Jump to content

Recommended Posts

Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them unless otherwise indicated. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post DDS.txt directly in your reply.

My apologies. I've included them below. I notice that, for example, when I type google.com in for a URL, it gets changed to google.comm , and I'm redirected to Ask. If I take that extra "m" off of comm, then I get to Google. Also I can see Ask.com in the registry.

Here is the Malwarebytes log

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8030

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

10/27/2011 2:46:24 PM

mbam-log-2011-10-27 (14-46-24).txt

Scan type: Quick scan

Objects scanned: 175453

Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here is the DDS.txt log

Run by a. andrews at 14:50:08 on 2011-10-27

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.945 [GMT -4:00]

.

AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG2012\avgrsx.exe

C:\Program Files\AVG\AVG2012\avgcsrvx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\Program Files\Intel\AMT\atchksrv.exe

C:\Program Files\AVG\AVG2012\avgwdsvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\AMT\UNS.exe

C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe

C:\Program Files\AVG\AVG2012\avgnsx.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\AVG\AVG2012\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\freecell.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://andrewsullivan.thedailybeast.com/

uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL

BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10x_ActiveX.exe -update activex

mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"

mRun: [soundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"

mRun: [Acrobat Synchronizer] "c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe"

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: gapublicdefender.com\jcats

Trusted Zone: gapublicdefender.com\jcatstrain

Trusted Zone: gapublicdefender.org\jcats

Trusted Zone: gapublicdefender.org\jcatstrain

Trusted Zone: gapublicdefender.com\jcats

Trusted Zone: gapublicdefender.com\jcatstrain

Trusted Zone: gapublicdefender.org\jcats

Trusted Zone: gapublicdefender.org\jcatstrain

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/chuzzle/popcaploader_v6.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{2360CBDC-6E66-499A-A47B-93DE3B53B0B6} : DhcpNameServer = 192.168.1.254

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 229840]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 295248]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]

R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-9-12 5265248]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-6-3 2521880]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]

S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\a. andrews\my documents\inter-tel\collaboration client 2.0\lkWebLink.exe [2007-9-20 32768]

.

=============== Created Last 30 ================

.

2011-10-07 19:28:22 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE

2011-09-29 19:02:08 -------- d-----w- c:\documents and settings\a. andrews\application data\AVG2012

2011-09-29 19:00:48 -------- d-----w- c:\documents and settings\all users\application data\AVG2012

.

==================== Find3M ====================

.

2011-09-29 19:09:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-13 10:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-17 21:32:17 832512 ----a-w- c:\windows\system32\wininet.dll

2011-08-17 21:32:16 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-08-17 21:32:16 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-08-17 21:32:15 17408 ------w- c:\windows\system32\corpol.dll

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-08-17 12:22:23 389120 ----a-w- c:\windows\system32\html.iec

2011-08-12 17:51:26 26488 ----a-w- c:\windows\system32\spupdsvc.exe

.

============= FINISH: 14:55:29.60 ===============

I have the attach.txt saved, but I'm assuming you didn't want it at this juncture since you didn't ask for it.

Thank you so much for your assistance.

Link to post
Share on other sites

  • Staff

Hi,

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind
    ASK.com
    :filefind
    ASK
    :folderfind
    ASK


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Link to post
Share on other sites

When I run dds now the notepad doesn't open up and the only dds.txt I can find on the computer is the old when. I did get results, however, with combofix and SystemLook:

ComboFix 11-10-30.04 - a. andrews 10/31/2011 16:58:32.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1222 [GMT -4:00]

Running from: c:\documents and settings\a. andrews\Desktop\ComboFix.exe

AV: AVG Anti-Virus Business Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\Downloaded Program Files\popcaploader.dll

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\help\tours\htmltour\unlock_playing.htm

c:\windows\system32\404Fix.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\linkinfo(2).dll

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-31 )))))))))))))))))))))))))))))))

.

.

2011-10-28 21:08 . 2011-10-31 17:49 -------- d-----w- c:\windows\system32\drivers\AVG

2011-10-07 19:28 . 2011-10-27 18:41 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-28 21:04 . 2011-05-20 18:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-26 15:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41 . 2004-08-11 21:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41 . 2004-08-11 21:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-13 10:30 . 2011-09-13 10:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2011-09-09 09:12 . 2004-08-11 21:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20 . 2004-08-11 21:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-31 21:00 . 2010-03-12 21:32 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-17 21:32 . 2004-08-11 21:00 832512 ----a-w- c:\windows\system32\wininet.dll

2011-08-17 21:32 . 2004-08-11 21:00 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-08-17 21:32 . 2004-08-11 21:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-08-17 21:32 . 2004-08-11 21:00 17408 ------w- c:\windows\system32\corpol.dll

2011-08-17 13:49 . 2004-08-11 21:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-08-17 12:22 . 2004-08-11 21:00 389120 ----a-w- c:\windows\system32\html.iec

2011-08-12 17:51 . 2008-06-03 15:18 26488 ----a-w- c:\windows\system32\spupdsvc.exe

2011-08-08 10:08 . 2011-08-08 10:08 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-08-04 66912]

.

