TechSpot

Antivir solution and search redirects

By Jeff2020
Jul 24, 2010
  1. Hello,
    Yesterday I got hit with Antivir Solution Pro. I could not open most web sites, and warnings about viruses kept popping up. I went to safe mode and ran Malwarebytes, and it found 2 items.

    Files Infected:
    C:\Documents and Settings\Jeff Lyons\Local Settings\Temp\101.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jeff Lyons\Local Settings\Temp\4e647706.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

    It did not fix the problem; I could not open Task Manager or get to System Restore, so I went back to safe mode and ran System Restore. That got rid of the Antivir issues with the warnings, and I can get to all web pages, but now I get redirected when clicking on a link in any search engine. Below are the logs.


    Thanks in advance for any and all help.
    Jeff
     
  2. Jeff2020

    Jeff2020 TS Rookie Topic Starter

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4344

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    7/24/2010 12:03:32 PM
    mbam-log-2010-07-24 (12-03-32).txt

    Scan type: Quick scan
    Objects scanned: 165974
    Time elapsed: 9 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    --------------------------------------------------------------------


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-24 13:41:40
    Windows 5.1.2600 Service Pack 3
    Running: kwfmqq6n.exe; Driver: C:\DOCUME~1\JEFFLY~1\LOCALS~1\Temp\kfayqaod.sys


    ---- System - GMER 1.0.15 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF75D787E]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF75D7BFE]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\wuauclt.exe[284] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007C000A
    .text C:\WINDOWS\system32\wuauclt.exe[284] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007D000A
    .text C:\WINDOWS\system32\wuauclt.exe[284] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003E000C
    .text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007B000A
    .text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007C000A
    .text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007A000C
    .text C:\WINDOWS\System32\svchost.exe[1060] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D4000A
    .text C:\WINDOWS\Explorer.EXE[2152] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A2000A
    .text C:\WINDOWS\Explorer.EXE[2152] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A8000A
    .text C:\WINDOWS\Explorer.EXE[2152] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A1000C
    .text C:\WINDOWS\system32\wuauclt.exe[3620] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A4000A
    .text C:\WINDOWS\system32\wuauclt.exe[3620] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A5000A
    .text C:\WINDOWS\system32\wuauclt.exe[3620] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003E000C

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

    ---- EOF - GMER 1.0.15 ----
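    The "User code sections" block above is the part of a GMER log a malware helper reads first: the same ntdll.dll entry points patched with 5-byte JMPs to addresses that GMER attributes to no module, in wuauclt, svchost and Explorer alike. As an added example (not code from this thread or from GMER), the Python below parses lines in that format from a constructed sample that mirrors the posted ones, and separates hooks that resolve to an owning module from unattributed hooks that recur across processes; the "ExampleAV" line and its addresses are made up.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the GMER 1.0.15 "User code sections" format. The first
# five lines follow the shape of the lines posted in this thread; the last line
# is a made-up hook whose JMP target GMER could attribute to a module, the way
# it reports hooks placed by security software (vendor name is fictitious).
SAMPLE_GMER_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[284] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007C000A
.text C:\WINDOWS\system32\wuauclt.exe[284] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\wuauclt.exe[284] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003E000C
.text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007B000A
.text C:\WINDOWS\Explorer.EXE[2152] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A2000A
.text C:\WINDOWS\Explorer.EXE[2152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10006A40 C:\Program Files\ExampleAV\hook.dll (Example hook/Example Vendor)

---- EOF - GMER 1.0.15 ----
"""

# One ".text <image>[<pid>] <module>!<func> <addr> <n> Bytes JMP <target> [<owner>]" line.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\w+)\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<target_module>\S.*?))?\s*$"
)


def parse_gmer_hooks(text):
    """Return one dict per inline-hook line; other log lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, SSDT and device entries
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["size"] = int(rec["size"])
        rec["target"] = int(rec["target"], 16)
        rec["process"] = PureWindowsPath(rec["image"]).name.lower()
        hooks.append(rec)
    return hooks


def unattributed_hooks(hooks):
    """Hooks whose JMP target GMER could not tie to any loaded module.

    A hook placed by a security product normally resolves to that product's
    DLL, printed after the target address. A target with no owner is code in
    private memory, which is the pattern a helper reads as injection.
    """
    return [h for h in hooks if not h["target_module"]]


def hooked_functions_by_process(hooks):
    """Map 'module!function' -> sorted list of 'process[pid]' it is hooked in."""
    table = defaultdict(set)
    for h in hooks:
        key = f"{h['module'].lower()}!{h['func']}"
        table[key].add(f"{h['process']}[{h['pid']}]")
    return {k: sorted(v) for k, v in table.items()}


def systemwide_hooks(hooks, min_processes=2):
    """Unattributed hooks on the same function in several processes.

    One function patched identically in unrelated processes points to a
    single injector touching each of them, not to a quirk of one program.
    """
    table = hooked_functions_by_process(unattributed_hooks(hooks))
    return {k: v for k, v in table.items() if len(v) >= min_processes}


def report(text):
    """Human-readable summary of a GMER log's user-mode hooks."""
    hooks = parse_gmer_hooks(text)
    lines = [f"{len(hooks)} user-mode hooks parsed, "
             f"{len(unattributed_hooks(hooks))} with no owning module"]
    for func, procs in sorted(systemwide_hooks(hooks).items()):
        lines.append(f"  {func} patched in {len(procs)} processes: {', '.join(procs)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_GMER_LOG))
```

Run against a real GMER log, the same three ntdll hooks appearing in every listed process, with no owning module, is the line pattern to quote back to a helper.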
     
  3. Jeff2020

    Jeff2020 TS Rookie Topic Starter

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Jeff Lyons at 13:42:21.20 on Sat 07/24/2010
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.574 [GMT -5:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Jeff Lyons\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-23 64288]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-20 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-20 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-20 243024]
    R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2010-6-20 14464]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
    R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2010-6-20 88192]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1181328]

    =============== Created Last 30 ================

    2010-07-24 04:02:08 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
    2010-07-24 03:52:46 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-07-24 03:27:58 0 dc-h--w- c:\docume~1\alluse~1.win\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
    2010-07-24 02:29:17 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SecTaskMan
    2010-07-24 01:20:14 0 d-----w- c:\docume~1\jeffly~1\applic~1\Malwarebytes
    2010-07-24 01:20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-24 01:19:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-24 01:19:58 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
    2010-07-24 01:15:07 0 d-----w- c:\windows\system32\wbem\Repository
    2010-07-15 22:55:08 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-05 10:13:16 18236 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-07-01 17:21:27 248832 ----a-w- c:\windows\system32\VCLX50.BPL
    2010-07-01 17:21:27 2023424 ----a-w- c:\windows\system32\VCL50.BPL
    2010-07-01 17:21:27 147456 ----a-w- c:\windows\system32\BCBSMP50.BPL
    2010-07-01 17:21:18 299520 ----a-w- c:\windows\uninst.exe
    2010-07-01 17:21:16 0 d-----w- c:\documents and settings\jeff lyons\WINDOWS
    2010-06-29 14:47:44 0 d-----w- C:\Gemstall
    2010-06-28 13:13:16 0 d-----w- C:\SHOPAK V5.00.09 Suite Production CD

    ==================== Find3M ====================

    2010-07-24 15:54:09 14336 ----a-w- c:\windows\system32\svchost.exe
    2010-07-15 22:55:09 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-15 22:54:27 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-06-20 21:01:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-20 15:25:40 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

    ============= FINISH: 13:42:59.65 ===============



    ------------------------------------------------------------------------------------


    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/20/2010 10:35:03 AM
    System Uptime: 7/24/2010 12:30:53 PM (1 hours ago)

    Motherboard: Dell Inc. | |
    Processor: Intel(R) Pentium(R) M processor 1.73GHz | Microprocessor | 1728/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 37 GiB total, 16.585 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Dell TrueMobile 1300 WLAN Mini-PCI Card
    Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_50101468&REV_02\4&2FA23535&0&18F0
    Manufacturer: Broadcom
    Name: Dell TrueMobile 1300 WLAN Mini-PCI Card
    PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_50101468&REV_02\4&2FA23535&0&18F0
    Service: BCM43XX

    ==== System Restore Points ===================

    RP1: 6/20/2010 10:38:57 AM - System Checkpoint
    RP2: 6/20/2010 11:59:56 AM - Installed C-Major Audio
    RP3: 6/20/2010 12:00:37 PM - Installed TIPCI
    RP4: 6/20/2010 12:03:24 PM - Installed Broadcom Gigabit Integrated Controller
    RP5: 6/20/2010 12:08:26 PM - Installed MSXML 4.0 SP2 Parser and SDK
    RP6: 6/20/2010 12:09:05 PM - Installed Gemcom32
    RP7: 6/20/2010 12:10:11 PM - Installed Java(TM) 6 Update 18
    RP8: 6/20/2010 12:12:04 PM - Removed Gemcom32
    RP9: 6/20/2010 12:12:26 PM - Installed Gemcom32
    RP10: 6/20/2010 2:12:34 PM - Software Distribution Service 3.0
    RP11: 6/20/2010 2:36:15 PM - Installed AVG Free 9.0
    RP12: 6/20/2010 3:17:08 PM - Installed Java(TM) 6 Update 16
    RP13: 6/20/2010 3:18:47 PM - Installed OpenOffice.org 3.1
    RP14: 6/20/2010 3:36:32 PM - Removed OpenOffice.org 3.1
    RP15: 6/20/2010 4:00:19 PM - Removed Java(TM) 6 Update 18
    RP16: 6/20/2010 4:01:19 PM - Installed Java(TM) 6 Update 20
    RP17: 6/20/2010 4:02:31 PM - Installed OpenOffice.org 3.2
    RP18: 6/20/2010 5:15:42 PM - Software Distribution Service 3.0
    RP19: 6/20/2010 10:27:16 PM - Installed Sapphire Management Suite 1.09.06 6162009
    RP20: 6/21/2010 6:54:15 PM - Avg8 Update
    RP21: 6/21/2010 7:00:37 PM - Avg Update
    RP22: 6/22/2010 6:06:44 AM - Software Distribution Service 3.0
    RP23: 6/22/2010 5:48:55 PM - Avg Update
    RP24: 6/23/2010 8:11:43 PM - System Checkpoint
    RP25: 6/24/2010 5:07:07 PM - Avg Update
    RP26: 6/24/2010 8:54:53 PM - Installed Adobe Reader 9.3.
    RP27: 6/25/2010 8:56:12 PM - System Checkpoint
    RP28: 6/26/2010 9:56:12 PM - System Checkpoint
    RP29: 6/27/2010 10:11:01 PM - System Checkpoint
    RP30: 6/28/2010 11:16:57 PM - System Checkpoint
    RP31: 6/29/2010 11:50:09 PM - System Checkpoint
    RP32: 7/1/2010 12:50:09 AM - System Checkpoint
    RP33: 7/2/2010 12:59:53 AM - System Checkpoint
    RP34: 7/3/2010 1:37:43 AM - System Checkpoint
    RP35: 7/4/2010 3:37:44 AM - System Checkpoint
    RP36: 7/5/2010 4:37:43 AM - System Checkpoint
    RP37: 7/6/2010 4:58:11 AM - System Checkpoint
    RP38: 7/6/2010 7:18:53 PM - Installed QuickTime
    RP39: 7/7/2010 9:35:03 PM - System Checkpoint
    RP40: 7/8/2010 11:41:33 PM - System Checkpoint
    RP41: 7/10/2010 12:23:40 AM - System Checkpoint
    RP42: 7/11/2010 12:39:32 AM - System Checkpoint
    RP43: 7/12/2010 1:39:32 AM - System Checkpoint
    RP44: 7/13/2010 3:36:30 AM - System Checkpoint
    RP45: 7/14/2010 6:57:55 PM - System Checkpoint
    RP46: 7/15/2010 11:42:51 AM - Software Distribution Service 3.0
    RP47: 7/15/2010 5:52:54 PM - Avg Update
    RP48: 7/15/2010 5:55:23 PM - Avg Update
    RP49: 7/16/2010 11:21:05 PM - System Checkpoint
    RP50: 7/17/2010 11:39:40 PM - System Checkpoint
    RP51: 7/18/2010 11:56:56 PM - System Checkpoint
    RP52: 7/20/2010 12:01:18 AM - System Checkpoint
    RP53: 7/20/2010 4:18:18 PM - Avg Update
    RP54: 7/21/2010 6:30:55 AM - Software Distribution Service 3.0
    RP55: 7/22/2010 3:14:06 PM - System Checkpoint
    RP56: 7/23/2010 8:14:40 PM - Restore Operation
    RP57: 7/24/2010 11:00:20 AM - Restore Operation
    RP58: 7/24/2010 11:03:13 AM - Restore Operation

    ==== Installed Programs ======================

    Ad-Aware
    Adobe Acrobat 5.0
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.3
    ALPS Touch Pad Driver
    Apple Application Support
    Apple Software Update
    AVG Free 9.0
    Broadcom Gigabit Integrated Controller
    C-Major Audio
    CCleaner
    Conexant D110 MDC V.92 Modem
    Dell Wireless WLAN Card
    Gemcom32
    Gemstall
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB981793)
    I8kfanGUI V3.1
    ieSpell
    Intel(R) Graphics Media Accelerator Driver for Mobile
    Java Auto Updater
    Java(TM) 6 Update 16
    Java(TM) 6 Update 20
    Malwarebytes' Anti-Malware
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.6.8)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    OpenOffice.org 3.2
    QuickTime
    Sapphire Management Suite 1.09.06 6162009
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB982381)
    ServTerm
    Spybot - Search & Destroy
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TIPCI
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)

    ==== Event Viewer Messages From Past Week ========

    7/24/2010 11:42:16 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    7/24/2010 11:42:16 AM, error: Service Control Manager [7034] - The AVG Free E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
    7/24/2010 11:42:16 AM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    7/24/2010 11:42:16 AM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    7/24/2010 11:42:10 AM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
    7/23/2010 8:59:19 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    7/23/2010 8:59:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
    7/23/2010 8:16:40 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
    7/23/2010 8:14:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    7/23/2010 8:13:37 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    7/23/2010 8:13:37 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    7/23/2010 11:19:08 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
    7/21/2010 8:10:17 AM, error: Dhcp [1002] - The IP address lease 192.168.0.101 for the Network Card with network address 0014A416AC13 has been denied by the DHCP server 192.168.50.1 (The DHCP Server sent a DHCPNACK message).
    7/21/2010 1:34:49 PM, error: Dhcp [1002] - The IP address lease 192.168.50.129 for the Network Card with network address 0014A416AC13 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================
     
  4. Jeff2020

    Jeff2020 TS Rookie Topic Starter

    I had posted more logs, but it didn't post, so I am attaching the logs.
     
  5. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Note: If you have a previous version of TDSSKiller downloaded, please delete it now and download a fresh copy using the links provided below.

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (or hold down your Windows key and press R), then copy and paste the following into the text field (make sure you include the quote marks) and press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file called TDSSKiller.txt should be created on your C: drive. Please copy and paste the contents of that file here.
     
  6. Jeff2020

    Jeff2020 TS Rookie Topic Starter

    Hmmm, on my desktop I see the tdsskiller zip folder. I unzipped it and I see on my desktop eula.txt and tdsskiller. I copied the text, making sure I had the quotes, and pasted it in Run. It asked me if I wanted to run tdsskiller; I selected yes and it comes up with

    error
    valid command line paramaters
    -l <file name> (path to log file)
    -qpath <folder name> (path to quarantine folder)
    -qall (copy all objects to quarantine)
    -qsus (copy all suspicious objects to quarantine)
    qmbr (copy all mbr to quarantine)


    I ran it three times and got the same error each time, but I did find this log in my C: drive:

    2010/07/24 15:56:19.0921 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
    2010/07/24 15:56:19.0921 ================================================================================
    2010/07/24 15:56:19.0921 SystemInfo:
    2010/07/24 15:56:19.0921
    2010/07/24 15:56:19.0921 OS Version: 5.1.2600 ServicePack: 3.0
    2010/07/24 15:56:19.0921 Product type: Workstation
    2010/07/24 15:56:19.0921 ComputerName: UNITED-A4E2111A
    2010/07/24 15:56:19.0921 UserName: Jeff Lyons
    2010/07/24 15:56:19.0921 Windows directory: C:\WINDOWS
    2010/07/24 15:56:19.0921 System windows directory: C:\WINDOWS
    2010/07/24 15:56:19.0921 Processor architecture: Intel x86
    2010/07/24 15:56:19.0921 Number of processors: 1
    2010/07/24 15:56:19.0921 Page size: 0x1000
    2010/07/24 15:56:19.0921 Boot type: Normal boot
    2010/07/24 15:56:19.0921 ================================================================================
    2010/07/24 15:56:20.0593 Initialize success
    2010/07/24 15:56:23.0343 Deinitialize success
     
  7. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Hmmm....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If ComboFix asks you to install Recovery Console, please allow it.
      NOTE 2. If ComboFix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt".
    **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. Jeff2020

    Jeff2020 TS Rookie Topic Starter

    ComboFix 10-07-24.01 - Jeff Lyons 07/24/2010 16:54:09.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.607 [GMT -5:00]
    Running from: c:\documents and settings\Jeff Lyons\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ADS - WINDOWS: deleted 128 bytes in 1 streams.
    ADS - svchost.exe: deleted 88 bytes in 2 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\images

    Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
    .

    2010-07-24 04:02 . 2010-07-24 04:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2010-07-24 03:52 . 2010-07-24 03:50 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-07-24 03:28 . 2010-07-24 03:28 -------- d-----w- c:\documents and settings\Jeff Lyons\Local Settings\Application Data\Sunbelt Software
    2010-07-24 03:27 . 2010-07-24 03:28 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
    2010-07-24 03:27 . 2010-07-12 08:56 2979280 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
    2010-07-24 03:27 . 2010-07-24 03:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
    2010-07-24 02:31 . 2010-07-24 02:31 -------- d-----w- c:\documents and settings\Jeff Lyons\Local Settings\Application Data\Help
    2010-07-24 01:20 . 2010-07-24 01:20 -------- d-----w- c:\documents and settings\Jeff Lyons\Application Data\Malwarebytes
    2010-07-24 01:20 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-24 01:19 . 2010-07-24 01:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2010-07-24 01:19 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-24 01:15 . 2010-07-24 01:15 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-07-15 22:55 . 2010-07-15 22:55 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-15 14:10 . 2010-07-15 14:10 -------- d-----w- c:\documents and settings\Jeff Lyons\Application Data\Apple Computer
    2010-07-15 13:19 . 2010-07-15 13:19 17712 ----a-w- c:\documents and settings\Jeff Lyons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-07-07 00:19 . 2010-07-07 00:19 -------- d-----w- c:\program files\QuickTime
    2010-07-07 00:18 . 2010-07-07 00:18 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
    2010-07-07 00:18 . 2010-07-07 00:18 -------- d-----w- c:\program files\Common Files\Apple
    2010-07-07 00:18 . 2010-07-07 00:18 -------- d-----w- c:\documents and settings\Jeff Lyons\Local Settings\Application Data\Apple
    2010-07-07 00:18 . 2010-07-07 00:18 -------- d-----w- c:\program files\Apple Software Update
    2010-07-07 00:18 . 2010-07-07 00:18 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
    2010-07-07 00:17 . 2010-07-07 00:17 -------- d-----w- c:\documents and settings\Jeff Lyons\Local Settings\Application Data\Apple Computer
    2010-07-05 10:13 . 2010-07-05 10:13 18236 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-07-01 17:21 . 1999-03-23 14:12 299520 ----a-w- c:\windows\uninst.exe
    2010-07-01 17:21 . 2010-07-01 17:21 -------- d-----w- c:\documents and settings\Jeff Lyons\WINDOWS
    2010-06-29 14:47 . 2010-07-21 17:06 -------- d-----w- C:\Gemstall
    2010-06-28 13:13 . 2010-06-28 13:13 -------- d-----w- C:\SHOPAK V5.00.09 Suite Production CD
    2010-06-25 02:07 . 2009-11-25 18:01 1230080 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AVG Security Toolbar\IEToolbar.dll
    2010-06-25 01:56 . 2010-07-03 20:03 -------- d-----w- c:\documents and settings\Jeff Lyons\Local Settings\Application Data\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-24 21:31 . 2010-06-20 17:52 -------- d-----w- c:\documents and settings\Jeff Lyons\Application Data\mIRC
    2010-07-24 16:33 . 2010-05-29 23:16 0 ----a-w- c:\documents and settings\Jeff\Local Settings\Application Data\prvlcl.dat
    2010-07-24 15:54 . 2008-08-21 12:00 14336 ----a-w- c:\windows\system32\svchost.exe
    2010-07-24 04:05 . 2009-10-03 13:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-07-24 02:42 . 2010-07-24 02:29 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SecTaskMan
    2010-07-24 01:34 . 2009-10-03 13:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-24 01:07 . 2010-06-20 19:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVG Security Toolbar
    2010-07-18 03:25 . 2010-06-20 21:09 1 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-07-15 22:55 . 2010-06-20 19:37 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-15 22:54 . 2010-06-20 19:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-06-22 00:00 . 2010-06-20 19:37 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-06-21 03:27 . 2010-06-21 03:27 40960 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\ARPPRODUCTICON.exe
    2010-06-21 03:27 . 2010-06-21 03:27 193110 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut11_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
    2010-06-21 03:27 . 2010-06-21 03:27 193110 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut1_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
    2010-06-21 03:27 . 2010-06-21 03:27 157302 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\SASTM.exe2_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
    2010-06-21 03:27 . 2010-06-21 03:27 157302 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\SASTM.exe_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
    2010-06-21 03:27 . 2010-06-21 03:27 157302 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut31_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
    2010-06-21 03:27 . 2010-06-21 03:27 157302 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut3_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
    2010-06-20 21:09 . 2010-06-20 21:09 -------- d-----w- c:\documents and settings\Jeff Lyons\Application Data\OpenOffice.org
    2010-06-20 21:03 . 2010-05-23 20:26 -------- d-----w- c:\program files\JRE
    2010-06-20 21:03 . 2009-12-06 02:29 -------- d-----w- c:\program files\OpenOffice.org 3
    2010-06-20 21:01 . 2010-06-20 21:01 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-20 19:36 . 2010-06-20 19:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9
    2010-06-20 17:52 . 2009-08-31 23:41 -------- d-----w- c:\program files\mIRC
    2010-06-20 17:21 . 2010-06-20 17:21 0 ----a-w- c:\windows\nsreg.dat
    2010-06-20 17:19 . 2009-10-14 20:43 -------- d-----w- c:\program files\ieSpell
    2010-06-20 17:12 . 2010-06-20 17:12 8854 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\Uninstall_Gemcom32_85545F6251FA449E95B54442DE267E7D.exe
    2010-06-20 17:12 . 2010-06-20 17:12 40960 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\rubylink.exe_19A09CFB000C4A769EAB009413464CCF.exe
    2010-06-20 17:12 . 2010-06-20 17:12 40960 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\NewShortcut2_A7D3544621974F95824035A15208D8AE.exe
    2010-06-20 17:12 . 2010-06-20 17:12 40960 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\NewShortcut1_19A09CFB000C4A769EAB009413464CCF.exe
    2010-06-20 17:12 . 2010-06-20 17:12 10134 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\ARPPRODUCTICON.exe
    2010-06-20 17:11 . 2010-06-20 17:11 503808 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46e00657-n\msvcp71.dll
    2010-06-20 17:11 . 2010-06-20 17:11 499712 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46e00657-n\jmc.dll
    2010-06-20 17:11 . 2010-06-20 17:11 348160 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46e00657-n\msvcr71.dll
    2010-06-20 17:11 . 2010-06-20 17:11 61440 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c25c497-n\decora-sse.dll
    2010-06-20 17:11 . 2010-06-20 17:11 12800 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c25c497-n\decora-d3d.dll
    2010-06-20 17:09 . 2010-06-20 17:09 79488 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\Sun\Java\jre1.6.0_18\gtapi.dll
    2010-06-20 17:09 . 2010-06-20 17:09 152576 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\Sun\Java\jre1.6.0_18\lzma.dll
    2010-06-20 17:04 . 2009-01-16 18:35 -------- d-----w- c:\program files\Apoint
    2010-06-20 17:03 . 2010-06-20 17:03 -------- d-----w- c:\program files\Broadcom
    2010-06-20 16:35 . 2009-10-29 17:49 -------- d-----w- c:\program files\Common Files\Adobe
    2010-06-20 16:34 . 2010-06-20 16:34 -------- d-----w- c:\documents and settings\Jeff Lyons\Application Data\InterTrust
    2010-06-20 16:20 . 2010-06-20 15:28 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-06-20 15:25 . 2010-06-20 15:25 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-06-20 03:53 . 2009-12-06 02:38 1 ----a-w- c:\documents and settings\Jeff\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-06-19 21:18 . 2009-08-31 23:41 -------- d-----w- c:\documents and settings\Jeff\Application Data\mIRC
    2010-06-16 17:57 . 2010-06-16 17:57 193110 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut11_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
    2010-06-16 17:57 . 2010-06-16 17:57 193110 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut1_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
    2010-06-16 17:57 . 2010-06-16 17:57 157302 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\SASTM.exe_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
    2010-06-16 17:57 . 2010-06-16 17:57 157302 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut31_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
    2010-06-16 17:57 . 2010-06-16 17:57 157302 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut3_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
    2010-06-16 17:57 . 2010-06-16 17:57 40960 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\ARPPRODUCTICON.exe
    2010-06-16 17:57 . 2010-06-16 17:57 157302 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\SASTM.exe2_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
    2010-06-14 14:31 . 2010-06-20 15:26 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-05-25 15:09 . 2009-10-14 18:42 23824 ----a-w- c:\documents and settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-11 15:13 . 2010-05-11 15:13 45056 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{A26428D4-F486-4CA3-83E8-456B8104090B}\NewShortcut1_A26428D4F4864CA383E8456B8104090B.exe
    2010-05-11 15:13 . 2010-05-11 15:13 45056 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{A26428D4-F486-4CA3-83E8-456B8104090B}\VFIRtRCnfg.exe_C6BE42A2F5E140CF9AF72D1C5FC7BA62.exe
    2010-05-11 15:13 . 2010-05-11 15:13 10134 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{A26428D4-F486-4CA3-83E8-456B8104090B}\ARPPRODUCTICON.exe
    2010-05-08 16:03 . 2010-05-08 16:03 8854 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\Uninstall_Gemcom32_85545F6251FA449E95B54442DE267E7D.exe
    2010-05-08 16:03 . 2010-05-08 16:03 40960 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\rubylink.exe_19A09CFB000C4A769EAB009413464CCF.exe
    2010-05-08 16:03 . 2010-05-08 16:03 40960 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\NewShortcut2_A7D3544621974F95824035A15208D8AE.exe
    2010-05-08 16:03 . 2010-05-08 16:03 40960 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\NewShortcut1_19A09CFB000C4A769EAB009413464CCF.exe
    2010-05-08 16:03 . 2010-05-08 16:03 10134 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\ARPPRODUCTICON.exe
    2010-05-08 16:00 . 2010-05-08 16:00 79488 ----a-w- c:\documents and settings\Jeff\Application Data\Sun\Java\jre1.6.0_18\gtapi.dll
    2010-05-08 16:00 . 2010-05-08 16:00 152576 ----a-w- c:\documents and settings\Jeff\Application Data\Sun\Java\jre1.6.0_18\lzma.dll
    2010-05-02 05:22 . 2008-08-21 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    .
     
  9. Jeff2020

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2010-04-19 15:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-16 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-16 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-16 118784]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

    c:\documents and settings\Jeff\Start Menu\Programs\Startup\
    Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-07-15 22:55 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\mirc.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/23/2010 10:52 PM 64288]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/20/2010 2:37 PM 216400]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/20/2010 2:37 PM 243024]
    R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [6/20/2010 2:46 PM 14464]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 5:54 PM 921952]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 5:55 PM 308136]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 3:55 AM 1181328]
    R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [6/20/2010 12:00 PM 88192]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-24 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 03:48]

    2010-07-24 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 03:48]

    2010-07-24 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 03:48]

    2010-07-24 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 03:48]

    2010-07-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 03:48]

    2010-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-24 17:01
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(916)
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2010-07-24 17:03:43
    ComboFix-quarantined-files.txt 2010-07-24 22:03

    Pre-Run: 17,711,280,128 bytes free
    Post-Run: 17,689,083,904 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 9D4BD18BEDFCEF504F95E07915D1EA2E
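The "Reg Loading Points" section above is what a helper reads first: every autostart entry is printed as `"name"="path" [date size]` under its registry key, and a rogue-AV dropper shows up there as a binary launching from Temp or the user profile rather than from Program Files or Windows. The script below is an added example, not part of this thread and not ComboFix's or Broni's code. It parses that section format and flags entries by a few location and naming heuristics. The first three sample entries are copied from the log above; the "sysupd" and "updater" entries, their paths and their hex file name are hypothetical, constructed here only to exercise the checks, and the function and class names are my own.

```python
"""
Added example: triage the 'Reg Loading Points' section of a ComboFix log.

Parses the autostart entries under each registry key and flags binaries that
launch from locations a dropper typically uses (Temp, the user profile), that
borrow a Windows system binary name outside the Windows directory, or that
carry a random-looking hex file name. Heuristics only; each hit needs a look.
"""
import re
from dataclasses import dataclass

# Constructed sample: the first three Run entries are copied from the log in
# the thread; "sysupd" and "updater" are hypothetical entries invented here to
# exercise the flagging logic. They were not present on the poster's machine.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"sysupd"="c:\documents and settings\Jeff Lyons\Local Settings\Temp\1a2b3c4d.exe" [2010-07-23 61440]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="c:\documents and settings\Jeff Lyons\Application Data\svchost.exe" [2010-07-23 14336]
'''

# A key header line such as [HKEY_LOCAL_MACHINE\...\Run] or [HKLM\~\services\...]
KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
# An entry line: "name"="path" [YYYY-MM-DD size]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]+)"\s*'
    r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)

# Names that malware borrows to blend in; legitimate copies live under c:\windows.
SYSTEM_BINARY_NAMES = {
    'svchost.exe', 'explorer.exe', 'lsass.exe', 'csrss.exe',
    'winlogon.exe', 'services.exe', 'smss.exe',
}


@dataclass
class AutostartEntry:
    key: str
    name: str
    path: str
    date: str
    size: int


@dataclass
class Finding:
    entry: AutostartEntry
    reasons: list


def parse_loading_points(text):
    """Return the autostart entries found under each [HK...] key header."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group('key')
            continue
        entry_match = ENTRY_RE.match(line)
        if entry_match and current_key:
            entries.append(AutostartEntry(
                key=current_key,
                name=entry_match['name'],
                path=entry_match['path'],
                date=entry_match['date'],
                size=int(entry_match['size']),
            ))
    return entries


def triage(entries):
    """Apply location and naming heuristics; return only the entries that trip one."""
    findings = []
    for entry in entries:
        path = entry.path.lower().replace('/', '\\')
        exe = path.rsplit('\\', 1)[-1]
        stem = exe[:-4] if exe.endswith('.exe') else exe
        reasons = []
        if '\\temp\\' in path:
            reasons.append('launches from a Temp directory')
        if path.startswith('c:\\documents and settings\\'):
            reasons.append('launches from a user profile rather than Program Files or Windows')
        if exe in SYSTEM_BINARY_NAMES and not path.startswith('c:\\windows\\'):
            reasons.append(f'uses the system binary name {exe} outside c:\\windows')
        if re.fullmatch(r'[0-9a-f]{8}', stem):
            reasons.append('random-looking 8-hex-character file name')
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == '__main__':
    for finding in triage(parse_loading_points(SAMPLE_LOG)):
        print(f'{finding.entry.key}\n  "{finding.entry.name}" -> {finding.entry.path}')
        for reason in finding.reasons:
            print(f'    - {reason}')
```

Run against the real log, the three genuine Run entries pass and only the two constructed ones are reported; the AVG entry's 8.3 short path (`c:\progra~1\...`) is deliberately left alone, since legitimate installers write those too.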
     
  10. Broni

    Looks good :)

    How are the issues?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ======================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  11. Jeff2020

    Everything is working well now.

    OTL Extras logfile created on: 7/24/2010 6:06:35 PM - Run 1
    OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Jeff Lyons\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,015.00 Mb Total Physical Memory | 531.00 Mb Available Physical Memory | 52.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.26 Gb Total Space | 18.65 Gb Free Space | 50.06% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: UNITED-A4E2111A
    Current User Name: Jeff Lyons
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
    "C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\mirc.exe" = C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
    "C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0E0479F8-180F-4054-B4F7-17EE657F90BF}" = TIPCI
    "{26A24AE4-039D-4CA4-87B4-2F83216016F0}" = Java(TM) 6 Update 16
    "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
    "{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
    "{5A13987D-55F4-4271-A40E-76AC9B1B38FD}" = OpenOffice.org 3.2
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}" = Sapphire Management Suite 1.09.06 6162009
    "{7E369B27-13E2-41A5-9879-358EE1C8B5AD}" = Broadcom Gigabit Integrated Controller
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{85545F62-51FA-449E-95B5-4442DE267E7D}" = Gemcom32
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver for Mobile
    "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
    "{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
    "Ad-Aware" = Ad-Aware
    "Adobe Acrobat 5.0" = Adobe Acrobat 5.0
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "AVG9Uninstall" = AVG Free 9.0
    "Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
    "CCleaner" = CCleaner
    "CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D110 MDC V.92 Modem
    "Gemstall" = Gemstall
    "I8kfanGUI" = I8kfanGUI V3.1
    "ieSpell" = ieSpell
    "InstallShield_{0E0479F8-180F-4054-B4F7-17EE657F90BF}" = Texas Instruments PCIxx21/x515/xx12 drivers.
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
    "ServTerm" = ServTerm

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 6/20/2010 4:33:59 PM | Computer Name = UNITED-A4E2111A | Source = Application Error | ID = 1000
    Description = Faulting application unopkg.bin, version 0.0.0.0, faulting module
    sal3.dll, version 3.0.500.0, fault address 0x000095e3.

    Error - 6/20/2010 4:34:02 PM | Computer Name = UNITED-A4E2111A | Source = Application Error | ID = 1000
    Description = Faulting application unopkg.bin, version 0.0.0.0, faulting module
    sal3.dll, version 3.0.500.0, fault address 0x000095e3.

    Error - 6/20/2010 4:34:04 PM | Computer Name = UNITED-A4E2111A | Source = Application Error | ID = 1000
    Description = Faulting application unopkg.bin, version 0.0.0.0, faulting module
    sal3.dll, version 3.0.500.0, fault address 0x000095e3.

    Error - 7/3/2010 4:26:11 PM | Computer Name = UNITED-A4E2111A | Source = Application Hang | ID = 1002
    Description = Hanging application mirc.exe, version 6.35.0.0, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 7/3/2010 4:26:11 PM | Computer Name = UNITED-A4E2111A | Source = Application Hang | ID = 1002
    Description = Hanging application mirc.exe, version 6.35.0.0, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 7/3/2010 4:28:58 PM | Computer Name = UNITED-A4E2111A | Source = Application Hang | ID = 1002
    Description = Hanging application soffice.bin, version 3.2.9498.500, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 7/3/2010 4:31:29 PM | Computer Name = UNITED-A4E2111A | Source = Application Error | ID = 1000
    Description = Faulting application plugin-container.exe, version 1.9.2.3828, faulting
    module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

    Error - 7/23/2010 9:03:37 PM | Computer Name = UNITED-A4E2111A | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The connection with the server was terminated abnormally

    Error - 7/23/2010 9:03:39 PM | Computer Name = UNITED-A4E2111A | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    Error - 7/23/2010 9:03:41 PM | Computer Name = UNITED-A4E2111A | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    [ System Events ]
    Error - 7/23/2010 9:35:45 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7023
    Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
    with the following error: %%2

    Error - 7/23/2010 9:42:29 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7023
    Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
    with the following error: %%2

    Error - 7/23/2010 9:42:50 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7023
    Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
    with the following error: %%2

    Error - 7/23/2010 9:46:38 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7023
    Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
    with the following error: %%2

    Error - 7/23/2010 9:52:07 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7023
    Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
    with the following error: %%2

    Error - 7/23/2010 9:59:06 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7023
    Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
    with the following error: %%2

    Error - 7/23/2010 9:59:11 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    PCIIde

    Error - 7/23/2010 9:59:19 PM | Computer Name = UNITED-A4E2111A | Source = sr | ID = 1
    Description = The System Restore filter encountered the unexpected error '0xC0000001'
    while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
    the volume.

    Error - 7/23/2010 9:59:19 PM | Computer Name = UNITED-A4E2111A | Source = Ftdisk | ID = 262189
    Description = The system could not sucessfully load the crash dump driver.

    Error - 7/23/2010 9:59:19 PM | Computer Name = UNITED-A4E2111A | Source = Ftdisk | ID = 262193
    Description = Configuring the Page file for crash dump failed. Make sure there is
    a page file on the boot partition and that is large enough to contain all physical
    memory.


    < End of report >
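The System Events section above records the Windows Firewall/ICS service terminating six times between 9:35 and 9:59 PM on 7/23, the day the machine was infected. As an added example, not from the thread or from OTL, this Python parses OTL's event entries and measures such bursts so they stand out from one-off service crashes; the sample input is constructed in the report's format and the one-hour window is an assumption:

```python
import re
from datetime import datetime, timedelta

# OTL writes one "Error - <time> | Computer Name = ... | Source = ... | ID = ..." header
# per event; the Description wraps onto the following lines until a blank line.
HEADER = re.compile(r"^Error - (.+?) \| Computer Name = \S+ \| Source = (.+?) \| ID = (\d+)$")

def parse_otl_events(text):
    """Return the report's events as dicts: timestamp, source, event id, description."""
    events, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            cur = {"ts": datetime.strptime(m[1], "%m/%d/%Y %I:%M:%S %p"),
                   "source": m[2], "id": int(m[3]), "description": ""}
            events.append(cur)
        elif cur and line:  # wrapped Description line
            cur["description"] = (cur["description"] + " " + line.replace("Description = ", "", 1)).strip()
        else:
            cur = None  # blank line closes the event
    return events

def firewall_termination_burst(events, window_minutes=60):
    """Largest number of SCM 7023 'Windows Firewall ... terminated' events within
    window_minutes (assumed 60). One such event is noise; a burst on the day of
    infection means the firewall kept dying or being stopped and belongs in the timeline."""
    ts = sorted(e["ts"] for e in events if e["source"] == "Service Control Manager"
                and e["id"] == 7023 and "Windows Firewall" in e["description"])
    window, best, start = timedelta(minutes=window_minutes), 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

# Constructed sample in the report's layout (three of the thread's 7023 entries).
SAMPLE = """\
Error - 7/23/2010 9:35:45 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2

Error - 7/23/2010 9:42:29 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2

Error - 7/23/2010 9:59:06 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2
"""
```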
     
  12. Jeff2020

    Jeff2020 TS Rookie Topic Starter

    Everything seems to be going good. Have had a problem posting a reply. The logs are too big to paste so attaching them.
     


  13. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Good news then :)

    Update your Java version here: http://www.java.com/en/download/installed.jsp
    During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others (if offered).
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

    ======================================================================

    OTL log looks very clean.

    Last scan....

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  14. Jeff2020

    Jeff2020 TS Rookie Topic Starter

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Sunday, July 25, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Sunday, July 25, 2010 02:16:33
    Records in database: 4219737
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Objects scanned: 64100
    Threats found: 1
    Infected objects found: 4
    Suspicious objects found: 0
    Scan duration: 03:12:51


    File name / Threat / Threats count
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
    C:\Documents and Settings\Jeff\My Documents\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
    C:\Documents and Settings\Jeff Lyons\Desktop\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1

    Selected area has been scanned.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Wonderful :)

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL, as this step will require a reboot.
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    =====================================================================

    Your computer is clean.

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side.
    4. Click on Continue on the "User Account Control" window that pops up.
    5. Under the System Protection tab, find Available Disks.
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:").
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK.

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
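Two of the calls made in this thread can be automated from the scan report itself: the Kaspersky report in post 14 lists four "infected" objects that are all one not-a-virus detection (the user's own mIRC client), which is why it is treated as clean, and step 5 above makes password resets depend on whether a Trojan was listed. As an added example, not from the thread or from Kaspersky, this Python parses that report layout and makes both decisions; the sample input is constructed and its Trojan-Dropper line is made up so both branches run:

```python
import re

# Result-table and statistics lines as written in a Kaspersky Online Scanner 7.0 report.
RESULT = re.compile(r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<name>\S+) (?P<count>\d+)$")
STAT = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>\d+)$")

# Kaspersky naming: a "not-a-virus:" prefix marks riskware/adware the user may have
# installed on purpose; otherwise the first token of the name is its behaviour class.
CREDENTIAL_RISK = ("Trojan", "Backdoor", "Rootkit", "Worm", "Virus")

def behaviour_class(name):
    return "riskware" if name.startswith("not-a-virus:") else name.split(".")[0].split("-")[0]

def parse_report(text):
    stats, findings = {}, []
    for line in text.splitlines():
        m = RESULT.match(line)
        if m:
            findings.append({"path": m["path"], "name": m["name"],
                             "count": int(m["count"]), "class": behaviour_class(m["name"])})
        elif (s := STAT.match(line)):
            stats[s["key"]] = int(s["val"])
    return stats, findings

def triage(text):
    """Riskware-only reports can be closed out; anything in a credential-stealing
    class means the on-line passwords get changed."""
    stats, findings = parse_report(text)
    malware = [f for f in findings if f["class"] != "riskware"]
    return {
        "consistent": stats.get("Infected objects found") == len(findings),
        "distinct_threats": len({f["name"] for f in findings}),
        "riskware_only": not malware,
        "reset_passwords": any(f["class"] in CREDENTIAL_RISK for f in malware),
        "action_paths": [f["path"] for f in malware],
    }

# Constructed sample in the report's layout: two of the thread's mIRC riskware hits
# plus one made-up Trojan-Dropper line (the statistics are adjusted to match).
SAMPLE = """\
Scan statistics:
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0

File name / Threat / Threats count
C:\\Program Files\\mIRC\\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\\Documents and Settings\\Jeff\\My Documents\\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\\EXAMPLE\\dropper.exe Infected: Trojan-Dropper.Win32.Example.a 1
"""
```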
     
  16. Jeff2020

    Jeff2020 TS Rookie Topic Starter

    Sorry it took so long to get back, storms have had me busy at work this week.
    The computer is working great. I want to thank you for all the work you do. When I get the time I need to take a look at our desktop that the son and wife both use, both download stuff all the time. When I get the time I will post a new thread if there are any issues.

    Thanks again
    Jeff
     
  17. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Way to go!!
    Good luck and stay safe :)
     
Topic Status:
Not open for further replies.
