TechSpot

'Google redirect' problem again

Solved
By mummyal
Aug 31, 2010
  1. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, hopefully we're in. Did you do the Regedit first?

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
    • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • [3]. Open Notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\lvuvc.hs
    c:\windows\system32\drivers\logiflt.iad
    c:\windows\system32\?å
    c:\windows\system32\WININET.dll
    
    Folder::
    C:\32788R22FWJFW.4.tmp
    C:\32788R22FWJFW.3.tmp
    C:\32788R22FWJFW.2.tmp
    C:\32788R22FWJFW.1.tmp
    DDS::
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TCP: NameServer = 93.188.162.74,93.188.161.7
    TCP: {5A3A49FE-DBD7-4740-A224-FE86CC9B687E} = 93.188.162.74,93.188.161.7
    TCP: {F64DFC4F-12A2-4986-A7FE-1F63AB3935D6} = 93.188.162.74,93.188.161.7
    
    Registry::
    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into your next reply.
    =================================
    Now see if you can run F-SdBot

    Download F-SdBot and save to your desktop.
    • Unpack the F-SdBot utility from the provided ZIP archive
    • Run the unpacked F-SdBot.exe either of the following ways:
      [o] Double-click on F-SdBot from Windows Explorer.
      [o] Or you can start it from a command prompt: Click on Start> Run> type in F-SdBot> Enter.

    Action:
    • First the F-SdBot utility will kill SdBot backdoor's processes in memory.
    • Then the utility will remove Registry entries created by the backdoor.
    • Finally the utility will scan all hard drives for infected files and delete them.
    • Reboot the computer.
    ==============================
    Now see if ComboFix will run in Normal Mode. If it will, I'll check for remaining entries and move them.

    Note: You should also delete all files and subfolders in the folders below, except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Ella\Local Settings\Temp

    The avz log mentions that the Telnet Service is allowed to run. It is potentially dangerous and I recommend that you disable it: TlntSvr (Telnet)
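Added example, not from the thread or from the ComboFix/DDS tools themselves: a small Python check over the DDS-style `TCP:` lines quoted in the script above. It flags any configured resolver that is neither private nor on an assumed allowlist (`EXPECTED_RESOLVERS` and the sample log lines are constructed), and lists the log lines a helper would review under a CFScript `DDS::` heading.

```python
import ipaddress
import re

# Constructed sample, modelled on the "TCP:" lines quoted in the CFScript
# above; the last line is an invented interface with a normal LAN resolver.
# This is not a real log capture.
SAMPLE_LOG = """\
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TCP: NameServer = 93.188.162.74,93.188.161.7
TCP: {5A3A49FE-DBD7-4740-A224-FE86CC9B687E} = 93.188.162.74,93.188.161.7
TCP: {F64DFC4F-12A2-4986-A7FE-1F63AB3935D6} = 93.188.162.74,93.188.161.7
TCP: {0B1C2D3E-0000-4000-8000-000000000001} = 192.168.0.1
"""

# Assumed allowlist: the resolvers the owner actually expects (router/ISP).
# Anything else on an interface is treated as a possible DNS hijack, which
# is how a "Google redirect" shows up in a DDS/ComboFix log.
EXPECTED_RESOLVERS = {"192.168.0.1"}

# Matches the global "TCP: NameServer = a,b" line and the per-interface
# "TCP: {GUID} = a,b" lines that DDS and ComboFix print.
_TCP_LINE = re.compile(
    r"^TCP:\s+(?P<scope>NameServer|\{[0-9A-Fa-f-]{36}\})\s*=\s*"
    r"(?P<servers>[\d.,\s]+)$"
)


def parse_nameservers(log_text):
    """Return {scope: [ipv4, ...]} for every TCP: line in the log."""
    result = {}
    for raw in log_text.splitlines():
        m = _TCP_LINE.match(raw.strip())
        if not m:
            continue
        servers = []
        for token in m.group("servers").split(","):
            token = token.strip()
            try:
                servers.append(str(ipaddress.IPv4Address(token)))
            except ipaddress.AddressValueError:
                continue  # malformed or empty token: skip, don't crash
        result[m.group("scope")] = servers
    return result


def find_suspicious_resolvers(log_text, expected=EXPECTED_RESOLVERS):
    """(scope, ip) pairs for resolvers that are neither allowlisted nor
    private/loopback addresses."""
    findings = []
    for scope, servers in parse_nameservers(log_text).items():
        for ip in servers:
            addr = ipaddress.IPv4Address(ip)
            if ip in expected or addr.is_private or addr.is_loopback:
                continue
            findings.append((scope, ip))
    return findings


def rogue_resolver_set(log_text, expected=EXPECTED_RESOLVERS):
    """Distinct suspicious resolver IPs, sorted for stable reporting."""
    return sorted({ip for _, ip in find_suspicious_resolvers(log_text, expected)})


def flagged_log_lines(log_text, expected=EXPECTED_RESOLVERS):
    """The original TCP: lines that carry a suspicious resolver. These are
    the lines a helper would list under the DDS:: heading of a CFScript,
    as in the script above."""
    bad_scopes = {s for s, _ in find_suspicious_resolvers(log_text, expected)}
    lines = []
    for raw in log_text.splitlines():
        m = _TCP_LINE.match(raw.strip())
        if m and m.group("scope") in bad_scopes:
            lines.append(raw.strip())
    return lines


if __name__ == "__main__":
    for scope, ip in find_suspicious_resolvers(SAMPLE_LOG):
        print(f"suspicious resolver {ip} on {scope}")
    print("DDS:: lines to review:")
    for line in flagged_log_lines(SAMPLE_LOG):
        print("  " + line)
```

The same check can be run on the live box by reading the `NameServer` values under each interface key in the Tcpip registry parameters, which is where these DDS lines come from.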
  2. mummyal

    mummyal TS Rookie Topic Starter Posts: 93

    No, I didn't do Regedit. Wasn't sure whether I should still do it seeing as I couldn't carry out the search for I5Eexplore.exe, so I didn't.

    Should I still carry on with the Custom CFScript even though I didn't do Regedit? Does it matter if my ComboFix has been renamed as alice?

    How do I disable Telnet Service?
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Go ahead with the script. Hold on the Regedit, then follow with F-SdBot.

    For Telnet:
    Start> Run> type in services.msc> OK> double click on Telnet or TlntSvr> Change Startup type to Disabled> Stop the Service.
  4. mummyal

    mummyal TS Rookie Topic Starter Posts: 93

    I've opened the zip file. There's the f-sdbot.exe folder on there (in the WinRAR window) - do I just double-click on it or do I have to extract the file and save it elsewhere? Not quite sure what you mean when you say 'run the unpacked F-SdBot'. Sorry, I'm not very good with Zip files.

    On another note - I've done a search elsewhere relating to the quarantined/removed files mentioned in my post #21 and from what I understand, they're related to ComboFix. They popped up again (telling me it's a threat etc.) just now when I tried to run ComboFix in normal mode. Shall I just allow it next time?

    Attached is the next ComboFix log after running CFScript.

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Unpacked = extracted = unzipped = open the folder with the files.

    Click to open the file and you should get a prompt: 'Do you want to extract all files?' Say Yes. Then double-click on the F-SdBot.exe file to run.

    Edit: I checked the ComboFix log after the script. We moved a lot of entries out. Are you noticing any difference in the system now?
  6. mummyal

    mummyal TS Rookie Topic Starter Posts: 93

    I've run F-SdBot, then tried to run ComboFix in normal mode. This time, it got as far as 'preparing to run'. Then it just stopped running lol. Left it for about 15 mins but nothing happened after that. Even the PC was silent. Do you need me to run it again in Safe Mode?

    On a better note, Google doesn't redirect me anymore and it takes me to where it's meant to go :) And the sound is back!
  7. mummyal

    mummyal TS Rookie Topic Starter Posts: 93

    It worked!

    Decided to try and run ComboFix again in normal mode today and lo and behold, it worked fine today. No hang-ups. It even updated (couldn't update/connect to the internet when in safe mode before).

    Here's the latest log.


    ComboFix 10-09-07.03 - Compaq_Administrator 08/09/2010 17:03:17.7.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1309 [GMT 1:00]
    Running from: c:\documents and settings\Compaq_Administrator\Desktop\alice.exe
    AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .

    ((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))
    .

    2010-09-08 15:56 . 2010-09-08 15:57 -------- d-----w- C:\alice1726a
    2010-09-07 22:13 . 2010-09-07 22:52 -------- d-----w- C:\alice24893a
    2010-09-07 18:17 . 2010-09-07 18:30 -------- d-----w- C:\alice30290a
    2010-09-07 18:13 . 2010-09-07 18:15 -------- d-----w- C:\alice7446a
    2010-09-06 22:01 . 2010-09-06 22:15 -------- d-----w- C:\alice
    2010-09-03 08:46 . 2010-09-03 08:46 -------- d-----w- c:\program files\ESET
    2010-09-01 20:18 . 2010-09-01 20:18 -------- d-----w- c:\program files\Trend Micro
    2010-09-01 07:02 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-01 07:02 . 2010-09-02 21:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-01 07:02 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-31 19:47 . 2010-08-31 19:47 503808 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13cb64ad-n\msvcp71.dll
    2010-08-31 19:47 . 2010-08-31 19:47 499712 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13cb64ad-n\jmc.dll
    2010-08-31 19:47 . 2010-08-31 19:47 348160 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13cb64ad-n\msvcr71.dll
    2010-08-31 19:47 . 2010-08-31 19:47 61440 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4395f031-n\decora-sse.dll
    2010-08-31 19:47 . 2010-08-31 19:47 12800 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4395f031-n\decora-d3d.dll
    2010-08-31 19:47 . 2010-08-31 19:47 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-08-31 19:47 . 2010-08-31 19:47 -------- d-----w- c:\program files\Java

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-08 07:38 . 2009-02-01 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-09-04 17:14 . 2010-04-27 22:47 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Skype
    2010-09-04 17:14 . 2009-08-25 20:11 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\skypePM
    2010-08-31 19:47 . 2006-09-08 01:19 -------- d-----w- c:\program files\Common Files\Java
    2010-07-15 22:48 . 2010-07-15 22:48 143120 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-07-15 16:45 . 2010-07-15 16:43 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\GARMIN
    2010-07-07 08:13 . 2006-11-21 20:26 61448 ----a-w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-06-30 12:31 . 2004-08-09 21:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:15 . 2004-08-09 21:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 12:15 . 2009-07-10 22:14 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-06-24 12:15 . 2004-08-09 21:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-06-23 13:44 . 2004-08-09 21:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-22 11:15 . 2010-05-06 12:55 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-06-22 11:15 . 2010-06-22 11:15 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-06-22 11:15 . 2010-05-06 12:55 25168 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
    2010-06-22 11:15 . 2010-05-06 12:55 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-06-21 15:27 . 2004-08-09 21:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2004-08-09 21:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2004-08-09 21:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-14 07:41 . 2004-08-09 21:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2006-12-19 10:50 . 2006-12-19 10:50 22 -csha-w- c:\windows\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-09-07_18.29.50 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-09-08 06:44 . 2010-09-08 06:44 16384 c:\windows\temp\Perflib_Perfdata_e4c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "ftutil2"="ftutil2.dll" [2004-06-07 106496]
    "RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-20 7622656]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-06-22 11:15 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
    2008-12-20 06:50 2656528 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [06/05/2010 13:55 25168]
    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [06/05/2010 13:55 52872]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [06/05/2010 13:55 216400]
    R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [06/05/2010 13:55 243024]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 08:56 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 08:56 74480]
    R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [22/06/2010 12:15 308136]
    R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [22/06/2010 12:15 2331032]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [28/10/2008 16:42 156968]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [06/05/2010 13:54 30104]
    R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [06/05/2010 13:55 122448]
    R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [06/05/2010 13:55 30288]
    R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [06/05/2010 13:55 26192]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/12/2009 22:51 135664]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [06/05/2010 13:54 30104]
    S3 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [22/06/2010 12:15 5897808]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 08:56 7408]
    .
    Contents of the 'Scheduled Tasks' folder

    2007-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 14:21]

    2010-09-08 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-01 17:57]

    2010-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 21:50]

    2010-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 21:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.virginmedia.com/
    mStart Page = hxxp://www.google.com
    uSearchAssistant = hxxp://www.google.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    DPF: {3D0D2821-8011-4B1F-BE9C-27B8E74CFBEF} - hxxp://downloads.virginmedia.com/CST/ver1/VM_ActX_2.cab
    DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
    DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://www.playfirst.com/play/game/dinerdash/DinerDash.1.0.0.93.cab
    DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-08 17:07
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4064)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-09-08 17:09:03
    ComboFix-quarantined-files.txt 2010-09-08 16:09
    ComboFix2.txt 2010-09-07 18:30
    ComboFix3.txt 2010-09-06 22:08

    Pre-Run: 194,608,472,064 bytes free
    Post-Run: 194,738,765,824 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    - - End Of File - - 0B561CE3F60D381F3D198DD02EDEFF85
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Looks good to me! I just want to be sure of what's included in this Directory, so run the script once more:

    CFScript:

    • [1]. Close any open browsers.
    • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • [3]. Open Notepad and copy/paste the text in the code below into it:
    Code:
    File::
    DirLook::
    C:\alice
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
  9. mummyal

    mummyal TS Rookie Topic Starter Posts: 93

    Forgot to mention - it was either yesterday or the day before yesterday (before I was able to run ComboFix etc.) - AVG detected something called Win32/Patched.DX. Not sure whether that is of any relevance or not.


    Latest log:


    ComboFix 10-09-07.03 - Compaq_Administrator 08/09/2010 19:25:09.8.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1504 [GMT 1:00]
    Running from: c:\documents and settings\Compaq_Administrator\Desktop\alice.exe
    Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt
    AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .

    ((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))
    .

    2010-09-08 15:56 . 2010-09-08 15:57 -------- d-----w- C:\alice1726a
    2010-09-07 22:13 . 2010-09-07 22:52 -------- d-----w- C:\alice24893a
    2010-09-07 18:17 . 2010-09-07 18:30 -------- d-----w- C:\alice30290a
    2010-09-07 18:13 . 2010-09-07 18:15 -------- d-----w- C:\alice7446a
    2010-09-06 22:01 . 2010-09-06 22:15 -------- d-----w- C:\alice
    2010-09-03 08:46 . 2010-09-03 08:46 -------- d-----w- c:\program files\ESET
    2010-09-01 20:18 . 2010-09-01 20:18 -------- d-----w- c:\program files\Trend Micro
    2010-09-01 07:02 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-01 07:02 . 2010-09-02 21:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-01 07:02 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-31 19:47 . 2010-08-31 19:47 503808 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13cb64ad-n\msvcp71.dll
    2010-08-31 19:47 . 2010-08-31 19:47 499712 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13cb64ad-n\jmc.dll
    2010-08-31 19:47 . 2010-08-31 19:47 348160 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13cb64ad-n\msvcr71.dll
    2010-08-31 19:47 . 2010-08-31 19:47 61440 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4395f031-n\decora-sse.dll
    2010-08-31 19:47 . 2010-08-31 19:47 12800 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4395f031-n\decora-d3d.dll
    2010-08-31 19:47 . 2010-08-31 19:47 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-08-31 19:47 . 2010-08-31 19:47 -------- d-----w- c:\program files\Java

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-08 07:38 . 2009-02-01 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-09-04 17:14 . 2010-04-27 22:47 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Skype
    2010-09-04 17:14 . 2009-08-25 20:11 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\skypePM
    2010-08-31 19:47 . 2006-09-08 01:19 -------- d-----w- c:\program files\Common Files\Java
    2010-07-15 22:48 . 2010-07-15 22:48 143120 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-07-15 16:45 . 2010-07-15 16:43 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\GARMIN
    2010-07-07 08:13 . 2006-11-21 20:26 61448 ----a-w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-06-30 12:31 . 2004-08-09 21:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:15 . 2004-08-09 21:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 12:15 . 2009-07-10 22:14 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-06-24 12:15 . 2004-08-09 21:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-06-23 13:44 . 2004-08-09 21:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-22 11:15 . 2010-05-06 12:55 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-06-22 11:15 . 2010-06-22 11:15 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-06-22 11:15 . 2010-05-06 12:55 25168 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
    2010-06-22 11:15 . 2010-05-06 12:55 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-06-21 15:27 . 2004-08-09 21:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2004-08-09 21:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2004-08-09 21:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-14 07:41 . 2004-08-09 21:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2006-12-19 10:50 . 2006-12-19 10:50 22 -csha-w- c:\windows\SMINST\HPCD.sys
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of C:\alice ----

    2010-09-06 22:07 . 2010-09-06 22:07 533 ----a-w- c:\alice\mbr.txt
    2010-09-06 22:01 . 2010-09-06 22:01 389120 ----a-r- c:\alice\CF9485.cfxxe
    2010-09-06 22:01 . 2009-10-25 05:11 77312 ----a-r- c:\alice\mbr.cfxxe


    ((((((((((((((((((((((((((((( SnapShot@2010-09-07_18.29.50 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-09-08 18:15 . 2010-09-08 18:15 16384 c:\windows\temp\Perflib_Perfdata_9f4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "ftutil2"="ftutil2.dll" [2004-06-07 106496]
    "RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-20 7622656]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-06-22 11:15 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
    2008-12-20 06:50 2656528 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [06/05/2010 13:55 25168]
    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [06/05/2010 13:55 52872]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [06/05/2010 13:55 216400]
    R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [06/05/2010 13:55 243024]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 08:56 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 08:56 74480]
    R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [22/06/2010 12:15 308136]
    R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [22/06/2010 12:15 2331032]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [28/10/2008 16:42 156968]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [06/05/2010 13:54 30104]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/12/2009 22:51 135664]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [06/05/2010 13:54 30104]
    S3 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [22/06/2010 12:15 5897808]
    S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [06/05/2010 13:55 122448]
    S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [06/05/2010 13:55 30288]
    S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [06/05/2010 13:55 26192]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 08:56 7408]
    .
    Contents of the 'Scheduled Tasks' folder

    2007-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 14:21]

    2010-09-08 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-01 17:57]

    2010-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 21:50]

    2010-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 21:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.virginmedia.com/
    mStart Page = hxxp://www.google.com
    uSearchAssistant = hxxp://www.google.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    DPF: {3D0D2821-8011-4B1F-BE9C-27B8E74CFBEF} - hxxp://downloads.virginmedia.com/CST/ver1/VM_ActX_2.cab
    DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
    DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://www.playfirst.com/play/game/dinerdash/DinerDash.1.0.0.93.cab
    DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-08 19:29
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(988)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-09-08 19:30:37
    ComboFix-quarantined-files.txt 2010-09-08 18:30
    ComboFix2.txt 2010-09-08 16:09
    ComboFix3.txt 2010-09-07 18:30
    ComboFix4.txt 2010-09-06 22:08

    Pre-Run: 194,692,345,856 bytes free
    Post-Run: 194,718,879,744 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    - - End Of File - - BE2BC8DCB9F33C57B4001253E9E88AB6
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Yes, Win32/Patched.DX is something to remove. Let's see if Eset can pick it up: You should already have it on the system, so run a scan again. I'm checking Combofix now.

    Edit: Combofix looks okay. Are you having any unresolved problems except for the patched file?
  11. mummyal

    mummyal TS Rookie Topic Starter Posts: 93

    The pc seems to be working fine (as far as I'm aware anyway).

    Here's the ESET log. I think today's scan has been saved in the existing log file that was there previously. Anyway, I've pasted the entire log in here but I guess it's the 2nd half that you need.


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.17080 (vista_gdr.100616-0452)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=53848ace982d1f40bf5e518ec9e446f3
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-09-03 09:36:12
    # local_time=2010-09-03 10:36:12 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 131473 131473 0 0
    # compatibility_mode=1031 16777173 100 93 2005 10353273 0 0
    # compatibility_mode=8192 67108863 100 0 167 167 0 0
    # scanned=115509
    # found=0
    # cleaned=0
    # scan_time=2796
    # version=7
    # iexplore.exe=7.00.6000.17080 (vista_gdr.100616-0452)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=53848ace982d1f40bf5e518ec9e446f3
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-09-10 06:44:46
    # local_time=2010-09-10 07:44:46 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 769584 769584 0 0
    # compatibility_mode=1031 16777189 100 93 1427 10991384 0 0
    # compatibility_mode=8192 67108863 100 0 638278 638278 0 0
    # scanned=117100
    # found=0
    # cleaned=0
    # scan_time=2399
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, the Eset log is clean. It would appear that AVG dealt with the file. Please run a new HJT scan to make sure no bad entries remain.
  13. mummyal

    mummyal TS Rookie Topic Starter Posts: 93

    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:11:41, on 11/09/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17080)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\AVG\AVG9\avgfws9.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://p.playfirst.com/play/game/cookingdash/CookingDashWeb.1.0.0.9.cab
    O16 - DPF: {3D0D2821-8011-4B1F-BE9C-27B8E74CFBEF} (VM_ActX_2 Control) - http://downloads.virginmedia.com/CST/ver1/VM_ActX_2.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://uk.mcafee.com/Apps/WSC/en-gb/WscWlanScannerCtrl.cab
    O16 - DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} (Bonusprint Image Uploader Version 4.5 Control) - http://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader4.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
    O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://www.playfirst.com/play/game/dinerdash/DinerDash.1.0.0.93.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} (VM_1.VM_Control) - http://downloads.virginmedia.com/CST/ver1/xp_mail.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
    O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 11070 bytes
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Looks good Alice. If we have resolved the malware problems, let's clean up:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin
    ====================================================
    I have probably given you this when we cleaned the other systems, but it still applies:
    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one): Both of the following programs are free and known to be good:
        [o]Avira Free
        [o]Avast Home
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        [o]Comodo
        [o]Zone Alarm
      • Antispyware: I recommend all of the following:
        [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
        [o]IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
        [o]MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
        [o]Google Toolbar: Get the free google toolbar to help stop pop up windows.
    3. Stay current on updates:
      [o]Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates.
      [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      [o]Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
    6. Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
    7. Disable and Enable System Restore:
      [o]See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    8. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Let me know if you have any more questions.
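The hosts-file tip in the post above (an MVPS-style HOSTS file that maps known ad sites to 127.0.0.1) can be checked rather than taken on trust, and the same file is a classic place for malware to pin update or security-vendor domains to an address of its choosing. The following Python script is an added example, not code from this thread or from the MVPS project: it parses a hosts file, keeps legitimate loopback/null-route block entries apart from entries that send a name to a remote address, and flags any entry at all for a domain that updates or security tooling depend on. The sample hosts text, the `.test` domain names and the `SENSITIVE_DOMAINS` list are constructed for the example and are not authoritative.

```python
"""Audit a Windows hosts file: block entries versus hijacked entries.

Added example (not from the thread or the MVPS project). A blocklist
HOSTS file maps ad/tracking sites to 127.0.0.1 or 0.0.0.0 so the machine
never reaches them. Malware uses the same file the other way round: it
maps update or security-vendor domains to loopback (so nothing can
update) or to a remote address it controls (so traffic is redirected).
This script keeps the two cases apart.
"""
import ipaddress

# Constructed sample hosts file: the default localhost lines, two
# MVPS-style block entries, and three entries of the kind a hijack adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0    ads.example-adserver.test        # MVPS-style block entry
127.0.0.1  tracker.example-metrics.test     # MVPS-style block entry
127.0.0.1  www.example-av-update.test       # hijack: update site sinkholed
198.51.100.7  www.google.com                # hijack: search site redirected
203.0.113.9   www.example-shop.test         # redirect to a remote address
"""

# Domains a blocklist has no business touching (illustrative list, not
# authoritative): any hosts entry for one of these is a hijack indicator.
SENSITIVE_DOMAINS = {
    "www.google.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "www.example-av-update.test",   # constructed stand-in for an AV update host
}

# Targets that make an entry a sinkhole rather than a redirect.
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and too-short lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]     # one address, one or more names
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def classify(ip, name):
    """Label one entry: default, block, hijack, redirect or malformed."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if name in SENSITIVE_DOMAINS:
        return "hijack"          # a protected domain should never be pinned here
    if ip not in LOOPBACK_OR_NULL:
        return "redirect"        # points a name at some other machine
    if name == "localhost":
        return "default"
    return "block"               # sinkholed to loopback/null: blocklist behaviour


def audit_hosts(text):
    """Group every entry of a hosts file by its classification."""
    report = {k: [] for k in ("default", "block", "hijack", "redirect", "malformed")}
    for ip, name in parse_hosts(text):
        report[classify(ip, name)].append((ip, name))
    return report


if __name__ == "__main__":
    # On a live XP machine the real file is
    # C:\WINDOWS\system32\drivers\etc\hosts; read it and pass the text in.
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        for ip, name in entries:
            print(f"{kind:9} {ip:15} {name}")
```

Anything in the `hijack` or `redirect` groups deserves a look before trusting the machine's network path: a blocklist only ever points names at loopback or the null address, so a remote target, or any entry for an update domain, is not blocklist behaviour.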
  15. mummyal

    mummyal TS Rookie Topic Starter Posts: 93

    I've uninstalled Combofix and reset System Restore Point. Have also installed TFC and Spywareblaster. For Spywareblaster, I have basically enabled protection for everything - ActiveX, Cookies and Restricted Sites. Is that right?

    Can I also just remove MBAM and Super Anti Spyware which is still on my machine?

    Thank you SO SO much for your help once again. Will probably be popping on here again in a few months' time lol ;)
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sounds good! Use TFC when you do the maintenance- usually about once a week. I have Spywareblaster and just let it do its thing- didn't change anything. You can uninstall Mbam and SAS in Add/Remove Programs in the Control Panel. Then go to Windows Explorer> My Computer> Local Drive> Programs and delete their program folders.

    You're very welcome- glad to help. Keep Barbie out of trouble!:)