TabulaRasa Posted October 17, 2011 ID:486606

I've got Ask.com on my computer. I can see it in the program files and registry, but need help getting rid of it. I am unable to delete the folders in Program files because of A2SRCHAS.DLL. I've attached the dds.txt and attach.txt files per the instructions. I'm running Windows XP Professional Version 2002 SP3.

Attachments: dds.txt, attach.txt
Staff screen317 Posted October 22, 2011 ID:487728

Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them unless otherwise indicated. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post DDS.txt directly in your reply.
TabulaRasa Posted October 27, 2011 ID:489417

> Hi and welcome to Malwarebytes.
> In the future, please post all logs directly into your reply instead of attaching them unless otherwise indicated. With that said, please update MBAM, run a Quick Scan, and post its log.
> Next, run DDS again and post DDS.txt directly in your reply.

My apologies. I've included them below. I notice that, for example, when I type google.com in for a URL, it gets changed to google.comm, and I'm redirected to Ask. If I take that extra "m" off of comm, then I get to Google. Also I can see Ask.com in the registry.

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8030

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

10/27/2011 2:46:24 PM
mbam-log-2011-10-27 (14-46-24).txt

Scan type: Quick scan
Objects scanned: 175453
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here is the DDS.txt log:

Run by a. andrews at 14:50:08 on 2011-10-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.945 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\freecell.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://andrewsullivan.thedailybeast.com/
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10x_ActiveX.exe -update activex
mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [soundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [Acrobat Synchronizer] "c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe"
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: gapublicdefender.com\jcats
Trusted Zone: gapublicdefender.com\jcatstrain
Trusted Zone: gapublicdefender.org\jcats
Trusted Zone: gapublicdefender.org\jcatstrain
Trusted Zone: gapublicdefender.com\jcats
Trusted Zone: gapublicdefender.com\jcatstrain
Trusted Zone: gapublicdefender.org\jcats
Trusted Zone: gapublicdefender.org\jcatstrain
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/chuzzle/popcaploader_v6.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2360CBDC-6E66-499A-A47B-93DE3B53B0B6} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 229840]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 295248]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-9-12 5265248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-6-3 2521880]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\a. andrews\my documents\inter-tel\collaboration client 2.0\lkWebLink.exe [2007-9-20 32768]
.
=============== Created Last 30 ================
.
2011-10-07 19:28:22 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-09-29 19:02:08 -------- d-----w- c:\documents and settings\a. andrews\application data\AVG2012
2011-09-29 19:00:48 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
.
==================== Find3M ====================
.
2011-09-29 19:09:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 10:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-17 21:32:17 832512 ----a-w- c:\windows\system32\wininet.dll
2011-08-17 21:32:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-08-17 21:32:16 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-08-17 21:32:15 17408 ------w- c:\windows\system32\corpol.dll
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-17 12:22:23 389120 ----a-w- c:\windows\system32\html.iec
2011-08-12 17:51:26 26488 ----a-w- c:\windows\system32\spupdsvc.exe
.
============= FINISH: 14:55:29.60 ===============

I have the attach.txt saved, but I'm assuming you didn't want it at this juncture since you didn't ask for it.

Thank you so much for your assistance.
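The DDS log above shows the same module wired into two Internet Explorer load points: a URLSearchHook (IE consults these when what was typed in the address bar cannot be resolved as a URL) and a BHO, both pointing at A2SRCHAS.DLL, the file the opener could not delete. The script below is an added example, not part of the thread or of DDS itself: it parses the "Pseudo HJT Report" section of a DDS log, groups the IE load points by the DLL they load, and lists CLSIDs whose file is gone ("No File"), so a DLL hooked in at more than one point stands out. The sample input is a constructed excerpt modelled on the log above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of a DDS "Pseudo HJT Report" section.
# The entries mirror the thread's DDS.txt; it is sample input, not a live log.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://andrewsullivan.thedailybeast.com/
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
============= SERVICES / DRIVERS ===============
"""

# DDS prefixes for IE extension load points: URLSearchHooks (u = HKCU, m = HKLM),
# Browser Helper Objects (BHO), toolbars (TB) and explorer bars (EB).
# Line shape: "<kind>: [<name>: ]{<clsid>} - <path or "No File">"
LOAD_POINT_RE = re.compile(
    r"^(?P<kind>[um]?URLSearchHooks|BHO|TB|EB):\s*"
    r"(?:(?P<name>.*?):\s*)?"
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
    r"\s*-\s*(?P<path>.+?)\s*$"
)


def parse_load_points(dds_text):
    """Return one dict per IE load-point line found in a DDS report."""
    entries = []
    for line in dds_text.splitlines():
        m = LOAD_POINT_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        entries.append({
            "kind": m.group("kind"),
            "name": m.group("name"),
            "clsid": m.group("clsid").lower(),
            # DDS prints "No File" when the CLSID is registered but its DLL is gone.
            "path": None if path.lower() == "no file" else path.lower(),
        })
    return entries


def group_by_module(entries):
    """Map each on-disk DLL to the set of load-point kinds that reference it."""
    modules = defaultdict(set)
    for e in entries:
        if e["path"] is not None:
            modules[e["path"]].add(e["kind"])
    return dict(modules)


def find_multi_hook_modules(entries):
    """DLLs registered under more than one IE load point (e.g. URLSearchHook and BHO)."""
    return {path: kinds for path, kinds in group_by_module(entries).items() if len(kinds) > 1}


def find_orphaned_entries(entries):
    """Registered CLSIDs whose module no longer exists on disk."""
    return [e for e in entries if e["path"] is None]


if __name__ == "__main__":
    found = parse_load_points(SAMPLE_DDS)
    for path, kinds in find_multi_hook_modules(found).items():
        print(f"{path}: registered as {', '.join(sorted(kinds))}")
    for e in find_orphaned_entries(found):
        print(f"orphaned {e['kind']} {{{e['clsid']}}}")
```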
Staff screen317 Posted October 31, 2011 ID:490491

Hi,

Please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you. Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:regfind
ASK.com
:filefind
ASK
:folderfind
ASK

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
TabulaRasa Posted October 31, 2011 ID:490713

When I run dds now the notepad doesn't open up and the only dds.txt I can find on the computer is the old one. I did get results, however, with combofix and SystemLook:

ComboFix 11-10-30.04 - a. andrews 10/31/2011 16:58:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1222 [GMT -4:00]
Running from: c:\documents and settings\a. andrews\Desktop\ComboFix.exe
AV: AVG Anti-Virus Business Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\help\tours\htmltour\unlock_playing.htm
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\linkinfo(2).dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-31 )))))))))))))))))))))))))))))))
.
.
2011-10-28 21:08 . 2011-10-31 17:49 -------- d-----w- c:\windows\system32\drivers\AVG
2011-10-07 19:28 . 2011-10-27 18:41 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-28 21:04 . 2011-05-20 18:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 15:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-11 21:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-11 21:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 10:30 . 2011-09-13 10:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12 . 2004-08-11 21:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-11 21:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00 . 2010-03-12 21:32 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-17 21:32 . 2004-08-11 21:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-08-17 21:32 . 2004-08-11 21:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-08-17 21:32 . 2004-08-11 21:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-08-17 21:32 . 2004-08-11 21:00 17408 ------w- c:\windows\system32\corpol.dll
2011-08-17 13:49 . 2004-08-11 21:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-17 12:22 . 2004-08-11 21:00 389120 ----a-w- c:\windows\system32\html.iec
2011-08-12 17:51 . 2008-06-03 15:18 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2011-08-08 10:08 . 2011-08-08 10:08 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-08-04 66912]
.
[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-08-04 15:01 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2011-08-30 738776]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-09-23 2404704]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgwdsvc.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/11/2011 1:13 AM 229840]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 7:13 PM 65584]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 3:58 AM 133968]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [6/3/2008 11:15 AM 2521880]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [7/11/2011 1:14 AM 16720]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [9/12/2011 6:23 AM 5265248]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\a. andrews\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [9/20/2007 6:10 PM 32768]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGWD
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://andrewsullivan.thedailybeast.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: gapublicdefender.com\jcats
Trusted Zone: gapublicdefender.com\jcatstrain
Trusted Zone: gapublicdefender.org\jcats
Trusted Zone: gapublicdefender.org\jcatstrain
Trusted Zone: gapublicdefender.com\jcats
Trusted Zone: gapublicdefender.com\jcatstrain
Trusted Zone: gapublicdefender.org\jcats
Trusted Zone: gapublicdefender.org\jcatstrain
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-31 17:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\igfxdev.dll
.
Completion time: 2011-10-31 17:03:15
ComboFix-quarantined-files.txt 2011-10-31 21:03
.
Pre-Run: 59,240,595,456 bytes free
Post-Run: 59,341,086,720 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - E8AF61EEEE93EE8CF4F733ECBED25DCC

SystemLook 30.07.11 by jpshortstuff
Log created at 17:32 on 31/10/2011 by a. andrews
Administrator - Elevation successful

========== regfind ==========

Searching for "ASK.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\bar]
"ConfigRevisionURL"="http://ccbar.ask.com/cfg/askbarcfg.jsp?s=as&p=WR"
[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\SearchAssistant]
"ABS"="http://ask.askredir.com/search/cfg_redir3.jhtml?id=WR&psa=6763BEBE-BD35-4693-81CD-0B5126873E22&url=http://www.ask.com/web&l=dis&o=1251&ind=2008081513&q="
[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\SearchAssistant]
"DES"="http://ask.askredir.com/search/cfg_redir3.jhtml?id=WR&psa=6763BEBE-BD35-4693-81CD-0B5126873E22&url=http://www.ask.com/web&l=dis&o=1249&gc=1&gct=dns&ind=2008081513&q="

========== filefind ==========

Searching for "ASK"
No files found.

========== folderfind ==========

Searching for "ASK"
No folders found.

-= EOF =-
Staff screen317 Posted November 6, 2011 ID:492141

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the box below into Notepad:

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
Folder::
c:\program files\AskSBar

Save this as CFScript. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317
TabulaRasa Posted November 7, 2011 ID:492529

Hello,

Something froze up right at the end, so I'm not sure the Combofix.txt is complete. I did see it deleting Ask.com; here's what was saved to the folder:

ComboFix 11-11-07.03 - a. andrews 11/07/2011 17:30:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1382 [GMT -5:00]
Running from: C:\Documents and Settings\a. andrews\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\a. andrews\Desktop\CFScript.txt
AV: AVG Anti-Virus Business Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\program files\AskSBar
c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

((((((((((((((((((((((((( Files Created from 2011-10-07 to 2011-11-07 )))))))))))))))))))))))))))))))

2011-10-28 21:08:01 . 2011-11-07 19:37:58 -------- d-----w- C:\WINDOWS\system32\drivers\AVG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-10-28 21:04:44 . 2011-05-20 18:36:55 414368 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2011-10-07 11:23:48 . 2011-07-11 05:13:46 230608 ----a-w- C:\WINDOWS\system32\drivers\avgldx86.sys
2011-10-04 11:21:42 . 2011-07-11 05:14:30 16720 ----a-w- C:\WINDOWS\system32\drivers\AVGIDSShim.sys
2011-09-26 15:41:20 . 2008-07-30 00:59:58 611328 ----a-w- C:\WINDOWS\system32\uiautomationcore.dll
2011-09-26 15:41:20 . 2004-08-11 21:00:27 220160 ----a-w- C:\WINDOWS\system32\oleacc.dll
2011-09-26 15:41:14 . 2004-08-11 21:00:27 20480 ----a-w- C:\WINDOWS\system32\oleaccrc.dll
2011-09-13 10:30:10 . 2011-09-13 10:30:10 32592 ----a-w- C:\WINDOWS\system32\drivers\avgrkx86.sys
2011-09-09 09:12:13 . 2004-08-11 21:00:04 599040 ----a-w- C:\WINDOWS\system32\crypt32.dll
2011-09-06 13:20:51 . 2004-08-11 21:00:37 1858944 ----a-w- C:\WINDOWS\system32\win32k.sys
2011-08-31 21:00:50 . 2010-03-12 21:32:47 22216 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2011-08-17 21:32:17 . 2004-08-11 21:00:37 832512 ----a-w- C:\WINDOWS\system32\wininet.dll
2011-08-17 21:32:16 . 2004-08-11 21:00:17 1830912 ------w- C:\WINDOWS\system32\inetcpl.cpl
2011-08-17 21:32:16 . 2004-08-11 21:00:16 78336 ----a-w- C:\WINDOWS\system32\ieencode.dll
2011-08-17 21:32:15 . 2004-08-11 21:00:04 17408 ------w- C:\WINDOWS\system32\corpol.dll
2011-08-17 13:49:54 . 2004-08-11 21:00:00 138496 ----a-w- C:\WINDOWS\system32\drivers\afd.sys
2011-08-17 12:22:23 . 2004-08-11 21:00:16 389120 ----a-w- C:\WINDOWS\system32\html.iec
2011-08-12 17:51:26 . 2008-06-03 15:18:01 26488 ----a-w- C:\WINDOWS\system32\spupdsvc.exe

((((((((((((((((((((((((((((( SnapShot@2011-10-31_21.01.57 )))))))))))))))))))))))))))))))))))))))))

+ 2011-11-07 19:53:23 . 2011-11-07 19:53:23 16384 C:\WINDOWS\Temp\Perflib_Perfdata_154.dat
+ 2004-08-11 21:00:28 . 2011-11-07 19:55:11 73216 C:\WINDOWS\system32\perfc009.dat
+ 2004-08-11 21:00:28 . 2011-11-07 19:55:11 446136 C:\WINDOWS\system32\perfh009.dat
+ 2011-11-07 19:59:40 . 2011-11-07 19:59:40 111104 C:\WINDOWS\Installer\64cce.msi
+ 2011-11-07 19:41:42 . 2011-11-07 19:41:42 4671488 C:\WINDOWS\Installer\3332f927.msi

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 19:44:58 178712]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 23:12:48 1036288]
"ConnectionCenter"="C:\Program Files\Citrix\ICA Client\concentr.exe" [2009-09-13 04:09:10 103768]
"Acrobat Synchronizer"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2011-08-30 18:22:33 738776]
"AVG_TRAY"="C:\Program Files\AVG\AVG2012\avgtray.exe" [2011-10-25 01:29:16 2415456]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"C:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"C:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"C:\\Program Files\\AVG\\AVG2012\\avgwdsvc.exe"=
"C:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=

R0 AVGIDSEH;AVGIDSEH;C:\WINDOWS\system32\drivers\AVGIDSEH.sys [7/11/2011 12:14:28 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;C:\WINDOWS\system32\drivers\avgrkx86.sys [9/13/2011 5:30:10 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;C:\WINDOWS\system32\drivers\avgldx86.sys [7/11/2011 12:13:46 AM 230608]
R1 Avgtdix;AVG TDI Driver;C:\WINDOWS\system32\drivers\avgtdix.sys [7/11/2011 12:14:38 AM 295248]
R1 ctxusbm;Citrix USB Monitor Driver;C:\WINDOWS\system32\drivers\ctxusbm.sys [9/8/2009 6:13:16 PM 65584]
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 2:58:04 AM 133968]
R2 avgwd;AVG WatchDog;C:\Program Files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09:08 AM 192776]
R2 UNS;Intel® Active Management Technology User Notification Service;C:\Program Files\Intel\AMT\UNS.exe [6/3/2008 10:15:30 AM 2521880]
R3 AVGIDSDriver;AVGIDSDriver;C:\WINDOWS\system32\drivers\AVGIDSDriver.sys [7/11/2011 12:14:26 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;C:\WINDOWS\system32\drivers\AVGIDSFilter.sys [7/11/2011 12:14:28 AM 24272]
R3 AVGIDSShim;AVGIDSShim;C:\WINDOWS\system32\drivers\AVGIDSShim.sys [7/11/2011 12:14:30 AM 16720]
S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25:22 AM 4433248]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;C:\Documents and Settings\a. andrews\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [9/20/2007 5:10:02 PM 32768]

------- Supplementary Scan -------

uStart Page = hxxp://andrewsullivan.thedailybeast.com/
IE: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: gapublicdefender.com\jcats
Trusted Zone: gapublicdefender.com\jcatstrain
Trusted Zone: gapublicdefender.org\jcats
Trusted Zone: gapublicdefender.org\jcatstrain
Trusted Zone: gapublicdefender.com\jcats
Trusted Zone: gapublicdefender.com\jcatstrain
Trusted Zone: gapublicdefender.org\jcats
Trusted Zone: gapublicdefender.org\jcatstrain
TCP: DhcpNameServer = 192.168.1.254

And here's the results of dds.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by a. andrews at 17:53:03 on 2011-11-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1504 [GMT -5:00]
.
AV: AVG Anti-Virus Business Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://andrewsullivan.thedailybeast.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [soundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Acrobat Synchronizer] "c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: gapublicdefender.com\jcats
Trusted Zone: gapublicdefender.com\jcatstrain
Trusted Zone: gapublicdefender.org\jcats
Trusted Zone: gapublicdefender.org\jcatstrain
Trusted Zone: gapublicdefender.com\jcats
Trusted Zone: gapublicdefender.com\jcatstrain
Trusted Zone: gapublicdefender.org\jcats
Trusted Zone: gapublicdefender.org\jcatstrain
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/chuzzle/popcaploader_v6.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2360CBDC-6E66-499A-A47B-93DE3B53B0B6} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - 
c:\program files\avg\avg2012\avgpp.dllNotify: igfxcui - igfxdev.dll.============= SERVICES / DRIVERS ===============.R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 230608]R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-6-3 2521880]R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\a. 
andrews\my documents\inter-tel\collaboration client 2.0\lkWebLink.exe [2007-9-20 32768].=============== Created Last 30 ================.2011-11-07 22:29:15 -------- d-----w- C:\ComboFix2011-11-02 18:44:53 -------- d-----w- c:\windows\system32\appmgmt2011-10-31 20:57:31 -------- d-sha-r- C:\cmdcons2011-10-31 20:56:18 98816 ----a-w- c:\windows\sed.exe2011-10-31 20:56:18 518144 ----a-w- c:\windows\SWREG.exe2011-10-31 20:56:18 256000 ----a-w- c:\windows\PEV.exe2011-10-31 20:56:18 208896 ----a-w- c:\windows\MBR.exe2011-10-28 21:08:01 -------- d-----w- c:\windows\system32\drivers\AVG.==================== Find3M ====================.2011-10-28 21:04:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2011-10-07 11:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys2011-10-04 11:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll2011-09-13 10:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys2011-08-17 21:32:17 832512 ----a-w- c:\windows\system32\wininet.dll2011-08-17 21:32:16 78336 ----a-w- c:\windows\system32\ieencode.dll2011-08-17 21:32:16 1830912 ------w- c:\windows\system32\inetcpl.cpl2011-08-17 21:32:15 17408 ------w- c:\windows\system32\corpol.dll2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys2011-08-17 12:22:23 389120 ----a-w- c:\windows\system32\html.iec2011-08-12 17:51:26 26488 ----a-w- c:\windows\system32\spupdsvc.exe.============= FINISH: 17:53:39.07 ===============Hi,Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. 
Do not run it yet.

Next, please open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]

Folder::
c:\program files\AskSBar

Save this as CFScript. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317
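The "Pseudo HJT Report" section of a DDS log is one entry per line (BHO:, TB:, uRun:/mRun:, DPF:, Trusted Zone:, TCP:), which makes it easy to triage mechanically before writing a CFScript. The Python below is an added example for this page; it is not part of DDS, ComboFix, or screen317's post. It parses those lines and flags the two AskSBar CLSIDs that the CFScript above removes, any BHO or toolbar DLL living under the folder the CFScript deletes, Run entries launched from a user profile, and Trusted Zone entries that appear more than once. The sample log is constructed in DDS's format from entries of the kind seen in this thread; the "Ask Toolbar BHO" line, its DLL path, and the user-profile uRun entry are invented so that each check fires.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example for this page; not code from DDS, ComboFix or the forum thread.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# CLSIDs taken from the CFScript posted in the thread (compared upper-cased).
WATCHLIST_CLSIDS = {
    "{0579B4B1-0293-4D73-B02D-5EBB0BA0F0A2}": "AskSBar BHO",
    "{0579B4B6-0293-4D73-B02D-5EBB0BA0F0A2}": "AskSBar URLSearchHook",
}
# Folder the CFScript's Folder:: section removes.
SUSPECT_FOLDERS = (r"c:\program files\asksbar",)

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BHO_RE = re.compile(r"^(?P<kind>BHO|TB): (?P<name>.*?): (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<scope>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) - (?P<url>\S+)$")
TZ_RE = re.compile(r"^Trusted Zone: (?P<site>\S+)$")
DNS_RE = re.compile(r"^TCP: (?:Interfaces\\\{[^}]+\} : )?DhcpNameServer = (?P<ip>[\d.]+)$")


@dataclass
class Report:
    bhos: list = field(default_factory=list)       # (kind, name, CLSID, path)
    runs: list = field(default_factory=list)       # (scope, name, command)
    dpfs: list = field(default_factory=list)       # (CLSID, url)
    trusted_zones: list = field(default_factory=list)
    dns_servers: set = field(default_factory=set)
    findings: list = field(default_factory=list)   # (reason, offending line)


def parse_hjt(text: str) -> Report:
    """Parse Pseudo HJT lines and attach triage findings."""
    rpt = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        # The watch-list check runs on every line, so a URLSearchHooks entry
        # (not present in this thread's log) is caught by its CLSID alone.
        for clsid in CLSID_RE.findall(line):
            label = WATCHLIST_CLSIDS.get(clsid.upper())
            if label:
                rpt.findings.append((f"watch-list CLSID ({label})", line))
        if m := BHO_RE.match(line):
            rpt.bhos.append((m["kind"], m["name"], m["clsid"].upper(), m["path"]))
            if m["path"].lower().startswith(SUSPECT_FOLDERS):
                rpt.findings.append(("DLL under folder removed by CFScript", line))
        elif m := RUN_RE.match(line):
            rpt.runs.append((m["scope"], m["name"], m["cmd"]))
            if "documents and settings" in m["cmd"].lower():
                rpt.findings.append(("Run entry launched from a user profile", line))
        elif m := DPF_RE.match(line):
            rpt.dpfs.append((m["clsid"].upper(), m["url"]))
        elif m := TZ_RE.match(line):
            rpt.trusted_zones.append(m["site"].lower())
        elif m := DNS_RE.match(line):
            rpt.dns_servers.add(m["ip"])
    # Duplicated Trusted Zone lines usually mean the same site was added twice.
    for site, count in Counter(rpt.trusted_zones).items():
        if count > 1:
            rpt.findings.append((f"Trusted Zone listed {count} times", f"Trusted Zone: {site}"))
    return rpt


def summarize(text: str) -> list:
    """Return findings as 'reason :: line' strings, in log order."""
    return [f"{reason} :: {line}" for reason, line in parse_hjt(text).findings]


# Constructed sample in DDS's format. The AVG, Adobe, Java, ctfmon and
# Trusted Zone lines mirror entries of the kind seen in the thread; the
# "Ask Toolbar BHO" line, its DLL path and the [updater] entry are invented.
SAMPLE_LOG = r"""
uStart Page = hxxp://andrewsullivan.thedailybeast.com/
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Ask Toolbar BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\example.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updater] c:\documents and settings\user\local settings\temp\updater.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Trusted Zone: gapublicdefender.com\jcats
Trusted Zone: gapublicdefender.com\jcats
TCP: DhcpNameServer = 192.168.1.254
"""

if __name__ == "__main__":
    for item in summarize(SAMPLE_LOG):
        print(item)
```

Run it against a real DDS.txt by passing the file contents to summarize(); anything it prints is a line worth checking before it goes into a CFScript, and the Report object keeps the parsed BHO, Run and DPF entries so further checks (for example, comparing DhcpNameServer against the gateway you expect) can be added without touching the parser.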
Staff screen317 Posted November 12, 2011 ID:493873

Hi,

Next, please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
- Tick the box next to YES, I accept the Terms of Use.
- Click Start.
- When asked, allow the ActiveX control to install.
- Click Start.
- Make sure that the options Remove found threats and Scan unwanted applications are checked.
- Click Scan.
- Wait for the scan to finish.
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic.

Next, download my Security Check from here or here. Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.
Staff screen317 Posted November 21, 2011 ID:496676

Are you still with us? This topic will be closed in a few days if we do not hear back from you.
Staff screen317 Posted December 6, 2011 ID:501828

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!