Google Redirect and possible Defogger problem


Hello MBAM forum. My computer has been infected with a number of viruses, some of which were cleared by MBAM, others with Avira. I still have at least one piece of malware remaining, undetected by MBAM or Avira: a form of the Google Redirect Virus. There are no other problems with my system that I can detect just through normal use.

I began to follow the detailed instructions for virus removal, and ran Defogger. After selecting ‘Disable’, then ‘Yes’, the ‘Finished’ message appeared. I clicked ‘OK’, but was not then asked to reboot the system. I was returned to the “Disable” or “Re-enable” window instead. A “defogger_disable” log file was created on my desktop. The file’s contents are:

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 23:48 on 30/07/2011 (Monetary)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Is it safe for me to continue with the DDS and GMER scans? Is the ‘defogger_disable’ file only generated when the Defogger program fails for some reason? Should I just restart the computer manually and then proceed with the other scanning tools?

If it may be of assistance, my most recent MBAM quick scan log file is:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7332

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

7/30/2011 9:36:30 PM

mbam-log-2011-07-30 (21-36-30).txt

Scan type: Quick scan

Objects scanned: 168496

Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

The most recent MBAM log file which detected malware is:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7183

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

7/17/2011 10:53:10 PM

mbam-log-2011-07-17 (22-53-10).txt

Scan type: Quick scan

Objects scanned: 167108

Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\Users\Monetary\AppData\Local\agehovojamazekud.dll (Trojan.Agent) -> Delete on reboot.

c:\Users\Monetary\AppData\Local\colusas.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ghawavecazucul (Trojan.Agent) -> Value: Ghawavecazucul -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qheqezudanaw (Trojan.Hiloti) -> Value: Qheqezudanaw -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Monetary\AppData\Local\agehovojamazekud.dll (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\Monetary\AppData\Local\colusas.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Users\Monetary\AppData\Local\Temp\ms0cfg32.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Users\Monetary\local settings\agehovojamazekud.dll (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\Monetary\local settings\colusas.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Users\Monetary\local settings\application data\agehovojamazekud.dll (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\Monetary\local settings\application data\colusas.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Users\Monetary\local settings\temporary internet files\Content.IE5\ZPN9A375\p6irutuy[1].exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

Thank you, and please let me know how I should proceed regarding my possible/apparent failure of Defogger.
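
An added example, written for this thread rather than taken from it or from Malwarebytes: a small Python parser for the MBAM 1.51 log layout quoted above that reports items still marked "Delete on reboot" (the removal is not finished until the machine restarts) and the Run-key values, i.e. autostart persistence; the sample log is a constructed excerpt reusing the paths and detection names from the post.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the Malwarebytes 1.51 log layout; targets, threat names and
# actions are copied from the post above, with the file section cut to three entries.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7183

Scan type: Quick scan

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Users\Monetary\AppData\Local\agehovojamazekud.dll (Trojan.Agent) -> Delete on reboot.
c:\Users\Monetary\AppData\Local\colusas.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ghawavecazucul (Trojan.Agent) -> Value: Ghawavecazucul -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qheqezudanaw (Trojan.Hiloti) -> Value: Qheqezudanaw -> Delete on reboot.

Files Infected:
c:\Users\Monetary\AppData\Local\agehovojamazekud.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Monetary\AppData\Local\colusas.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Users\Monetary\AppData\Local\Temp\ms0cfg32.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
"""

@dataclass
class Finding:
    section: str   # e.g. "Files Infected"
    target: str    # file path or registry key
    threat: str    # detection name, e.g. "Trojan.Hiloti"
    action: str    # what MBAM did with the item
    value: str     # registry value name, or None for files/modules

COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
DBVER_RE = re.compile(r"^Database version: (\d+)$")
SCANTYPE_RE = re.compile(r"^Scan type: (.+)$")
# Item lines read "<target> (<threat>) -> [Value: <name> -> ]<action>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<threat>[^()]+)\) -> "
                     r"(?:Value: (?P<value>.+?) -> )?(?P<action>.+?)\.?$")

def parse_mbam_log(text: str) -> dict:
    """Return header fields, the per-section summary counts and every listed item."""
    report = {"database_version": None, "scan_type": None, "counts": {}, "findings": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None      # a blank line ends the current item list
            continue
        if m := DBVER_RE.match(line):
            report["database_version"] = int(m[1])
        elif m := SCANTYPE_RE.match(line):
            report["scan_type"] = m[1]
        elif m := COUNT_RE.match(line):
            report["counts"][m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["section"]
        elif section and line != "(No malicious items detected)":
            if m := ITEM_RE.match(line):
                report["findings"].append(Finding(section, m["target"], m["threat"],
                                                  m["action"], m["value"]))
    return report

def counts_consistent(report: dict) -> bool:
    """True when every summary count equals the number of items listed under it."""
    seen = Counter(f.section for f in report["findings"])
    return all(seen[s] == n for s, n in report["counts"].items())

def pending_reboot(report: dict) -> list:
    """Items MBAM could not remove while running; the clean-up needs a restart."""
    return [f for f in report["findings"] if f.action == "Delete on reboot"]

def autostart_persistence(report: dict) -> list:
    """Registry values under a CurrentVersion\\Run key, i.e. autostart persistence."""
    return [f for f in report["findings"] if f.section == "Registry Values Infected"
            and "\\currentversion\\run\\" in f.target.lower()]

if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("counts consistent:", counts_consistent(rep),
          "| pending reboot:", [f.target for f in pending_reboot(rep)],
          "| autostart:", [f.value for f in autostart_persistence(rep)])
```

Run against a real log, a non-empty pending_reboot list is the reason a helper asks for a fresh scan after restarting before judging the machine clean.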


Hello again. I have been backing up the files from the infected computer to an external hard drive, and while doing so noticed the following two files in my Users/Monetary folder (‘Monetary’ is the name of the only ‘user’ of the computer):

defogger_reenable 0KB (created when I ran Defogger) and

g2mdlhlpx.exe 70KB (created/modified/accessed March 22, 2009).

I do not know anything about the origin of that .exe file, or how long it has been present at that location.

As stated above, I am not sure if Defogger was successful in disabling CD Emulation drivers (and I am not computer-savvy enough to be able to tell myself), but I restarted the computer and performed the DDS and GMER scans. At the end of the GMER scan, the software simply gave a message saying that no modifications to the system were found. If my CD Emulation drivers are disabled, I have not used Defogger to re-enable them.

When I saved the GMER log file as ark.txt, the result was apparently a 0-byte file. I have included it in a zip file along with the Attach.txt file produced by DDS.

The other things I can think of which may be of help:

An example of a Google redirect:

When I recently searched the term “Katatonia”, and clicked on the first hit, I was redirected to an advertisement page with one sentence apparently from the Katatonia Wikipedia article.

The address bar at that point read:

http://

63.209.69.107/search/web/Katatonia/a53/itcg-20932/v5

(I broke that URL into two lines to prevent the forum from turning it into a hyperlink)

The Google redirects seem to be the only symptom that I am experiencing.

My most recent MBAM quick scan log is as follows:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7341

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

7/31/2011 5:27:44 PM

mbam-log-2011-07-31 (17-27-44).txt

Scan type: Quick scan

Objects scanned: 168590

Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And my DDS.txt file reads as follows:

.

DDS (Ver_2011-06-23.01) - NTFSAMD64

Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_21

Run by Monetary at 19:18:12 on 2011-07-31

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4093.2776 [GMT -5:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\Ati2evxx.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Kodak\KODAK Share Button App\Listener.exe

C:\Windows\system32\taskeng.exe

C:\Windows\RAVCpl64.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files (x86)\AIM\aim.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe

C:\Windows\system32\AERTSr64.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\ShrewSoft\VPN Client\dtpd.exe

C:\Program Files\ShrewSoft\VPN Client\iked.exe

C:\Program Files (x86)\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uWindow Title = Internet Explorer provided by Dell

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3090121

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - C:\Program Files (x86)\Dell\BAE\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe

uRun: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US

uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [<NO NAME>]

mRun: [Display] C:\Program Files (x86)\APC\APC PowerChute Personal Edition\DataCollectionLauncher.exe

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\APCUPS~1.LNK - C:\Program Files (x86)\APC\APC PowerChute Personal Edition\Display.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL

Trusted Zone: real.com\rhap-app-4-0

Trusted Zone: real.com\rhapreg

DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1 192.168.0.1

TCP: Interfaces\{2991137F-7F4B-4209-83D8-D76E89B28E31} : DhcpNameServer = 192.168.0.1 192.168.0.1

TCP: Interfaces\{E54A0072-7AEC-41BD-A37F-866EC48BC7ED} : NameServer = 141.106.32.6,141.106.32.7

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files (x86)\Dell\BAE\BAE.dll

BHO-X64: Browser Address Error Redirector - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [(Default)]

mRun-x64: [Display] C:\Program Files (x86)\APC\APC PowerChute Personal Edition\DataCollectionLauncher.exe

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

IE-X64: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Monetary\AppData\Roaming\Mozilla\Firefox\Profiles\zhi8y5vq.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll

FF - plugin: C:\Program Files (x86)\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - plugin: C:\Users\Monetary\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - C:\Users\Monetary\AppData\Roaming\Move Networks

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: XULRunner: {B4CADE92-867F-4C2D-AD0E-B19858CD045B} - C:\Users\Monetary\AppData\Local\{B4CADE92-867F-4C2D-AD0E-B19858CD045B}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

============= SERVICES / DRIVERS ===============

.

R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]

R1 vflt;Shrew Soft Lightweight Filter;C:\Windows\system32\DRIVERS\vfilter.sys --> C:\Windows\system32\DRIVERS\vfilter.sys [?]

R2 AERTFilters;Andrea RT Filters Service;C:\Windows\system32\AERTSr64.exe --> C:\Windows\system32\AERTSr64.exe [?]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-7-30 136360]

R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-7-30 269480]

R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]

R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-9-23 155648]

R2 dtpd;ShrewSoft DNS Proxy Daemon;C:\Program Files\ShrewSoft\VPN Client\dtpd.exe -service --> C:\Program Files\ShrewSoft\VPN Client\dtpd.exe -service [?]

R2 iked;ShrewSoft IKE Daemon;C:\Program Files\ShrewSoft\VPN Client\iked.exe -service --> C:\Program Files\ShrewSoft\VPN Client\iked.exe -service [?]

R2 ipsecd;ShrewSoft IPSEC Daemon;C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service --> C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]

S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]

S3 RivaTuner64;RivaTuner64;C:\Program Files (x86)\RivaTuner v2.24\RivaTuner64.sys [2009-2-25 19952]

S3 vnet;Shrew Soft Virtual Adapter;C:\Windows\system32\DRIVERS\virtualnet.sys --> C:\Windows\system32\DRIVERS\virtualnet.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]

S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-10-21 93184]

.

=============== Created Last 30 ================

.

2011-07-30 23:54:28 -------- d-----w- C:\Users\Monetary\AppData\Roaming\Avira

2011-07-30 23:48:47 83120 ----a-w- C:\Windows\System32\drivers\avgntflt.sys

2011-07-30 23:48:47 -------- d-----w- C:\ProgramData\Avira

2011-07-30 23:48:47 -------- d-----w- C:\Program Files (x86)\Avira

2011-07-30 18:43:03 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{08D3C858-4A02-40BE-88A2-E186591E2E3D}\mpengine.dll

2011-07-18 15:36:37 -------- d-----w- C:\Users\Monetary\AppData\Local\Cisco

2011-07-18 03:43:05 0 ----a-w- C:\Users\Monetary\AppData\Local\Jtenig.bin

2011-07-18 03:43:02 -------- d-----w- C:\Users\Monetary\AppData\Local\{B4CADE92-867F-4C2D-AD0E-B19858CD045B}

2011-07-16 17:15:06 -------- d-----w- C:\Program Files (x86)\PyMOL

2011-07-16 16:37:53 -------- d-----w- C:\Program Files (x86)\Cisco

2011-07-16 16:34:39 -------- d-----w- C:\ProgramData\Cisco

2011-07-13 01:47:14 2762240 ----a-w- C:\Windows\System32\win32k.sys

2011-07-13 01:47:07 85504 ----a-w- C:\Windows\System32\csrsrv.dll

2011-07-13 01:47:07 450048 ----a-w- C:\Windows\System32\winsrv.dll

.

==================== Find3M ====================

.

2011-07-07 00:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-07-07 00:52:42 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-05-25 00:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe

.

============= FINISH: 19:18:46.60 ===============

Attached are the attach.txt and ark.txt files from DDS and GMER, together as one .zip file. Note again that the ark.txt file is apparently zero bytes.

Thank you very much in advance for your time in volunteering to help fix infected computers like mine. You MBAM forum members are doing the internet a tremendous service!



Hello NLTY and welcome to Malwarebytes! :welcome:

I am D-FRED-BROWN and I will be helping you. :)

Don't worry about Defogger for now ;)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right-click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt
  • How the PC is running now
-------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
***IMPORTANT: save ComboFix to your Desktop***
* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
Please go here to see a list of programs that should be disabled.
**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**
Please include the C:\ComboFix.txt in your next reply for further review.
Also, please let me know if any problems still remain.
-------------
Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:

  • C:\ComboFix.txt
  • TDSSKiller log
  • Security Check checkup.txt

How is your computer running now?


Hello D-FRED-BROWN and thank you!

In the time since my last post I have been reading similar threads, and performed the following actions:

-Ran ATF Cleaner

-Ran GooredFix

-Ran TDSSKiller

GooredFix appears to have cleared my infection. Here is the GooredFix log:

GooredFix by jpshortstuff (03.07.10.1)

Log created at 22:32 on 01/08/2011 (Monetary)

Firefox version 3.6.18 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{B4CADE92-867F-4C2D-AD0E-B19858CD045B} -> Success!

Deleting C:\Users\Monetary\AppData\Local\{B4CADE92-867F-4C2D-AD0E-B19858CD045B} -> Success!

========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [06:31 29/01/2009]

{AB2CE124-6272-4b12-94A9-7303C7397BD1} [03:41 05/03/2011]

{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [07:31 03/05/2010]

{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [17:28 28/08/2010]

C:\Users\Monetary\Application Data\Mozilla\Firefox\Profiles\zhi8y5vq.default\extensions\

{20a82645-c095-46ed-80e3-08825760534b} [02:55 01/07/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [02:00 22/10/2009]

-=E.O.F=-

TDSSKiller did not detect anything harmful.

This is the TDSSKiller log:

2011/08/01 22:37:32.0792 2924 TDSS rootkit removing tool 2.5.13.0 Jul 29 2011 17:24:11

2011/08/01 22:37:33.0354 2924 ================================================================================

2011/08/01 22:37:33.0354 2924 SystemInfo:

2011/08/01 22:37:33.0354 2924

2011/08/01 22:37:33.0354 2924 OS Version: 6.0.6001 ServicePack: 1.0

2011/08/01 22:37:33.0354 2924 Product type: Workstation

2011/08/01 22:37:33.0354 2924 ComputerName: MONETARY-PC

2011/08/01 22:37:33.0354 2924 UserName: Monetary

2011/08/01 22:37:33.0354 2924 Windows directory: C:\Windows

2011/08/01 22:37:33.0354 2924 System windows directory: C:\Windows

2011/08/01 22:37:33.0354 2924 Running under WOW64

2011/08/01 22:37:33.0354 2924 Processor architecture: Intel x64

2011/08/01 22:37:33.0354 2924 Number of processors: 4

2011/08/01 22:37:33.0354 2924 Page size: 0x1000

2011/08/01 22:37:33.0354 2924 Boot type: Normal boot

2011/08/01 22:37:33.0354 2924 ================================================================================

2011/08/01 22:37:34.0227 2924 Initialize success

2011/08/01 22:37:57.0830 3888 ================================================================================

2011/08/01 22:37:57.0830 3888 Scan started

2011/08/01 22:37:57.0830 3888 Mode: Manual;

2011/08/01 22:37:57.0830 3888 ================================================================================


2011/08/01 22:38:02.0307 3888 IPNAT (b7e6212f581ea5f6ab0c3a6ceeeb89be) C:\Windows\system32\DRIVERS\ipnat.sys

2011/08/01 22:38:02.0354 3888 IRENUM (8c42ca155343a2f11d29feca67faa88d) C:\Windows\system32\drivers\irenum.sys

2011/08/01 22:38:02.0370 3888 isapnp (0672bfcedc6fc468a2b0500d81437f4f) C:\Windows\system32\drivers\isapnp.sys

2011/08/01 22:38:02.0417 3888 iScsiPrt (49e4ccbf74783fce5d2cc1ff6480e1f4) C:\Windows\system32\DRIVERS\msiscsi.sys

2011/08/01 22:38:02.0432 3888 iteatapi (63c766cdc609ff8206cb447a65abba4a) C:\Windows\system32\drivers\iteatapi.sys

2011/08/01 22:38:02.0463 3888 iteraid (1281fe73b17664631d12f643cbea3f59) C:\Windows\system32\drivers\iteraid.sys

2011/08/01 22:38:02.0495 3888 kbdclass (423696f3ba6472dd17699209b933bc26) C:\Windows\system32\DRIVERS\kbdclass.sys

2011/08/01 22:38:02.0510 3888 kbdhid (bf8783a5066cfecf45095459e8010fa7) C:\Windows\system32\DRIVERS\kbdhid.sys

2011/08/01 22:38:02.0588 3888 KSecDD (ccdcce6224e1e207e953af826b98a9d9) C:\Windows\system32\Drivers\ksecdd.sys

2011/08/01 22:38:02.0619 3888 ksthunk (1d419cf43db29396ecd7113d129d94eb) C:\Windows\system32\drivers\ksthunk.sys

2011/08/01 22:38:02.0666 3888 lltdio (96ece2659b6654c10a0c310ae3a6d02c) C:\Windows\system32\DRIVERS\lltdio.sys

2011/08/01 22:38:02.0697 3888 LSI_FC (acbe1af32d3123e330a07bfbc5ec4a9b) C:\Windows\system32\drivers\lsi_fc.sys

2011/08/01 22:38:02.0729 3888 LSI_SAS (799ffb2fc4729fa46d2157c0065b3525) C:\Windows\system32\drivers\lsi_sas.sys

2011/08/01 22:38:02.0760 3888 LSI_SCSI (f445ff1daad8a226366bfaf42551226b) C:\Windows\system32\drivers\lsi_scsi.sys

2011/08/01 22:38:02.0791 3888 luafv (52f87b9cc8932c2a7375c3b2a9be5e3e) C:\Windows\system32\drivers\luafv.sys

2011/08/01 22:38:02.0822 3888 megasas (5c5cd6aaced32fb26c3fb34b3dcf972f) C:\Windows\system32\drivers\megasas.sys

2011/08/01 22:38:02.0869 3888 MegaSR (859bc2436b076c77c159ed694acfe8f8) C:\Windows\system32\drivers\megasr.sys

2011/08/01 22:38:02.0916 3888 Modem (59848d5cc74606f0ee7557983bb73c2e) C:\Windows\system32\drivers\modem.sys

2011/08/01 22:38:02.0978 3888 monitor (c247cc2a57e0a0c8c6dccf7807b3e9e5) C:\Windows\system32\DRIVERS\monitor.sys

2011/08/01 22:38:03.0009 3888 mouclass (9367304e5e412b120cf5f4ea14e4e4f1) C:\Windows\system32\DRIVERS\mouclass.sys

2011/08/01 22:38:03.0025 3888 mouhid (c2c2bd5c5ce5aaf786ddd74b75d2ac69) C:\Windows\system32\DRIVERS\mouhid.sys

2011/08/01 22:38:03.0056 3888 MountMgr (11bc9b1e8801b01f7f6adb9ead30019b) C:\Windows\system32\drivers\mountmgr.sys

2011/08/01 22:38:03.0103 3888 mpio (f8276eb8698142884498a528dfea8478) C:\Windows\system32\drivers\mpio.sys

2011/08/01 22:38:03.0119 3888 mpsdrv (c92b9abdb65a5991e00c28f13491dba2) C:\Windows\system32\drivers\mpsdrv.sys

2011/08/01 22:38:03.0165 3888 Mraid35x (3c200630a89ef2c0864d515b7a75802e) C:\Windows\system32\drivers\mraid35x.sys

2011/08/01 22:38:03.0181 3888 MRxDAV (fe2706c15f8345c342820e4e4583fea0) C:\Windows\system32\drivers\mrxdav.sys

2011/08/01 22:38:03.0243 3888 mrxsmb (b698eb9acc7ecd4927d99d268918f912) C:\Windows\system32\DRIVERS\mrxsmb.sys

2011/08/01 22:38:03.0306 3888 mrxsmb10 (c3c8ad9591db473690a743b69de829f4) C:\Windows\system32\DRIVERS\mrxsmb10.sys

2011/08/01 22:38:03.0337 3888 mrxsmb20 (f9425d610712533107a264e2d5b2154b) C:\Windows\system32\DRIVERS\mrxsmb20.sys

2011/08/01 22:38:03.0368 3888 msahci (730b784962d22d2c6481eae2370e7c8c) C:\Windows\system32\drivers\msahci.sys

2011/08/01 22:38:03.0399 3888 msdsm (264bbb4aaf312a485f0e44b65a6b7202) C:\Windows\system32\drivers\msdsm.sys

2011/08/01 22:38:03.0446 3888 Msfs (704f59bfc4512d2bb0146aec31b10a7c) C:\Windows\system32\drivers\Msfs.sys

2011/08/01 22:38:03.0477 3888 msisadrv (00ebc952961664780d43dca157e79b27) C:\Windows\system32\drivers\msisadrv.sys

2011/08/01 22:38:03.0509 3888 MSKSSRV (0ea73e498f53b96d83dbfca074ad4cf8) C:\Windows\system32\drivers\MSKSSRV.sys

2011/08/01 22:38:03.0524 3888 MSPCLOCK (52e59b7e992a58e740aa63f57edbae8b) C:\Windows\system32\drivers\MSPCLOCK.sys

2011/08/01 22:38:03.0540 3888 MSPQM (49084a75bae043ae02d5b44d02991bb2) C:\Windows\system32\drivers\MSPQM.sys

2011/08/01 22:38:03.0571 3888 MsRPC (b8e32e6103fbba9fbb1d0c11ff0d13b5) C:\Windows\system32\drivers\MsRPC.sys

2011/08/01 22:38:03.0618 3888 mssmbios (855796e59df77ea93af46f20155bf55b) C:\Windows\system32\DRIVERS\mssmbios.sys

2011/08/01 22:38:03.0633 3888 MSTEE (86d632d75d05d5b7c7c043fa3564ae86) C:\Windows\system32\drivers\MSTEE.sys

2011/08/01 22:38:03.0649 3888 Mup (ddf133501f68d6988a0f55dfa88637b4) C:\Windows\system32\Drivers\mup.sys

2011/08/01 22:38:03.0711 3888 NativeWifiP (73b99c98fa3a2ed1566e02d6fe1913a5) C:\Windows\system32\DRIVERS\nwifi.sys

2011/08/01 22:38:03.0758 3888 NDIS (f9a3ae5c9f047d71a36a99f9abca7d02) C:\Windows\system32\drivers\ndis.sys

2011/08/01 22:38:03.0789 3888 NdisTapi (64df698a425478e321981431ac171334) C:\Windows\system32\DRIVERS\ndistapi.sys

2011/08/01 22:38:03.0821 3888 Ndisuio (8baa43196d7b5bb972c9a6b2bbf61a19) C:\Windows\system32\DRIVERS\ndisuio.sys

2011/08/01 22:38:03.0852 3888 NdisWan (52e3e8e35101399be9b2938c992aa087) C:\Windows\system32\DRIVERS\ndiswan.sys

2011/08/01 22:38:03.0867 3888 NDProxy (9cb77ed7cb72850253e973a2d6afdf49) C:\Windows\system32\drivers\NDProxy.sys

2011/08/01 22:38:03.0883 3888 NetBIOS (a499294f5029a7862adc115bda7371ce) C:\Windows\system32\DRIVERS\netbios.sys

2011/08/01 22:38:03.0914 3888 netbt (7a29ca243a629230799754162d80120f) C:\Windows\system32\DRIVERS\netbt.sys

2011/08/01 22:38:03.0977 3888 nfrd960 (4ac08bd6af2df42e0c3196d826c8aea7) C:\Windows\system32\drivers\nfrd960.sys

2011/08/01 22:38:04.0039 3888 Npfs (b06154e2a2c91e9be5599fca53bc4cd0) C:\Windows\system32\drivers\Npfs.sys

2011/08/01 22:38:04.0101 3888 nsiproxy (1523af19ee8b030ba682f7a53537eaeb) C:\Windows\system32\drivers\nsiproxy.sys

2011/08/01 22:38:04.0148 3888 Ntfs (fe86ba5ac3b50e2ca911e9c60c07b638) C:\Windows\system32\drivers\Ntfs.sys

2011/08/01 22:38:04.0211 3888 Null (dd5d684975352b85b52e3fd5347c20cb) C:\Windows\system32\drivers\Null.sys

2011/08/01 22:38:04.0226 3888 nvraid (2c040b7ada5b06f6facadac8514aa034) C:\Windows\system32\drivers\nvraid.sys

2011/08/01 22:38:04.0257 3888 nvstor (f7ea0fe82842d05eda3efdd376dbfdba) C:\Windows\system32\drivers\nvstor.sys

2011/08/01 22:38:04.0289 3888 nv_agp (19067ca93075ef4823e3938a686f532f) C:\Windows\system32\drivers\nv_agp.sys

2011/08/01 22:38:04.0351 3888 ohci1394 (7b58953e2f263421fdbb09a192712a85) C:\Windows\system32\drivers\ohci1394.sys

2011/08/01 22:38:04.0398 3888 Parport (aecd57f94c887f58919f307c35498ea0) C:\Windows\system32\drivers\parport.sys

2011/08/01 22:38:04.0413 3888 partmgr (5ab40c36894f4c06bdab0c9a2fba282d) C:\Windows\system32\drivers\partmgr.sys

2011/08/01 22:38:04.0460 3888 pci (2a5b2a51559066ea84742909b5b2cd69) C:\Windows\system32\drivers\pci.sys

2011/08/01 22:38:04.0476 3888 pciide (8d618c829034479985a9ed56106cc732) C:\Windows\system32\drivers\pciide.sys

2011/08/01 22:38:04.0491 3888 pcmcia (037661f3d7c507c9993b7010ceee6288) C:\Windows\system32\drivers\pcmcia.sys

2011/08/01 22:38:04.0523 3888 PEAUTH (58865916f53592a61549b04941bfd80d) C:\Windows\system32\drivers\peauth.sys

2011/08/01 22:38:04.0632 3888 PptpMiniport (f5739f2c6db2534c384ad5150808e8f5) C:\Windows\system32\DRIVERS\raspptp.sys

2011/08/01 22:38:04.0663 3888 Processor (5080e59ecee0bc923f14018803aa7a01) C:\Windows\system32\drivers\processr.sys

2011/08/01 22:38:04.0725 3888 PSched (0e0e205a296095fe4c631e6a4775ad6c) C:\Windows\system32\DRIVERS\pacer.sys

2011/08/01 22:38:04.0741 3888 PxHlpa64 (46851bc18322da70f3f2299a1007c479) C:\Windows\system32\Drivers\PxHlpa64.sys

2011/08/01 22:38:04.0788 3888 ql2300 (0b83f4e681062f3839be2ec1d98fd94a) C:\Windows\system32\drivers\ql2300.sys

2011/08/01 22:38:04.0850 3888 ql40xx (e1c80f8d4d1e39ef9595809c1369bf2a) C:\Windows\system32\drivers\ql40xx.sys

2011/08/01 22:38:04.0881 3888 QWAVEdrv (e8d76edab77ec9c634c27b8eac33adc5) C:\Windows\system32\drivers\qwavedrv.sys

2011/08/01 22:38:05.0084 3888 R300 (c7d2bfbea0099ce29baa32eb93dac434) C:\Windows\system32\DRIVERS\atikmdag.sys

2011/08/01 22:38:05.0162 3888 RasAcd (1013b3b663a56d3ddd784f581c1bd005) C:\Windows\system32\DRIVERS\rasacd.sys

2011/08/01 22:38:05.0225 3888 Rasl2tp (3b9085f91ef00abd15a6f36570e90e12) C:\Windows\system32\DRIVERS\rasl2tp.sys

2011/08/01 22:38:05.0256 3888 RasPppoe (2ce1703c27196094fb6e4c6e439f2c21) C:\Windows\system32\DRIVERS\raspppoe.sys

2011/08/01 22:38:05.0271 3888 RasSstp (fcd04fa67e8b40fa0ad361dd38593942) C:\Windows\system32\DRIVERS\rassstp.sys

2011/08/01 22:38:05.0303 3888 rdbss (33fa5b6136d92ee0f53f021c79091300) C:\Windows\system32\DRIVERS\rdbss.sys

2011/08/01 22:38:05.0318 3888 RDPCDD (603900cc05f6be65ccbf373800af3716) C:\Windows\system32\DRIVERS\RDPCDD.sys

2011/08/01 22:38:05.0365 3888 rdpdr (c045d1fb111c28df0d1be8d4bda22c06) C:\Windows\system32\drivers\rdpdr.sys

2011/08/01 22:38:05.0396 3888 RDPENCDD (cab9421daf3d97b33d0d055858e2c3ab) C:\Windows\system32\drivers\rdpencdd.sys

2011/08/01 22:38:05.0427 3888 RDPWD (7747082f672aa2846235c9cea42e2e72) C:\Windows\system32\drivers\RDPWD.sys

2011/08/01 22:38:05.0552 3888 RivaTuner64 (a10b40cf9eb57d24e44717a2d38a00f4) C:\Program Files (x86)\RivaTuner v2.24\RivaTuner64.sys

2011/08/01 22:38:05.0583 3888 rspndr (22a9cb08b1a6707c1550c6bf099aae73) C:\Windows\system32\DRIVERS\rspndr.sys

2011/08/01 22:38:05.0615 3888 sbp2port (cd9c693589c60ad59bbbcfb0e524e01b) C:\Windows\system32\drivers\sbp2port.sys

2011/08/01 22:38:05.0661 3888 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys

2011/08/01 22:38:05.0693 3888 Serenum (f71bfe7ac6c52273b7c82cbf1bb2a222) C:\Windows\system32\drivers\serenum.sys

2011/08/01 22:38:05.0724 3888 Serial (e62fac91ee288db29a9696a9d279929c) C:\Windows\system32\drivers\serial.sys

2011/08/01 22:38:05.0755 3888 sermouse (a842f04833684bceea7336211be478df) C:\Windows\system32\drivers\sermouse.sys

2011/08/01 22:38:05.0802 3888 sffdisk (14d4b4465193a87c127933978e8c4106) C:\Windows\system32\drivers\sffdisk.sys

2011/08/01 22:38:05.0817 3888 sffp_mmc (7073aee3f82f3d598e3825962aa98ab2) C:\Windows\system32\drivers\sffp_mmc.sys

2011/08/01 22:38:05.0849 3888 sffp_sd (35e59ebe4a01a0532ed67975161c7b82) C:\Windows\system32\drivers\sffp_sd.sys

2011/08/01 22:38:05.0864 3888 sfloppy (6b7838c94135768bd455cbdc23e39e5f) C:\Windows\system32\drivers\sfloppy.sys

2011/08/01 22:38:05.0895 3888 SiSRaid2 (7a5de502aeb719d4594c6471060a78b3) C:\Windows\system32\drivers\sisraid2.sys

2011/08/01 22:38:05.0927 3888 SiSRaid4 (3a2f769fab9582bc720e11ea1dfb184d) C:\Windows\system32\drivers\sisraid4.sys

2011/08/01 22:38:05.0958 3888 Smb (41eb2e8e005feedcafce301983eff932) C:\Windows\system32\DRIVERS\smb.sys

2011/08/01 22:38:06.0020 3888 spldr (f9cb0672162f7f04248e2b82c1ff4617) C:\Windows\system32\drivers\spldr.sys

2011/08/01 22:38:06.0098 3888 srv (a8abd7d0d907b45cf3831f4dd8644349) C:\Windows\system32\DRIVERS\srv.sys

2011/08/01 22:38:06.0161 3888 srv2 (6c72eea39e1c37b436a6d1532999f9ec) C:\Windows\system32\DRIVERS\srv2.sys

2011/08/01 22:38:06.0239 3888 srvnet (7f69bcf9e6fa3d93c82ee6b87812666d) C:\Windows\system32\DRIVERS\srvnet.sys

2011/08/01 22:38:06.0301 3888 swenum (8a851ca908b8b974f89c50d2e18d4f0c) C:\Windows\system32\DRIVERS\swenum.sys

2011/08/01 22:38:06.0332 3888 Symc8xx (2f26a2c6fc96b29beff5d8ed74e6625b) C:\Windows\system32\drivers\symc8xx.sys

2011/08/01 22:38:06.0363 3888 Sym_hi (a909667976d3bccd1df813fed517d837) C:\Windows\system32\drivers\sym_hi.sys

2011/08/01 22:38:06.0379 3888 Sym_u3 (36887b56ec2d98b9c362f6ae4de5b7b0) C:\Windows\system32\drivers\sym_u3.sys

2011/08/01 22:38:06.0457 3888 Tcpip (7d86275fb640011b372fd566c0eafa8d) C:\Windows\system32\drivers\tcpip.sys

2011/08/01 22:38:06.0535 3888 Tcpip6 (7d86275fb640011b372fd566c0eafa8d) C:\Windows\system32\DRIVERS\tcpip.sys

2011/08/01 22:38:06.0566 3888 tcpipreg (c29d4b3b08ad0b7e8564814e4ff6a57b) C:\Windows\system32\drivers\tcpipreg.sys

2011/08/01 22:38:06.0597 3888 TDPIPE (1d8bf4aaa5fb7a2761475781dc1195bc) C:\Windows\system32\drivers\tdpipe.sys

2011/08/01 22:38:06.0613 3888 TDTCP (7f7e00cdf609df657f4cda02dd1c9bb1) C:\Windows\system32\drivers\tdtcp.sys

2011/08/01 22:38:06.0644 3888 tdx (8c39c72e0e853de04748c0337d9b9216) C:\Windows\system32\DRIVERS\tdx.sys

2011/08/01 22:38:06.0660 3888 TermDD (3f0ebf6ee609f2a276c0d5faf244ec90) C:\Windows\system32\DRIVERS\termdd.sys

2011/08/01 22:38:06.0707 3888 tssecsrv (9e5409cd17c8bef193aad498f3bc2cb8) C:\Windows\system32\DRIVERS\tssecsrv.sys

2011/08/01 22:38:06.0738 3888 tunmp (89ec74a9e602d16a75a4170511029b3c) C:\Windows\system32\DRIVERS\tunmp.sys

2011/08/01 22:38:06.0769 3888 tunnel (2dc2c423572946e9a3131425bda73cb6) C:\Windows\system32\DRIVERS\tunnel.sys

2011/08/01 22:38:06.0800 3888 uagp35 (fec266ef401966311744bd0f359f7f56) C:\Windows\system32\drivers\uagp35.sys

2011/08/01 22:38:06.0831 3888 udfs (eca6629e33f122afff18a2ab7c3eb033) C:\Windows\system32\DRIVERS\udfs.sys

2011/08/01 22:38:06.0878 3888 uliagpkx (4ec9447ac3ab462647f60e547208ca00) C:\Windows\system32\drivers\uliagpkx.sys

2011/08/01 22:38:06.0925 3888 uliahci (697f0446134cdc8f99e69306184fbbb4) C:\Windows\system32\drivers\uliahci.sys

2011/08/01 22:38:06.0987 3888 UlSata (31707f09846056651ea2c37858f5ddb0) C:\Windows\system32\drivers\ulsata.sys

2011/08/01 22:38:07.0050 3888 ulsata2 (85e5e43ed5b48c8376281bab519271b7) C:\Windows\system32\drivers\ulsata2.sys

2011/08/01 22:38:07.0081 3888 umbus (46e9a994c4fed537dd951f60b86ad3f4) C:\Windows\system32\DRIVERS\umbus.sys

2011/08/01 22:38:07.0128 3888 usbccgp (89842ce16285b73405284224cc386dcf) C:\Windows\system32\DRIVERS\usbccgp.sys

2011/08/01 22:38:07.0159 3888 usbcir (9247f7e0b65852c1f6631480984d6ed2) C:\Windows\system32\drivers\usbcir.sys

2011/08/01 22:38:07.0190 3888 usbehci (07b738a1f57e4ec870406e74da5754af) C:\Windows\system32\DRIVERS\usbehci.sys

2011/08/01 22:38:07.0221 3888 usbhub (b668e8e0ef2910f28baf550b04de57f2) C:\Windows\system32\DRIVERS\usbhub.sys

2011/08/01 22:38:07.0253 3888 usbohci (eba14ef0c07cec233f1529c698d0d154) C:\Windows\system32\drivers\usbohci.sys

2011/08/01 22:38:07.0284 3888 usbprint (28b693b6d31e7b9332c1bdcefef228c1) C:\Windows\system32\DRIVERS\usbprint.sys

2011/08/01 22:38:07.0331 3888 USBSTOR (586d9876a4945779c8eea926c0d16889) C:\Windows\system32\DRIVERS\USBSTOR.SYS

2011/08/01 22:38:07.0346 3888 usbuhci (e76f2b26a5917f555844c128954bb52b) C:\Windows\system32\DRIVERS\usbuhci.sys

2011/08/01 22:38:07.0440 3888 vflt (8308cfbb52eaeaacec74b52e5def5594) C:\Windows\system32\DRIVERS\vfilter.sys

2011/08/01 22:38:07.0471 3888 vga (916b94bcf1e09873fff2d5fb11767bbc) C:\Windows\system32\DRIVERS\vgapnp.sys

2011/08/01 22:38:07.0487 3888 VgaSave (b83ab16b51feda65dd81b8c59d114d63) C:\Windows\System32\drivers\vga.sys

2011/08/01 22:38:07.0502 3888 viaide (8294b6c3fdb6c33f24e150de647ecdaa) C:\Windows\system32\drivers\viaide.sys

2011/08/01 22:38:07.0565 3888 vnet (86346fca6a587d0243c7121f179a125d) C:\Windows\system32\DRIVERS\virtualnet.sys

2011/08/01 22:38:07.0580 3888 volmgr (793d9b32a1c462c91f6f70358283ac97) C:\Windows\system32\drivers\volmgr.sys

2011/08/01 22:38:07.0611 3888 volmgrx (5aa217da5dc4ff5b9ac9ab86563b3223) C:\Windows\system32\drivers\volmgrx.sys

2011/08/01 22:38:07.0658 3888 volsnap (de4307412d98050239026e56a7dff3c0) C:\Windows\system32\drivers\volsnap.sys

2011/08/01 22:38:07.0736 3888 vpnva (0e4df91e83da5739ffb18535d4db10aa) C:\Windows\system32\DRIVERS\vpnva64.sys

2011/08/01 22:38:07.0767 3888 vsmraid (a68f455ed2673835209318dd61bfbb0e) C:\Windows\system32\drivers\vsmraid.sys

2011/08/01 22:38:07.0814 3888 WacomPen (fef8fe5923fead2cee4dfabfce3393a7) C:\Windows\system32\drivers\wacompen.sys

2011/08/01 22:38:07.0845 3888 Wanarp (aea75207e443c8623c36b8d03596f84f) C:\Windows\system32\DRIVERS\wanarp.sys

2011/08/01 22:38:07.0861 3888 Wanarpv6 (aea75207e443c8623c36b8d03596f84f) C:\Windows\system32\DRIVERS\wanarp.sys

2011/08/01 22:38:07.0892 3888 Wd (0c17a0816f65b89e362e682ad5e7266e) C:\Windows\system32\drivers\wd.sys

2011/08/01 22:38:07.0939 3888 Wdf01000 (d02e7e4567da1e7582fbf6a91144b0df) C:\Windows\system32\drivers\Wdf01000.sys

2011/08/01 22:38:08.0064 3888 WmiAcpi (e18aebaaa5a773fe11aa2c70f65320f5) C:\Windows\system32\drivers\wmiacpi.sys

2011/08/01 22:38:08.0142 3888 WpdUsb (6329d1990db931073b86ab5946d8e317) C:\Windows\system32\DRIVERS\wpdusb.sys

2011/08/01 22:38:08.0173 3888 ws2ifsl (8a900348370e359b6bff6a550e4649e1) C:\Windows\system32\drivers\ws2ifsl.sys

2011/08/01 22:38:08.0220 3888 WUDFRd (501a65252617b495c0f1832f908d54d8) C:\Windows\system32\DRIVERS\WUDFRd.sys

2011/08/01 22:38:08.0282 3888 MBR (0x1B8) (cdb4de4bbd714f152979da2dcbef57eb) \Device\Harddisk0\DR0

2011/08/01 22:38:08.0298 3888 Boot (0x1200) (3dfba14af92e5ffb4121740b84c67e09) \Device\Harddisk0\DR0\Partition0

2011/08/01 22:38:08.0313 3888 Boot (0x1200) (408f2120bb737ed1c985c1c2430cc02d) \Device\Harddisk0\DR0\Partition1

2011/08/01 22:38:08.0313 3888 ================================================================================

2011/08/01 22:38:08.0313 3888 Scan finished

2011/08/01 22:38:08.0313 3888 ================================================================================

2011/08/01 22:38:08.0329 3856 Detected object count: 0

2011/08/01 22:38:08.0329 3856 Actual detected object count: 0

When I first noticed my computer was infected, I replaced my normal antivirus program with Avira, and the first Avira scan found:

[DETECTION] Is the TR/Kazy.19685.2 Trojan

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[DETECTION] Is the TR/Spy.Banker.vk.1 Trojan

[DETECTION] Contains recognition pattern of the JAVA/Agent.AA.1 Java virus

[DETECTION] Contains recognition pattern of the JAVA/Agent.AA.2 Java virus

[DETECTION] Contains recognition pattern of the JAVA/Agent.AA Java virus

[DETECTION] Contains recognition pattern of the JAVA/Agent.D Java virus

[DETECTION] Contains recognition pattern of the EXP/Java.CVE-2009-3867.C.2 exploit

I was a little hesitant to run ComboFix ‘on my own’, and so have not done that yet. GooredFix appears to have solved my problem: the Google redirects are gone. Now the remaining concerns I have are (1) are there any other infections possibly remaining and (2) did any of my infections compromise the long-term security of my computer (backdoor)? The ‘Spy Banker’ program found by Avira concerns me a bit. My financial passwords have already been changed from a known clean computer so I am OK in that respect.

I have to leave for work now, but will run ComboFix and Security Check (as well as post fresh MBAM and DDS logs) later tonight unless you step in to give me the all clear beforehand.

Thank you again!

I have to leave for work now, but will run ComboFix and Security Check (as well as post fresh MBAM and DDS logs) later tonight unless you step in to give me the all clear beforehand.

Sounds good :)

Thank you again!

No problem! ;)

Hey D-FRED-BROWN,

I have, since the last post:

-Disconnected from internet and disabled all antivirus/firewall software

-Run Combofix

-Run Security Check

-Run DDS

-Reactivated antivirus/firewall and reconnected to internet

-Updated MBAM and ran a quick scan

Among whatever else it may have done, Combofix deleted the suspicious g2mdlhlpx.exe file within C:Users/Monetary/

I do not know enough about these logs to be able to tell if that file has done any re-spawning of any of the previously identified and removed threats. But hopefully this adventure is coming to a close.

My computer is behaving properly, as far as I can tell. The only symptom I had, the Google redirects, has been gone since I ran GooredFix. These are the logs from the most recent scans. Note that my TDSSKiller log and GooredFix log are in my most recent post before this one.

Combofix:

ComboFix 11-08-02.03 - Monetary 08/02/2011 22:35:51.1.4 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4093.2967 [GMT -5:00]

Running from: c:\users\Monetary\Desktop\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Monetary\g2mdlhlpx.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-07-03 to 2011-08-03 )))))))))))))))))))))))))))))))

.

.

2011-08-03 03:40 . 2011-08-03 03:41 -------- d-----w- c:\users\Monetary\AppData\Local\temp

2011-08-03 03:40 . 2011-08-03 03:40 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-08-03 00:52 . 2011-07-13 04:53 8578896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{29DDDDE0-9978-4F68-9419-06361208D5B3}\mpengine.dll

2011-08-02 04:21 . 2010-10-19 04:27 7680 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll

2011-08-02 04:21 . 2010-10-19 04:56 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll

2011-08-02 03:52 . 2011-08-02 03:52 -------- d-----w- c:\users\Monetary\AppData\Local\AOL

2011-08-02 03:52 . 2011-08-02 03:52 -------- d-----w- c:\users\Monetary\AppData\Local\AIM

2011-07-30 23:54 . 2011-07-30 23:54 -------- d-----w- c:\users\Monetary\AppData\Roaming\Avira

2011-07-30 23:48 . 2011-08-02 03:43 88288 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-07-30 23:48 . 2011-08-02 03:43 123784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-07-30 23:48 . 2011-07-30 23:48 -------- d-----w- c:\programdata\Avira

2011-07-30 23:48 . 2011-07-30 23:48 -------- d-----w- c:\program files (x86)\Avira

2011-07-18 15:36 . 2011-07-18 15:36 -------- d-----w- c:\users\Monetary\AppData\Local\Cisco

2011-07-18 03:43 . 2011-07-18 03:43 0 ----a-w- c:\users\Monetary\AppData\Local\Jtenig.bin

2011-07-16 17:15 . 2011-07-16 17:15 -------- d-----w- c:\program files (x86)\PyMOL

2011-07-16 16:37 . 2011-07-16 16:37 -------- d-----w- c:\program files (x86)\Cisco

2011-07-16 16:34 . 2011-07-16 16:34 -------- d-----w- c:\programdata\Cisco

2011-07-13 01:47 . 2011-06-02 13:22 2762240 ----a-w- c:\windows\system32\win32k.sys

2011-07-13 01:47 . 2011-04-20 15:16 450048 ----a-w- c:\windows\system32\winsrv.dll

2011-07-13 01:47 . 2011-04-20 15:11 85504 ----a-w- c:\windows\system32\csrsrv.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-07 00:52 . 2009-05-28 01:30 25912 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-07 00:52 . 2009-01-29 05:52 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys

2011-05-25 00:14 . 2009-10-21 02:28 270720 ------w- c:\windows\system32\MpSigStub.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

"Aim"="c:\program files (x86)\AIM\aim.exe" [2009-10-05 3634024]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-04 61440]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-09-05 417792]

"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 RivaTuner64;RivaTuner64;c:\program files (x86)\RivaTuner v2.24\RivaTuner64.sys [2009-03-17 19952]

R3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\DRIVERS\virtualnet.sys [x]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S1 vflt;Shrew Soft Lightweight Filter;c:\windows\system32\DRIVERS\vfilter.sys [x]

S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSr64.exe [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]

S2 dtpd;ShrewSoft DNS Proxy Daemon;c:\program files\ShrewSoft\VPN Client\dtpd.exe [2008-11-11 50688]

S2 iked;ShrewSoft IKE Daemon;c:\program files\ShrewSoft\VPN Client\iked.exe [2008-11-11 944640]

S2 ipsecd;ShrewSoft IPSEC Daemon;c:\program files\ShrewSoft\VPN Client\ipsecd.exe [2008-11-11 690688]

S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]

.

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RAVCpl64.exe" [2008-07-18 6453760]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-05 137240]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-05 202264]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-05 165400]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: real.com\rhap-app-4-0

Trusted Zone: real.com\rhapreg

TCP: DhcpNameServer = 192.168.0.1 192.168.0.1

TCP: Interfaces\{E54A0072-7AEC-41BD-A37F-866EC48BC7ED}: NameServer = 141.106.32.6,141.106.32.7

DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

FF - ProfilePath - c:\users\Monetary\AppData\Roaming\Mozilla\Firefox\Profiles\zhi8y5vq.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Monetary\AppData\Roaming\Move Networks

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe

HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe

HKLM-Run-Skytel - Skytel.exe

AddRemove-Final Fantasy VII - c:\program files (x86)\Square Soft

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]

@Denied: (A 2) (Everyone)

@="IFlashBroker2"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe

.

**************************************************************************

.

Completion time: 2011-08-02 22:46:30 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-03 03:46

.

Pre-Run: 270,810,308,608 bytes free

Post-Run: 270,666,555,392 bytes free

.

- - End Of File - - B71D3D86BF36BB71DDC9F1ACC0F1D4AE

Security Check (Note that this was done while all of my security software was temporarily disabled)

Results of screen317's Security Check version 0.99.18

Windows Vista (UAC is disabled!)

Out of date service pack!!

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

Avira AntiVir Personal - Free Antivirus

WMI entry may not exist for antivirus; attempting automatic update.

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 21

Java 6 Update 7

Out of date Java installed!

Flash Player Out of Date!

Adobe Flash Player 10.1.82.76

````````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSASCui.exe

Avira Antivir avguard.exe

Windows Defender MSASCui.exe

``````````End of Log````````````

A fresh DDS log:

.

DDS (Ver_2011-06-23.01) - NTFSAMD64

Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_21

Run by Monetary at 22:55:30 on 2011-08-02

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4093.2825 [GMT -5:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\Windows\system32\atieclxx.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RAVCpl64.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files (x86)\AIM\aim.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\AERTSr64.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\ShrewSoft\VPN Client\dtpd.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\ShrewSoft\VPN Client\iked.exe

C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - C:\Program Files (x86)\Dell\BAE\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe

uRun: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL

Trusted Zone: real.com\rhap-app-4-0

Trusted Zone: real.com\rhapreg

DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1 192.168.0.1

TCP: Interfaces\{2991137F-7F4B-4209-83D8-D76E89B28E31} : DhcpNameServer = 192.168.0.1 192.168.0.1

TCP: Interfaces\{E54A0072-7AEC-41BD-A37F-866EC48BC7ED} : NameServer = 141.106.32.6,141.106.32.7

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files (x86)\Dell\BAE\BAE.dll

BHO-X64: Browser Address Error Redirector - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Monetary\AppData\Roaming\Mozilla\Firefox\Profiles\zhi8y5vq.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - C:\Users\Monetary\AppData\Roaming\Move Networks

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

============= SERVICES / DRIVERS ===============

.

R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]

R1 vflt;Shrew Soft Lightweight Filter;C:\Windows\system32\DRIVERS\vfilter.sys --> C:\Windows\system32\DRIVERS\vfilter.sys [?]

R2 AERTFilters;Andrea RT Filters Service;C:\Windows\system32\AERTSr64.exe --> C:\Windows\system32\AERTSr64.exe [?]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-7-30 136360]

R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-7-30 269480]

R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]

R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-9-23 155648]

R2 dtpd;ShrewSoft DNS Proxy Daemon;C:\Program Files\ShrewSoft\VPN Client\dtpd.exe -service --> C:\Program Files\ShrewSoft\VPN Client\dtpd.exe -service [?]

R2 iked;ShrewSoft IKE Daemon;C:\Program Files\ShrewSoft\VPN Client\iked.exe -service --> C:\Program Files\ShrewSoft\VPN Client\iked.exe -service [?]

R2 ipsecd;ShrewSoft IPSEC Daemon;C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service --> C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service [?]

R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]

R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]

R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]

S3 RivaTuner64;RivaTuner64;C:\Program Files (x86)\RivaTuner v2.24\RivaTuner64.sys [2009-2-25 19952]

S3 vnet;Shrew Soft Virtual Adapter;C:\Windows\system32\DRIVERS\virtualnet.sys --> C:\Windows\system32\DRIVERS\virtualnet.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]

S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-10-21 93184]

.

=============== File Associations ===============

.

JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

.

=============== Created Last 30 ================

.

2011-08-03 03:46:32 -------- d-----w- C:\Users\Monetary\AppData\Local\temp

2011-08-03 03:41:51 -------- d-----w- C:\$RECYCLE.BIN

2011-08-03 03:33:19 98816 ----a-w- C:\Windows\sed.exe

2011-08-03 03:33:19 518144 ----a-w- C:\Windows\SWREG.exe

2011-08-03 03:33:19 256000 ----a-w- C:\Windows\PEV.exe

2011-08-03 03:33:19 208896 ----a-w- C:\Windows\MBR.exe

2011-08-03 03:33:16 -------- d-----w- C:\ComboFix

2011-08-03 00:52:38 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{29DDDDE0-9978-4F68-9419-06361208D5B3}\mpengine.dll

2011-08-02 04:21:46 7680 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll

2011-08-02 04:21:45 7680 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll

2011-08-02 03:52:28 -------- d-----w- C:\Users\Monetary\AppData\Local\AOL

2011-08-02 03:52:28 -------- d-----w- C:\Users\Monetary\AppData\Local\AIM

2011-07-30 23:54:28 -------- d-----w- C:\Users\Monetary\AppData\Roaming\Avira

2011-07-30 23:48:47 88288 ----a-w- C:\Windows\System32\drivers\avgntflt.sys

2011-07-30 23:48:47 -------- d-----w- C:\ProgramData\Avira

2011-07-30 23:48:47 -------- d-----w- C:\Program Files (x86)\Avira

2011-07-18 15:36:37 -------- d-----w- C:\Users\Monetary\AppData\Local\Cisco

2011-07-18 03:43:05 0 ----a-w- C:\Users\Monetary\AppData\Local\Jtenig.bin

2011-07-16 17:15:06 -------- d-----w- C:\Program Files (x86)\PyMOL

2011-07-16 16:37:53 -------- d-----w- C:\Program Files (x86)\Cisco

2011-07-16 16:34:39 -------- d-----w- C:\ProgramData\Cisco

2011-07-13 01:47:14 2762240 ----a-w- C:\Windows\System32\win32k.sys

2011-07-13 01:47:07 85504 ----a-w- C:\Windows\System32\csrsrv.dll

2011-07-13 01:47:07 450048 ----a-w- C:\Windows\System32\winsrv.dll

.

==================== Find3M ====================

.

2011-07-07 00:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-07-07 00:52:42 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-05-25 00:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe

.

============= FINISH: 22:55:48.38 ===============

And a fresh MBAM quick scan log:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7362

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.19019

8/2/2011 11:13:12 PM

mbam-log-2011-08-02 (23-13-12).txt

Scan type: Quick scan

Objects scanned: 168291

Time elapsed: 2 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Thank you again, D-FRED-BROWN! Hopefully the last bit of this multi-infection was killed by Combofix. Please let me know if there's anything else I can do to help.

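Two parts of the logs above deserve a closer look than a scanner gives them, and the following helper does both. It is an added example written for this page; it is not code from ComboFix, DDS, Malwarebytes or anyone in the thread. First, the `"SymbolicLinkValue"=hex(6):…` entries under LOCKED REGISTRY KEYS are REG_LINK values: the bytes are the UTF-16LE NT path of the key the link points to, and ComboFix prints only two lines of each (the trailing backslash is its continuation marker), so the decoder reports the visible prefix and flags it as truncated rather than guessing the rest. Second, for a browser-redirect complaint the `TCP: … NameServer` lines in the DDS Pseudo HJT report are the first thing to check: a static resolver outside private address space on one interface is the classic DNS-hijack indicator, but it is also exactly what a VPN adapter sets, and this machine runs both Cisco AnyConnect and Shrew Soft VPN services, so the code reports such servers for verification instead of calling them malicious. The sample inputs are copied from the posted logs; the function names and the finding wording are this example's own.

```python
"""Triage helpers for ComboFix / DDS text logs (added example for this page;
not code from ComboFix, DDS or Malwarebytes). Sample inputs are constructed
from the lines posted in the thread."""
import ipaddress
import re

# Constructed sample: two REG_LINK ("hex(6)") values from the ComboFix
# LOCKED REGISTRY KEYS section. ComboFix prints at most two lines of a value;
# the trailing backslash is its continuation marker, so the data is cut off.
COMBOFIX_LOCKED_KEYS = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
"""

HEX6_VALUE = re.compile(r'^"([^"]+)"=hex\(6\):(.*)$')   # REG_LINK in .reg syntax
HEX_CONTINUATION = re.compile(r'^[0-9a-fA-F,\\]+$')      # only bytes, commas, '\'


def decode_reg_links(text):
    """Map each registry key to (link_target, truncated) for every hex(6) value.

    REG_LINK data is the UTF-16LE NT path of the target key. A value whose
    last printed line ends in a continuation backslash was cut short by the
    tool, so only the visible prefix is returned and truncated is True.
    """
    links = {}
    key = None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        else:
            m = HEX6_VALUE.match(line)
            if m and key:
                raw = m.group(2)
                # Pull in the continuation lines that belong to this value.
                while i + 1 < len(lines) and HEX_CONTINUATION.match(lines[i + 1]):
                    i += 1
                    raw += lines[i]
                truncated = raw.endswith('\\')
                octets = [h for h in raw.replace('\\', '').split(',') if h]
                target = bytes(int(h, 16) for h in octets).decode('utf-16-le', 'replace')
                links[key] = (target.rstrip('\x00'), truncated)
        i += 1
    return links


# Constructed sample: the DDS Pseudo HJT Report lines a redirect case cares about.
DDS_HJT = r"""
uStart Page = hxxp://www.google.com/
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
TCP: Interfaces\{2991137F-7F4B-4209-83D8-D76E89B28E31} : DhcpNameServer = 192.168.0.1 192.168.0.1
TCP: Interfaces\{E54A0072-7AEC-41BD-A37F-866EC48BC7ED} : NameServer = 141.106.32.6,141.106.32.7
"""

NAMESERVER = re.compile(
    r'^TCP:\s+(?:Interfaces\\(\{[0-9A-Fa-f-]+\})\s*:\s*)?(Dhcp)?NameServer\s*=\s*(.*)$')


def triage_dds(text):
    """Return one-line findings from a DDS HJT report.

    Resolvers outside private address space are reported for verification,
    not judged: a static NameServer on one interface is how DNS hijackers
    redirect searches, but VPN adapters legitimately set the same thing.
    """
    findings = []
    for line in (ln.strip() for ln in text.splitlines()):
        m = NAMESERVER.match(line)
        if m:
            iface, dhcp, servers = m.groups()
            for s in filter(None, re.split(r'[ ,]+', servers)):
                try:
                    ip = ipaddress.ip_address(s)
                except ValueError:
                    findings.append(f'unparseable nameserver {s!r} on {iface or "global"}')
                    continue
                if not ip.is_private:
                    kind = 'DHCP-assigned' if dhcp else 'static'
                    findings.append(f'{kind} nameserver {ip} on {iface or "global"} is outside '
                                    f'private space; verify against VPN/ISP configuration')
        elif line.startswith('mPolicies-system: EnableLUA = 0'):
            findings.append('UAC disabled (EnableLUA = 0)')
        elif line.startswith('Trusted Zone:'):
            findings.append(f'IE Trusted Zone entry: {line.split(":", 1)[1].strip()}')
    return findings


if __name__ == '__main__':
    for key, (target, cut) in decode_reg_links(COMBOFIX_LOCKED_KEYS).items():
        print(f'{key} -> {target}{" (truncated)" if cut else ""}')
    for finding in triage_dds(DDS_HJT):
        print(finding)
```

Run as-is, the decoder shows both locked keys pointing under `\Registry\MACHINE\Sof…`, which is the shape of a key-redirection link rather than hidden data, and the DDS pass flags only the two 141.106.32.x resolvers bound to the second interface GUID; the 192.168.0.1 entries are the DHCP-assigned router and stay quiet. Matching that interface GUID against the AnyConnect or Shrew Soft adapter is the next step before drawing any conclusion from it.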

Thank you again, D-FRED-BROWN!

No problem ;)

Your logs appear to be clean ;) Before we move on, let's run the following online scans to make sure there's nothing hiding that we may have missed:

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats is Unchecked and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

--------

Please use Internet Explorer and run a BitDefender Online scan from Here

  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan

Please post the results in your next reply.


Here is my ESET scanner log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=68bf3e69f4ef9143ada89c25426e1a9d

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-08-04 06:32:34

# local_time=2011-08-04 01:32:34 (-0600, Central Daylight Time)

# country="United States"

# lang=9

# osver=6.0.6001 NT Service Pack 1

# compatibility_mode=1797 16775165 100 94 0 48013901 276208 0

# compatibility_mode=5892 16776573 100 100 0 149022858 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=171458

# found=0

# cleaned=0

# scan_time=15401

And my BitDefender log:

QuickScan Beta 32-bit v0.9.9.99

-------------------------------

Scan date: Thu Aug 04 04:53:04 2011

Machine ID: CE7269F

No infection found.

-------------------

Processes

---------

AntiVir Desktop 2092 C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe

AntiVir Desktop 2992 C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

AntiVir Desktop 2580 C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

AOL Instant Messenger 2028 C:\Program Files (x86)\AIM\aim.exe

Cisco AnyConnect VPN Client 1284 C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

Dock Login Service 1148 C:\Program Files\Dell\DellDock\DockLogin.exe

Java Platform SE Auto Updater 2 0 1960 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Windows® Internet Explorer 3312 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Windows® Internet Explorer 3420 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Windows® Internet Explorer 3456 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Windows® Internet Explorer 4060 C:\Program Files (x86)\Internet Explorer\iexplore.exe

Autoruns and critical files

---------------------------

AntiVir Desktop C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe

AOL Instant Messenger C:\Program Files (x86)\AIM\aim.exe

Catalyst® Control Center C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

Java Platform SE Auto Updater 2 0 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Microsoft® Windows® Operating System C:\Windows\ehome\ehTray.exe

QuickTime C:\Program Files (x86)\QuickTime\QTTask.exe

(verified) Microsoft® Windows® Operating System c:\windows\system32\browseui.dll

(verified) Microsoft® Windows® Operating System c:\windows\system32\userinit.exe

(verified) Windows® Internet Explorer c:\windows\syswow64\webcheck.dll

Browser plugins

---------------

AOL Media Playback Control C:\Windows\Downloaded Program Files\ampAx3.0.84.2.dll

BitDefender QuickScan C:\Windows\Downloaded Program Files\qsax.dll

Browser Address Error Redirector C:\Program Files (x86)\Dell\BAE\BAE.dll

DivX Player Netscape Plugin C:\Program Files (x86)\DivX\DivX Player\npDivxPlayerPlugin.dll

DivX Player Netscape Plugin C:\Program Files (x86)\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll

DivX Web Player C:\Program Files (x86)\Mozilla Firefox\plugins\npdivx32.dll

downloadUpdater C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll

downloadUpdater2 C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll

InstallShield Update Service C:\Windows\Downloaded Program Files\dwusplay.exe

Java Deployment Toolkit 6.0.210.7 C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

Java Platform SE 6 U21 C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

Java Platform SE 6 U21 C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll

Microsoft® Windows Media Player Firefox C:\Program Files (x86)\Mozilla Firefox\plugins\np-mswmp.dll

Move Streaming Media Player C:\Users\Monetary\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll

Mozilla Default Plug-in C:\Program Files (x86)\Mozilla Firefox\plugins\npnul32.dll

NPSWF32.dll C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

Silverlight Plug-In C:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll

Skype Toolbars C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Software Manager C:\Windows\Downloaded Program Files\isusweb.dll

unagiuninst.exe C:\Windows\Downloaded Program Files\unagiuninst.exe

Windows Presentation Foundation C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

Windows® Internet Explorer c:\windows\syswow64\ieframe.dll

(verified) AcroIEHelperShim Library c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

(verified) InstallShield Update Service C:\Windows\Downloaded Program Files\dwusplay.dll

(verified) Microsoft Office 2003 C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFFICE.DLL

(verified) Microsoft® Windows® Operating System C:\Windows\system32\mswsock.dll

(verified) Microsoft® Windows® Operating System C:\Windows\system32\napinsp.dll

(verified) Microsoft® Windows® Operating System C:\Windows\system32\NLAapi.dll

(verified) Microsoft® Windows® Operating System C:\Windows\system32\pnrpnsp.dll

(verified) Microsoft® Windows® Operating System C:\Windows\System32\winrnr.dll

(verified) QuickTime Plug-in 7.6.4 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin.dll

(verified) QuickTime Plug-in 7.6.4 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin2.dll

(verified) QuickTime Plug-in 7.6.4 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin3.dll

(verified) QuickTime Plug-in 7.6.4 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin4.dll

(verified) QuickTime Plug-in 7.6.4 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin5.dll

(verified) QuickTime Plug-in 7.6.4 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin6.dll

(verified) QuickTime Plug-in 7.6.4 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin7.dll

(verified) QuickTime Plug-in 7.6.4 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll

(verified) QuickTime Plug-in 7.6.4 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll

(verified) QuickTime Plug-in 7.6.4 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll

(verified) QuickTime Plug-in 7.6.4 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll

(verified) QuickTime Plug-in 7.6.4 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll

(verified) QuickTime Plug-in 7.6.4 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll

(verified) QuickTime Plug-in 7.6.4 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll

Scan

----

MD5: 069b1be17eeda5400ea24e0df929c6c0 C:\Program Files (x86)\AIM\acccore.dll

MD5: 4c4ebf4cf12800c888dd48108e6aae1a C:\Program Files (x86)\AIM\aim.exe

MD5: 54def38d41092658064c83783c55a90e C:\Program Files (x86)\AIM\AOLSvcMgr.dll

MD5: b4f4856a8fd2ba1e408b347857f1baf4 C:\Program Files (x86)\AIM\coolcore58.dll

MD5: 537dba28451a112efeccbd850b8c961f C:\Program Files (x86)\AIM\nspr4.dll

MD5: f96e7e2f6e0fa294b4c117f53c8115d4 C:\Program Files (x86)\AIM\nss3.dll

MD5: 93deb816c6985dd75d5a84ad5d266cac C:\Program Files (x86)\AIM\nssckbi.dll

MD5: 60b8974fa964f568c25a55c19d59883a C:\Program Files (x86)\AIM\plc4.dll

MD5: 3bb617ef942280b0be09d844bde4af56 C:\Program Files (x86)\AIM\plds4.dll

MD5: b1ddf206a4b97c1ed89c3abe2ecbe3ef C:\Program Files (x86)\AIM\smime3.dll

MD5: 0efb3626c2899955bc22c050842c1db1 C:\Program Files (x86)\AIM\softokn3.dll

MD5: 31c79e69aab3f66f84853b6a78de8239 C:\Program Files (x86)\AIM\ssl3.dll

MD5: ef6330789972cf9198fb359594835fe0 C:\Program Files (x86)\AIM\xprt6.dll

MD5: bd23d06921416fb12005c04b83bbb81d C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

MD5: 6159c95aa16e8b2a01b7a001b8c134c3 C:\Program Files (x86)\Avira\AntiVir Desktop\aecore.dll

MD5: ee0477f95aaf614c5cb14f324ca48c3d C:\Program Files (x86)\Avira\AntiVir Desktop\aeemu.dll

MD5: 99fc44836c9faa66d3dd7f6264c2996b C:\Program Files (x86)\Avira\AntiVir Desktop\aegen.dll

MD5: ae5747a0d13699168f80d108a3936c2e C:\Program Files (x86)\Avira\AntiVir Desktop\aehelp.dll

MD5: 9162ec5cd1cbfbe42a5779fe6943ec3e C:\Program Files (x86)\Avira\AntiVir Desktop\aeheur.dll

MD5: 2d87a98767a1b77e58d2096029d2f570 C:\Program Files (x86)\Avira\AntiVir Desktop\aeoffice.dll

MD5: 1ca8605d69c9d53c837bd6ab57c9294b C:\Program Files (x86)\Avira\AntiVir Desktop\aepack.dll

MD5: 6510790b36f61d75948e9e001b6775ab C:\Program Files (x86)\Avira\AntiVir Desktop\aerdl.dll

MD5: ea8d2dcbadb11928df166a5683d7b524 C:\Program Files (x86)\Avira\AntiVir Desktop\aesbx.dll

MD5: 864e4cec9f60c25a8a93ad3784da2e64 C:\Program Files (x86)\Avira\AntiVir Desktop\aescn.dll

MD5: 3a0638167d746bcbe06494945943ad30 C:\Program Files (x86)\Avira\AntiVir Desktop\aescript.dll

MD5: 100caaf3542fb51feca9c09db1cb940d C:\Program Files (x86)\Avira\AntiVir Desktop\aevdf.dll

MD5: 4c3eed40c3f2a9fc9956b0511d431304 C:\Program Files (x86)\Avira\AntiVir Desktop\avevtlog.dll

MD5: 5ee5c132d47ba6f331099bff1d1db539 C:\Program Files (x86)\Avira\AntiVir Desktop\AVGIO.DLL

MD5: c983e62b6fb74457d173ba93f66f6068 C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe

MD5: df5a3016052755c910a206058b4a1729 C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

MD5: 5252bb49a0b35e1127d3771e21c7af6d C:\Program Files (x86)\Avira\AntiVir Desktop\AVPREF.DLL

MD5: f7263b4e58e0346178cad70eac7f35e6 c:\program files (x86)\avira\antivir desktop\ccgen.dll

MD5: f05a5753c308425749b37acd39a5f760 c:\program files (x86)\avira\antivir desktop\ccgenrc.dll

MD5: 4b3a4639dd281b709162a2120b3daefc c:\program files (x86)\avira\antivir desktop\ccguard.dll

MD5: c0245ed1f48397d41632cab0afa842ce c:\program files (x86)\avira\antivir desktop\cclic.dll

MD5: 98d551a16398529f181570a001843231 c:\program files (x86)\avira\antivir desktop\ccmsg.dll

MD5: bd655a8ecaf694c48684b89c745f52fa c:\program files (x86)\avira\antivir desktop\ccupdate.dll

MD5: a93a23d1d8922fe1e625d9884c275ff5 c:\program files (x86)\avira\antivir desktop\ccupdrc.dll

MD5: a0ef10de0d455e33adffc39948660899 c:\program files (x86)\avira\antivir desktop\ccupdw.dll

MD5: 47766f6b79a25af04ed3f6f2b02aa4cb C:\Program Files (x86)\Avira\AntiVir Desktop\ccwkrlib.dll

MD5: 92d9eb35797530fedc07b1d75533f68e C:\Program Files (x86)\Avira\AntiVir Desktop\guardmsg.dll

MD5: a285373eab723d7f3fcfdb70accb60a1 C:\Program Files (x86)\Avira\AntiVir Desktop\rcimage.dll

MD5: b4837fe56d76b2e9ea90e5365cf6a2be C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

MD5: 13a86ff71b5e57da8c9a6e2316ce1eaa C:\Program Files (x86)\Avira\AntiVir Desktop\schedr.dll

MD5: a4fd954d625658bc00734fb6a287476e C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\LIBEAY32.dll

MD5: abd616f5756ccbb9e4f5a204587cf989 C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\SSLEAY32.dll

No file uploaded.

Scan finished - communication took 2 sec

Total traffic - 0.01 MB sent, 0.53 KB recvd

Scanned 318 files and modules - 10 seconds

==============================================================================

Both come up apparently clean. Are we ready for the 'all clear' post?

I cannot thank you, and the other selfless forum helpers, enough.


I cannot thank you, and the other selfless forum helpers, enough.

No problem! :)

Both come up apparently clean. Are we ready for the 'all clear' post?

Correct ;)

Unless there are any further issues, I will now provide you with some suggestions for security software, but first, ComboFix must be uninstalled ;):

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

-------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :)

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!

AntiVir

AVG

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard

A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.

A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.

If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available.

A tutorial on understanding and using firewalls may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut which provides protections against malicious websites. (Requires 2 downloads)

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested, Firefox may be downloaded from here.

Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error-free. If you run into more difficulty, we will certainly do what we can to help. :)


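The post above notes that the Windows Firewall allows outbound traffic by default. As an added example that is not part of the thread, the PowerShell script below reads the default inbound/outbound policy of each Windows Firewall profile, switches every profile to block outbound by default, and adds a per-program allow rule; it assumes Windows Vista or later (netsh advfirewall), English-locale netsh output, an elevated prompt, and the Firefox path is only an illustration.

```powershell
# Added example, not from the thread: inspect each Windows Firewall profile's
# default outbound action and switch the profiles to block outbound by default.
# Assumes Windows Vista or later (netsh advfirewall), English-locale netsh output,
# and an elevated PowerShell prompt for the "set" and "add rule" commands.

function Get-FirewallDefaultPolicy {
    $current = $null
    $rows = @()
    foreach ($line in (netsh advfirewall show allprofiles)) {
        # Each profile block starts with a header such as "Public Profile Settings:"
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $current = $matches[1]
        }
        # ... and contains a line like "Firewall Policy   BlockInbound,AllowOutbound"
        elseif ($line -match '^Firewall Policy\s+(\w+),(\w+)') {
            $rows += [pscustomobject]@{
                Profile  = $current
                Inbound  = $matches[1]
                Outbound = $matches[2]
            }
        }
    }
    return $rows
}

# Weak (stock) state: every profile reports AllowOutbound, so a program already
# running on the machine can reach the Internet without being asked.
Get-FirewallDefaultPolicy | Format-Table -AutoSize

# Hardened state: block outbound unless a rule allows it. The built-in
# "Core Networking" rules keep DNS and DHCP working; each program that needs
# the network (browser, updater, VPN client) gets its own allow rule.
# The Firefox path below is an assumed example location.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name="Firefox outbound" dir=out action=allow `
    program="C:\Program Files (x86)\Mozilla Firefox\firefox.exe" enable=yes

# Re-check: nothing should be listed once every profile reads BlockOutbound.
Get-FirewallDefaultPolicy | Where-Object { $_.Outbound -ne 'BlockOutbound' }
```

Expect some programs to stop reaching the network after the switch until they are given their own allow rule; the firewall log (pfirewall.log) shows which ones were dropped.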
No, I believe everything is taken care of, concerning the computer's infections.

Do you have any information regarding the dangers of using a VPN connection to my school's server? I am a student who may sometimes wish to connect to my institution's file server from my home computer. The computer we just cleaned is that home computer, and my infections coincided with my first use of the VPN connection. If this might not be a coincidence, I am interested in learning anything I can about safely making that connection. I have not connected to my school's network from home again since clearing the infections.

Thank you in advance, sir.


You might want to apprise your school of the situation you were recently in; their server may very well be infected. However, it may have just been a coincidence. Regardless, running a good antivirus/anti-spyware/firewall program should keep you relatively safe ;)

Here are some links for you:

Cisco: VPN Security

Cisco: VPN Safety PDF (lengthy read)

Network World: How Safe is a VPN

About: VPN Security Technology

Encryption and Security Protocols in a VPN

Common VPN Security Flaws

VPNs and Internet Connection Security

Let me know if that helps.


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.