SET1F5.tmp
2011-03-25 14:16:36 23552 ----a-w- c:\windows\system32\COM1F6.tmp
2011-03-25 14:16:35 55296 ----a-w- c:\windows\system32\SET1F2.tmp
2011-03-25 14:16:35 55296 ----a-w- c:\windows\system32\COM1F3.tmp
2011-03-25 14:10:33 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-03-25 14:02:02 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-03-25 14:02:02 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-03-25 14:02:02 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-03-25 14:02:02 13312 ----a-w- c:\windows\system32\irclass.dll
2011-03-25 14:01:44 10559 ----a-r- c:\windows\SET189.tmp
2011-03-25 14:01:43 22339 ----a-r- c:\windows\SET188.tmp
2011-03-25 14:01:35 13753 ----a-r- c:\windows\SET14D.tmp
2011-03-25 14:01:31 1086058 ----a-r- c:\windows\SET141.tmp
2011-03-25 14:01:28 1042903 ----a-r- c:\windows\SET13E.tmp
2011-03-25 12:42:38 -------- d-----w- c:\windows\dell
2011-03-25 10:59:03 -------- d-sh--w- C:\$RECYCLE.BIN
2011-03-23 15:38:35 0 ----a-w- c:\windows\Dsutuqis.bin
2011-03-23 15:38:32 -------- d-----w- c:\docume~1\dave\locals~1\applic~1\{B536E60A-99DE-44A1-8D38-7CA44DFB10DF}
2011-03-12 11:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-03-12 11:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 14:42:40.50 ===============
Attachment: Attach.zip
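Added example (not from the thread, not from the DDS tool): the file list above is much easier to triage once each entry is pulled back into a record. The script below splits run-together DDS-style entries (timestamp, size or dashes for a directory, attribute string, path) into records, decodes the attribute letters, counts entries per day and lists a few items that a responder would typically want a second look at. The attribute letter meanings (d directory, c compressed, s system, h hidden, a archive, w writable, r read-only) are an assumption inferred from the patterns in the log; the sample entries are constructed in the same shape as the ones posted above, and the review heuristics are only that, they prove nothing about a file.

```python
"""Split run-together DDS-style file entries into records and triage them.

Added example; not part of the forum thread or of the DDS tool itself.
Assumptions: one entry = "<YYYY-MM-DD HH:MM:SS> <size|-------->" followed
by an 8-character attribute string and a path; attribute letters are
read as d=directory c=compressed s=system h=hidden a=archive w=writable
r=read-only (inferred from the log, not from DDS documentation).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the shape of the log above, with the line breaks
# lost, which is how the entries arrive after a forum copy-paste.
SAMPLE = (
    r"2011-03-30 12:10:44 272128 -c----w- c:\windows\system32\dllcache\bthport.sys"
    r"2011-03-30 10:13:26 -------- d-----w- c:\program files\SUPERAntiSpyware"
    r"2011-03-25 10:59:03 -------- d-sh--w- C:\$RECYCLE.BIN"
    r"2011-03-23 15:38:35 0 ----a-w- c:\windows\Dsutuqis.bin"
    r"2011-03-23 15:38:32 -------- d-----w- c:\docume~1\dave\locals~1\applic~1\{B536E60A-99DE-44A1-8D38-7CA44DFB10DF}"
    r"2011-03-26 13:10:18 22339 ----a-r- c:\windows\SETB9.tmp"
)

TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
# The path runs lazily up to the next timestamp (or end of text); paths
# never contain a timestamp-shaped substring, so the lookahead is safe.
RECORD = re.compile(
    rf"(?P<ts>{TIMESTAMP}) (?P<size>\d+|-{{8}}) (?P<attrs>[-a-z]{{8}}) "
    rf"(?P<path>.+?)(?={TIMESTAMP} |$)",
    re.DOTALL,
)
GUID_NAME = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

FLAG_NAMES = {"d": "directory", "c": "compressed", "s": "system", "h": "hidden",
              "a": "archive", "w": "writable", "r": "read-only"}


@dataclass
class Record:
    ts: str
    size: Optional[int]   # None for directory entries ("--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    def flags(self) -> Set[str]:
        """Decode attribute letters by presence, independent of column."""
        return {FLAG_NAMES[ch] for ch in self.attrs if ch in FLAG_NAMES}


def parse_records(text: str) -> List[Record]:
    """Recover one Record per entry from text whose line breaks were lost."""
    out = []
    for m in RECORD.finditer(text):
        size = None if m["size"].startswith("-") else int(m["size"])
        out.append(Record(m["ts"], size, m["attrs"], m["path"].strip()))
    return out


def by_day(records: List[Record]) -> Dict[str, int]:
    """Entries per calendar day: clusters usually line up with an install or an incident."""
    return dict(Counter(r.ts[:10] for r in records))


def triage(records: List[Record]) -> List[Tuple[str, str]]:
    """Items a responder would want to look at. Heuristics only."""
    found = []
    for r in records:
        parent, _, name = r.path.rpartition("\\")
        parent = parent.lower()
        if not r.is_dir and r.size == 0 and parent == r"c:\windows":
            found.append((r.path, "zero-byte file directly in the Windows directory"))
        elif r.is_dir and GUID_NAME.fullmatch(name) and "docume~1" in parent:
            found.append((r.path, "GUID-named folder under a user profile"))
    return found


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.ts, r.size if r.size is not None else "<dir>", sorted(r.flags()), r.path)
    print("per day:", by_day(recs))
    for path, why in triage(recs):
        print("REVIEW:", path, "-", why)
```

Run it against a pasted log by replacing SAMPLE with the text of the "created/changed files" section; the regex tolerates both the run-together form and the original one-entry-per-line layout.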
LDTate Posted March 31, 2011 ID:408340
Check some settings on your system:
Enter your Control Panel and double-click on Network Connections.
Then right click on your Default Connection, usually Local Area Connection for Cable and DSL, or AOL Connection.
- Left click on Properties
- Double-click on the Internet Protocol (TCP/IP) item
- Select the radio dial that says Obtain DNS Servers Automatically
- Press OK twice to get out of the properties screen
Next:
Download aswMBR.exe (511KB) to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start the scan.
On completion of the scan click save log, save it to your desktop and post it in your next reply.
Dre9872 Posted March 31, 2011 Author ID:408347
Ok here is the aswMBR log:
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-31 15:07:24
-----------------------------
15:07:24.578 OS Version: Windows 5.1.2600 Service Pack 3
15:07:24.578 Number of processors: 2 586 0x409
15:07:24.578 ComputerName: BSACOFFICE UserName: dave
15:07:25.109 Initialize success
15:07:28.468 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
15:07:28.484 Disk 0 Vendor: SAMSUNG_HD160JJ/P ZM100-34 Size: 152587MB BusType: 3
15:07:30.484 Disk 0 MBR read successfully
15:07:30.484 Disk 0 MBR scan
15:07:32.484 Disk 0 scanning sectors +312496380
15:07:32.500 Disk 0 scanning C:\WINDOWS\system32\drivers
15:07:40.828 Service scanning
15:07:42.296 Disk 0 trace - called modules:
15:07:42.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll atiide.sys PCIIDEX.SYS
15:07:42.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86930ab8]
15:07:42.312 3 CLASSPNP.SYS[f7542fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0x86937d98]
15:07:42.312 Scan finished successfully
LDTate Posted March 31, 2011 ID:408349
Good. No RootKit present.
After running this one let me know how it's running.
Let's see if we can get rid of all those temp files.
Next:
Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.
Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Dre9872 Posted March 31, 2011 Author ID:408355
OK, ran ATF Cleaner and rebooted.
Security Center still reports that Smart Engine is up to date and virus scanning is on.
Dre9872 Posted March 31, 2011 Author ID:408366
Maybe I should mention that this PC has several admin accounts on it and I have been using only 1 of them.
LDTate Posted March 31, 2011 ID:408367
Run a new MBAM scan and post the results.
Dre9872 Posted March 31, 2011 Author ID:408409
OK, MBAM finished, nothing found.
MBAM Log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6227
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
31/03/2011 17:05:28
mbam-log-2011-03-31 (17-05-28).txt
Scan type: Full scan (C:\|)
Objects scanned: 292290
Time elapsed: 43 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
LDTate Posted March 31, 2011 ID:408420
Try the other two accounts and let me know how that goes.
Dre9872 Posted March 31, 2011 Author ID:408490
I have had no luck finding anything with MBAM, ESET-Online, or BitDefender-Online. SuperAntiSpyware did find one threat but it was in a Restore Volume so nothing.
It doesn't seem to make any difference what account I'm in either.