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]

2008-08-04 15:01 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]

"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]

"Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2011-08-30 738776]

"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-09-23 2404704]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgwdsvc.exe"=

"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=

.

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/11/2011 1:13 AM 229840]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 7:13 PM 65584]

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 3:58 AM 133968]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [6/3/2008 11:15 AM 2521880]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [7/11/2011 1:14 AM 16720]

S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [9/12/2011 6:23 AM 5265248]

S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\a. andrews\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [9/20/2007 6:10 PM 32768]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - AVGWD

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://andrewsullivan.thedailybeast.com/

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: gapublicdefender.com\jcats

Trusted Zone: gapublicdefender.com\jcatstrain

Trusted Zone: gapublicdefender.org\jcats

Trusted Zone: gapublicdefender.org\jcatstrain

Trusted Zone: gapublicdefender.com\jcats

Trusted Zone: gapublicdefender.com\jcatstrain

Trusted Zone: gapublicdefender.org\jcats

Trusted Zone: gapublicdefender.org\jcatstrain

TCP: DhcpNameServer = 192.168.1.254

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-31 17:01

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(724)

c:\windows\system32\igfxdev.dll

.

Completion time: 2011-10-31 17:03:15

ComboFix-quarantined-files.txt 2011-10-31 21:03

.

Pre-Run: 59,240,595,456 bytes free

Post-Run: 59,341,086,720 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - E8AF61EEEE93EE8CF4F733ECBED25DCC

SystemLook 30.07.11 by jpshortstuff

Log created at 17:32 on 31/10/2011 by a. andrews

Administrator - Elevation successful

========== regfind ==========

Searching for "ASK.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\bar]

"ConfigRevisionURL"="http://ccbar.ask.com/cfg/askbarcfg.jsp?s=as&p=WR"

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\SearchAssistant]

"ABS"="http://ask.askredir.com/search/cfg_redir3.jhtml?id=WR&psa=6763BEBE-BD35-4693-81CD-0B5126873E22&url=http://www.ask.com/web&l=dis&o=1251&ind=2008081513&q="

[HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar\SearchAssistant]

"DES"="http://ask.askredir.com/search/cfg_redir3.jhtml?id=WR&psa=6763BEBE-BD35-4693-81CD-0B5126873E22&url=http://www.ask.com/web&l=dis&o=1249&gc=1&gct=dns&ind=2008081513&q="

========== filefind ==========

Searching for "ASK"

No files found.

========== folderfind ==========

Searching for "ASK"

No folders found.

-= EOF =-

Hi,

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind
    ASK.com
    :filefind
    ASK
    :folderfind
    ASK


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Link to post
Share on other sites

  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
Folder::
c:\program files\AskSBar

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

Link to post
Share on other sites

Hello,

Something froze up right at the end, so I'm not sure the Combofix.txt is complete. I did see it deleting Ask.com, here's what was saved to the folder:

ComboFix 11-11-07.03 - a. andrews 11/07/2011 17:30:05.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1382 [GMT -5:00]

Running from: C:\Documents and Settings\a. andrews\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\a. andrews\Desktop\CFScript.txt

AV: AVG Anti-Virus Business Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\program files\AskSBar

c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

((((((((((((((((((((((((( Files Created from 2011-10-07 to 2011-11-07 )))))))))))))))))))))))))))))))

2011-10-28 21:08:01 . 2011-11-07 19:37:58 -------- d-----w- C:\WINDOWS\system32\drivers\AVG

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-10-28 21:04:44 . 2011-05-20 18:36:55 414368 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl

2011-10-07 11:23:48 . 2011-07-11 05:13:46 230608 ----a-w- C:\WINDOWS\system32\drivers\avgldx86.sys

2011-10-04 11:21:42 . 2011-07-11 05:14:30 16720 ----a-w- C:\WINDOWS\system32\drivers\AVGIDSShim.sys

