Solved Browser hijacked, some sites blocked & annoying popups


Mabana

Malware Log:
==========================
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4801

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/12/2010 10:16:59 AM
mbam-log-2010-10-12 (10-16-59).txt

Scan type: Quick scan
Objects scanned: 133621
Time elapsed: 7 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER log:
==============================
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-12 11:15:16
Windows 5.1.2600 Service Pack 3
Running: j4uzzdbp.exe; Driver: C:\DOCUME~1\KT\LOCALS~1\Temp\uxtdqpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA741B6C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA741B770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA741B810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA741B8B0]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\explorer.exe[4776] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FE000A
.text C:\WINDOWS\explorer.exe[4776] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FF000A
.text C:\WINDOWS\explorer.exe[4776] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FD000C
.text C:\WINDOWS\System32\svchost.exe[4864] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[4864] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DD000A
.text C:\WINDOWS\System32\svchost.exe[4864] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DB000C
.text C:\WINDOWS\System32\svchost.exe[4864] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E1000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1640] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01E82F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1640] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01E82CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1640] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01E82D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1640] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01E82CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[2208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [02A92F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[2208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [02A92CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[2208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [02A92D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[2208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [02A92CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Messenger\msmsgs.exe[2524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [012C2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Messenger\msmsgs.exe[2524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [012C2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Messenger\msmsgs.exe[2524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [012C2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Messenger\msmsgs.exe[2524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [012C2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009F2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009F2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009F2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009F2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\KT\Desktop\8-steps\Step 4\j4uzzdbp.exe[6116] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\KT\Desktop\8-steps\Step 4\j4uzzdbp.exe[6116] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\KT\Desktop\8-steps\Step 4\j4uzzdbp.exe[6116] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\KT\Desktop\8-steps\Step 4\j4uzzdbp.exe[6116] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat A5385D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- EOF - GMER 1.0.15 ----
 
Another log

DDS log:
=======================

DDS (Ver_10-10-10.03) - NTFSx86
Run by KT at 11:37:46.51 on Tue 10/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1433 [GMT -6:00]

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\KT\Desktop\8-steps\Step 5\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Xnorigusud] rundll32.exe "c:\windows\epujigulukacega.dll",Startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\docume~1\kt\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kt\applic~1\mozilla\firefox\profiles\v56u77vd.default\
FF - plugin: c:\documents and settings\kt\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\kt\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC} - c:\documents and settings\kt\local settings\application data\{406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-10-12 18816]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-9-10 265400]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-9-3 6104144]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S3 azt2320;Aztech 2320 Audio Driver (WDM);c:\windows\system32\drivers\aztw2320.sys [2009-3-12 36992]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\43.tmp --> c:\windows\system32\43.tmp [?]

=============== Created Last 30 ================

2010-10-12 15:26:23 -------- d-----w- c:\docume~1\kt\applic~1\Malwarebytes
2010-10-12 15:26:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-12 15:26:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-12 15:26:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-12 15:26:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-12 14:46:19 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-10-12 13:55:28 -------- d-----w- c:\docume~1\kt\locals~1\applic~1\{406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC}
2010-10-12 04:10:52 -------- d-----w- c:\program files\Sophos
2010-10-11 10:59:32 -------- d-----w- c:\documents and settings\kt\windows contacts contact
2010-10-11 06:17:12 -------- d--h--w- C:\$AVG
2010-10-11 06:15:59 -------- d-----w- c:\docume~1\kt\applic~1\AVG10
2010-10-11 06:14:34 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-10-11 06:12:44 -------- d-----w- c:\windows\system32\drivers\AVG
2010-10-11 06:12:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-10-11 06:11:52 -------- d-----w- c:\program files\AVG
2010-10-11 06:00:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-10-11 05:49:38 4952064 ----a-w- c:\windows\system32\stacgui.cpl
2010-10-11 05:49:38 405504 ----a-w- c:\windows\stsystra.exe
2010-10-11 05:49:38 1601536 ----a-w- c:\windows\system32\stlang.dll
2010-10-11 05:48:41 270336 ----a-w- c:\windows\system32\stacapi.dll
2010-10-11 05:48:41 146944 ----a-w- c:\windows\system32\st325602.dll
2010-10-11 05:44:18 -------- d-----w- c:\docume~1\kt\locals~1\applic~1\SupportSoft
2010-10-11 05:43:16 -------- d-----w- c:\program files\Dell Support Center
2010-10-11 05:43:16 -------- d-----w- c:\program files\common files\supportsoft
2010-10-11 05:41:38 -------- d-----w- c:\docume~1\kt\applic~1\Dell
2010-10-11 05:40:58 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS
2010-10-11 05:36:00 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
2010-10-11 05:35:59 416 ----a-w- c:\windows\system32\vcredist_x86.bat
2010-10-11 05:35:58 2682880 ----a-w- c:\windows\system32\vcredist_x86.exe
2010-10-11 05:35:57 143360 ----a-w- c:\windows\system32\preflib.dll
2010-10-11 05:35:56 286720 ----a-w- c:\windows\system32\bcmwlu00.exe
2010-10-11 05:35:55 65536 ----a-w- c:\windows\system32\wltrynt.dll
2010-10-11 05:35:54 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
2010-10-11 05:35:53 5029888 ----a-w- c:\windows\system32\BCMWLCPL.CPL
2010-10-11 05:35:52 2220032 ----a-w- c:\windows\system32\WLTRAY.EXE
2010-10-11 05:35:52 1961984 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2010-10-11 05:35:50 24064 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2010-10-11 05:35:49 143360 ----a-w- c:\windows\system32\bcmwlapi.dll
2010-10-11 05:32:12 45568 ----a-r- c:\windows\system32\drivers\bcm4sbxp.sys
2010-10-11 05:24:58 -------- d-----w- c:\windows\Downloaded Installations
2010-10-11 05:23:09 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-10-11 04:24:34 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-11 04:24:34 423656 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-11 04:08:16 32256 ----a-w- c:\windows\system32\drivers\rimmptsk.sys
2010-10-11 04:08:15 37376 ----a-w- c:\windows\system32\drivers\rixdptsk.sys
2010-10-11 04:08:15 16480 ----a-w- c:\windows\system32\rixdicon.dll
2010-10-11 04:08:14 90112 ----a-w- c:\windows\system32\snymsico.dll
2010-10-11 04:08:14 43520 ----a-w- c:\windows\system32\drivers\rimsptsk.sys
2010-10-11 04:07:50 666 ----a-w- c:\windows\speed.reg
2010-10-11 03:38:44 -------- d-----w- c:\program files\SigmaTel
2010-10-11 03:13:59 2670592 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
2010-10-11 03:13:58 753664 ----a-w- c:\windows\system32\bcm1xsup.dll
2010-09-23 00:10:52 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-09-23 00:10:52 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2010-09-13 22:27:24 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys

==================== Find3M ====================

2010-10-12 13:55:30 0 ----a-w- c:\windows\Kmewifigoc.bin
2010-07-17 08:42:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-09-05 01:01:10 525656 ----a-w- c:\program files\DXSETUP.exe
2009-09-05 01:01:08 94024 ----a-w- c:\program files\DSETUP.dll
2009-09-05 01:01:08 1691464 ----a-w- c:\program files\dsetup32.dll

============= FINISH: 11:39:35.25 ===============
 
Welcome aboard


Attach.txt part of DDS is missing (do NOT zip it before posting).

When done....

Download MBRCheck to your desktop

Double-click MBRCheck.exe to run it (Vista and Windows 7 users: right-click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop.
Open this report and post its content in your next reply.

======================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If ComboFix asks you to install Recovery Console, please allow it.
    NOTE 2. If ComboFix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, restart your computer to restore your connection.
  4. Double-click on combofix.exe and follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

Make sure you re-enable your security programs when you're done with ComboFix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Attach log as requested

Any help you can offer is greatly appreciated.

Attach log is attached.

The log from MBRCheck is:
========================
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 128):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9F31000 atapi.sys
0xBA338000 cercsr6.sys
0xB9F19000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EF9000 fltmgr.sys
0xB9EE7000 sr.sys
0xB9ED0000 KSecDD.sys
0xB9EBD000 WudfPf.sys
0xB9E30000 Ntfs.sys
0xB9E03000 NDIS.sys
0xB9DE9000 Mup.sys
0xBA340000 avgrkx86.sys
0xBA118000 AVGIDSEH.Sys
0xB9761000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9147000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB9133000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA3F0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB910F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3F8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB90E7000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB8FAC000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xB9751000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xB9741000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB8F98000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xB9731000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xB8F84000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xB8F33000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xB9721000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA400000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA408000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB9711000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB9701000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB96F1000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8F10000 \SystemRoot\system32\DRIVERS\ks.sys
0xB96D9000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB96D5000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBA6BE000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB96C1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8ED5000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA208000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA218000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA428000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8EC4000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA228000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA430000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA438000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA238000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA62A000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8E66000 \SystemRoot\system32\DRIVERS\update.sys
0xBA54C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA248000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA268000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA638000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA8C20000 \SystemRoot\system32\drivers\sthda.sys
0xA8BFC000 \SystemRoot\system32\drivers\portcls.sys
0xBA288000 \SystemRoot\system32\drivers\drmk.sys
0xA8BC8000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xA8AD6000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xA8A23000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xBA478000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA298000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
0xBA4B0000 \??\C:\WINDOWS\system32\SAVRKBootTasks.sys
0xBA662000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA713000 \SystemRoot\System32\Drivers\Null.SYS
0xBA664000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA350000 \SystemRoot\System32\drivers\vga.sys
0xBA666000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA668000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA370000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA378000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9DA5000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA89C8000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA896F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA8927000 \SystemRoot\system32\DRIVERS\avgtdix.sys
0xA8901000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA88D9000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA88B7000 \SystemRoot\System32\drivers\afd.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA888C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA87F4000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA2B8000 \SystemRoot\System32\Drivers\Fips.SYS
0xA87B8000 \SystemRoot\system32\DRIVERS\avgldx86.sys
0xBA188000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA8A03000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xA8788000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA8864000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA470000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6EB000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
0xBF1D8000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA7CC9000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA7A9C000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA79BF000 \SystemRoot\system32\drivers\wdmaud.sys
0xBA2F8000 \SystemRoot\system32\drivers\sysaudio.sys
0xA7855000 \SystemRoot\system32\DRIVERS\srv.sys
0xA7845000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA6E6A000 \SystemRoot\system32\DRIVERS\LVPr2Mon.sys
0xA6AE9000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA278000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
0xA7782000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
0xA679B000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 58):
0 System Idle Process
4 System
752 C:\WINDOWS\system32\smss.exe
980 csrss.exe
1016 C:\WINDOWS\system32\winlogon.exe
1068 C:\WINDOWS\system32\services.exe
1080 C:\WINDOWS\system32\lsass.exe
1260 C:\WINDOWS\system32\svchost.exe
1332 svchost.exe
1484 C:\WINDOWS\system32\svchost.exe
1664 svchost.exe
1696 svchost.exe
1852 C:\WINDOWS\system32\WLTRYSVC.EXE
1952 C:\WINDOWS\system32\BCMWLTRY.EXE
2000 C:\WINDOWS\system32\spoolsv.exe
2012 C:\WINDOWS\explorer.exe
156 C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
316 svchost.exe
416 C:\Program Files\AVG\AVG10\avgwdsvc.exe
628 C:\Program Files\Java\jre6\bin\jqs.exe
736 C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
956 C:\Program Files\Dell\MediaDirect\PCMService.exe
1436 C:\WINDOWS\system32\WLTRAY.EXE
1504 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1616 C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
1640 C:\Program Files\Logitech\QuickCam\Quickcam.exe
1764 C:\Program Files\Dell Support Center\bin\sprtsvc.exe
2072 C:\WINDOWS\system32\hkcmd.exe
2080 C:\WINDOWS\system32\igfxpers.exe
2104 C:\Program Files\Dell\QuickSet\quickset.exe
2112 C:\WINDOWS\system32\svchost.exe
2144 C:\WINDOWS\system32\KADxMain.exe
2156 C:\Program Files\Dell Support Center\bin\sprtcmd.exe
2212 C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
2224 C:\Program Files\AVG\AVG10\avgtray.exe
2612 C:\WINDOWS\system32\ctfmon.exe
2632 C:\WINDOWS\system32\igfxsrvc.exe
2656 C:\Program Files\Skype\Phone\Skype.exe
2784 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2820 C:\Program Files\Messenger\msmsgs.exe
3204 C:\Program Files\Palm\Hotsync.exe
3408 C:\Program Files\Southwest Airlines\Ding\Ding.exe
244 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
504 C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
2484 alg.exe
3560 C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
5144 C:\Program Files\AVG\AVG10\avgemcx.exe
2976 C:\Program Files\AVG\AVG10\avgnsx.exe
5252 C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
5352 C:\PROGRA~1\AVG\AVG10\avgrsx.exe
5476 C:\Program Files\AVG\AVG10\avgcsrvx.exe
548 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
4636 C:\Program Files\Internet Explorer\iexplore.exe
3004 C:\Program Files\Internet Explorer\iexplore.exe
6096 C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
7416 C:\Program Files\Internet Explorer\iexplore.exe
7344 C:\WINDOWS\system32\svchost.exe
6664 C:\Documents and Settings\KT\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK1252GSX, Rev: LV011D

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
 

Attachments

  • Attach.txt (8.6 KB)
Combofix log -- Thanks for your help

Combofix log:
======================
ComboFix 10-10-12.03 - KT 10/13/2010 8:28.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1287 [GMT -6:00]
Running from: c:\documents and settings\KT\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\KT\Local Settings\Application Data\{406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC}
c:\documents and settings\KT\Local Settings\Application Data\{406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC}\chrome.manifest
c:\documents and settings\KT\Local Settings\Application Data\{406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC}\chrome\content\_cfg.js
c:\documents and settings\KT\Local Settings\Application Data\{406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC}\chrome\content\overlay.xul
c:\documents and settings\KT\Local Settings\Application Data\{406F1E2E-AB2D-4AC3-9D30-1F64C25A64EC}\install.rdf
c:\windows\epujigulukacega.dll
c:\windows\jestertb.dll
c:\windows\system32\drivers\1028_DELL_XPS_Vostro 1500 .MRK
c:\windows\system32\drivers\DELL_XPS_Vostro 1500 .MRK

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
.

2010-10-13 09:22 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-13 05:17 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 05:17 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 05:17 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-12 18:59 . 2010-10-12 18:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-12 15:26 . 2010-10-12 15:26 -------- d-----w- c:\documents and settings\KT\Application Data\Malwarebytes
2010-10-12 15:26 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-12 15:26 . 2010-10-12 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-12 15:26 . 2010-10-12 15:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-12 15:26 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-12 14:46 . 2010-05-26 16:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-10-12 04:10 . 2010-10-12 04:10 -------- d-----w- c:\program files\Sophos
2010-10-11 15:37 . 2010-10-12 04:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-10-11 10:59 . 2010-10-11 10:59 -------- d-----w- c:\documents and settings\KT\windows contacts contact
2010-10-11 08:34 . 2010-10-11 08:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-10-11 06:17 . 2010-10-11 06:17 -------- d-----w- C:\$AVG
2010-10-11 06:15 . 2010-10-11 06:15 -------- d-----w- c:\documents and settings\KT\Application Data\AVG10
2010-10-11 06:14 . 2010-10-11 06:14 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-11 06:12 . 2010-10-13 00:22 -------- d-----w- c:\windows\system32\drivers\AVG
2010-10-11 06:12 . 2010-10-12 15:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-10-11 06:11 . 2010-10-12 04:45 -------- d-----w- c:\program files\AVG
2010-10-11 06:00 . 2010-10-11 06:12 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-11 05:49 . 2007-05-10 16:23 4952064 ----a-w- c:\windows\system32\stacgui.cpl
2010-10-11 05:49 . 2007-05-10 16:22 405504 ----a-w- c:\windows\stsystra.exe
2010-10-11 05:49 . 2007-04-10 23:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2010-10-11 05:48 . 2007-08-21 15:58 146944 ----a-w- c:\windows\system32\st325602.dll
2010-10-11 05:48 . 2007-05-10 16:23 270336 ----a-w- c:\windows\system32\stacapi.dll
2010-10-11 05:44 . 2010-10-11 05:44 -------- d-----w- c:\documents and settings\KT\Local Settings\Application Data\SupportSoft
2010-10-11 05:43 . 2010-10-11 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2010-10-11 05:43 . 2010-10-11 05:43 -------- d-----w- c:\program files\Dell Support Center
2010-10-11 05:43 . 2010-10-11 05:43 -------- d-----w- c:\program files\Common Files\supportsoft
2010-10-11 05:41 . 2010-10-11 05:41 -------- d-----w- c:\documents and settings\KT\Application Data\Dell
2010-10-11 05:40 . 2005-08-12 23:50 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS
2010-10-11 05:36 . 2008-10-25 00:00 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
2010-10-11 05:35 . 2008-10-25 00:00 416 ----a-w- c:\windows\system32\vcredist_x86.bat
2010-10-11 05:35 . 2008-10-25 00:00 2682880 ----a-w- c:\windows\system32\vcredist_x86.exe
2010-10-11 05:35 . 2008-10-25 00:00 143360 ----a-w- c:\windows\system32\preflib.dll
2010-10-11 05:35 . 2008-10-25 00:00 286720 ----a-w- c:\windows\system32\bcmwlu00.exe
2010-10-11 05:35 . 2008-10-25 00:00 65536 ----a-w- c:\windows\system32\wltrynt.dll
2010-10-11 05:35 . 2008-10-25 00:00 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
2010-10-11 05:35 . 2008-10-25 00:00 5029888 ----a-w- c:\windows\system32\BCMWLCPL.CPL
2010-10-11 05:35 . 2008-10-25 00:00 2220032 ----a-w- c:\windows\system32\WLTRAY.EXE
2010-10-11 05:35 . 2008-10-25 00:00 1961984 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2010-10-11 05:35 . 2008-10-25 00:00 24064 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2010-10-11 05:35 . 2008-10-25 00:00 143360 ----a-w- c:\windows\system32\bcmwlapi.dll
2010-10-11 05:32 . 2006-11-21 10:25 45568 ----a-r- c:\windows\system32\drivers\bcm4sbxp.sys
2010-10-11 05:24 . 2010-10-11 05:24 -------- d-----w- c:\windows\Downloaded Installations
2010-10-11 05:23 . 2007-05-16 22:49 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-10-11 04:25 . 2010-10-11 04:25 -------- d-----w- c:\program files\Common Files\Java
2010-10-11 04:24 . 2010-07-17 11:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-11 04:24 . 2010-07-17 11:00 423656 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-11 04:20 . 2010-10-11 04:21 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-11 04:08 . 2010-10-11 04:08 -------- d-----w- c:\program files\DIFX
2010-10-11 04:08 . 2006-11-15 06:16 32256 ----a-w- c:\windows\system32\drivers\rimmptsk.sys
2010-10-11 04:08 . 2006-11-14 23:35 37376 ----a-w- c:\windows\system32\drivers\rixdptsk.sys
2010-10-11 04:08 . 2005-05-07 01:06 16480 ----a-w- c:\windows\system32\rixdicon.dll
2010-10-11 04:08 . 2006-11-15 01:42 43520 ----a-w- c:\windows\system32\drivers\rimsptsk.sys
2010-10-11 04:08 . 2004-09-03 16:00 90112 ----a-w- c:\windows\system32\snymsico.dll
2010-10-11 04:07 . 2005-07-08 20:19 666 ----a-w- c:\windows\speed.reg
2010-10-11 03:38 . 2010-10-11 03:38 -------- d-----w- c:\program files\SigmaTel
2010-10-11 03:13 . 2008-10-25 00:00 2670592 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
2010-10-11 03:13 . 2008-10-25 00:00 753664 ----a-w- c:\windows\system32\bcm1xsup.dll
2010-09-23 00:10 . 2010-09-23 00:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-23 00:10 . 2010-09-23 00:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2010-09-18 18:23 . 2010-09-18 18:23 974848 -c----w- c:\windows\system32\dllcache\mfc42u.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-30 39408]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-25 2220032]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-14 16384]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2010-09-15 2745696]

c:\documents and settings\KT\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 249424]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 3:49 AM 298448]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [10/12/2010 8:46 AM 18816]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [9/3/2010 10:35 AM 6104144]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [9/10/2010 1:45 AM 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42 PM 26192]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2010 5:48 PM 135664]
S3 azt2320;Aztech 2320 Audio Driver (WDM);c:\windows\system32\drivers\aztw2320.sys [3/12/2009 3:20 PM 36992]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\43.tmp --> c:\windows\system32\43.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 23:48]

2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 23:48]

2010-10-13 c:\windows\Tasks\User_Feed_Synchronization-{C708AB7C-F400-459E-962D-5CBCBFA7A8D8}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\documents and settings\KT\Application Data\Mozilla\Firefox\Profiles\v56u77vd.default\
FF - plugin: c:\documents and settings\KT\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\KT\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
.reg=REG_SZ
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Xnorigusud - c:\windows\epujigulukacega.dll
AddRemove-WinRAR archiver - E:\uninstall.exe



[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\43.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1036)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(7500)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG10\avgchsvx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\AVG\AVG10\avgnsx.exe
c:\program files\AVG\AVG10\avgemcx.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\progra~1\AVG\AVG10\avgrsx.exe
c:\program files\AVG\AVG10\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2010-10-13 08:43:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-13 14:43

Pre-Run: 54,741,364,736 bytes free
Post-Run: 54,925,492,224 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 89916B5E177953F3C3711AF7B4325B17
 
Looks good :)

How is redirection?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
No more misdirection -- Thanks

Attached are the logs you requested. Thinking that this poor laptop was fully repaired, my child reinstalled MS Office 2003 and Adobe Acrobat 9.0 and updated both. Hope that didn't mess up the logs too much.
 

Attachments

  • OTL.Txt (159.8 KB)
  • Extras.Txt (36.3 KB)
Good news :)

My instructions clearly say not to make any changes to the computer until we're done!

==========================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\43.tmp -- (MEMSWEEP2)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643
    O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    [31 C:\Documents and Settings\KT\Desktop\*.tmp files -> C:\Documents and Settings\KT\Desktop\*.tmp -> ]
    [3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
    [14 C:\Documents and Settings\KT\My Documents\*.tmp files -> C:\Documents and Settings\KT\My Documents\*.tmp -> ]
    @Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
    
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

=====================================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart the computer.


3. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE: If ESET doesn't find any threats, it won't produce a log.
 
OTL Log:
==================================
All processes killed
========== OTL ==========
Service MEMSWEEP2 stopped successfully!
Service MEMSWEEP2 deleted successfully!
File C:\WINDOWS\System32\43.tmp not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
C:\Documents and Settings\KT\Desktop\~WRL0001.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL0002.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL0006.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL0214.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL0579.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL0624.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL0763.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL0884.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL1203.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL1340.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL1378.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL1443.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL1508.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL1601.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL1646.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL2110.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL2361.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL2488.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL2649.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL2854.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL3094.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL3119.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL3211.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL3376.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL3460.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL3541.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL3850.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL3888.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL4030.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL4053.tmp deleted successfully.
C:\Documents and Settings\KT\Desktop\~WRL4067.tmp deleted successfully.
C:\WINDOWS\System32\SET9B.tmp deleted successfully.
C:\WINDOWS\System32\SET9C.tmp deleted successfully.
C:\WINDOWS\System32\SET9E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET9F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA0.tmp deleted successfully.
C:\Documents and Settings\KT\My Documents\~WRL0079.tmp deleted successfully.
C:\Documents and Settings\KT\My Documents\~WRL0148.tmp deleted successfully.
C:\Documents and Settings\KT\My Documents\~WRL0392.tmp deleted successfully.
C:\Documents and Settings\KT\My Documents\~WRL0396.tmp deleted successfully.
C:\Documents and Settings\KT\My Documents\~WRL0909.tmp deleted successfully.
C:\Documents and Settings\KT\My Documents\~WRL1019.tmp deleted successfully.
C:\Documents and Settings\KT\My Documents\~WRL1071.tmp deleted successfully.
C:\Documents and Settings\KT\My Documents\~WRL2387.tmp deleted successfully.
C:\Documents and Settings\KT\My Documents\~WRL2535.tmp deleted successfully.
C:\Documents and Settings\KT\My Documents\~WRL2863.tmp deleted successfully.
C:\Documents and Settings\KT\My Documents\~WRL2904.tmp deleted successfully.
C:\Documents and Settings\KT\My Documents\~WRL2980.tmp deleted successfully.
C:\Documents and Settings\KT\My Documents\~WRL3406.tmp deleted successfully.
C:\Documents and Settings\KT\My Documents\~WRL3881.tmp deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: KT
->Temp folder emptied: 436948 bytes
->Temporary Internet Files folder emptied: 15460644 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 1408 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 983174 bytes
->Java cache emptied: 13 bytes
->Flash cache emptied: 44379 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 4770 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 16.00 mb


[EMPTYFLASH]

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: KT
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.15.2 log created on 10132010_213228

Files\Folders moved on Reboot...
C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\KXDBXIIR\sh24[1].html moved successfully.
C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\KXDBXIIR\topic154781[1].html moved successfully.
C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JT61JVRO\ads[3].htm moved successfully.
C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JT61JVRO\iframescript[1].htm moved successfully.
C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JT61JVRO\iframe[1].htm moved successfully.
C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JI1Z9SP0\ads[1].htm moved successfully.
C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JI1Z9SP0\ads[2].htm moved successfully.
C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JI1Z9SP0\ads[3].htm moved successfully.
File\Folder C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JI1Z9SP0\iframe[1].htm not found!
C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\JI1Z9SP0\topic151084[1].html moved successfully.
C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\2RK71I1P\ads[2].htm moved successfully.
C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\Content.IE5\2RK71I1P\topic2520[1].htm moved successfully.
C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\KT\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.

Registry entries deleted on Reboot...
 
Security Check report:
=============================
Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG 2011
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 21
Adobe Flash Player
Mozilla Firefox (3.6.3) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
 
I ran Temp File Cleaner, updated Firefox and scanned with ESET. The results are below:
====================================
C:\Qoobox\Quarantine\C\WINDOWS\epujigulukacega.dll.vir a variant of Win32/Cimag.DP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{27880307-957D-4BDB-BB27-5980823C4C67}\RP358\A0063381.dll a variant of Win32/Cimag.CW trojan
C:\System Volume Information\_restore{27880307-957D-4BDB-BB27-5980823C4C67}\RP360\A0066307.dll a variant of Win32/Cimag.DP trojan
 
The above files will be removed in our next, and last, step.

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a free security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

12. Please let me know how your computer is doing.
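The "Your computer is clean" verdict above rests on where the four ESET hits live: two are in C:\Qoobox\Quarantine (the folder ComboFix uses for files it has already quarantined, hence the .vir extension) and two are inside System Volume Information\_restore{...}\RPnnn, i.e. old System Restore snapshots. None is a live file, which is why the last step clears restore points instead of disinfecting anything. The script below, added here as an illustration and not part of either poster's reply or of any ESET or OTL tooling, parses the four result lines copied from this thread and classifies each hit by location. It assumes the path and detection name are separated by whitespace, as they appear in the post (ESET's own exports may use a tab instead).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The four ESET result lines copied from this thread (real log lines, not constructed).
ESET_RESULTS = r"""
C:\Qoobox\Quarantine\C\WINDOWS\epujigulukacega.dll.vir a variant of Win32/Cimag.DP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{27880307-957D-4BDB-BB27-5980823C4C67}\RP358\A0063381.dll a variant of Win32/Cimag.CW trojan
C:\System Volume Information\_restore{27880307-957D-4BDB-BB27-5980823C4C67}\RP360\A0066307.dll a variant of Win32/Cimag.DP trojan
"""

# Assumption: path and detection are separated by whitespace. Paths may themselves
# contain spaces ("System Volume Information"), so the path is matched lazily up to
# the first whitespace that is followed by a detection name, which is either
# "a variant of <Platform>/<Family>..." or starts directly with "<Platform>/<Family>".
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<detection>(?:a variant of )?[A-Za-z0-9]+/\S+.*)$"
)
# System Restore snapshot: \System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.IGNORECASE
)
# ComboFix stores quarantined files under C:\Qoobox\Quarantine with a .vir suffix.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


@dataclass
class Detection:
    path: str
    name: str
    location: str                      # "quarantine", "restore_point" or "live"
    restore_point: Optional[str] = None  # e.g. "RP358" when location == "restore_point"


def classify(path: str) -> Tuple[str, Optional[str]]:
    """Decide whether a detected path is already neutralised or still live."""
    if path.lower().startswith(QUARANTINE_PREFIX):
        return "quarantine", None
    m = RESTORE_RE.search(path)
    if m:
        return "restore_point", m.group(1)
    return "live", None


def parse_eset_results(text: str) -> List[Detection]:
    detections = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ESET result line: {line!r}")
        location, rp = classify(m["path"])
        detections.append(Detection(m["path"], m["detection"].strip(), location, rp))
    return detections


def live_detections(detections: List[Detection]) -> List[Detection]:
    """Hits outside quarantine and restore points: these would need real cleanup."""
    return [d for d in detections if d.location == "live"]


def families(detections: List[Detection]) -> Set[str]:
    """Collapse 'a variant of Win32/Cimag.DP trojan' to the family 'Win32/Cimag'."""
    out = set()
    for d in detections:
        tok = re.search(r"([A-Za-z0-9]+/[A-Za-z0-9]+)", d.name)
        if tok:
            out.add(tok.group(1))
    return out


def verdict(detections: List[Detection]) -> str:
    live = live_detections(detections)
    if live:
        return "live infection: " + ", ".join(d.path for d in live)
    rps = sorted({d.restore_point for d in detections if d.restore_point})
    return "clean: all hits are in quarantine or restore points " + ", ".join(rps)


if __name__ == "__main__":
    dets = parse_eset_results(ESET_RESULTS)
    for d in dets:
        print(f"{d.location:14} {d.restore_point or '-':6} {d.name:40} {d.path}")
    print(verdict(dets))
    print("families seen:", sorted(families(dets)))
```

The same split applies to any scanner that reports hits inside _restore{...}: a detection there means the snapshot still carries the old file, so the fix is to purge restore points (as the [CLEARALLRESTOREPOINTS] step does) and create a fresh one, not to treat the machine as currently infected.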
 