TechSpot

Browser hijacked, some sites blocked & annoying popups

Solved
By Mabana
Oct 12, 2010
  1. Malware Log:
    ==========================
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4801

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/12/2010 10:16:59 AM
    mbam-log-2010-10-12 (10-16-59).txt

    Scan type: Quick scan
    Objects scanned: 133621
    Time elapsed: 7 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER log:
    ==============================
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-10-12 11:15:16
    Windows 5.1.2600 Service Pack 3
    Running: j4uzzdbp.exe; Driver: C:\DOCUME~1\KT\LOCALS~1\Temp\uxtdqpod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA741B6C0]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA741B770]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA741B810]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA741B8B0]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\explorer.exe[4776] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FE000A
    .text C:\WINDOWS\explorer.exe[4776] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FF000A
    .text C:\WINDOWS\explorer.exe[4776] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FD000C
    .text C:\WINDOWS\System32\svchost.exe[4864] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DC000A
    .text C:\WINDOWS\System32\svchost.exe[4864] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DD000A
    .text C:\WINDOWS\System32\svchost.exe[4864] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DB000C
    .text C:\WINDOWS\System32\svchost.exe[4864] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E1000A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1640] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01E82F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1640] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01E82CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1640] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01E82D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1640] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01E82CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Skype\Phone\Skype.exe[2208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [02A92F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Skype\Phone\Skype.exe[2208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [02A92CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Skype\Phone\Skype.exe[2208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [02A92D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Skype\Phone\Skype.exe[2208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [02A92CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Messenger\msmsgs.exe[2524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [012C2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Messenger\msmsgs.exe[2524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [012C2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Messenger\msmsgs.exe[2524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [012C2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Messenger\msmsgs.exe[2524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [012C2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009F2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009F2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009F2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009F2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\KT\Desktop\8-steps\Step 4\j4uzzdbp.exe[6116] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\KT\Desktop\8-steps\Step 4\j4uzzdbp.exe[6116] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\KT\Desktop\8-steps\Step 4\j4uzzdbp.exe[6116] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\KT\Desktop\8-steps\Step 4\j4uzzdbp.exe[6116] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \FileSystem\Fastfat \Fat A5385D20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    ---- EOF - GMER 1.0.15 ----
     
  2. Mabana

    Mabana TS Rookie Topic Starter

    Another log

    DDS log:
    =======================

    DDS (Ver_10-10-10.03) - NTFSx86
    Run by KT at 11:37:46.51 on Tue 10/12/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1433 [GMT -6:00]

    AV: AVG Anti-Virus Free Edition 2011 *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    svchost.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\KADxMain.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\Southwest Airlines\Ding\Ding.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\KT\Desktop\8-steps\Step 5\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://google.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    uInternet Settings,ProxyOverride = <local>
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
    mRun: [Xnorigusud] rundll32.exe "c:\windows\epujigulukacega.dll",Startup
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [KADxMain] c:\windows\system32\KADxMain.exe
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    StartupFolder: c:\docume~1\kt\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\kt\applic~1\mozilla\firefox\profiles\v56u77vd.default\
    FF - plugin: c:\documents and settings\kt\application data\move networks\plugins\npqmp071504000001.dll
    FF - plugin: c:\documents and settings\kt\application data\move networks\plugins\npqmp071705000014.dll
    FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC} - c:\documents and settings\kt\local settings\application data\{406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-10-12 18816]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-9-10 265400]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
    S3 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-9-3 6104144]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    S3 azt2320;Aztech 2320 Audio Driver (WDM);c:\windows\system32\drivers\aztw2320.sys [2009-3-12 36992]
    S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\43.tmp --> c:\windows\system32\43.tmp [?]

    =============== Created Last 30 ================

    2010-10-12 15:26:23 -------- d-----w- c:\docume~1\kt\applic~1\Malwarebytes
    2010-10-12 15:26:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-12 15:26:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-10-12 15:26:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-12 15:26:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-12 14:46:19 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2010-10-12 13:55:28 -------- d-----w- c:\docume~1\kt\locals~1\applic~1\{406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC}
    2010-10-12 04:10:52 -------- d-----w- c:\program files\Sophos
    2010-10-11 10:59:32 -------- d-----w- c:\documents and settings\kt\windows contacts contact
    2010-10-11 06:17:12 -------- d--h--w- C:\$AVG
    2010-10-11 06:15:59 -------- d-----w- c:\docume~1\kt\applic~1\AVG10
    2010-10-11 06:14:34 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2010-10-11 06:12:44 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-10-11 06:12:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2010-10-11 06:11:52 -------- d-----w- c:\program files\AVG
    2010-10-11 06:00:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2010-10-11 05:49:38 4952064 ----a-w- c:\windows\system32\stacgui.cpl
    2010-10-11 05:49:38 405504 ----a-w- c:\windows\stsystra.exe
    2010-10-11 05:49:38 1601536 ----a-w- c:\windows\system32\stlang.dll
    2010-10-11 05:48:41 270336 ----a-w- c:\windows\system32\stacapi.dll
    2010-10-11 05:48:41 146944 ----a-w- c:\windows\system32\st325602.dll
    2010-10-11 05:44:18 -------- d-----w- c:\docume~1\kt\locals~1\applic~1\SupportSoft
    2010-10-11 05:43:16 -------- d-----w- c:\program files\Dell Support Center
    2010-10-11 05:43:16 -------- d-----w- c:\program files\common files\supportsoft
    2010-10-11 05:41:38 -------- d-----w- c:\docume~1\kt\applic~1\Dell
    2010-10-11 05:40:58 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS
    2010-10-11 05:36:00 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
    2010-10-11 05:35:59 416 ----a-w- c:\windows\system32\vcredist_x86.bat
    2010-10-11 05:35:58 2682880 ----a-w- c:\windows\system32\vcredist_x86.exe
    2010-10-11 05:35:57 143360 ----a-w- c:\windows\system32\preflib.dll
    2010-10-11 05:35:56 286720 ----a-w- c:\windows\system32\bcmwlu00.exe
    2010-10-11 05:35:55 65536 ----a-w- c:\windows\system32\wltrynt.dll
    2010-10-11 05:35:54 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
    2010-10-11 05:35:53 5029888 ----a-w- c:\windows\system32\BCMWLCPL.CPL
    2010-10-11 05:35:52 2220032 ----a-w- c:\windows\system32\WLTRAY.EXE
    2010-10-11 05:35:52 1961984 ----a-w- c:\windows\system32\BCMWLTRY.EXE
    2010-10-11 05:35:50 24064 ----a-w- c:\windows\system32\WLTRYSVC.EXE
    2010-10-11 05:35:49 143360 ----a-w- c:\windows\system32\bcmwlapi.dll
    2010-10-11 05:32:12 45568 ----a-r- c:\windows\system32\drivers\bcm4sbxp.sys
    2010-10-11 05:24:58 -------- d-----w- c:\windows\Downloaded Installations
    2010-10-11 05:23:09 172032 ----a-w- c:\windows\system32\igfxres.dll
    2010-10-11 04:24:34 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-10-11 04:24:34 423656 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2010-10-11 04:08:16 32256 ----a-w- c:\windows\system32\drivers\rimmptsk.sys
    2010-10-11 04:08:15 37376 ----a-w- c:\windows\system32\drivers\rixdptsk.sys
    2010-10-11 04:08:15 16480 ----a-w- c:\windows\system32\rixdicon.dll
    2010-10-11 04:08:14 90112 ----a-w- c:\windows\system32\snymsico.dll
    2010-10-11 04:08:14 43520 ----a-w- c:\windows\system32\drivers\rimsptsk.sys
    2010-10-11 04:07:50 666 ----a-w- c:\windows\speed.reg
    2010-10-11 03:38:44 -------- d-----w- c:\program files\SigmaTel
    2010-10-11 03:13:59 2670592 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
    2010-10-11 03:13:58 753664 ----a-w- c:\windows\system32\bcm1xsup.dll
    2010-09-23 00:10:52 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2010-09-23 00:10:52 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2010-09-13 22:27:24 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys

    ==================== Find3M ====================

    2010-10-12 13:55:30 0 ----a-w- c:\windows\Kmewifigoc.bin
    2010-07-17 08:42:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2009-09-05 01:01:10 525656 ----a-w- c:\program files\DXSETUP.exe
    2009-09-05 01:01:08 94024 ----a-w- c:\program files\DSETUP.dll
    2009-09-05 01:01:08 1691464 ----a-w- c:\program files\dsetup32.dll

    ============= FINISH: 11:39:35.25 ===============
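As an added example (not part of the original post, and not DDS's own logic), a first-pass triage script over the Pseudo HJT and SERVICES / DRIVERS sections of a DDS log like the one above. The three heuristics it applies (a user IE proxy pointing at the loopback address, an autorun that has rundll32 load a DLL straight out of the Windows root, and a service whose binary DDS marks `[?]` as not found) are this example's own assumptions about what merits a second look, and the sample lines are constructed by copying entries from the log above with a few benign lines as controls.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the DDS log in the post above,
# plus benign entries (ctfmon, Quickcam, AVG) that must not be flagged.
SAMPLE_DDS = r"""============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Xnorigusud] rundll32.exe "c:\windows\epujigulukacega.dll",Startup
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

============= SERVICES / DRIVERS ===============

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-9-10 265400]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\43.tmp --> c:\windows\system32\43.tmp [?]
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule id
    detail: str  # why the line was flagged
    line: str    # the DDS line that triggered it


# Line shapes used by DDS for the sections we care about (assumed from the log above).
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$", re.I)
RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,', re.I)
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$")

# Heuristics (this example's own assumptions, not DDS rules).
LOOPBACK_RE = re.compile(r"(?<![\w.])(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)(?![\w.])", re.I)
WINROOT_DLL_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.I)  # DLL directly in c:\windows\


def triage(dds_text: str) -> List[Finding]:
    """Walk a DDS log line by line and return the entries a first pass would flag."""
    findings: List[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = PROXY_RE.match(line)
        if m:
            value = m.group("value")
            if LOOPBACK_RE.search(value):
                # A loopback proxy means some local process sits between the
                # browser and the network: the classic shape of a browser hijack.
                findings.append(Finding(
                    "loopback-proxy",
                    f"user IE proxy points at the local machine ({value})",
                    line))
            else:
                findings.append(Finding(
                    "proxy-set", f"user IE proxy configured ({value}); confirm it is intended", line))
            continue

        m = RUN_RE.match(line)
        if m:
            dll = RUNDLL_RE.search(m.group("cmd"))
            if dll and WINROOT_DLL_RE.match(dll.group("dll")):
                # Installers put their DLLs in subfolders; a bare DLL in the
                # Windows root started through rundll32 is worth verifying.
                findings.append(Finding(
                    "rundll32-winroot",
                    f"autorun '{m.group('name')}' loads {dll.group('dll')} via rundll32",
                    line))
            continue

        m = SERVICE_RE.match(line)
        if m and m.group("path").endswith("[?]"):
            findings.append(Finding(
                "service-file-missing",
                f"service '{m.group('name')}' points at a binary DDS could not find on disk",
                line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

A missing service binary is not malicious on its own (anti-rootkit tools leave such entries behind too); the script only orders what a human should check first.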
     
  3. Mabana

    Mabana TS Rookie Topic Starter

    Last log

    Attach log:
    ======================

waiting for some help before zipping & posting
     
  4. Broni

    Broni Malware Annihilator Posts: 47,975   +271

Welcome aboard

    Attach.txt part of DDS is missing (do NOT zip it before posting).

    When done....

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. Mabana

    Mabana TS Rookie Topic Starter

    Attach log as requested

    Any help you can offer is greatly appreciated.

    Attach log is attached.

    The log from MBRCheck is:
    ========================
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 128):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA0B8000 ohci1394.sys
    0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xBA4BC000 compbatt.sys
    0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA0D8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA330000 PartMgr.sys
    0xBA0E8000 VolSnap.sys
    0xB9F31000 atapi.sys
    0xBA338000 cercsr6.sys
    0xB9F19000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xBA0F8000 disk.sys
    0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9EF9000 fltmgr.sys
    0xB9EE7000 sr.sys
    0xB9ED0000 KSecDD.sys
    0xB9EBD000 WudfPf.sys
    0xB9E30000 Ntfs.sys
    0xB9E03000 NDIS.sys
    0xB9DE9000 Mup.sys
    0xBA340000 avgrkx86.sys
    0xBA118000 AVGIDSEH.Sys
    0xB9761000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB9147000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xB9133000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xBA3F0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB910F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA3F8000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB90E7000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB8FAC000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
    0xB9751000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
    0xB9741000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xB8F98000 \SystemRoot\system32\DRIVERS\sdbus.sys
    0xB9731000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
    0xB8F84000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
    0xB8F33000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
    0xB9721000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xBA400000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA408000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xB9711000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xB9701000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xB96F1000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB8F10000 \SystemRoot\system32\DRIVERS\ks.sys
    0xB96D9000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xB96D5000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xBA6BE000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA1F8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB96C1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB8ED5000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA208000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA218000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA428000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB8EC4000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA228000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA430000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA438000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xBA238000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA62A000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB8E66000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA54C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA248000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xBA268000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA638000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xA8C20000 \SystemRoot\system32\drivers\sthda.sys
    0xA8BFC000 \SystemRoot\system32\drivers\portcls.sys
    0xBA288000 \SystemRoot\system32\drivers\drmk.sys
    0xA8BC8000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
    0xA8AD6000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
    0xA8A23000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xBA478000 \SystemRoot\System32\Drivers\Modem.SYS
    0xBA298000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
    0xBA4B0000 \??\C:\WINDOWS\system32\SAVRKBootTasks.sys
    0xBA662000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA713000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA664000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA350000 \SystemRoot\System32\drivers\vga.sys
    0xBA666000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA668000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA370000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA378000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB9DA5000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xA89C8000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xA896F000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xA8927000 \SystemRoot\system32\DRIVERS\avgtdix.sys
    0xA8901000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xA88D9000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xA88B7000 \SystemRoot\System32\drivers\afd.sys
    0xBA2A8000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xA888C000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA87F4000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA2B8000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA87B8000 \SystemRoot\system32\DRIVERS\avgldx86.sys
    0xBA188000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xBA1C8000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xA8A03000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
    0xA8788000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xA8864000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA470000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA6EB000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF024000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
    0xBF1D8000 \SystemRoot\System32\igxpdx32.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xA7CC9000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA7A9C000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA79BF000 \SystemRoot\system32\drivers\wdmaud.sys
    0xBA2F8000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA7855000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA7845000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xA6E6A000 \SystemRoot\system32\DRIVERS\LVPr2Mon.sys
    0xA6AE9000 \SystemRoot\System32\Drivers\HTTP.sys
    0xBA278000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
    0xA7782000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
    0xA679B000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 58):
    0 System Idle Process
    4 System
    752 C:\WINDOWS\system32\smss.exe
    980 csrss.exe
    1016 C:\WINDOWS\system32\winlogon.exe
    1068 C:\WINDOWS\system32\services.exe
    1080 C:\WINDOWS\system32\lsass.exe
    1260 C:\WINDOWS\system32\svchost.exe
    1332 svchost.exe
    1484 C:\WINDOWS\system32\svchost.exe
    1664 svchost.exe
    1696 svchost.exe
    1852 C:\WINDOWS\system32\WLTRYSVC.EXE
    1952 C:\WINDOWS\system32\BCMWLTRY.EXE
    2000 C:\WINDOWS\system32\spoolsv.exe
    2012 C:\WINDOWS\explorer.exe
    156 C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    316 svchost.exe
    416 C:\Program Files\AVG\AVG10\avgwdsvc.exe
    628 C:\Program Files\Java\jre6\bin\jqs.exe
    736 C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    956 C:\Program Files\Dell\MediaDirect\PCMService.exe
    1436 C:\WINDOWS\system32\WLTRAY.EXE
    1504 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1616 C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    1640 C:\Program Files\Logitech\QuickCam\Quickcam.exe
    1764 C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    2072 C:\WINDOWS\system32\hkcmd.exe
    2080 C:\WINDOWS\system32\igfxpers.exe
    2104 C:\Program Files\Dell\QuickSet\quickset.exe
    2112 C:\WINDOWS\system32\svchost.exe
    2144 C:\WINDOWS\system32\KADxMain.exe
    2156 C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    2212 C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    2224 C:\Program Files\AVG\AVG10\avgtray.exe
    2612 C:\WINDOWS\system32\ctfmon.exe
    2632 C:\WINDOWS\system32\igfxsrvc.exe
    2656 C:\Program Files\Skype\Phone\Skype.exe
    2784 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    2820 C:\Program Files\Messenger\msmsgs.exe
    3204 C:\Program Files\Palm\Hotsync.exe
    3408 C:\Program Files\Southwest Airlines\Ding\Ding.exe
    244 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
    504 C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    2484 alg.exe
    3560 C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
    5144 C:\Program Files\AVG\AVG10\avgemcx.exe
    2976 C:\Program Files\AVG\AVG10\avgnsx.exe
    5252 C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    5352 C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    5476 C:\Program Files\AVG\AVG10\avgcsrvx.exe
    548 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    4636 C:\Program Files\Internet Explorer\iexplore.exe
    3004 C:\Program Files\Internet Explorer\iexplore.exe
    6096 C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
    7416 C:\Program Files\Internet Explorer\iexplore.exe
    7344 C:\WINDOWS\system32\svchost.exe
    6664 C:\Documents and Settings\KT\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

    PhysicalDrive0 Model Number: TOSHIBAMK1252GSX, Rev: LV011D

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     


  6. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    MBR looks good :)

    Combofix please.
     
  7. Mabana

    Mabana TS Rookie Topic Starter

    Combofix log -- Thanks for your help

    Combofix log:
    ======================
    ComboFix 10-10-12.03 - KT 10/13/2010 8:28.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1287 [GMT -6:00]
    Running from: c:\documents and settings\KT\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2011 *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\KT\Local Settings\Application Data\{406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC}
    c:\documents and settings\KT\Local Settings\Application Data\{406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC}\chrome.manifest
    c:\documents and settings\KT\Local Settings\Application Data\{406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC}\chrome\content\_cfg.js
    c:\documents and settings\KT\Local Settings\Application Data\{406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC}\chrome\content\overlay.xul
    c:\documents and settings\KT\Local Settings\Application Data\{406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC}\install.rdf
    c:\windows\epujigulukacega.dll
    c:\windows\jestertb.dll
    c:\windows\system32\drivers\1028_DELL_XPS_Vostro 1500 .MRK
    c:\windows\system32\drivers\DELL_XPS_Vostro 1500 .MRK

    Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
    .

    2010-10-13 09:22 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-10-13 05:17 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-13 05:17 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-13 05:17 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-12 18:59 . 2010-10-12 18:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-10-12 15:26 . 2010-10-12 15:26 -------- d-----w- c:\documents and settings\KT\Application Data\Malwarebytes
    2010-10-12 15:26 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-12 15:26 . 2010-10-12 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-12 15:26 . 2010-10-12 15:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-12 15:26 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-12 14:46 . 2010-05-26 16:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2010-10-12 04:10 . 2010-10-12 04:10 -------- d-----w- c:\program files\Sophos
    2010-10-11 15:37 . 2010-10-12 04:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-10-11 10:59 . 2010-10-11 10:59 -------- d-----w- c:\documents and settings\KT\windows contacts contact
    2010-10-11 08:34 . 2010-10-11 08:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2010-10-11 06:17 . 2010-10-11 06:17 -------- d-----w- C:\$AVG
    2010-10-11 06:15 . 2010-10-11 06:15 -------- d-----w- c:\documents and settings\KT\Application Data\AVG10
    2010-10-11 06:14 . 2010-10-11 06:14 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2010-10-11 06:12 . 2010-10-13 00:22 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-10-11 06:12 . 2010-10-12 15:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2010-10-11 06:11 . 2010-10-12 04:45 -------- d-----w- c:\program files\AVG
    2010-10-11 06:00 . 2010-10-11 06:12 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2010-10-11 05:49 . 2007-05-10 16:23 4952064 ----a-w- c:\windows\system32\stacgui.cpl
    2010-10-11 05:49 . 2007-05-10 16:22 405504 ----a-w- c:\windows\stsystra.exe
    2010-10-11 05:49 . 2007-04-10 23:02 1601536 ----a-w- c:\windows\system32\stlang.dll
    2010-10-11 05:48 . 2007-08-21 15:58 146944 ----a-w- c:\windows\system32\st325602.dll
    2010-10-11 05:48 . 2007-05-10 16:23 270336 ----a-w- c:\windows\system32\stacapi.dll
    2010-10-11 05:44 . 2010-10-11 05:44 -------- d-----w- c:\documents and settings\KT\Local Settings\Application Data\SupportSoft
    2010-10-11 05:43 . 2010-10-11 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
    2010-10-11 05:43 . 2010-10-11 05:43 -------- d-----w- c:\program files\Dell Support Center
    2010-10-11 05:43 . 2010-10-11 05:43 -------- d-----w- c:\program files\Common Files\supportsoft
    2010-10-11 05:41 . 2010-10-11 05:41 -------- d-----w- c:\documents and settings\KT\Application Data\Dell
    2010-10-11 05:40 . 2005-08-12 23:50 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS
    2010-10-11 05:36 . 2008-10-25 00:00 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
    2010-10-11 05:35 . 2008-10-25 00:00 416 ----a-w- c:\windows\system32\vcredist_x86.bat
    2010-10-11 05:35 . 2008-10-25 00:00 2682880 ----a-w- c:\windows\system32\vcredist_x86.exe
    2010-10-11 05:35 . 2008-10-25 00:00 143360 ----a-w- c:\windows\system32\preflib.dll
    2010-10-11 05:35 . 2008-10-25 00:00 286720 ----a-w- c:\windows\system32\bcmwlu00.exe
    2010-10-11 05:35 . 2008-10-25 00:00 65536 ----a-w- c:\windows\system32\wltrynt.dll
    2010-10-11 05:35 . 2008-10-25 00:00 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
    2010-10-11 05:35 . 2008-10-25 00:00 5029888 ----a-w- c:\windows\system32\BCMWLCPL.CPL
    2010-10-11 05:35 . 2008-10-25 00:00 2220032 ----a-w- c:\windows\system32\WLTRAY.EXE
    2010-10-11 05:35 . 2008-10-25 00:00 1961984 ----a-w- c:\windows\system32\BCMWLTRY.EXE
    2010-10-11 05:35 . 2008-10-25 00:00 24064 ----a-w- c:\windows\system32\WLTRYSVC.EXE
    2010-10-11 05:35 . 2008-10-25 00:00 143360 ----a-w- c:\windows\system32\bcmwlapi.dll
    2010-10-11 05:32 . 2006-11-21 10:25 45568 ----a-r- c:\windows\system32\drivers\bcm4sbxp.sys
    2010-10-11 05:24 . 2010-10-11 05:24 -------- d-----w- c:\windows\Downloaded Installations
    2010-10-11 05:23 . 2007-05-16 22:49 172032 ----a-w- c:\windows\system32\igfxres.dll
    2010-10-11 04:25 . 2010-10-11 04:25 -------- d-----w- c:\program files\Common Files\Java
    2010-10-11 04:24 . 2010-07-17 11:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-10-11 04:24 . 2010-07-17 11:00 423656 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-10-11 04:20 . 2010-10-11 04:21 -------- d-----w- c:\program files\Common Files\Adobe
    2010-10-11 04:08 . 2010-10-11 04:08 -------- d-----w- c:\program files\DIFX
    2010-10-11 04:08 . 2006-11-15 06:16 32256 ----a-w- c:\windows\system32\drivers\rimmptsk.sys
    2010-10-11 04:08 . 2006-11-14 23:35 37376 ----a-w- c:\windows\system32\drivers\rixdptsk.sys
    2010-10-11 04:08 . 2005-05-07 01:06 16480 ----a-w- c:\windows\system32\rixdicon.dll
    2010-10-11 04:08 . 2006-11-15 01:42 43520 ----a-w- c:\windows\system32\drivers\rimsptsk.sys
    2010-10-11 04:08 . 2004-09-03 16:00 90112 ----a-w- c:\windows\system32\snymsico.dll
    2010-10-11 04:07 . 2005-07-08 20:19 666 ----a-w- c:\windows\speed.reg
    2010-10-11 03:38 . 2010-10-11 03:38 -------- d-----w- c:\program files\SigmaTel
    2010-10-11 03:13 . 2008-10-25 00:00 2670592 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
    2010-10-11 03:13 . 2008-10-25 00:00 753664 ----a-w- c:\windows\system32\bcm1xsup.dll
    2010-09-23 00:10 . 2010-09-23 00:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-09-23 00:10 . 2010-09-23 00:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2010-09-18 18:23 . 2010-09-18 18:23 974848 -c----w- c:\windows\system32\dllcache\mfc42u.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-30 39408]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-25 2220032]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-14 16384]
    "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
    "AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2010-09-15 2745696]

    c:\documents and settings\KT\Start Menu\Programs\Startup\
    DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
    "c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 249424]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 3:49 AM 298448]
    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [10/12/2010 8:46 AM 18816]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [9/3/2010 10:35 AM 6104144]
    R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [9/10/2010 1:45 AM 265400]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42 PM 26192]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2010 5:48 PM 135664]
    S3 azt2320;Aztech 2320 Audio Driver (WDM);c:\windows\system32\drivers\aztw2320.sys [3/12/2009 3:20 PM 36992]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\43.tmp --> c:\windows\system32\43.tmp [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 23:48]

    2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 23:48]

    2010-10-13 c:\windows\Tasks\User_Feed_Synchronization-{C708AB7C-F400-459E-962D-5CBCBFA7A8D8}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
    FF - ProfilePath - c:\documents and settings\KT\Application Data\Mozilla\Firefox\Profiles\v56u77vd.default\
    FF - plugin: c:\documents and settings\KT\Application Data\Move Networks\plugins\npqmp071504000001.dll
    FF - plugin: c:\documents and settings\KT\Application Data\Move Networks\plugins\npqmp071705000014.dll
    FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    .
    ------- File Associations -------
    .
    .reg=REG_SZ
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Xnorigusud - c:\windows\epujigulukacega.dll
    AddRemove-WinRAR archiver - E:\uninstall.exe



    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\43.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1036)
    c:\windows\System32\BCMLogon.dll

    - - - - - - - > 'explorer.exe'(7500)
    c:\windows\system32\WININET.dll
    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\progra~1\AVG\AVG10\avgchsvx.exe
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\program files\AVG\AVG10\avgnsx.exe
    c:\program files\AVG\AVG10\avgemcx.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\progra~1\AVG\AVG10\avgrsx.exe
    c:\program files\AVG\AVG10\avgcsrvx.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-13 08:43:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-13 14:43

    Pre-Run: 54,741,364,736 bytes free
    Post-Run: 54,925,492,224 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 89916B5E177953F3C3711AF7B4325B17
     
  8. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Looks good :)

    How is redirection?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  9. Mabana

    Mabana TS Rookie Topic Starter

    No more misdirection -- Thanks

    Attached are the logs you requested. Thinking that this poor laptop was fully repaired, my child reinstalled MS Office 2003 and Adobe Acrobat 9.0 and updated both. Hope that didn't mess up the logs too much.
     


  10. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Good news :)

    My instructions clearly say not to make any changes to the computer until we're done!

    ==========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\43.tmp -- (MEMSWEEP2)
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643
      O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
      [31 C:\Documents and Settings\KT\Desktop\*.tmp files -> C:\Documents and Settings\KT\Desktop\*.tmp -> ]
      [3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
      [14 C:\Documents and Settings\KT\My Documents\*.tmp files -> C:\Documents and Settings\KT\My Documents\*.tmp -> ]
      @Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
      
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =====================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
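The ComboFix log in post 7 contains the three lines that the OTL fix above targets: a per-user IE ProxyServer of http=127.0.0.1:5643 (the cause of the redirection), the MEMSWEEP2 service registered against a .tmp file, and the orphaned HKLM Run value loading a DLL from c:\windows. The Python below is an added triage helper, not part of this thread or of ComboFix/OTL; it runs over a constructed excerpt that mirrors those log lines and flags the same three indicator types for review.

```python
"""Triage helper for ComboFix-style logs.

Flags three indicator types from this thread for analyst review: an IE
ProxyServer pointing at loopback, a service whose image path is a .tmp
file, and a Run entry loading a DLL dropped directly under the Windows
directory. Findings are leads, not verdicts (a loopback proxy can also be
legitimate local filtering software).
"""
import ntpath
import re
from ipaddress import ip_address

# Constructed excerpt modelled on the ComboFix output in this thread; not a real log.
SAMPLE_LOG = r"""
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 26064]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\43.tmp --> c:\windows\system32\43.tmp [?]
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
HKLM-Run-Xnorigusud - c:\windows\epujigulukacega.dll
"""

# ComboFix prefixes per-user (HKCU) settings with 'u' and machine-wide ones with 'm'.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+?)\s*$", re.I)
# R0..R3 / S0..S3 service lines: "<type> <name>;<display name>;<image path> [<date size>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.+?)(?:\s+\[[^\]]*\])?$")
# Orphan Run entries as ComboFix reports them: "HKLM-Run-<value name> - <target>"
RUN_RE = re.compile(r"^HKLM-Run-(\S+)\s+-\s+(.+?)\s*$", re.I)


def parse_proxy_server(value):
    """Split an IE ProxyServer value into {scheme: (host, port)}.

    IE accepts "host:port" (all protocols, returned under scheme "*") or a
    ';'-separated list such as "http=host:port;https=host:port".
    """
    entries = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        if ":" in hostport:
            host, _, port = hostport.rpartition(":")
        else:
            host, port = hostport, ""
        entries[(scheme or "*").lower()] = (host.strip("[]"), int(port) if port.isdigit() else None)
    return entries


def is_loopback_host(host):
    """True for 127.0.0.0/8, ::1 and 'localhost': a proxy there means the
    browser's traffic is funnelled through a process on this machine."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def suspicious_service_image(image):
    """A service binary that is a .tmp file or lives under a Temp directory."""
    low = image.lower().replace("/", "\\")
    return low.endswith(".tmp") or "\\temp\\" in low


def triage(log_text):
    """Return (category, detail) tuples for every indicator found in the log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, (host, port) in parse_proxy_server(m.group(1)).items():
                if is_loopback_host(host):
                    findings.append(("loopback_proxy", f"{scheme} traffic forced through {host}:{port}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            # ComboFix prints "\??\<path> --> <path>" for NT-style image paths; keep the plain one.
            image = m.group(3).split(" --> ")[-1]
            if image.startswith("\\??\\"):
                image = image[4:]
            if suspicious_service_image(image):
                findings.append(("tmp_service", f"{m.group(2)} -> {image}"))
            continue
        m = RUN_RE.match(line)
        if m:
            head, tail = ntpath.split(m.group(2))
            if head.lower().endswith(":\\windows") and tail.lower().endswith(".dll"):
                findings.append(("windir_dll_run", f"{m.group(1)} -> {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```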
     
  11. Mabana

    Mabana TS Rookie Topic Starter

    OTL Log:
    ==================================
    All processes killed
    ========== OTL ==========
    Service MEMSWEEP2 stopped successfully!
    Service MEMSWEEP2 deleted successfully!
    File C:\WINDOWS\System32\43.tmp not found.
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\WINDOWS\Downloaded Program Files\erma.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    C:\Documents and Settings\KT\Desktop\~WRL0001.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL0002.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL0006.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL0214.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL0579.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL0624.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL0763.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL0884.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL1203.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL1340.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL1378.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL1443.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL1508.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL1601.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL1646.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL2110.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL2361.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL2488.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL2649.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL2854.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL3094.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL3119.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL3211.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL3376.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL3460.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL3541.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL3850.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL3888.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL4030.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL4053.tmp deleted successfully.
    C:\Documents and Settings\KT\Desktop\~WRL4067.tmp deleted successfully.
    C:\WINDOWS\System32\SET9B.tmp deleted successfully.
    C:\WINDOWS\System32\SET9C.tmp deleted successfully.
    C:\WINDOWS\System32\SET9E.tmp deleted successfully.
    C:\WINDOWS\System32\dllcache\SET9F.tmp deleted successfully.
    C:\WINDOWS\System32\dllcache\SETA0.tmp deleted successfully.
    C:\Documents and Settings\KT\My Documents\~WRL0079.tmp deleted successfully.
    C:\Documents and Settings\KT\My Documents\~WRL0148.tmp deleted successfully.
    C:\Documents and Settings\KT\My Documents\~WRL0392.tmp deleted successfully.
    C:\Documents and Settings\KT\My Documents\~WRL0396.tmp deleted successfully.
    C:\Documents and Settings\KT\My Documents\~WRL0909.tmp deleted successfully.
    C:\Documents and Settings\KT\My Documents\~WRL1019.tmp deleted successfully.
    C:\Documents and Settings\KT\My Documents\~WRL1071.tmp deleted successfully.
    C:\Documents and Settings\KT\My Documents\~WRL2387.tmp deleted successfully.
    C:\Documents and Settings\KT\My Documents\~WRL2535.tmp deleted successfully.
    C:\Documents and Settings\KT\My Documents\~WRL2863.tmp deleted successfully.
    C:\Documents and Settings\KT\My Documents\~WRL2904.tmp deleted successfully.
    C:\Documents and Settings\KT\My Documents\~WRL2980.tmp deleted successfully.
    C:\Documents and Settings\KT\My Documents\~WRL3406.tmp deleted successfully.
    C:\Documents and Settings\KT\My Documents\~WRL3881.tmp deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 0 bytes

    User: KT
    ->Temp folder emptied: 436948 bytes
    ->Temporary Internet Files folder emptied: 15460644 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 1408 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 983174 bytes
    ->Java cache emptied: 13 bytes
    ->Flash cache emptied: 44379 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 4770 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 16.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: KT
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.15.2 log created on 10132010_213228

    Files\Folders moved on Reboot...
    C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\KXDBXIIR\sh24[1].html moved successfully.
    C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\KXDBXIIR\topic154781[1].html moved successfully.
    C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JT61JVRO\ads[3].htm moved successfully.
    C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JT61JVRO\iframescript[1].htm moved successfully.
    C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JT61JVRO\iframe[1].htm moved successfully.
    C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JI1Z9SP0\ads[1].htm moved successfully.
    C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JI1Z9SP0\ads[2].htm moved successfully.
    C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JI1Z9SP0\ads[3].htm moved successfully.
    File\Folder C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JI1Z9SP0\iframe[1].htm not found!
    C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JI1Z9SP0\topic151084[1].html moved successfully.
    C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\2RK71I1P\ads[2].htm moved successfully.
    C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\2RK71I1P\topic2520[1].htm moved successfully.
    C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
    C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.

    Registry entries deleted on Reboot...
     
     
  12. Mabana

    Mabana TS Rookie Topic Starter

    Security Check report:
    =============================
    Results of screen317's Security Check version 0.99.5
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    AVG 2011
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 21
    Adobe Flash Player
    Mozilla Firefox (3.6.3) Firefox Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVG avgwdsvc.exe
    AVG avgtray.exe
    AVG avgrsx.exe
    AVG avgnsx.exe
    AVG avgemc.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````
     
  13. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Update Firefox.
     
  14. Mabana

    Mabana TS Rookie Topic Starter

    I ran Temp File Cleaner, updated Firefox and scanned with ESET. The results are below:
    ====================================
    C:\Qoobox\Quarantine\C\WINDOWS\epujigulukacega.dll.vir a variant of Win32/Cimag.DP trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir Win32/Olmarik.ZC trojan
    C:\System Volume Information\_restore{27880307-957D-4BDB-BB27-5980823C4C67}\RP358\A0063381.dll a variant of Win32/Cimag.CW trojan
    C:\System Volume Information\_restore{27880307-957D-4BDB-BB27-5980823C4C67}\RP360\A0066307.dll a variant of Win32/Cimag.DP trojan
     
  15. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    The above files will be removed in our next, last step.

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web Of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
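
    Why the helper can call the machine clean while ESET still lists four hits: two of the paths are inside ComboFix's quarantine folder (C:\Qoobox) and two are inside old System Restore snapshots (System Volume Information\_restore...\RPnnn), so none of them is a file the running system will load. The OTL [CLEARALLRESTOREPOINTS] command wipes the restore-point copies and the tool cleanup removes the quarantine. The script below is an added example and is not part of this thread or of OTL, ESET or ComboFix: it parses ESET Online Scanner export lines of the form quoted above and groups each hit by what will actually remove it, so a live-system hit is not mistaken for stale leftovers. The first four sample lines are the ones posted in the thread; the fifth is a constructed, hypothetical path that does not appear in the thread and exists only to exercise the "live" class.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the four ESET lines quoted in this thread plus one
# hypothetical live-system hit (made-up path) so every triage class appears.
SAMPLE_ESET_LOG = r"""
C:\Qoobox\Quarantine\C\WINDOWS\epujigulukacega.dll.vir a variant of Win32/Cimag.DP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{27880307-957D-4BDB-BB27-5980823C4C67}\RP358\A0063381.dll a variant of Win32/Cimag.CW trojan
C:\System Volume Information\_restore{27880307-957D-4BDB-BB27-5980823C4C67}\RP360\A0066307.dll a variant of Win32/Cimag.DP trojan
C:\WINDOWS\system32\hypothetical_example.dll a variant of Win32/Cimag.DP trojan
"""

# An export line is "<path> <detection name>". Paths may contain spaces
# ("System Volume Information"), so the split point is the first whitespace
# followed by an ESET-style family name ("Win32/..."), optionally prefixed by
# "a variant of" or "probably a variant of". Windows paths use backslashes,
# so the forward slash is what distinguishes the family name from the path.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:(?:probably )?a variant of )?[A-Za-z0-9.-]+/\S+.*)$"
)
# Pulls the restore point id (RP358, RP360, ...) out of a System Restore path.
RESTORE_POINT_RE = re.compile(r"\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.IGNORECASE)


@dataclass
class Detection:
    path: str
    threat: str
    category: str                      # "quarantine", "restore_point" or "live"
    restore_point: Optional[str] = None


def classify(path: str) -> str:
    """Map a detection path to what will actually remove it."""
    lower = path.lower()
    if lower.startswith(r"c:\qoobox\quarantine"):
        # ComboFix quarantine: already neutralised, goes away with the tool cleanup.
        return "quarantine"
    if r"\system volume information\_restore" in lower:
        # Old System Restore snapshot: only cleared by wiping restore points.
        return "restore_point"
    # Anything else is still on the live file system and needs action.
    return "live"


def parse_eset_log(text: str) -> List[Detection]:
    """Parse ESET Online Scanner 'List of found threats' export lines."""
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        path, threat = m.group("path"), m.group("threat").strip()
        rp = RESTORE_POINT_RE.search(path)
        detections.append(Detection(path, threat, classify(path), rp.group(1) if rp else None))
    return detections


def triage(text: str) -> Dict[str, object]:
    """Group detections by remediation class and summarise what they touch."""
    dets = parse_eset_log(text)
    groups: Dict[str, List[Detection]] = {"quarantine": [], "restore_point": [], "live": []}
    for d in dets:
        groups[d.category].append(d)
    return {
        "counts": {k: len(v) for k, v in groups.items()},
        # Restore points that still hold malware copies; [CLEARALLRESTOREPOINTS] removes them all.
        "restore_points": sorted({d.restore_point for d in groups["restore_point"]}),
        # Paths that need real remediation rather than cleanup of leftovers.
        "live_paths": [d.path for d in groups["live"]],
        # Family name between the platform prefix and the variant suffix, e.g. Win32/Cimag.DP -> Cimag.
        "families": sorted({d.threat.split("/")[1].split(".")[0] for d in dets}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ESET_LOG).items():
        print(f"{key}: {value}")
```

    Feeding the script a real ESETScan.txt produces the same split: an empty "live_paths" list with everything in "quarantine" or "restore_point" matches the helper's verdict that the system itself is clean, while any path outside those two locations is the one to look at before declaring the job done.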
     
  16. Mabana

    Mabana TS Rookie Topic Starter

    Thanks for all your help.
     
  17. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    You're very welcome

    Good luck and stay safe :)
     