2011-09-26 15:41:20 . 2008-07-30 00:59:58 611328 ----a-w- C:\WINDOWS\system32\uiautomationcore.dll

2011-09-26 15:41:20 . 2004-08-11 21:00:27 220160 ----a-w- C:\WINDOWS\system32\oleacc.dll

2011-09-26 15:41:14 . 2004-08-11 21:00:27 20480 ----a-w- C:\WINDOWS\system32\oleaccrc.dll

2011-09-13 10:30:10 . 2011-09-13 10:30:10 32592 ----a-w- C:\WINDOWS\system32\drivers\avgrkx86.sys

2011-09-09 09:12:13 . 2004-08-11 21:00:04 599040 ----a-w- C:\WINDOWS\system32\crypt32.dll

2011-09-06 13:20:51 . 2004-08-11 21:00:37 1858944 ----a-w- C:\WINDOWS\system32\win32k.sys

2011-08-31 21:00:50 . 2010-03-12 21:32:47 22216 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys

2011-08-17 21:32:17 . 2004-08-11 21:00:37 832512 ----a-w- C:\WINDOWS\system32\wininet.dll

2011-08-17 21:32:16 . 2004-08-11 21:00:17 1830912 ------w- C:\WINDOWS\system32\inetcpl.cpl

2011-08-17 21:32:16 . 2004-08-11 21:00:16 78336 ----a-w- C:\WINDOWS\system32\ieencode.dll

2011-08-17 21:32:15 . 2004-08-11 21:00:04 17408 ------w- C:\WINDOWS\system32\corpol.dll

2011-08-17 13:49:54 . 2004-08-11 21:00:00 138496 ----a-w- C:\WINDOWS\system32\drivers\afd.sys

2011-08-17 12:22:23 . 2004-08-11 21:00:16 389120 ----a-w- C:\WINDOWS\system32\html.iec

2011-08-12 17:51:26 . 2008-06-03 15:18:01 26488 ----a-w- C:\WINDOWS\system32\spupdsvc.exe

((((((((((((((((((((((((((((( SnapShot@2011-10-31_21.01.57 )))))))))))))))))))))))))))))))))))))))))

+ 2011-11-07 19:53:23 . 2011-11-07 19:53:23 16384 C:\WINDOWS\Temp\Perflib_Perfdata_154.dat

+ 2004-08-11 21:00:28 . 2011-11-07 19:55:11 73216 C:\WINDOWS\system32\perfc009.dat

+ 2004-08-11 21:00:28 . 2011-11-07 19:55:11 446136 C:\WINDOWS\system32\perfh009.dat

+ 2011-11-07 19:59:40 . 2011-11-07 19:59:40 111104 C:\WINDOWS\Installer\64cce.msi

+ 2011-11-07 19:41:42 . 2011-11-07 19:41:42 4671488 C:\WINDOWS\Installer\3332f927.msi

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 19:44:58 178712]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 23:12:48 1036288]

"ConnectionCenter"="C:\Program Files\Citrix\ICA Client\concentr.exe" [2009-09-13 04:09:10 103768]

"Acrobat Synchronizer"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2011-08-30 18:22:33 738776]

"AVG_TRAY"="C:\Program Files\AVG\AVG2012\avgtray.exe" [2011-10-25 01:29:16 2415456]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=

"C:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=

"C:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=

"C:\\Program Files\\AVG\\AVG2012\\avgwdsvc.exe"=

"C:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=

R0 AVGIDSEH;AVGIDSEH;C:\WINDOWS\system32\drivers\AVGIDSEH.sys [7/11/2011 12:14:28 AM 23120]

R0 Avgrkx86;AVG Anti-Rootkit Driver;C:\WINDOWS\system32\drivers\avgrkx86.sys [9/13/2011 5:30:10 AM 32592]

R1 Avgldx86;AVG AVI Loader Driver;C:\WINDOWS\system32\drivers\avgldx86.sys [7/11/2011 12:13:46 AM 230608]

R1 Avgtdix;AVG TDI Driver;C:\WINDOWS\system32\drivers\avgtdix.sys [7/11/2011 12:14:38 AM 295248]

R1 ctxusbm;Citrix USB Monitor Driver;C:\WINDOWS\system32\drivers\ctxusbm.sys [9/8/2009 6:13:16 PM 65584]

R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 2:58:04 AM 133968]

R2 avgwd;AVG WatchDog;C:\Program Files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09:08 AM 192776]

R2 UNS;Intel® Active Management Technology User Notification Service;C:\Program Files\Intel\AMT\UNS.exe [6/3/2008 10:15:30 AM 2521880]

