DaveUpNorth, posted April 3, 2011 (ID:410370)

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6256

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/3/2011 12:11:35 PM
mbam-log-2011-04-03 (12-11-35).txt

Scan type: Quick scan
Objects scanned: 180358
Time elapsed: 16 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\nvappsv.dll (Heuristics.Shuriken) -> Quarantined and deleted successfully.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by A at 12:38:58.31 on Sun 04/03/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.1667 [GMT -4:00]
.
AV: Smart Internet Protection 2011 *Enabled/Updated* {30D2F759-8D05-49B1-B3D8-093C8F7092F3}
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: Smart Internet Protection 2011 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\NlsSrv32.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Ikakya.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\A\Desktop\dds.pif
.
============== Pseudo HJT Report ===============
.
uSearch Page = 
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uDefault_Page_URL = hxxp://www.msn.com
uSearch Bar = 
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client for internet explorer\YontooIEClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Jenkat Arcade] c:\documents and settings\a\application data\jenkat\jenkat games arcade\notifyapp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [EM_EXEC] c:\progra~1\mousew~1\system\EM_EXEC.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [sciwepazucowopo] rundll32.exe "c:\windows\egubaqeyuhasaj.dll",Startup
mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\a\startm~1\programs\startup\imvu.lnk - c:\documents and settings\a\application data\imvuclient\IMVUQualityAgent.exe
StartupFolder: c:\docume~1\a\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\a\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234166809488
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234166799878
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: itlnfw32 - itlnfw32.dll
Notify: itlntfy - itlnfw32.dll
Notify: ypml - itlnfw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
IFEO: image file execution options - svchost.exe
Hosts: 64.34.212.90 www.google.com
Hosts: 64.34.212.90 google.com
Hosts: 64.34.212.90 google.com.au
Hosts: 64.34.212.90 www.google.com.au
Hosts: 64.34.212.90 google.be
.
Note: multiple HOSTS entries found. Please refer to Attach.txt.
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-3 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-9 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-9 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-7 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1405384]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [2010-11-21 61440]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-2-17 24652]
S2 gupdate1c994ae50cdb1e;Google Update Service (gupdate1c994ae50cdb1e);c:\program files\google\update\GoogleUpdate.exe [2009-2-22 133104]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2008-4-14 14336]
S2 MemChecker;Memory Checker;c:\windows\mc76487.exe [2011-3-25 339968]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-6-5 1684736]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]
.
=============== Created Last 30 ================
.
2011-04-03 14:40:53 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-03 12:20:23 -------- d-----w- c:\docume~1\a\applic~1\Toacpa
2011-04-03 12:20:23 -------- d-----w- c:\docume~1\a\applic~1\Odupyg
2011-04-03 12:20:03 163328 ----a-w- c:\windows\Ikakya.exe
2011-04-03 12:09:59 -------- d-----w- c:\docume~1\a\locals~1\applic~1\Secunia PSI
2011-04-03 12:09:52 -------- d-----w- c:\program files\Secunia
2011-03-28 15:04:17 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-28 15:04:17 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-26 00:12:45 34816 ----a-w- c:\windows\system32\itlnfw32.dll
2011-03-25 18:58:41 339968 ----a-w- c:\windows\mc76487.exe
2011-03-25 18:54:44 0 ----a-w- c:\windows\Qforoqeso.bin
2011-03-25 18:54:42 -------- d-----w- c:\docume~1\a\locals~1\applic~1\{F49866CF-2D30-4769-9AD5-413689DB18C3}
2011-03-25 18:51:33 -------- d-----w- c:\docume~1\a\applic~1\DB03EF406BCBDAABF830264BA9FBEEFD
2011-03-15 15:25:01 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-03-12 16:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-03-12 16:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-03-05 01:24:00 -------- d-----w- c:\docume~1\a\applic~1\Armagetron
2011-03-05 01:21:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Armagetron
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 12:55:21 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:42:25 439808 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:31 290048 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAJS-00L7A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A221439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a2277d0]; MOV EAX, [0x8a22784c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A234AB8]
3 CLASSPNP[0xB80F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000069[0x8A2629E8]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A304D98]
\Driver\atapi[0x8A26BA08] -> IRP_MJ_CREATE -> 0x8A221439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskWDC_WD3200AAJS-00L7A0___________________01.03E01#5&29ddb8c4&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A22127F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 12:41:40.79 ===============

Attachment: attach.zip
Maniac, posted April 3, 2011 (ID:410377)

Hello DaveUpNorth! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

- The process of cleaning your system may take some time, so please be patient.
- Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
- Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
- Instructions that I give are for your system only!
- If you don't know or can't understand something, please ask.
- Do not install or uninstall any software or hardware while we work on it.
- Keep me informed about any changes.
- Post all of your log files, don't attach them.

Step 1

First of all, you should not have more than one anti-virus program installed, as they will conflict and cause problems. You have two, so you need to uninstall one of them. Of the two, I would recommend keeping AVG 9.0, so please uninstall Ad-Aware.

Step 2

Please uninstall the following applications:

Search Toolbar

You can read how to do this here:
Windows XP
Windows Vista
Windows 7

Step 3

I also see you have Viewpoint installed...

Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
Viewpoint
Viewpoint Manager
Viewpoint Media Player

Step 4

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure; click on Continue.
If a suspicious file is detected, the default action will be Skip; choose it.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
Click the Report button and copy/paste the contents of it into your next reply.
Note: It will also create a log in the C:\ directory.

In your next reply, please post the following logs:
TDSSKiller log
a new fresh DDS log only
DaveUpNorth (author), posted April 3, 2011 (ID:410385)

Thanks, Borislav.

I completed Step 1. When attempting to complete Step 2, I encountered an Uninstaller Error, which said, "An error occurred when trying to remove Search Toolbar. I may have already been uninstalled. Would you like to remove Search Toolbar from the Add or Remove programs list?" (The publisher is Zugo Ltd. The version is 1.2.)

Shall I remove it from the list or attempt to remove the toolbar some other way? If so, what would that be?

Also, I don't know if this is of interest, but when rebooting, I receive the following error message: "Error Loading c:\windows\egubaqeyuhasaj.dll". That's recent; it occurred before and after I followed the steps that led to my first post.

Thanks.
Maniac, posted April 3, 2011 (ID:410387)

> Step 2, I encountered an Uninstaller Error, which said, "An error occurred when trying to remove Search Toolbar. I may have already been uninstalled. Would you like to remove Search Toolbar from the Add or Remove programs list?" (The publisher is Zugo Ltd. The version is 1.2)

Please choose "Yes" or similar.

> Also, I don't know if this is of interest, but when rebooting, I receive the following error message: "Error Loading c:\windows\egubaqeyuhasaj.dll" That's recent; it occurred before and after I followed the steps that led me first post.

It's due to malware, don't worry.

Go ahead.
DaveUpNorth (author), posted April 3, 2011 (ID:410403)

I completed steps 1, 3 and 4 and removed the Search Toolbar from listed programs in Add/Remove. Thanks.

2011/04/03 14:11:45.0921 11716 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/03 14:11:46.0156 11716 ================================================================================
2011/04/03 14:11:46.0156 11716 SystemInfo:
2011/04/03 14:11:46.0156 11716 
2011/04/03 14:11:46.0156 11716 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/03 14:11:46.0156 11716 Product type: Workstation
2011/04/03 14:11:46.0156 11716 ComputerName: A-96D32C871F104
2011/04/03 14:11:46.0156 11716 UserName: A
2011/04/03 14:11:46.0156 11716 Windows directory: C:\WINDOWS
2011/04/03 14:11:46.0156 11716 System windows directory: C:\WINDOWS
2011/04/03 14:11:46.0156 11716 Processor architecture: Intel x86
2011/04/03 14:11:46.0156 11716 Number of processors: 2
2011/04/03 14:11:46.0156 11716 Page size: 0x1000
2011/04/03 14:11:46.0156 11716 Boot type: Normal boot
2011/04/03 14:11:46.0156 11716 ================================================================================
2011/04/03 14:11:46.0515 11716 Initialize success
2011/04/03 14:12:13.0640 11880 ================================================================================
2011/04/03 14:12:13.0656 11880 Scan started
2011/04/03 14:12:13.0656 11880 Mode: Manual; 
2011/04/03 14:12:13.0656 11880 ================================================================================
C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/03 14:12:23.0796 11880 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/04/03 14:12:23.0843 11880 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/04/03 14:12:23.0921 11880 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/04/03 14:12:23.0921 11880 ================================================================================
2011/04/03 14:12:23.0921 11880 Scan finished
2011/04/03 14:12:23.0921 11880 ================================================================================
2011/04/03 14:12:23.0937 11872 Detected object count: 1
2011/04/03 14:12:34.0890 11872 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/03 14:12:34.0890 11872 \HardDisk0 - ok
2011/04/03 14:12:34.0890 11872 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/04/03 14:12:42.0890 11708 Deinitialize success.

DDS (Ver_11-03-05.01) - NTFSx86
Run by A at 14:17:57.98 on Sun 04/03/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2215 [GMT -4:00]
.
AV: Smart Internet Protection 2011 *Enabled/Updated* {30D2F759-8D05-49B1-B3D8-093C8F7092F3}
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Smart Internet Protection 2011 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\NlsSrv32.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Documents and Settings\A\Desktop\dds.pif
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = hxxp://www.bing.com/
uDefault_Page_URL = hxxp://www.msn.com
uSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client for internet explorer\YontooIEClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Jenkat Arcade] c:\documents and settings\a\application data\jenkat\jenkat games arcade\notifyapp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [EM_EXEC] c:\progra~1\mousew~1\system\EM_EXEC.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [sciwepazucowopo] rundll32.exe "c:\windows\egubaqeyuhasaj.dll",Startup
mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\a\startm~1\programs\startup\imvu.lnk - c:\documents and settings\a\application data\imvuclient\IMVUQualityAgent.exe
StartupFolder: c:\docume~1\a\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\a\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234166809488
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234166799878
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: itlnfw32 - itlnfw32.dll
Notify: itlntfy - itlnfw32.dll
Notify: ypml - itlnfw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
IFEO: image file execution options - svchost.exe
Hosts: 64.34.212.90 www.google.com
Hosts: 64.34.212.90 google.com
Hosts: 64.34.212.90 google.com.au
Hosts: 64.34.212.90 www.google.com.au
Hosts: 64.34.212.90 google.be
.
Note: multiple HOSTS entries found. Please refer to Attach.txt.
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-3 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-9 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-9 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-7 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [2010-11-21 61440]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]
S2 gupdate1c994ae50cdb1e;Google Update Service (gupdate1c994ae50cdb1e);c:\program files\google\update\GoogleUpdate.exe [2009-2-22 133104]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2008-4-14 14336]
S2 MemChecker;Memory Checker;c:\windows\mc76487.exe [2011-3-25 339968]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-6-5 1684736]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]
.
=============== Created Last 30 ================
.
2011-04-03 14:40:53 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-03 12:20:23 -------- d-----w- c:\docume~1\a\applic~1\Toacpa
2011-04-03 12:20:23 -------- d-----w- c:\docume~1\a\applic~1\Odupyg
2011-04-03 12:20:03 163328 ----a-w- c:\windows\Ikakya.exe
2011-04-03 12:09:59 -------- d-----w- c:\docume~1\a\locals~1\applic~1\Secunia PSI
2011-04-03 12:09:52 -------- d-----w- c:\program files\Secunia
2011-03-28 15:04:17 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-28 15:04:17 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-26 00:12:45 34816 ----a-w- c:\windows\system32\itlnfw32.dll
2011-03-25 18:58:41 339968 ----a-w- c:\windows\mc76487.exe
2011-03-25 18:54:44 0 ----a-w- c:\windows\Qforoqeso.bin
2011-03-25 18:54:42 -------- d-----w- c:\docume~1\a\locals~1\applic~1\{F49866CF-2D30-4769-9AD5-413689DB18C3}
2011-03-25 18:51:33 -------- d-----w- c:\docume~1\a\applic~1\DB03EF406BCBDAABF830264BA9FBEEFD
2011-03-15 15:25:01 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-03-12 16:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-03-12 16:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-03-05 01:24:00 -------- d-----w- c:\docume~1\a\applic~1\Armagetron
2011-03-05 01:21:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Armagetron
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:42:25 439808 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:31 290048 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 14:18:12.17 ===============
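The "Hosts:" and "IFEO:" lines in the DDS report above are the entries a helper reads first: several google domains pinned to one routable address, and an Image File Execution Options entry for svchost.exe. The following Python triage script is an added example, not part of the thread, of DDS or of ComboFix; it parses those two line types from a report and flags them. The sample report is constructed from values in the report above, and the set of core binaries it watches is this example's own assumption.

```python
"""Triage the 'Hosts:' and 'IFEO:' lines of a DDS pseudo-HJT report.
Added example; it is not part of the thread, of DDS or of ComboFix."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the shape DDS prints these lines (values taken from the report above).
SAMPLE_REPORT = """\
IFEO: image file execution options - svchost.exe
Hosts: 64.34.212.90 www.google.com
Hosts: 64.34.212.90 google.com
Hosts: 64.34.212.90 google.com.au
Hosts: 127.0.0.1 localhost
Hosts: 0.0.0.0 ads.example.invalid
mRun: [GrooveMonitor] "c:\\program files\\microsoft office\\office12\\GrooveMonitor.exe"
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)\s*$")
IFEO_RE = re.compile(r"^IFEO:\s+image file execution options\s+-\s+(\S+)\s*$", re.IGNORECASE)

# Assumption of this example: binaries for which an IFEO entry deserves a look,
# since a Debugger value under that key changes what runs each time they are launched.
CORE_BINARIES = {"svchost.exe", "explorer.exe", "userinit.exe", "winlogon.exe",
                 "taskmgr.exe", "regedit.exe", "cmd.exe", "msconfig.exe"}


def parse_hosts(lines):
    """Group the hostnames of every 'Hosts:' line by the address they are pinned to."""
    by_ip = defaultdict(list)
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if m:
            by_ip[m.group(1)].append(m.group(2).lower())
    return dict(by_ip)


def hosts_findings(by_ip):
    """Flag routable addresses: names pinned to 127.0.0.1 or 0.0.0.0 are the usual
    ad/host-blocking pattern, names pinned to a remote host are a redirect."""
    findings = []
    for ip, names in by_ip.items():
        try:
            addr = ip_address(ip)
        except ValueError:
            findings.append(("hosts_unparseable", ip, sorted(names)))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        findings.append(("hosts_redirect", ip, sorted(names)))
    return findings


def ifeo_findings(lines):
    """Flag IFEO entries whose target is one of the core binaries."""
    findings = []
    for line in lines:
        m = IFEO_RE.match(line.strip())
        if m and m.group(1).lower() in CORE_BINARIES:
            findings.append(("ifeo_core_binary", m.group(1).lower()))
    return findings


def triage(report_text):
    """Return every finding for a DDS report passed as one string."""
    lines = report_text.splitlines()
    return hosts_findings(parse_hosts(lines)) + ifeo_findings(lines)


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(*finding)
```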
DaveUpNorth Posted April 5, 2011 ID:411371
Was what I sent sufficient? Is there anything else I should be doing now? Thanks.
Maniac Posted April 5, 2011 ID:411375
Nope, but wait... one by one.

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

**Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.**

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

- If you are using Firefox, make sure that your download settings are as follows: Open Tools -> Options -> Main tab. Set to Always ask me where to Save the files.
- During the download, rename Combofix to Combo-Fix as follows: It is important you rename Combofix during the download, but not after.
- Please do not rename Combofix to other names, but only to the one indicated.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results. Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
- Double click on combo-Fix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall.**
DaveUpNorth Posted April 5, 2011 ID:411397
Thanks. After my last post on Sunday, I turned the computer off and did not turn it on again until after receiving these instructions. I am unable to get a browser to open on the infected computer. Shall I download the combofix to a flash drive using my good computer and somehow run it on the bad one?
Maniac Posted April 5, 2011 ID:411412
Yes, please. It's okay.
DaveUpNorth Posted April 5, 2011 ID:411428
I'm unable to get that to work either now. It seemed to start from a command prompt, but encountered an AVG barrier. No icons are visible on my tray, and clicking the AVG user interface produces no result. All I'm getting is the XP 2011 malware. I've tried in normal mode and safe mode with networking, to no avail. And again, I went to safe mode with command prompt. Next steps (that do not involve a sledgehammer)?
DaveUpNorth Posted April 5, 2011 ID:411429
Oh wait, I did not rename combofix. Let me go back and do that. And read all instructions before doing anything else. I need a whack upside my head.
DaveUpNorth Posted April 5, 2011 ID:411431
I am unable to disable AVG; no tray icon exists and attempts to open the user interface fail. Instead, the Home XP 2011 antivirus "scan" begins automatically, something that did not happen before today. Suggestions? (I do have combo-fix on a flash drive.) Thanks.
Maniac Posted April 5, 2011 ID:411448
Please temporarily uninstall AVG and try again.
DaveUpNorth Posted April 5, 2011 ID:411454
I am now unable to open "Add and Remove Programs." The AVG user interface does not work. "Start," "All Programs," "AVG," "Uninstall AVG" does not work. There is no icon tray. Are there any other ways you might suggest I uninstall it?
Maniac Posted April 5, 2011 ID:411460
Open Notepad and copy and paste the text in the code box below into it:

    SecCenter::
    AV: Smart Internet Protection 2011 *Enabled/Updated* {30D2F759-8D05-49B1-B3D8-093C8F7092F3}
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: Smart Internet Protection 2011 *Enabled*
    KillAll::

Save the file to your desktop and name it CFScript.txt
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.
This will start ComboFix again. It may ask to reboot.
Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
DaveUpNorth Posted April 5, 2011 ID:411467
I did that; an hourglass appears briefly, the malware launches, the hourglass disappears and nothing happens except the malware running its fake scan of the computer.
DaveUpNorth Posted April 5, 2011 ID:411487
Is there something I can/should do that will allow executable files to actually execute?
Maniac Posted April 5, 2011 ID:411663
Try in Safe Mode with Networking: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx
DaveUpNorth Posted April 5, 2011 ID:411675
Everything I've tried today has been in safe mode with networking. The malware still appears, and executable files don't work.
Maniac Posted April 5, 2011 ID:411710
Make sure about that: http://www.fileinfo.com/help/windows-show-extensions.html
Then rename ComboFix.exe to svchost.com and run it again.
DaveUpNorth Posted April 5, 2011 ID:411712
Thanks. Do I still need to pull in CFScript.txt before running it?
DaveUpNorth Posted April 6, 2011 ID:411778
I attempted to open the AVG User Interface by renaming it with a .com extension. The interface did not open; instead, it launched the scanner. I forgot to copy the log from that run, and can't find it now. It did heal a three-letter file, which I'm pretty sure is the malware. I launched ComboFix. Below is the log:

ComboFix 11-04-05.02 - A 04/05/2011 22:28:56.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2250 [GMT -4:00]
Running from: E:\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
ADS - WINDOWS: deleted 128 bytes in 1 streams
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\A\Application Data\Adobe\plugs
c:\documents and settings\A\Application Data\Adobe\shed
c:\documents and settings\A\Application Data\DB03EF406BCBDAABF830264BA9FBEEFD
c:\documents and settings\A\Application Data\DB03EF406BCBDAABF830264BA9FBEEFD\enemies-names.txt
c:\documents and settings\A\Application Data\DB03EF406BCBDAABF830264BA9FBEEFD\local.ini
c:\documents and settings\A\Application Data\Odupyg
c:\documents and settings\A\Application Data\Odupyg\emhee.exe
c:\documents and settings\A\Application Data\Toacpa
c:\documents and settings\A\Application Data\Toacpa\ubli.ihs
c:\documents and settings\A\Application Data\Toacpa\ubli.tmp
c:\documents and settings\A\Local Settings\Application Data\{F49866CF-2D30-4769-9AD5-413689DB18C3}
c:\documents and settings\A\Local Settings\Application Data\{F49866CF-2D30-4769-9AD5-413689DB18C3}\chrome.manifest
c:\documents and settings\A\Local Settings\Application Data\{F49866CF-2D30-4769-9AD5-413689DB18C3}\chrome\content\_cfg.js
c:\documents and settings\A\Local Settings\Application Data\{F49866CF-2D30-4769-9AD5-413689DB18C3}\chrome\content\overlay.xul
c:\documents and settings\A\Local Settings\Application Data\{F49866CF-2D30-4769-9AD5-413689DB18C3}\install.rdf
ormz9.binc:\windows\system32\55325pyware248z9.binc:\windows\system32\5673w9rm66z.binc:\windows\system32\5721noz9a-viru53f0.binc:\windows\system32\577dt9reaz25654.binc:\windows\system32\58e9spywa5e1z94.binc:\windows\system32\5a885zie9531.binc:\windows\system32\5aat9zeat29394.binc:\windows\system32\5c5fst9al185z.binc:\windows\system32\5f36sp5r9z99.binc:\windows\system32\5za4down5o9der2271.binc:\windows\system32\606zsteal92065.binc:\windows\system32\693thr5at80z2.binc:\windows\system32\6995vir3924z.binc:\windows\system32\6ab0spyware9534z.binc:\windows\system32\6d4es9ea5z750.binc:\windows\system32\79f6thre5t23z05.binc:\windows\system32\7zc5bac59oor2887.binc:\windows\system32\90a3steal34z5.binc:\windows\system32\91141trz5564.binc:\windows\system32\92z89spambot10a5.binc:\windows\system32\9459hacktoz9329.binc:\windows\system32\9536not-a-virus957z.binc:\windows\system32\99488zorm255.binc:\windows\system32\9b3dspywzre2105.binc:\windows\system32\9d35zpyware253.binc:\windows\system32\9ec3sp5rse144z.binc:\windows\system32\a5thz9f2581.binc:\windows\system32\d75z9ief2446.binc:\windows\system32\d94thre5t16z89.binc:\windows\system32\edazo9nloader645.binc:\windows\system32\fdesp5rz9503.binc:\windows\system32\itlnfw32.dllc:\windows\system32\regobj.dllc:\windows\system32\z187spambo95f0.binc:\windows\system32\z2b5addwar9144.binc:\windows\system32\z4971tr955d9.binc:\windows\system32\z533spy55e9.binc:\windows\system32\z6519t9oj258.binc:\windows\system32\z799hac5tool231.binc:\windows\system32\z9895vir5s5fc.binc:\windows\system32\zf73spar5e1597.binc:\windows\system32\zfbft9reat30950.binc:\windows\z1370troj5509.binc:\windows\z556t9ief2101.binc:\windows\z5d2thre9t4037.binc:\windows\z683v592935.binc:\windows\z8519vi5us4f0.binc:\windows\z863addware9150.binc:\windows\z997spambot385.binc:\windows\zd57ba9kdoor2596.bin..((((((((((((((((((((((((((((((((((((((( Drivers/Services 
)))))))))))))))))))))))))))))))))))))))))))))))))

-------\Legacy_ITLPERF
-------\Service_itlperf

(((((((((((((((((((((((((   Files Created from 2011-03-06 to 2011-04-06   )))))))))))))))))))))))))))))))

2011-04-03 14:40 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-03 12:09 . 2011-04-03 12:09 -------- d-----w- c:\documents and settings\A\Local Settings\Application Data\Secunia PSI
2011-04-03 12:09 . 2011-04-03 12:09 -------- d-----w- c:\program files\Secunia
2011-04-01 12:58 . 2011-04-01 13:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-03-28 15:04 . 2011-03-28 15:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-27 21:35 . 2011-03-27 21:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-25 18:58 . 2011-03-25 18:57 339968 ----a-w- c:\windows\mc76487.exe
2011-03-25 18:54 . 2011-03-25 18:54 0 ----a-w- c:\windows\Qforoqeso.bin
2011-03-15 15:25 . 2011-03-15 15:25 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-03-10 15:26 . 2011-03-28 15:04 -------- d-----w- c:\documents and settings\Administrator

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2009-02-09 05:28 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-02-09 05:28 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:42 . 2008-04-14 12:00 439808 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-05-27 17:29 290048 ----a-w- c:\windows\system32\atmfd.dll

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 19:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-03-15 2071904]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"EM_EXEC"="c:\progra~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-05-01 28672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-08 13762560]
"nwiz"="nwiz.exe" [2009-07-08 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-08 86016]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

c:\documents and settings\A\Start Menu\Programs\Startup\
IMVU.lnk - c:\documents and settings\A\Application Data\IMVUClient\IMVUQualityAgent.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 13:41 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINDOWS\\mc76487.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1422:TCP"= 1422:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/3/2010 3:00 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/9/2009 4:34 AM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/7/2010 4:35 PM 243024]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [11/21/2010 5:57 PM 61440]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [1/10/2011 10:24 AM 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [1/10/2011 10:24 AM 399416]
S2 avg9wd;AVG Free WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]
S2 gupdate1c994ae50cdb1e;Google Update Service (gupdate1c994ae50cdb1e);c:\program files\Google\Update\GoogleUpdate.exe [2/22/2009 1:25 AM 133104]
S2 MemChecker;Memory Checker;c:\windows\mc76487.exe [3/25/2011 2:58 PM 339968]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/5/2010 1:27 PM 1684736]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf

Contents of the 'Scheduled Tasks' folder

2011-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2011-04-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-22 16:50]

2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-22 05:25]

2011-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-22 05:25]

2011-04-05 c:\windows\Tasks\User_Feed_Synchronization-{72D63DCE-BCBF-4F22-BEB4-2B0C18061408}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 16:36]

------- Supplementary Scan -------

uStart Page = hxxp://www.bing.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\A\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: %SYSTEMROOT%\system32\nvLsp.dll
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\Yontoo Layers Client for Internet Explorer\YontooIEClient.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
Toolbar-{9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
WebBrowser-{9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
HKCU-Run-Jenkat Arcade - c:\documents and settings\A\Application Data\Jenkat\Jenkat Games Arcade\notifyapp.exe
HKLM-Run-Sciwepazucowopo - c:\windows\egubaqeyuhasaj.dll
Notify-itlntfy - itlnfw32.dll
Notify-LC - (no file)
Notify-ypml - itlnfw32.dll
AddRemove-AVG9Uninstall - c:\program files\AVG\AVG9\setup.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-05 22:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\nvLsp.dll

- - - - - - - > 'explorer.exe'(11972)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

------------------------ Other Running Processes ------------------------

c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe

**************************************************************************

Completion time: 2011-04-05 22:38:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-06 02:38

Pre-Run: 245,907,677,184 bytes free
Post-Run: 246,681,792,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3274A9D1A1C8CEBEED125460365C77AC
DaveUpNorth Posted April 6, 2011 Author ID:411781

This is the log for the AVG that ran when I tried to simply open the interface:

AVG 9.0 Anti-Virus command line scanner
Copyright © 1992 - 2010 AVG Technologies
Program version 9.0.870, engine 10.0.1495
Virus Database: Version 271.1.1/3547 2011-04-02

HKCR\exefile\shell\open\command\\ Found registry key with reference to file C:\Documents and Settings\A\Local Settings\Application Data\ctp.exe Object was healed.
C:\Documents and Settings\A\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\A\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\A\ntuser.dat Locked file. Not tested.
C:\Documents and Settings\A\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\LocalService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\LocalService\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\system32\config\default Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\software Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\system Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.
C:\WINDOWS\Tasks\oaaltlb.job Locked file. Not tested.
------------------------------------------------------------
Objects scanned : 572417
Found infections : 0
Found PUPs : 0
Healed infections : 0
Healed PUPs : 0
Warnings : 1
------------------------------------------------------------
Maniac Posted April 6, 2011 ID:411886

Please visit www.virustotal.com and upload the following file:
c:\windows\mc76487.exe
Post the result in your next reply.
DaveUpNorth Posted April 6, 2011 Author ID:411900

Here is the response I received, followed by the previous report. Shall I ask virustotal to reanalyze it?

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:
MD5: 8ab0842b08b314bacddb47a1f5a74bed
Date first seen: 2011-03-25 17:27:13 (UTC)
Date last seen: 2011-04-06 06:57:14 (UTC)
Detection ratio: 5/40
What do you wish to do? I CHOSE SHOW REPORT

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: 8ab0842b08b314bacddb47a1f5a74bed
Submission date: 2011-04-06 06:57:14 (UTC)
Current status: finished
Result: 5 /40 (12.5%)
VT Community: not reviewed
Safety score: -

Antivirus / Version / Last Update / Result
AhnLab-V3 2011.04.06.02 2011.04.06 -
AntiVir 7.11.5.203 2011.04.06 -
Antiy-AVL 2.0.3.7 2011.04.06 -
Avast 4.8.1351.0 2011.04.05 -
Avast5 5.0.677.0 2011.04.05 -
AVG 10.0.0.1190 2011.04.05 -
BitDefender 7.2 2011.04.06 -
CAT-QuickHeal 11.00 2011.04.06 -
ClamAV 0.97.0.0 2011.04.06 -
Commtouch 5.2.11.5 2011.04.06 -
Comodo 8239 2011.04.06 Heur.Suspicious
DrWeb 5.0.2.03300 2011.04.06 -
eSafe 7.0.17.0 2011.04.05 -
eTrust-Vet 36.1.8255 2011.04.05 -
F-Prot 4.6.2.117 2011.04.05 -
Fortinet 4.2.254.0 2011.04.06 W32/VB.WL!tr
GData 22 2011.04.06 -
Ikarus T3.1.1.103.0 2011.04.06 -
Jiangmin 13.0.900 2011.04.06 -
K7AntiVirus 9.96.4303 2011.04.05 -
Kaspersky 7.0.0.125 2011.04.06 -
McAfee 5.400.0.1158 2011.04.06 -
McAfee-GW-Edition 2010.1C 2011.04.05 -
Microsoft 1.6702 2011.04.06 -
NOD32 6017 2011.04.06 -
Norman 6.07.07 2011.04.05 -
Panda 10.0.3.5 2011.04.05 Suspicious file
PCTools 7.0.3.5 2011.04.06 Trojan.Generic
Prevx 3.0 2011.04.06 -
Rising 23.51.05.05 2011.04.02 -
Sophos 4.64.0 2011.04.06 -
SUPERAntiSpyware 4.40.0.1006 2011.04.06 -
Symantec 20101.3.2.89 2011.04.06 Trojan Horse
TheHacker 6.7.0.1.168 2011.04.06 -
TrendMicro 9.200.0.1012 2011.04.06 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.06 -
VBA32 3.12.14.3 2011.04.05 -
VIPRE 8933 2011.04.06 -
ViRobot 2011.4.6.4395 2011.04.06 -
VirusBuster 13.6.288.0 2011.04.05 -

Additional information
MD5 : 8ab0842b08b314bacddb47a1f5a74bed
SHA1 : fd2bc52b9013f6519521c7b660881de6099bcaf2
SHA256: 3eafdc8d6d9addc5bc9971750b3d355df4d08733ad553c3b802f310c8b3afb01
ssdeep: 3072:3WmnC+qVGNBLsoUdcu6nNxdMy+P1F7fW3VSbRpvnqwCmi8/7GAsNxRKauU+Ll43D:3WgQMbgPWFSJHi8zKRKfdlO8n4csL
File size : 339968 bytes
First seen: 2011-03-25 17:27:13
Last seen : 2011-04-06 06:57:14
Magic: MS-DOS executable, MZ for MS-DOS
TrID:
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: MediaChance
copyright....: Copyright www.photobrush.com © 2001
product......: PhotoBRUSH Application
description..: Photo-Brush Application
original name: PhotoBrush.EXE
internal name: Photo-Brush
file version.: 3.02
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: -
PEInfo: PE structure information
[[ basic data ]]
entrypointaddress: 0x1220
timedatestamp....: 0x4D8AA744 (Thu Mar 24 02:07:00 2011)
machinetype......: 0x14C (Intel I386)
[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x20488, 0x21000, 5.3, 259510f893bc9d545744464d29a9ab1c
.data, 0x22000, 0x185C, 0x0, 0.0, d41d8cd98f00b204e9800998ecf8427e
.rsrc, 0x24000, 0x30BB0, 0x31000, 5.6, 377c5fce3f20db8572f8f0fab2207334
[[ 1 import(s) ]]
msvbvm60.dll: -, -, -, MethCallEngine, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, EVENT_SINK_AddRef, -, -, -, DllFunctionCall, -, -, EVENT_SINK_Release, -, EVENT_SINK_QueryInterface, __vbaExceptHandler, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
ExifTool:
file metadata
FileSize: 332 kB
FileType: DOS EXE
MIMEType: application/octet-stream
Symantec reputation: Suspicious.Insight
VT Community
This file has never been reviewed by any VT Community member. Be the first one to comment on it!
VirusTotal Team