
Web browser slowdown/block & Block IPs



Hi,

I am not good at this, hopefully I did this right.

Computer was infected with a trojan a few days ago; I cleaned it up with Malwarebytes & Avira.

I have followed all the instructions on this forum

After the cleanup I noticed Malwarebytes is blocking multiple IP addresses, all outgoing:

208.73.210.29

208.87.33.151

208.87.32.75

192.168.0.104

195.3.145.105

195.3.145.182

195.3.145.251

195.3.145.252

67.29.139.153

64.111.196.124

The last 2 are new today.

In addition, when I try to go to a specific website, it is redirected to different ad sites while the page remains blank; multiple refreshes are needed to get to the intended URL.

Thank you for taking the time to do this. Much appreciated.

ark.zip

blumi

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_26

Run by Theresa at 22:48:21 on 2011-08-11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.689 [GMT -4:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\System32\dllhost.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Theresa\Desktop\Defogger.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://search.live.com

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://search.live.com/sphome.aspx

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [steam] "c:\program files\steam\steam.exe" -silent

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{12A26D85-E241-4273-91C1-7B8CE65BBBD4} : DhcpNameServer = 192.168.1.1

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\theresa\application data\mozilla\firefox\profiles\zeop9z0d.default\

FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

---- FIREFOX POLICIES ----

FF - user.js: extentions.y2layers.installId - de70fde7-158b-4eb0-9e22-2e7a2c303a64

FF - user.js: extentions.y2layers.installId - 58d30091-b763-4f6e-b20b-43038ca744bb

FF - user.js: extentions.y2layers.installId - 1f125cc1-4279-448f-82b0-9472c9621eec

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-8-9 11608]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-9 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-9 269480]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-9 66616]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-9 366640]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-9 22712]

.

=============== Created Last 30 ================

.

2011-08-12 00:51:22 -------- d-----w- c:\windows\system32\NtmsData

2011-08-12 00:49:26 -------- d-----w- c:\documents and settings\theresa\application data\Avira

2011-08-11 00:15:28 -------- d-----w- c:\documents and settings\theresa\application data\UNOUndercover

2011-08-10 02:39:04 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-10 02:39:02 -------- d-----w- c:\program files\Avira

2011-08-10 02:39:02 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-08-10 01:25:25 -------- d-----w- c:\documents and settings\theresa\application data\Anarchy

2011-08-10 00:07:02 -------- d-----w- c:\documents and settings\theresa\application data\Malwarebytes

2011-08-10 00:06:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-10 00:06:57 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-08-10 00:06:54 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-10 00:06:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-09 23:29:11 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer

2011-08-09 02:59:16 -------- d-----w- c:\documents and settings\all users\application data\Gogii

2011-08-09 00:57:34 -------- d-----w- c:\documents and settings\theresa\application data\Floodlight Games

2011-08-09 00:57:34 -------- d-----w- c:\documents and settings\all users\application data\Floodlight Games

2011-08-08 04:59:59 -------- d-----w- c:\documents and settings\theresa\Saved Games

2011-08-07 23:01:04 -------- d-----w- c:\documents and settings\theresa\application data\Big Fish Games

2011-08-07 21:49:49 -------- d-----w- c:\documents and settings\theresa\application data\Crown

2011-08-07 21:49:49 -------- d-----w- c:\documents and settings\all users\application data\Crown

2011-08-07 05:02:52 -------- d-----w- c:\documents and settings\all users\application data\Fugazo

2011-08-07 02:51:50 -------- d-----w- c:\documents and settings\all users\application data\Alawar Stargaze

2011-08-07 00:53:40 -------- d-----w- c:\documents and settings\theresa\application data\Funlinker

2011-08-06 01:57:09 -------- d-----w- c:\documents and settings\all users\application data\CropBusters

2011-08-02 02:30:49 -------- d-----w- c:\documents and settings\theresa\application data\Friday's games

.

==================== Find3M ====================

.

2011-08-12 02:46:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD6401AALS-00L3B2 rev.01.03B01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-9

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D924D0]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89d987d0]; MOV EAX, [0x89d9884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89E49AB8]

3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006d[0x89E4FF18]

5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89DCDD98]

\Driver\atapi[0x89DD1250] -> IRP_MJ_CREATE -> 0x89D924D0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x89D9231B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 22:49:23.14 ===============

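A few of the DDS lines above are the ones a helper scans for first: a BHO or EB entry ending in `No File` (a registry reference to a COM object whose DLL is gone, usually a leftover from a removed add-on or a removed infection), a `Hosts:` line (a hosts-file override; here www.spywareinfo.com is mapped to 127.0.0.1), `FF - user.js:` prefs written into the Firefox profile, and the GMER `Warning:` line. As an added example, not code from the thread, from DDS or from GMER, here is a Python routine that pulls those entries out of a log in this format and, separately, sorts the blocked addresses from the first post into private and public ranges (an outbound block to an RFC 1918 address such as 192.168.0.104 is a LAN-side question, different from the public ones). The sample log is a handful of lines copied from the report above; the regexes are my own approximation of the DDS line format, not DDS's own parser.

```python
import ipaddress
import re

# Constructed sample: lines copied from the DDS/GMER report in the first post, plus the
# address list Malwarebytes reported blocking. Nothing here is read from a live machine.
SAMPLE_LOG = r"""
uSearch Page = hxxp://search.live.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
FF - user.js: extentions.y2layers.installId - de70fde7-158b-4eb0-9e22-2e7a2c303a64
Warning: possible TDL3 rootkit infection !
"""

BLOCKED_IPS = ["208.73.210.29", "208.87.33.151", "192.168.0.104",
               "195.3.145.105", "67.29.139.153", "64.111.196.124"]

# {8-4-4-4-12} hex GUID in braces, as DDS prints CLSIDs
CLSID_RE = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# "BHO: <optional name>: {CLSID} - No File"  (also EB/TB entries)
NO_FILE_RE = re.compile(r"^(?P<kind>BHO|EB|TB):\s*(?:(?P<name>[^{]*?):\s*)?"
                        r"(?P<clsid>" + CLSID_RE + r")\s*-\s*No File\s*$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)\s*$")
USERJS_RE = re.compile(r"^FF - user\.js:\s+(?P<pref>\S+)\s+-\s+(?P<value>.+?)\s*$")
WARNING_RE = re.compile(r"^Warning:\s*(?P<text>.+?)\s*$")


def triage_dds(log: str) -> dict:
    """Collect the entries from a DDS-style report that deserve a second look."""
    findings = {"orphaned": [], "hosts": [], "userjs": [], "warnings": []}
    for raw in log.splitlines():
        line = raw.strip()
        if m := NO_FILE_RE.match(line):
            # CLSID registered but its DLL is missing: candidate for cleanup
            findings["orphaned"].append((m["kind"], m["clsid"].upper()))
        elif m := HOSTS_RE.match(line):
            findings["hosts"].append((m["ip"], m["host"]))
        elif m := USERJS_RE.match(line):
            findings["userjs"].append((m["pref"], m["value"]))
        elif m := WARNING_RE.match(line):
            findings["warnings"].append(m["text"])
    return findings


def classify_ip(ip: str) -> str:
    """loopback / private (RFC 1918 and other non-global ranges) / public."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "public"


def classify_blocks(ips: list[str]) -> dict:
    """Group blocked addresses so LAN-side hits are not mixed in with Internet ones."""
    groups = {"loopback": [], "private": [], "public": []}
    for ip in ips:
        groups[classify_ip(ip)].append(ip)
    return groups


if __name__ == "__main__":
    for key, items in triage_dds(SAMPLE_LOG).items():
        print(f"{key}: {items}")
    print(classify_blocks(BLOCKED_IPS))
```

The orphaned-CLSID check deliberately matches only lines that end in `No File`; entries that still point at a DLL on disk are a different question (is the DLL legitimate?) and are left to the analyst.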

Hi blumi and Welcome to Malwarebytes!

I see you have Avira and AVG 2011 Anti-Virus in your computer. Two Anti-Virus Programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. Please remove one of them. Also, please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • Vista/Windows 7 users right-click and select Run As Administrator.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply

Note: It will also create a log in the C:\ directory.


Hi Kenny,

Here's the log.

Thanks for taking the time to help me.

blumi

2011/08/12 20:55:13.0734 2824 TDSS rootkit removing tool 2.5.15.0 Aug 11 2011 16:32:13

2011/08/12 20:55:13.0984 2824 ================================================================================

2011/08/12 20:55:13.0984 2824 SystemInfo:

2011/08/12 20:55:13.0984 2824

2011/08/12 20:55:13.0984 2824 OS Version: 5.1.2600 ServicePack: 3.0

2011/08/12 20:55:13.0984 2824 Product type: Workstation

2011/08/12 20:55:13.0984 2824 ComputerName: COMPUTER-OBE3CR

2011/08/12 20:55:13.0984 2824 UserName: Theresa

2011/08/12 20:55:13.0984 2824 Windows directory: C:\WINDOWS

2011/08/12 20:55:13.0984 2824 System windows directory: C:\WINDOWS

2011/08/12 20:55:13.0984 2824 Processor architecture: Intel x86

2011/08/12 20:55:13.0984 2824 Number of processors: 2

2011/08/12 20:55:13.0984 2824 Page size: 0x1000

2011/08/12 20:55:13.0984 2824 Boot type: Normal boot

2011/08/12 20:55:13.0984 2824 ================================================================================

2011/08/12 20:55:14.0859 2824 Initialize success


Hi Kenny,

Is this what you are looking for?

Thanks.

blumi

2011/08/12 20:51:12.0640 3644 TDSS rootkit removing tool 2.5.15.0 Aug 11 2011 16:32:13

2011/08/12 20:51:12.0953 3644 ================================================================================

2011/08/12 20:51:12.0953 3644 SystemInfo:

2011/08/12 20:51:12.0953 3644

2011/08/12 20:51:12.0953 3644 OS Version: 5.1.2600 ServicePack: 3.0

2011/08/12 20:51:12.0953 3644 Product type: Workstation

2011/08/12 20:51:12.0953 3644 ComputerName: COMPUTER-OBE3CR

2011/08/12 20:51:12.0953 3644 UserName: Theresa

2011/08/12 20:51:12.0953 3644 Windows directory: C:\WINDOWS

2011/08/12 20:51:12.0953 3644 System windows directory: C:\WINDOWS

2011/08/12 20:51:12.0953 3644 Processor architecture: Intel x86

2011/08/12 20:51:12.0953 3644 Number of processors: 2

2011/08/12 20:51:12.0953 3644 Page size: 0x1000

2011/08/12 20:51:12.0953 3644 Boot type: Normal boot

2011/08/12 20:51:12.0953 3644 ================================================================================

2011/08/12 20:51:13.0890 3644 Initialize success

2011/08/12 20:51:18.0671 1740 ================================================================================

2011/08/12 20:51:18.0671 1740 Scan started

2011/08/12 20:51:18.0671 1740 Mode: Manual;

2011/08/12 20:51:18.0671 1740 ================================================================================

2011/08/12 20:51:19.0468 1740 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/08/12 20:51:19.0515 1740 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/08/12 20:51:19.0562 1740 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/08/12 20:51:19.0593 1740 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys

2011/08/12 20:51:19.0781 1740 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/08/12 20:51:19.0796 1740 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/08/12 20:51:19.0843 1740 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/08/12 20:51:19.0875 1740 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/08/12 20:51:20.0000 1740 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys

2011/08/12 20:51:20.0031 1740 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys

2011/08/12 20:51:20.0046 1740 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys

2011/08/12 20:51:20.0078 1740 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/08/12 20:51:20.0125 1740 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/08/12 20:51:20.0171 1740 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/08/12 20:51:20.0187 1740 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/08/12 20:51:20.0218 1740 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/08/12 20:51:20.0406 1740 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/08/12 20:51:20.0468 1740 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/08/12 20:51:20.0500 1740 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/08/12 20:51:20.0515 1740 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/08/12 20:51:20.0546 1740 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/08/12 20:51:20.0593 1740 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/08/12 20:51:20.0640 1740 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/08/12 20:51:20.0656 1740 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/08/12 20:51:20.0687 1740 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/08/12 20:51:20.0718 1740 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/08/12 20:51:20.0734 1740 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/08/12 20:51:20.0765 1740 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/08/12 20:51:20.0781 1740 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/08/12 20:51:20.0812 1740 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/08/12 20:51:20.0828 1740 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/08/12 20:51:20.0859 1740 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/08/12 20:51:20.0906 1740 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/08/12 20:51:20.0953 1740 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/08/12 20:51:21.0000 1740 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/08/12 20:51:21.0031 1740 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/08/12 20:51:21.0156 1740 IntcAzAudAddService (2389f12f0ed506176b7c29c8144cea09) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2011/08/12 20:51:21.0234 1740 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/08/12 20:51:21.0265 1740 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/08/12 20:51:21.0296 1740 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/08/12 20:51:21.0312 1740 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/08/12 20:51:21.0343 1740 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/08/12 20:51:21.0375 1740 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/08/12 20:51:21.0406 1740 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys

2011/08/12 20:51:21.0437 1740 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/08/12 20:51:21.0453 1740 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys

2011/08/12 20:51:21.0484 1740 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/08/12 20:51:21.0515 1740 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/08/12 20:51:21.0546 1740 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/08/12 20:51:21.0562 1740 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/08/12 20:51:21.0593 1740 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/08/12 20:51:21.0671 1740 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys

2011/08/12 20:51:21.0703 1740 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/08/12 20:51:21.0734 1740 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/08/12 20:51:21.0765 1740 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/08/12 20:51:21.0796 1740 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/08/12 20:51:21.0812 1740 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/08/12 20:51:21.0843 1740 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/08/12 20:51:21.0875 1740 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/08/12 20:51:21.0921 1740 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/08/12 20:51:21.0953 1740 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/08/12 20:51:22.0000 1740 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/08/12 20:51:22.0015 1740 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/08/12 20:51:22.0046 1740 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/08/12 20:51:22.0062 1740 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/08/12 20:51:22.0078 1740 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/08/12 20:51:22.0125 1740 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/08/12 20:51:22.0140 1740 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/08/12 20:51:22.0156 1740 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/08/12 20:51:22.0187 1740 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/08/12 20:51:22.0203 1740 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/08/12 20:51:22.0234 1740 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/08/12 20:51:22.0281 1740 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/08/12 20:51:22.0312 1740 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/08/12 20:51:22.0359 1740 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/08/12 20:51:22.0843 1740 nv (b9b1bb146eb9a83dcf0f5635b09d3d43) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/08/12 20:51:23.0000 1740 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/08/12 20:51:23.0015 1740 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/08/12 20:51:23.0046 1740 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/08/12 20:51:23.0078 1740 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/08/12 20:51:23.0109 1740 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/08/12 20:51:23.0125 1740 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/08/12 20:51:23.0156 1740 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/08/12 20:51:23.0187 1740 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/08/12 20:51:23.0312 1740 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/08/12 20:51:23.0328 1740 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2011/08/12 20:51:23.0359 1740 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/08/12 20:51:23.0375 1740 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/08/12 20:51:23.0453 1740 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/08/12 20:51:23.0484 1740 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys

2011/08/12 20:51:23.0500 1740 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/08/12 20:51:23.0531 1740 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/08/12 20:51:23.0546 1740 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/08/12 20:51:23.0562 1740 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/08/12 20:51:23.0593 1740 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/08/12 20:51:23.0609 1740 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/08/12 20:51:23.0656 1740 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/08/12 20:51:23.0687 1740 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/08/12 20:51:23.0781 1740 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/08/12 20:51:23.0796 1740 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/08/12 20:51:23.0828 1740 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/08/12 20:51:23.0843 1740 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/08/12 20:51:23.0906 1740 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/08/12 20:51:23.0921 1740 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\System32\DRIVERS\sr.sys

2011/08/12 20:51:23.0968 1740 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/08/12 20:51:24.0000 1740 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

2011/08/12 20:51:24.0031 1740 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/08/12 20:51:24.0046 1740 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/08/12 20:51:24.0156 1740 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/08/12 20:51:24.0187 1740 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/08/12 20:51:24.0218 1740 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/08/12 20:51:24.0234 1740 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/08/12 20:51:24.0250 1740 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/08/12 20:51:24.0312 1740 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/08/12 20:51:24.0359 1740 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/08/12 20:51:24.0406 1740 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys

2011/08/12 20:51:24.0437 1740 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/08/12 20:51:24.0453 1740 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/08/12 20:51:24.0468 1740 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/08/12 20:51:24.0515 1740 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/08/12 20:51:24.0531 1740 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/08/12 20:51:24.0562 1740 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/08/12 20:51:24.0578 1740 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/08/12 20:51:24.0625 1740 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/08/12 20:51:24.0671 1740 W8100PCI (bad35d128dd4e7071b3c294ee92ffd65) C:\WINDOWS\system32\DRIVERS\mrv8k51.sys

2011/08/12 20:51:24.0703 1740 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/08/12 20:51:24.0750 1740 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/08/12 20:51:24.0843 1740 yukonwxp (936a0e2d44adf93ce0df8e92aab29c6e) C:\WINDOWS\system32\DRIVERS\yk51x86.sys

2011/08/12 20:51:24.0906 1740 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0

2011/08/12 20:51:24.0921 1740 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/08/12 20:51:24.0921 1740 Boot (0x1200) (19de61f7e9992bd33843659294005725) \Device\Harddisk0\DR0\Partition0

2011/08/12 20:51:24.0953 1740 Boot (0x1200) (5b2c751555069a2b12a7e49e4eb6e6a1) \Device\Harddisk0\DR0\Partition1

2011/08/12 20:51:24.0968 1740 ================================================================================

2011/08/12 20:51:24.0968 1740 Scan finished

2011/08/12 20:51:24.0968 1740 ================================================================================

2011/08/12 20:51:25.0015 1728 Detected object count: 1

2011/08/12 20:51:25.0015 1728 Actual detected object count: 1

2011/08/12 20:51:57.0953 1728 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot

2011/08/12 20:51:57.0953 1728 \Device\Harddisk0\DR0 - ok

2011/08/12 20:51:57.0953 1728 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure

2011/08/12 20:52:11.0140 3748 Deinitialize success


Yes, this is what I was looking for...... :)

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log (C:\ComboFix.txt) in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


Hi Kenny,

Thanks for seeing this through. Sorry for the late reply; I don't receive an e-mail when you reply.

Here's the log.

blumi

ComboFix 11-08-14.01 - Theresa 08/13/2011 19:11:24.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1122 [GMT -4:00]

Running from: c:\documents and settings\Theresa\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\Tarma Installer

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico

c:\documents and settings\All Users\Desktop\Malware Protection.lnk

c:\documents and settings\Theresa\Application Data\Adobe\shed

c:\program files\messenger\msmsgsin.exe

c:\program files\Steam\steam.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-07-13 to 2011-08-13 )))))))))))))))))))))))))))))))

.

.

2011-08-12 00:51 . 2011-08-12 01:47 -------- d-----w- c:\windows\system32\NtmsData

2011-08-12 00:49 . 2011-08-12 00:49 -------- d-----w- c:\documents and settings\Theresa\Application Data\Avira

2011-08-12 00:42 . 2011-08-12 00:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-08-11 00:15 . 2011-08-11 00:15 -------- d-----w- c:\documents and settings\Theresa\Application Data\UNOUndercover

2011-08-10 03:58 . 2011-08-10 03:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer

2011-08-10 03:54 . 2011-08-10 03:54 -------- d-s---w- c:\documents and settings\LocalService\UserData

2011-08-10 02:39 . 2011-08-10 23:12 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-10 02:39 . 2011-08-10 23:12 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-08-10 02:39 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-08-10 02:39 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-08-10 02:39 . 2011-08-10 02:39 -------- d-----w- c:\program files\Avira

2011-08-10 02:39 . 2011-08-10 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-08-10 01:28 . 2011-08-10 01:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2011-08-10 01:25 . 2011-08-10 01:25 -------- d-----w- c:\documents and settings\Theresa\Application Data\Anarchy

2011-08-10 00:56 . 2011-08-10 00:56 -------- d-----w- c:\program files\Common Files\Java

2011-08-10 00:33 . 2011-08-10 00:33 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-08-10 00:07 . 2011-08-10 00:07 -------- d-----w- c:\documents and settings\Theresa\Application Data\Malwarebytes

2011-08-10 00:06 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-10 00:06 . 2011-08-10 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-08-10 00:06 . 2011-08-10 00:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-10 00:06 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-09 02:59 . 2011-08-09 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Gogii

2011-08-09 00:57 . 2011-08-09 00:57 -------- d-----w- c:\documents and settings\Theresa\Application Data\Floodlight Games

2011-08-09 00:57 . 2011-08-09 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Floodlight Games

2011-08-08 04:59 . 2011-08-12 02:22 -------- d-----w- c:\documents and settings\Theresa\Saved Games

2011-08-07 23:01 . 2011-08-07 23:01 -------- d-----w- c:\documents and settings\Theresa\Application Data\Big Fish Games

2011-08-07 21:49 . 2011-08-07 21:49 -------- d-----w- c:\documents and settings\Theresa\Application Data\Crown

2011-08-07 21:49 . 2011-08-07 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Crown

2011-08-07 20:36 . 2011-08-07 20:36 -------- d-----w- c:\documents and settings\Theresa\Application Data\PlayFirst

2011-08-07 20:36 . 2011-08-07 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst

2011-08-07 05:02 . 2011-08-07 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Fugazo

2011-08-07 02:51 . 2011-08-07 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Alawar Stargaze

2011-08-07 00:53 . 2011-08-07 00:53 -------- d-----w- c:\documents and settings\Theresa\Application Data\Funlinker

2011-08-06 01:57 . 2011-08-06 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\CropBusters

2011-08-02 02:30 . 2011-08-02 02:30 -------- d-----w- c:\documents and settings\Theresa\Application Data\Friday's games

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-12 02:46 . 2011-06-25 02:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2011-07-08 07:16 . 2011-05-24 21:15 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]

"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNjMwODAxMzE0LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMS1MSUMrMjItU1AxKzEtRkwxMCsxLVNQMVMyKzEtU1VEKzEtUzFJKzEtU1UzKzEtRERUKzA&prod=90&ver=10.0.1392" [?]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-11-7 106560]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Steam\\steamapps\\chinkchunk@chookies.com\\half-life\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\jerjerjeremy@hotmail.com\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\jerjerjeremy@hotmail.com\\counter-strike\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\chinkchunk@chookies.com\\counter-strike\\hl.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/9/2011 10:39 PM 136360]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/9/2011 8:06 PM 366640]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/9/2011 8:06 PM 22712]

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-13 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2010-11-12 03:18]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Theresa\Application Data\Mozilla\Firefox\Profiles\zeop9z0d.default\

FF - user.js: extentions.y2layers.installId - de70fde7-158b-4eb0-9e22-2e7a2c303a64

FF - user.js: extentions.y2layers.installId - 58d30091-b763-4f6e-b20b-43038ca744bb

FF - user.js: extentions.y2layers.installId - 1f125cc1-4279-448f-82b0-9472c9621eec

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-Steam - c:\program files\Steam\steam.exe

AddRemove-Steam App 10 - c:\program files\Steam\steam.exe

AddRemove-Steam App 240 - c:\program files\Steam\steam.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-13 19:14

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Completion time: 2011-08-13 19:15:21

ComboFix-quarantined-files.txt 2011-08-13 23:15

.

Pre-Run: 73,709,518,848 bytes free

Post-Run: 73,705,291,776 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

.

- - End Of File - - F88FC163D92AC3E64D735200A31ADF69


The search redirections should have stopped now.

Please run this online scan to help look for remnants.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan, otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.


Hi Kenny,

Thank you for helping me.

MBAM has stopped blocking the IPs and the redirecting seems to have stopped. I can open pdf's again without having my comp crashing.

Here's the log.

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=e89d26f3f628d248a6c41661f841b67a

# end=stopped

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-08-14 07:40:57

# local_time=2011-08-14 03:40:57 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 23747878 23747878 0 0

# compatibility_mode=1797 16775125 100 93 0 48943868 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=3624

# found=0

# cleaned=0

# scan_time=338

ESETSmartInstaller@High as downloader log:

all ok

esets_scanner_update returned -1 esets_gle=53251

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=e89d26f3f628d248a6c41661f841b67a

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-08-14 08:21:38

# local_time=2011-08-14 04:21:38 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 23748316 23748316 0 0

# compatibility_mode=1797 16775141 100 93 0 48944306 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=56393

# found=0

# cleaned=0

# scan_time=2341


Let's check your security so this will not happen again.

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Hi Kenny,

Sounds great. Thanks for all of your help. :lol:

Here's the log.

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 6 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

Avira AntiVir Personal - Free Antivirus

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 26

Adobe Flash Player 10.3.183.5

Mozilla Firefox (x86 en-US..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe

Malwarebytes' Anti-Malware mbamgui.exe

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````End of Log````````````


I recommend updating Internet Explorer:

http://windows.microsoft.com/en-US/internet-explorer/products/ie/home

Other than this all looks great blumi!

Purge old temporary files now that we are done.... :)

Please download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

You should keep TFC and run it once a week.

Your Computer is Clean


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

To remove all of the tools we used and the files and folders they created, please do the following:

Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

It's a good idea to Flush your System Restore after removing malware and create a new restore point.

To SET A NEW RESTORE POINT:

1. Go to Start > Programs > Accessories > System Tools and click "System Restore".

2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

3. Then go to Start > Run and type: Cleanmgr

4. Click "OK".

5. Click the "More Options" Tab.

6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.

How to Create a Restore Point.

How to use Cleanmgr.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA, which are both free to use and more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from starting on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not Operating System flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Tips for Speeding Up Your PC

Visit My Blog for Malware and Spyware Tips

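The Internet Explorer zone options listed in the post above, together with the firewall state that the Security Check output reported ("Windows Firewall Disabled!") and that the ComboFix log showed as "EnableFirewall"= 0 with "AntiVirusOverride" and "FirewallOverride" set to 1 and a globally open 3389:TCP entry, can be verified in one pass instead of clicking through dialogs. The PowerShell script below is an added example; it is not part of this thread and not code from any tool used in it. It reads Microsoft's documented registry locations for these settings (the Internet zone is Zones\3; the value names 1001, 1004, 1201, 1800, 1804 and 1607 are Microsoft's identifiers for the six options in the list, encoded 0 = Enable, 1 = Prompt, 3 = Disable; an *Override value of 1 tells Security Center to stop alerting about that component), prints current versus recommended, and writes only when run with -Apply. The function names, the "Want" values and the output layout are my own choices.

```powershell
# Added example, not from the thread or from any tool it uses.
# Read-only audit of the IE Internet-zone options listed above plus the Windows
# Firewall / Security Center values that the ComboFix and Security Check logs
# flagged. Registry paths and value names are Microsoft's documented locations;
# the "Want" values follow the hardening list in the post above.
# Run from an elevated PowerShell prompt. Nothing is written unless -Apply is given.
param([switch]$Apply)

# IE security zone 3 = Internet. Option encoding: 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ieText  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ieChecks = @(
    @{ Name = '1001'; Label = 'Download signed ActiveX controls';                       Want = 1 },
    @{ Name = '1004'; Label = 'Download unsigned ActiveX controls';                     Want = 3 },
    @{ Name = '1201'; Label = 'Initialize and script ActiveX controls not marked safe'; Want = 3 },
    @{ Name = '1800'; Label = 'Installation of desktop items';                          Want = 1 },
    @{ Name = '1804'; Label = 'Launching programs and files in an IFRAME';              Want = 1 },
    @{ Name = '1607'; Label = 'Navigate sub-frames across different domains';           Want = 1 }
)

# Standard-profile firewall switch and the Security Center override flags. A value
# of 1 in *Override tells Security Center to stop alerting, so 0 is what we want.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$sysChecks = @(
    @{ Path = $fwKey; Name = 'EnableFirewall';    Label = 'Windows Firewall enabled';    Want = 1 },
    @{ Path = $scKey; Name = 'AntiVirusOverride'; Label = 'Security Center AV override'; Want = 0 },
    @{ Path = $scKey; Name = 'FirewallOverride';  Label = 'Security Center FW override'; Want = 0 }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent; the caller reports that as "not set"
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-Setting([string]$Path, [string]$Name, [string]$Label, [int]$Want, $Text) {
    $have = Get-RegValue $Path $Name
    $status = if ($have -eq $Want) { 'OK ' } else { 'FIX' }
    $show = {
        param($v)
        if ($v -eq $null) { 'not set' }
        elseif ($Text -and $Text.ContainsKey([int]$v)) { $Text[[int]$v] }
        else { "$v" }
    }
    '{0} {1,-55} current: {2,-8} recommended: {3}' -f $status, $Label, (& $show $have), (& $show $Want)
    if ($Apply -and $have -ne $Want) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Want -Type DWord
    }
}

'== Internet Explorer, Internet zone =='
foreach ($c in $ieChecks) { Test-Setting $zoneKey $c.Name $c.Label $c.Want $ieText }

'== Windows Firewall / Security Center =='
foreach ($c in $sysChecks) { Test-Setting $c.Path $c.Name $c.Label $c.Want $null }

# Ports the firewall exposes to every network (the ComboFix log above listed
# 3389:TCP, Remote Desktop). Listing only: whether each is needed is for the owner.
'== Globally open firewall ports (standard profile) =='
$portsKey = "$fwKey\GloballyOpenPorts\List"
if (Test-Path $portsKey) {
    $names = (Get-Item $portsKey).GetValueNames()
    if ($names.Count -eq 0) { 'none' }
    foreach ($n in $names) { 'OPEN {0} -> {1}' -f $n, (Get-ItemProperty -Path $portsKey).$n }
} else { 'none' }
```

Run it without -Apply first and read the FIX lines; on Windows XP this needs PowerShell 2.0 installed. Because it changes nothing by default, it makes a reasonable check to repeat after cleanup alongside the weekly TFC run, since an infection that flips EnableFirewall or the Security Center overrides back will show up as a FIX line.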


You're welcome!

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK. If not, reboot your computer

Your Emulation drivers are now re-enabled. You can remove DeFogger off your desktop.


Hi Kenny,

Sorry to be a bother.

The problem resurfaced. It's not as frequent as before and it only happened a couple of times; there is no redirecting, but it could be due to the installation of WOT/NoScript. Just to be on the safe side I am posting the log and the MBAM log, and I will keep you posted if I continue to get the outgoing blocks.

attach.zip

Thanks for all of your help!!

Blumi

protection log

-------------

11:44:34 Theresa MESSAGE Protection started successfully

11:44:39 Theresa MESSAGE IP Protection started successfully

16:36:35 Theresa MESSAGE Protection started successfully

16:36:41 Theresa MESSAGE IP Protection started successfully

16:37:37 Theresa MESSAGE IP Protection stopped

16:37:37 Theresa MESSAGE Scheduled update executed successfully

16:37:41 Theresa MESSAGE Database updated successfully

16:37:43 Theresa MESSAGE IP Protection started successfully

19:54:27 Theresa MESSAGE Protection started successfully

19:54:31 Theresa MESSAGE IP Protection started successfully

20:04:03 Theresa IP-BLOCK 194.14.0.170 (Type: outgoing)

20:04:06 Theresa IP-BLOCK 194.14.0.170 (Type: outgoing)

20:04:12 Theresa IP-BLOCK 194.14.0.170 (Type: outgoing)

20:16:26 Theresa IP-BLOCK 208.87.32.69 (Type: outgoing)

20:16:30 Theresa IP-BLOCK 208.87.32.69 (Type: outgoing)

20:16:36 Theresa IP-BLOCK 208.87.32.69 (Type: outgoing)

20:19:05 Theresa MESSAGE IP Protection stopped

20:19:10 Theresa MESSAGE Database updated successfully

20:19:12 Theresa MESSAGE IP Protection started successfully

20:22:33 Theresa IP-BLOCK 208.87.32.69 (Type: outgoing)

20:22:36 Theresa IP-BLOCK 208.87.32.69 (Type: outgoing)

20:22:42 Theresa IP-BLOCK 208.87.32.69 (Type: outgoing)

---------------------------------------

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26

Run by Theresa at 20:25:49 on 2011-08-16

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1225 [GMT -4:00]

.

AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Theresa\Desktop\Defogger.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNjMwODAxMzE0LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMS1MSUMrMjItU1AxKzEtRkwxMCsxLVNQMVMyKzEtU1VEKzEtUzFJKzEtU1UzKzEtRERUKzA"&"prod=90"&"ver=10.0.1392

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{12A26D85-E241-4273-91C1-7B8CE65BBBD4} : DhcpNameServer = 192.168.1.1

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\theresa\application data\mozilla\firefox\profiles\zeop9z0d.default\

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

---- FIREFOX POLICIES ----

FF - user.js: extentions.y2layers.installId - de70fde7-158b-4eb0-9e22-2e7a2c303a64

FF - user.js: extentions.y2layers.installId - 58d30091-b763-4f6e-b20b-43038ca744bb

FF - user.js: extentions.y2layers.installId - 1f125cc1-4279-448f-82b0-9472c9621eec

.

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-8-9 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-9 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-9 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-9 66616]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-9 366640]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-9 22712]

.

=============== Created Last 30 ================

.

2011-08-14 21:29:56 -------- d-sh--w- c:\documents and settings\theresa\IETldCache

2011-08-14 21:26:46 -------- d-----w- c:\windows\ie8updates

2011-08-14 21:24:56 -------- dc-h--w- c:\windows\ie8

2011-08-14 21:23:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll

2011-08-14 21:23:06 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2011-08-14 21:23:06 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-08-14 21:23:05 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-08-14 21:23:04 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-08-14 21:23:04 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2011-08-14 21:23:04 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll

2011-08-14 21:23:02 11081728 -c----w- c:\windows\system32\dllcache\ieframe.dll

2011-08-14 14:45:01 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-14 14:45:00 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-08-14 14:44:09 758784 -c--a-w- c:\windows\system32\dllcache\vgx.dll

2011-08-14 14:43:59 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-13 23:10:43 -------- d-sha-r- C:\cmdcons

2011-08-12 00:51:22 -------- d-----w- c:\windows\system32\NtmsData

2011-08-12 00:49:26 -------- d-----w- c:\documents and settings\theresa\application data\Avira

2011-08-11 00:15:28 -------- d-----w- c:\documents and settings\theresa\application data\UNOUndercover

2011-08-10 02:39:04 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-10 02:39:02 -------- d-----w- c:\program files\Avira

2011-08-10 02:39:02 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-08-10 01:25:25 -------- d-----w- c:\documents and settings\theresa\application data\Anarchy

2011-08-10 00:07:02 -------- d-----w- c:\documents and settings\theresa\application data\Malwarebytes

2011-08-10 00:06:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-10 00:06:57 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-08-10 00:06:54 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-10 00:06:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-09 02:59:16 -------- d-----w- c:\documents and settings\all users\application data\Gogii

2011-08-09 00:57:34 -------- d-----w- c:\documents and settings\theresa\application data\Floodlight Games

2011-08-09 00:57:34 -------- d-----w- c:\documents and settings\all users\application data\Floodlight Games

2011-08-08 04:59:59 -------- d-----w- c:\documents and settings\theresa\Saved Games

2011-08-07 23:01:04 -------- d-----w- c:\documents and settings\theresa\application data\Big Fish Games

2011-08-07 21:49:49 -------- d-----w- c:\documents and settings\theresa\application data\Crown

2011-08-07 21:49:49 -------- d-----w- c:\documents and settings\all users\application data\Crown

2011-08-07 05:02:52 -------- d-----w- c:\documents and settings\all users\application data\Fugazo

2011-08-07 02:51:50 -------- d-----w- c:\documents and settings\all users\application data\Alawar Stargaze

2011-08-07 00:53:40 -------- d-----w- c:\documents and settings\theresa\application data\Funlinker

2011-08-06 01:57:09 -------- d-----w- c:\documents and settings\all users\application data\CropBusters

2011-08-02 02:30:49 -------- d-----w- c:\documents and settings\theresa\application data\Friday's games

.

==================== Find3M ====================

.

2011-08-12 02:46:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 20:26:14.03 ===============


Hi blumi,

Your router seems to be infected as well. Router reset: you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into the small hole labeled Reset located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 30 seconds).

Next

Flush the DNS cache:

Click the Start logo in the bottom left corner of the screen

Click on Run

In the command window copy/paste the following:

ipconfig /flushdns

Then hit enter.

Exit the command window.

Please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.


Hi Kenny,

Thanks for the follow up. :)

My router is set to also send out wifi signals and my is also on it, however this computer uses a line. Do you think it will be a problem?

Meanwhile I will do as instructed and report back and see if there are any changes.

With Thanks.

blumi


Hi,

A question, not sure if it is related or not: when you ask me to flush my DNS, the window pops up and closes by itself right after. Is this normal?

Yes this is normal.

Don't know what I did. Internet is connected but doesn't work. I am using my phone to send you this message; hopefully I can figure out how to resolve that soon.

Is your PC still having this problem? If this is still the case, please follow the instructions below. By the way, for the next several months I'm spending very little time on my PC and there will be delays between my requests.

Please read carefully and let me know if you have any questions.

Create a batch file:

Note: You will need to save any work before double clicking the fix.bat file because it will automatically restart your computer

  • Please copy and paste the following text in the Code box exactly as written into notepad (not wordpad or any other text editor):
    @echo off
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    netsh winsock reset all
    netsh int ip reset all
    shutdown -r -t 10
    del /f /q %0


  • Once you've done that click on File and select Save As...
  • In the Save dialogue box click on the drop down menu next to Save as type and select All Files
  • Name the file fix.bat (the .bat extension is very important)
  • Save the file to your desktop and double click it to run it.
  • Once it runs it will automatically restart your computer
  • Once your computer boots again, check to see if your internet performance has improved

Please let me know how it went and an update on how your PC is doing.


Hi Kenny,

Thanks for sticking with me and the heads up!

I am still trying to connect to the Internet. I will try out what you ask me and report back.

I have also noticed that no matter what ipconfig I type into Run it will just automatically do the same thing; is that normal as well?

Oh, and I just noticed that when I start my comp, before everything loads it will go to the prompt for safe mode ("use your arrows to move up and down screen"), but when I tried to use the buttons to get to safe mode it doesn't work.

Thanks for all of your help!! :)

blumi


Hi Kenny,

So far things are quiet other than one incident of outgoing IPs to 216.150.79.18, then everything went back to normal.

03:24:41 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)

03:24:42 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)

03:24:44 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)

03:24:44 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)

03:24:50 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)

03:24:50 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)

03:25:08 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)

03:25:08 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)

03:25:11 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)

03:25:11 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)

03:25:17 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)

03:25:17 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)

03:25:29 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)

03:25:32 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)

03:25:38 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)

I am hoping this is an isolated incident, however I am running the logs just in case. Gmer is taking longer time than usual, I have tried running it a couple of times for the last 2 days, still couldn't get to the end. I shall post the log once it's done.

blumi
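The IP-BLOCK lines above follow a fixed format (time, user, IP-BLOCK, destination IP, direction). As an added example that is not part of the original thread, the parser below groups Malwarebytes protection-log lines by destination, keeps only outgoing blocks, and flags a destination as a burst when many blocks land inside a short window, which is the pattern a helper looks for when deciding whether a block is an isolated event or a process repeatedly trying to call out. The sample log embeds the lines from the post plus two constructed lines (a noise line and an incoming block to 192.0.2.10, a documentation address); the 60-second window and threshold of 5 are assumptions.

```python
"""Summarise Malwarebytes IP-BLOCK protection-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape seen in the thread: "HH:MM:SS <user> IP-BLOCK <ip> (Type: outgoing)"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+IP-BLOCK\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(?P<direction>\w+)\)\s*$"
)

# Constructed sample: the 15 lines from the post, one noise line, one incoming block.
SAMPLE_LOG = """
03:24:41 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)
03:24:42 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)
03:24:44 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)
03:24:44 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)
03:24:50 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)
03:24:50 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)
03:25:08 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)
03:25:08 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)
03:25:11 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)
03:25:11 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)
03:25:17 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)
03:25:17 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)
03:25:29 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)
03:25:32 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)
03:25:38 Theresa IP-BLOCK 216.150.79.18 (Type: outgoing)
03:25:40 Theresa Protection started successfully
03:26:02 Theresa IP-BLOCK 192.0.2.10 (Type: incoming)
""".strip().splitlines()


def parse_line(line):
    """Return a dict for an IP-BLOCK line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Only a wall-clock time is logged, so a log crossing midnight is not handled here.
    return {
        "time": datetime.strptime(m.group("time"), "%H:%M:%S"),
        "user": m.group("user"),
        "ip": m.group("ip"),
        "direction": m.group("direction").lower(),
    }


def summarize(lines, burst_window=timedelta(seconds=60), burst_threshold=5):
    """Per destination IP: count of outgoing blocks, first/last time, span, burst flag."""
    by_ip = defaultdict(list)
    for event in filter(None, (parse_line(l) for l in lines)):
        if event["direction"] == "outgoing":
            by_ip[event["ip"]].append(event["time"])
    report = {}
    for ip, times in by_ip.items():
        times.sort()
        # Sliding window: largest number of blocks that fall inside burst_window.
        start, max_in_window = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > burst_window:
                start += 1
            max_in_window = max(max_in_window, end - start + 1)
        report[ip] = {
            "count": len(times),
            "first": times[0].strftime("%H:%M:%S"),
            "last": times[-1].strftime("%H:%M:%S"),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
            "burst": max_in_window >= burst_threshold,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```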


Hi Kenny,

Here's the log. attach.zip

Thanks for helping me during your down time. :D

blumi

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26

Run by Theresa at 4:08:34 on 2011-08-21

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1293 [GMT -4:00]

.

AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Theresa\Desktop\gsphrzpi.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNjMwODAxMzE0LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMS1MSUMrMjItU1AxKzEtRkwxMCsxLVNQMVMyKzEtU1VEKzEtUzFJKzEtU1UzKzEtRERUKzA"&"prod=90"&"ver=10.0.1392

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{12A26D85-E241-4273-91C1-7B8CE65BBBD4} : DhcpNameServer = 192.168.1.1

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\theresa\application data\mozilla\firefox\profiles\zeop9z0d.default\

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

---- FIREFOX POLICIES ----

FF - user.js: extentions.y2layers.installId - de70fde7-158b-4eb0-9e22-2e7a2c303a64

FF - user.js: extentions.y2layers.installId - 58d30091-b763-4f6e-b20b-43038ca744bb

FF - user.js: extentions.y2layers.installId - 1f125cc1-4279-448f-82b0-9472c9621eec

.

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-8-9 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-9 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-9 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-9 66616]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-9 366640]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-9 22712]

.

=============== Created Last 30 ================

.

2011-08-18 03:29:36 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-08-18 03:29:36 -------- d-----w- c:\windows\system32\wbem\Repository

2011-08-17 23:51:55 -------- d-sh--w- c:\documents and settings\theresa\PrivacIE

2011-08-17 06:15:33 -------- d-----w- c:\program files\VeBest

2011-08-14 21:29:56 -------- d-sh--w- c:\documents and settings\theresa\IETldCache

2011-08-14 21:26:46 -------- d-----w- c:\windows\ie8updates

2011-08-14 21:24:56 -------- dc-h--w- c:\windows\ie8

2011-08-14 21:23:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll

2011-08-14 21:23:06 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2011-08-14 21:23:06 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-08-14 21:23:05 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-08-14 21:23:04 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-08-14 21:23:04 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2011-08-14 21:23:04 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll

2011-08-14 21:23:02 11081728 -c----w- c:\windows\system32\dllcache\ieframe.dll

2011-08-14 14:45:01 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-14 14:45:00 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-08-14 14:44:09 758784 -c--a-w- c:\windows\system32\dllcache\vgx.dll

2011-08-14 14:43:59 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-13 23:10:43 -------- d-sha-r- C:\cmdcons

2011-08-12 00:51:22 -------- d-----w- c:\windows\system32\NtmsData

2011-08-12 00:49:26 -------- d-----w- c:\documents and settings\theresa\application data\Avira

2011-08-11 00:15:28 -------- d-----w- c:\documents and settings\theresa\application data\UNOUndercover

2011-08-10 02:39:04 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-10 02:39:02 -------- d-----w- c:\program files\Avira

2011-08-10 02:39:02 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-08-10 01:25:25 -------- d-----w- c:\documents and settings\theresa\application data\Anarchy

2011-08-10 00:07:02 -------- d-----w- c:\documents and settings\theresa\application data\Malwarebytes

2011-08-10 00:06:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-10 00:06:57 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-08-10 00:06:54 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-10 00:06:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-09 02:59:16 -------- d-----w- c:\documents and settings\all users\application data\Gogii

2011-08-09 00:57:34 -------- d-----w- c:\documents and settings\theresa\application data\Floodlight Games

2011-08-09 00:57:34 -------- d-----w- c:\documents and settings\all users\application data\Floodlight Games

2011-08-08 04:59:59 -------- d-----w- c:\documents and settings\theresa\Saved Games

2011-08-07 23:01:04 -------- d-----w- c:\documents and settings\theresa\application data\Big Fish Games

2011-08-07 21:49:49 -------- d-----w- c:\documents and settings\theresa\application data\Crown

2011-08-07 21:49:49 -------- d-----w- c:\documents and settings\all users\application data\Crown

2011-08-07 05:02:52 -------- d-----w- c:\documents and settings\all users\application data\Fugazo

2011-08-07 02:51:50 -------- d-----w- c:\documents and settings\all users\application data\Alawar Stargaze

2011-08-07 00:53:40 -------- d-----w- c:\documents and settings\theresa\application data\Funlinker

2011-08-06 01:57:09 -------- d-----w- c:\documents and settings\all users\application data\CropBusters

2011-08-02 02:30:49 -------- d-----w- c:\documents and settings\theresa\application data\Friday's games

.

==================== Find3M ====================

.

2011-08-12 02:46:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 4:09:02.79 ===============