R3 AVGIDSDriver;AVGIDSDriver;C:\WINDOWS\system32\drivers\AVGIDSDriver.sys [7/11/2011 12:14:26 AM 134608]

R3 AVGIDSFilter;AVGIDSFilter;C:\WINDOWS\system32\drivers\AVGIDSFilter.sys [7/11/2011 12:14:28 AM 24272]

R3 AVGIDSShim;AVGIDSShim;C:\WINDOWS\system32\drivers\AVGIDSShim.sys [7/11/2011 12:14:30 AM 16720]

S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25:22 AM 4433248]

S4 LkWebLink;Inter-Tel Collaboration Remote Client;C:\Documents and Settings\a. andrews\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [9/20/2007 5:10:02 PM 32768]

------- Supplementary Scan -------

uStart Page = hxxp://andrewsullivan.thedailybeast.com/

IE: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: gapublicdefender.com\jcats

Trusted Zone: gapublicdefender.com\jcatstrain

Trusted Zone: gapublicdefender.org\jcats

Trusted Zone: gapublicdefender.org\jcatstrain

Trusted Zone: gapublicdefender.com\jcats

Trusted Zone: gapublicdefender.com\jcatstrain

Trusted Zone: gapublicdefender.org\jcats

Trusted Zone: gapublicdefender.org\jcatstrain

TCP: DhcpNameServer = 192.168.1.254

And here's the results of dds

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 7.0.5730.13

Run by a. andrews at 17:53:03 on 2011-11-07

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1504 [GMT -5:00]

.

AV: AVG Anti-Virus Business Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG2012\avgrsx.exe

C:\Program Files\AVG\AVG2012\avgcsrvx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\Program Files\Intel\AMT\atchksrv.exe

C:\Program Files\AVG\AVG2012\avgwdsvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\AMT\UNS.exe

C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe

C:\Program Files\AVG\AVG2012\avgnsx.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\Program Files\AVG\AVG2012\avgtray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AVG\AVG2012\avgcsrvx.exe

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://andrewsullivan.thedailybeast.com/

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"

mRun: [soundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [Acrobat Synchronizer] "c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe"

mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: gapublicdefender.com\jcats

Trusted Zone: gapublicdefender.com\jcatstrain

Trusted Zone: gapublicdefender.org\jcats

Trusted Zone: gapublicdefender.org\jcatstrain

Trusted Zone: gapublicdefender.com\jcats

Trusted Zone: gapublicdefender.com\jcatstrain

Trusted Zone: gapublicdefender.org\jcats

Trusted Zone: gapublicdefender.org\jcatstrain

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/chuzzle/popcaploader_v6.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{2360CBDC-6E66-499A-A47B-93DE3B53B0B6} : DhcpNameServer = 192.168.1.254

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

Notify: igfxcui - igfxdev.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 230608]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]

R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-6-3 2521880]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]

S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\a. andrews\my documents\inter-tel\collaboration client 2.0\lkWebLink.exe [2007-9-20 32768]

.

=============== Created Last 30 ================

.

2011-11-07 22:29:15 -------- d-----w- C:\ComboFix

2011-11-02 18:44:53 -------- d-----w- c:\windows\system32\appmgmt

2011-10-31 20:57:31 -------- d-sha-r- C:\cmdcons

2011-10-31 20:56:18 98816 ----a-w- c:\windows\sed.exe

2011-10-31 20:56:18 518144 ----a-w- c:\windows\SWREG.exe

2011-10-31 20:56:18 256000 ----a-w- c:\windows\PEV.exe

2011-10-31 20:56:18 208896 ----a-w- c:\windows\MBR.exe

2011-10-28 21:08:01 -------- d-----w- c:\windows\system32\drivers\AVG

.

==================== Find3M ====================

.

2011-10-28 21:04:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-07 11:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2011-10-04 11:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys

2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-13 10:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-17 21:32:17 832512 ----a-w- c:\windows\system32\wininet.dll

2011-08-17 21:32:16 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-08-17 21:32:16 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-08-17 21:32:15 17408 ------w- c:\windows\system32\corpol.dll

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-08-17 12:22:23 389120 ----a-w- c:\windows\system32\html.iec

2011-08-12 17:51:26 26488 ----a-w- c:\windows\system32\spupdsvc.exe

.

============= FINISH: 17:53:39.07 ===============

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\AskSBar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
Folder::
c:\program files\AskSBar

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

Link to post
Share on other sites

  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

Link to post
Share on other sites

  • 2 weeks later...
  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.