TechSpot

Had Trojan in cdrom.sys, think I fixed, hoping for confirmation

By oBx7935qq
Apr 13, 2012
  1. My computer would not recognize either of my cd/dvd drives. AVG detected trojan horse.anvh in cdrom.sys but said it was whitelisted and would not remove. I ran mbam and restarted as directed. Then I reinstalled drivers for the drives and they seem to work. I was not sure if I was totally clean, so I found this website and ran the five-step instructions on this website. I am posting logs below, hoping to know if I am clean now, or if there are still problems. Thanks very very much!

    ----------------------------------------------------------

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 912041309

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    4/13/2012 9:14:55 PM
    mbam-log-2012-04-13 (21-14-55).txt

    Scan type: Quick scan
    Objects scanned: 228453
    Time elapsed: 10 minute(s), 43 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ---------------------------------------------------

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-04-13 21:32:23
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 ST3808110AS rev.3.ADH
    Running: o3kq705z.exe; Driver: C:\DOCUME~1\Eric\LOCALS~1\Temp\pxtdapow.sys


    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- EOF - GMER 1.0.15 ----


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
    Run by Eric at 21:36:26 on 2012-04-13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1146 [GMT -4:00]
    .
    AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
    C:\ADVANC~1\wh_exec.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Intel\IntelAppStore\bin\serviceManager.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\NETGEAR\WG111T\wlan111t.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\AVG\AVG2012\avgrsx.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
    mDefault_Page_URL = hxxp://www.dell.com
    mDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [InstallIQUpdater] "c:\program files\w3i\installiqupdater\InstallIQUpdater.exe" /silent /autorun
    uRun: [ImpulseFastStart] "c:\program files\stardock\impulse\Impulse.exe" /fastload
    uRun: [Google Update] "c:\documents and settings\eric\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
    mRun: [WheelMouse] c:\advanc~1\wh_exec.exe
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
    mRun: [Intel AppUp(SM) center] "c:\program files\intel\intelappstore\bin\serviceManager.lnk"
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    dRun: [avbhhfRgwD.exe] c:\documents and settings\all users\application data\avbhhfRgwD.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hp\digital imaging\bin\hpobnz08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hp\digital imaging\bin\hpotdd01.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    Trusted Zone: musicmatch.com\online
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    TCP: Interfaces\{BA86A414-C8E6-4471-86EF-F75F9D24A6A6} : DhcpNameServer = 75.75.75.75 75.75.76.76
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\eric\application data\mozilla\firefox\profiles\y0rsaved.new\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4e5a8ec6&i=23&tp=ab&nt=1&q=
    FF - plugin: c:\documents and settings\eric\application data\move networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\documents and settings\eric\application data\move networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\documents and settings\eric\application data\move networks\plugins\npqmp071705000014.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-27 331880]
    R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-2-8 341656]
    R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-2-8 660992]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2012-1-2 54328]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2012-1-2 574424]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
    R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-7-27 253096]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
    R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-10-4 185968]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-10-4 177776]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-9 24652]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
    R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-1-27 17149]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-31 105592]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110917.007\naveng.sys [2011-9-18 86136]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110917.007\navex15.sys [2011-9-18 1576312]
    R3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\drivers\whfltr2k.sys [2007-1-25 6784]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-5 136176]
    S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-10-4 83568]
    S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-5 136176]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-16 22216]
    S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-7-27 70536]
    S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-2-16 402336]
    S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-2-16 1117624]
    S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-11-15 1756912]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2012-1-2 35264]
    S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-6-9 280344]
    .
    =============== Created Last 30 ================
    .
    2012-04-14 01:18:52 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2012-04-14 01:18:52 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys
    2012-03-25 15:46:35 -------- d-----w- c:\documents and settings\all users\application data\Battle.net
    2012-03-25 13:53:29 -------- d-----w- c:\program files\Diablo-III-8370-enUS-Installer
    2012-03-24 13:56:28 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
    2012-03-24 13:56:27 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
    2012-03-19 00:57:26 -------- d--h--w- C:\$AVG
    2012-03-18 23:45:48 -------- d-----w- c:\documents and settings\eric\application data\AVG
    2012-03-18 23:22:32 -------- d-----w- c:\documents and settings\eric\application data\AVG2012
    2012-03-18 23:17:29 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
    .
    ==================== Find3M ====================
    .
    2012-03-22 12:07:41 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2012-03-22 12:07:38 88 --sh--r- c:\windows\system32\433FEA9A36.sys
    2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-28 18:50:30 667136 ----a-w- c:\windows\system32\wininet.dll
    2012-02-28 18:50:30 61952 ----a-w- c:\windows\system32\tdc.ocx
    2012-02-28 18:50:29 81920 ----a-w- c:\windows\system32\ieencode.dll
    2012-02-28 13:50:54 369664 ----a-w- c:\windows\system32\html.iec
    2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
    2000-10-27 16:54:00 266330 ----a-r- c:\program files\ESCARPMENT.dll
    .
    ============= FINISH: 21:38:57.06 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 6/6/2006 5:35:04 PM
    System Uptime: 4/13/2012 8:58:51 PM (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0HJ054
    Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Microprocessor | 2992/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 70 GiB total, 6.32 GiB free.
    D: is CDROM (UDF)
    E: is CDROM (UDF)
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0001
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0001
    Service: CVirtA
    .
    ==== System Restore Points ===================
    .
    RP30: 1/15/2012 1:30:46 PM - System Checkpoint
    RP31: 1/15/2012 2:57:30 PM - Restore Operation
    RP32: 1/15/2012 3:11:13 PM - Software Distribution Service 3.0
    RP33: 1/15/2012 9:04:27 PM - Software Distribution Service 3.0
    RP34: 1/17/2012 6:13:33 PM - Software Distribution Service 3.0
    RP35: 1/17/2012 9:20:01 PM - Software Distribution Service 3.0
    RP36: 1/18/2012 7:39:47 PM - Software Distribution Service 3.0
    RP37: 1/22/2012 9:23:16 AM - System Checkpoint
    RP38: 2/19/2012 10:22:22 AM - System Checkpoint
    RP39: 2/19/2012 11:37:05 AM - Software Distribution Service 3.0
    RP40: 2/24/2012 6:25:27 PM - System Checkpoint
    RP41: 3/6/2012 8:53:24 PM - System Checkpoint
    RP42: 3/9/2012 7:19:27 AM - System Checkpoint
    RP43: 3/12/2012 9:22:47 PM - System Checkpoint
    RP44: 3/14/2012 6:53:02 PM - System Checkpoint
    RP45: 3/14/2012 9:10:06 PM - Software Distribution Service 3.0
    RP46: 3/18/2012 10:03:15 AM - System Checkpoint
    RP47: 3/18/2012 7:16:38 PM - Installed AVG 2012
    RP48: 3/18/2012 7:17:09 PM - Installed AVG 2012
    RP49: 3/19/2012 9:26:35 PM - System Checkpoint
    RP50: 3/20/2012 10:06:58 PM - System Checkpoint
    RP51: 3/22/2012 6:41:43 AM - Removed TurboTax 2008 wpaiper
    RP52: 3/22/2012 6:41:54 AM - Removed AnswerWorks 5.0 English Runtime
    RP53: 3/22/2012 6:42:03 AM - Removed TurboTax 2008 WinPerUserEducation
    RP54: 3/22/2012 6:42:37 AM - Removed TurboTax 2008 WinPerProgramHelp
    RP55: 3/22/2012 6:43:25 AM - Removed TurboTax 2008 WinPerTaxSupport
    RP56: 3/22/2012 6:44:05 AM - Removed TurboTax 2008 WinPerFedFormset
    RP57: 3/22/2012 6:45:26 AM - Removed TurboTax 2008 WinPerReleaseEngine
    RP58: 3/22/2012 6:47:01 AM - Removed TurboTax 2008 wrapper
    RP59: 3/22/2012 8:04:23 AM - Removed SSH Secure Shell
    RP60: 3/23/2012 9:35:19 PM - System Checkpoint
    RP61: 3/25/2012 10:36:01 AM - System Checkpoint
    RP62: 3/27/2012 6:41:05 PM - System Checkpoint
    RP63: 3/29/2012 9:27:55 AM - System Checkpoint
    RP64: 4/12/2012 11:54:55 PM - System Checkpoint
    RP65: 4/13/2012 3:00:43 AM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Creative Suite 2
    Adobe Flash Player 10 ActiveX
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Reader 7.1.0
    Adobe Shockwave Player 11.5
    Adobe Stock Photos 1.0
    Advanced Wheel Mouse 6.0.0.000
    AiO_Scan_CDA
    AnswerWorks 4.0 Runtime - English
    AOLIcon
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI Catalyst Install Manager
    ATI Catalyst Registration
    ATI Control Panel
    ATI Parental Control & Encoder
    AVG 2012
    AVG PC Tuneup
    Belkin 54g USB Network Adapter
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    ccc-core-static
    ccc-utility
    CCC Help English
    Citrix Presentation Server Client - Web Only
    Conexant D850 56K V.9x DFVc Modem
    Corel Photo Album 6
    DeepBurner Pro v1.8.0.225
    Dell CinePlayer
    Dell Digital Jukebox Driver
    Dell Driver Reset Tool
    Dell Support Center (Support Software)
    Dell System Restore
    DellSupport
    Digital Content Portal
    Digital Line Detect
    Documentation & Support Launcher
    DVDFab 8.0.7.3 (29/01/2011)
    EducateU
    ELIcon
    FileZilla Client 3.2.2.1
    Free MP3 Recorder 1.0
    Games, Music, & Photos Launcher
    GameSpy Arcade
    GameSpy Comrade
    Google Chrome
    Google Desktop
    Google Toolbar for Internet Explorer
    Google Update Helper
    GTK+ 2.10.13 runtime environment
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Memories Disc
    HP Photo and Imaging 2.0 - All-in-One
    HP Photo and Imaging 2.0 - All-in-One Drivers
    HP Photo and Imaging 2.0 - hp psc 2100 series
    HP Photosmart, Officejet and Deskjet 7.0.A
    hp psc 2100 series
    Impulse
    InfraRecorder
    InstallIQ Updater
    Intel AppUp(SM) center
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet for Wired Connections
    Internet Service Offers Launcher
    ISO Recorder
    iTunes
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 16
    Learn2 Player (Uninstall Only)
    LiveUpdate 2.6 (Symantec Corporation)
    Macromedia Shockwave Player
    Magic ISO Maker v5.3 (build 0216)
    MathType 6
    MCU
    Microsoft .NET Framework 1.0 Hotfix (KB2656378)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB2656370)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft IntelliType Pro 5.3
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.1
    Microsoft Office File Validation Add-In
    Microsoft Office Professional Edition 2003
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C Runtime
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Xbox 360 Accessories 1.1
    mIRC
    Modem Helper
    Move Media Player
    Mozilla Firefox 11.0 (x86 en-US)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML4 Parser
    Musicmatch® Jukebox
    NETGEAR WG111T 108Mbps Wireless USB2.0 Adapter
    NetWaiting
    Panasonic DVC USB Driver
    PFConfig 1.0.127
    PFPortChecker 1.0.32
    Portal 2
    PunkBuster Services
    Python 2.7.1
    QFolder
    QuickTime
    RealPlayer
    Roxio DLA
    Roxio MyDVD LE
    Roxio RecordNow Audio
    Roxio RecordNow Copy
    Roxio RecordNow Data
    Scan
    Search Assist
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2675157)
    Skype™ 3.2
    SmartFTP Client
    SmartFTP Client 3.0 Setup Files (remove only)
    Sonic Activation Module
    Sonic Encoders
    Sonic Update Manager
    Spyware Doctor with AntiVirus 8.0
    Steam
    Suite Specific
    SUPERAntiSpyware
    Symantec AntiVirus
    TeamSpeak 2 RC2
    The GIMP 2.2.17
    The Lord of the Rings FREE Trial
    TurboTax Deluxe 2007
    TurboTax Deluxe Deduction Maximizer 2006
    TurboTax ItsDeductible 2006
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    URGE
    URL Assistant
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VPN Client
    WebCyberCoach 3.2 Dell
    WebFldrs XP
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
    Windows XP Service Pack 3
    WinRAR archiver
    WordPerfect Office 12
    X-Win32 7.1
    X-Win32 8.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/12/2012 9:54:35 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.
    4/12/2012 9:54:35 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're not going to stay clean with 3 antivirus programs running. You have:
    AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    Please remove 2 of these, then reboot the system.
    Note: If I have you run Combofix you will have to temporarily uninstall AVG
    =======================================
    I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:<<< Do not add one of these if you have one of the other 3 on the system when you remove AVG
    Microsoft Security Essentials
    Comodo AV
    Avast! Free Antivirus
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated- it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ======================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ==========================================
    Please handle the AV problem first, then run the scans above. Leave the logs in your next reply.
    ============================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
     
  3. oBx7935qq

    oBx7935qq TS Rookie Topic Starter

    Thanks a ton for your reply!! I uninstalled Symantec and AVG so I only have one AV, then I ran Combofix and ESET as you requested. The two logs are below. Thanks again!

    COMBOFIX LOG:

    ComboFix 12-04-15.02 - Eric 04/15/2012 17:04:11.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1628 [GMT -4:00]
    Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
    AV: PC Tools Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    C:\Install.exe
    C:\Thumbs.db
    c:\windows\$NtUninstallKB31151$
    c:\windows\$NtUninstallKB31151$\1203846766\@
    c:\windows\$NtUninstallKB31151$\1203846766\bckfg.tmp
    c:\windows\$NtUninstallKB31151$\1203846766\keywords
    c:\windows\$NtUninstallKB31151$\1203846766\L(2)\pdmzmplg
    c:\windows\$NtUninstallKB31151$\1203846766\U(2)\00000001.@
    c:\windows\$NtUninstallKB31151$\1203846766\U(2)\00000002.@
    c:\windows\$NtUninstallKB31151$\1203846766\U(2)\00000004.@
    c:\windows\$NtUninstallKB31151$\1203846766\U(2)\80000000.@
    c:\windows\$NtUninstallKB31151$\1203846766\U(2)\80000004.@
    c:\windows\$NtUninstallKB31151$\1203846766\U(2)\80000032.@
    c:\windows\$NtUninstallKB31151$\3670671461
    c:\windows\dasetup.log
    c:\windows\system32\SET55.tmp
    c:\windows\system32\SET56.tmp
    c:\windows\system32\SETAB.tmp
    c:\windows\system32\SETAD.tmp
    c:\windows\system32\SETBC.tmp
    c:\windows\system32\SETD5.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-15 to 2012-04-15 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-14 01:18 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2012-04-14 01:18 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys
    2012-03-25 15:46 . 2012-03-25 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Battle.net
    2012-03-25 13:53 . 2012-03-25 15:46 -------- d-----w- c:\program files\Diablo-III-8370-enUS-Installer
    2012-03-24 13:56 . 2012-03-24 13:56 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
    2012-03-24 13:56 . 2012-03-24 13:56 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
    2012-03-18 23:45 . 2012-03-18 23:47 -------- d-----w- c:\documents and settings\Eric\Application Data\AVG
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-29 14:10 . 2005-08-16 09:18 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2005-08-16 09:18 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-28 18:50 . 2005-08-16 09:18 667136 ----a-w- c:\windows\system32\wininet.dll
    2012-02-28 18:50 . 2005-08-16 09:18 61952 ----a-w- c:\windows\system32\tdc.ocx
    2012-02-28 18:50 . 2005-08-16 09:18 81920 ----a-w- c:\windows\system32\ieencode.dll
    2012-02-28 13:50 . 2005-08-16 09:18 369664 ----a-w- c:\windows\system32\html.iec
    2012-02-03 09:22 . 2005-08-16 09:18 1860096 ----a-w- c:\windows\system32\win32k.sys
    2000-10-27 16:54 . 2007-09-13 21:44 266330 ----a-r- c:\program files\ESCARPMENT.dll
    2007-11-09 20:10 . 2007-11-09 20:10 30288 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2007-11-09 20:10 . 2007-11-09 20:10 79440 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2007-11-09 20:10 . 2007-11-09 20:10 75344 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2007-11-09 20:10 . 2007-11-09 20:10 140880 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2007-11-09 20:10 . 2007-11-09 20:10 42576 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2007-11-09 20:10 . 2007-11-09 20:10 50768 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2007-11-09 20:10 . 2007-11-09 20:10 34384 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
    2007-11-09 20:11 . 2007-11-09 20:11 685648 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2007-11-09 20:11 . 2007-11-09 20:11 30288 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2012-03-24 13:56 . 2011-11-05 02:13 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2009-03-30 01:31 . 2009-03-30 01:31 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]
    "InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-08-09 1176064]
    "ImpulseFastStart"="c:\program files\Stardock\Impulse\Impulse.exe" [2011-02-14 2348400]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
    "WheelMouse"="c:\advanc~1\wh_exec.exe" [2007-03-11 86016]
    "type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-07 180269]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-23 149280]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-07-07 98304]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "Intel AppUp(SM) center"="c:\program files\Intel\IntelAppStore\bin\serviceManager.lnk" [2011-03-08 933]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-30 1838592]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
    Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-6-9 1524776]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-3 24576]
    hp psc 2000 Series.lnk - c:\program files\HP\Digital Imaging\bin\hpobnz08.exe [2003-4-6 323646]
    NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-1-27 884840]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\StarNet\\X-Win32 8.0\\xwin32.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\StarNet\\X-Win32 7.1\\xwin32.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
    "c:\\WINDOWS\\system32\\javaw.exe"=
    "c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\portal 2\\portal2.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.524\\Agent.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26000:UDP"= 26000:UDP:Nexuiz
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    .
     
  4. oBx7935qq

    oBx7935qq TS Rookie Topic Starter

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/27/2009 10:28 PM 331880]
    R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2/8/2011 7:43 PM 341656]
    R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2/8/2011 7:43 PM 660992]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [1/2/2012 12:45 PM 54328]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [1/2/2012 12:45 PM 574424]
    R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [7/27/2009 10:28 PM 253096]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/9/2007 1:49 AM 24652]
    R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [1/27/2008 11:29 PM 17149]
    R3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\drivers\whfltr2k.sys [1/25/2007 11:45 AM 6784]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/5/2010 5:47 PM 136176]
    S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/5/2010 5:47 PM 136176]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/16/2011 10:09 AM 22216]
    S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [7/27/2009 10:28 PM 70536]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/16/2008 6:55 PM 402336]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [1/2/2012 12:45 PM 35264]
    S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2008-02-16 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2100 series5E771253C1676EBED677BF361FDFC537825E15B8196811904.job
    - c:\program files\HP\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]
    .
    2012-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-05 21:47]
    .
    2012-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-05 21:47]
    .
    2012-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1185286593-278694328-3660924420-1005Core.job
    - c:\documents and settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 04:02]
    .
    2012-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1185286593-278694328-3660924420-1005UA.job
    - c:\documents and settings\Eric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 04:02]
    .
    2012-04-15 c:\windows\Tasks\WebReg 20120111220929.job
    - c:\program files\HP\Digital Imaging\Bin\hpqwrg.exe [2003-04-06 07:01]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    Trusted Zone: musicmatch.com\online
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    TCP: Interfaces\{BA86A414-C8E6-4471-86EF-F75F9D24A6A6}: DhcpNameServer = 75.75.75.75 75.75.76.76
    FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\y0rsaved.new\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4e5a8ec6&i=23&tp=ab&nt=1&q=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKU-Default-Run-avbhhfRgwD.exe - c:\documents and settings\All Users\Application Data\avbhhfRgwD.exe
    Notify-NavLogon - (no file)
    AddRemove-StreetPlugin - c:\program files\Learn2.com\StRunner\stuninst.exe
    AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
    AddRemove-Google Chrome - c:\documents and settings\Eric\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\Installer\setup.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-15 17:35
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\docume~1\Eric\LOCALS~1\Temp\tzk3.tmp
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1185286593-278694328-3660924420-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AB29D248-25E9-B6A9-8582-03C027A2974A}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "abmkogckamlmomnibficaaganclcnlfhig"=hex:61,61,00,00
    "bbmkogckamlmomnibfhcjphfeifbkeahkdal"=hex:61,61,00,00
    .
    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1304)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    - - - - - - - > 'lsass.exe'(1360)
    c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
    .
    - - - - - - - > 'explorer.exe'(2656)
    c:\advanc~1\wh_hook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\stsystra.exe
    c:\program files\Intel\IntelAppStore\bin\serviceManager.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\windows\eHome\ehmsas.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    c:\program files\Java\jre6\bin\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-15 17:43:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-15 21:43
    .
    Pre-Run: 8,383,770,624 bytes free
    Post-Run: 8,684,814,336 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 530CD23734B7BE64F846568B5A4AE745
    ESET LOG:

    C:\Documents and Settings\Eric\Application Data\AVG\Rescue\PC Tuneup 2011\120318195131780.rsc multiple threats
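As an added example (not code from the thread, from ComboFix, or from the helper): a small Python triage parser for the two line formats that appear in the ComboFix log above, the "Files Created"/"Find3M" entries and the Run-key entries under "Reg Loading Points". The sample input reuses lines from the log posted above plus one constructed Run entry modelled on the path in the "ORPHANS REMOVED" section; the flagging rules (old-stamped driver rewritten in the scan window, relative path, 8.3 short path, autorun from a user-writable data directory) are generic heuristics chosen for this example, not anything the helper prescribes, and a flag means "look closer", not "malicious".

```python
"""Triage helper for ComboFix-style log excerpts (added example, not the thread's own code)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# "Files Created" / "Find3M" lines:  <created> . <modified> <size|--------> <attrs> <path>
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# "Reg Loading Points" Run-key lines:  "<name>"="<path>" [<date> <size>]
RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)
STAMP = "%Y-%m-%d %H:%M"


@dataclass
class FileEntry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories (ComboFix prints "--------")
    attrs: str
    path: str


@dataclass
class RunEntry:
    name: str
    path: str


def parse_file_line(line: str) -> Optional[FileEntry]:
    """Parse one file entry; returns None for lines in any other format."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return FileEntry(datetime.strptime(m["created"], STAMP),
                     datetime.strptime(m["modified"], STAMP),
                     size, m["attrs"], m["path"])


def parse_run_line(line: str) -> Optional[RunEntry]:
    """Parse one Run-key entry; returns None for lines in any other format."""
    m = RUN_LINE.match(line.strip())
    return RunEntry(m["name"], m["path"]) if m else None


def flag_file(e: FileEntry) -> Optional[str]:
    """Heuristic: a .sys under %windir% created recently but carrying a years-old
    modification stamp was (re)written from some other copy; hash it against a
    known-good copy of that driver rather than trusting the timestamp."""
    p = e.path.lower()
    if p.startswith("c:\\windows\\") and p.endswith(".sys") \
            and e.created - e.modified > timedelta(days=365):
        return "driver (re)written in scan window with an old build stamp; verify hash against known-good"
    return None


def flag_run(e: RunEntry) -> Optional[str]:
    """Heuristics for autorun entries whose target deserves a second look."""
    p = e.path.lower()
    if not re.match(r"^[a-z]:\\", p):
        return "relative path resolved via the search order; locate the real binary"
    if "~" in p:
        return "8.3 short path hides the real directory name; resolve it and check the publisher"
    if "\\application data\\" in p or "\\temp\\" in p:
        return "autorun from a user-writable data directory"
    return None


def triage(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Run both parsers over a log excerpt and collect (path-or-name, reason) flags."""
    out: Dict[str, List[Tuple[str, str]]] = {"files": [], "runs": []}
    for line in lines:
        fe = parse_file_line(line)
        if fe is not None:
            reason = flag_file(fe)
            if reason:
                out["files"].append((fe.path, reason))
            continue
        rn = parse_run_line(line)
        if rn is not None:
            reason = flag_run(rn)
            if reason:
                out["runs"].append((rn.name, reason))
    return out


# Sample input: lines copied from the ComboFix log in this thread, plus one
# constructed Run entry (name "Updater") modelled on the orphaned path the log lists.
SAMPLE_LOG = r"""
2012-04-14 01:18 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-04-14 01:18 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys
2012-03-25 15:46 . 2012-03-25 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Battle.net
2012-03-24 13:56 . 2012-03-24 13:56 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]
"InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-08-09 1176064]
"WheelMouse"="c:\advanc~1\wh_exec.exe" [2007-03-11 86016]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Updater"="c:\documents and settings\All Users\Application Data\avbhhfRgwD.exe" [2012-04-01 12345]
"""

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG.splitlines()).items():
        for target, reason in hits:
            print(f"[{kind}] {target}: {reason}")
```

The parser deliberately returns None for any line it does not recognise, so the whole log can be fed through unchanged; the two cdrom.sys lines are flagged because the file was written on 2012-04-14 yet carries the 2008 build stamp, which is exactly the case where a hash comparison, not the timestamp, settles whether the restored driver is the genuine one.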
     
  5. oBx7935qq

    oBx7935qq TS Rookie Topic Starter

    That is it for now. Thanks for your help already and I will wait until you tell me what to do next :)
     
  6. oBx7935qq

    oBx7935qq TS Rookie Topic Starter

    Sorry to be a bother, but I will be out of town over the weekend and want to make sure this thread doesn't go inactive. If anyone is willing to help me out based on the last logs (combofix and eset) from actions recommended by bobbye that would be awesome.

    thanks in advance!
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I didn't realize you were back. I was going through my old threads and found this. There is a bit to do:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\Viewpoint\Common\ViewpointService.exe
    Folder::
    c:\documents and settings\Eric\Application Data\AVG
    Rootkit::
    c:\docume~1\Eric\LOCALS~1\Temp\tzk3.tmp
    RegNull::
    [HKEY_USERS\S-1-5-21-1185286593-278694328-3660924420-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AB29D248-25E9-B6A9-8582-03C027A2974A}*]
    RegLock::
    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    Clearjavacache::
     
    Driver::
    Viewpoint Manager Service
     
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    As far as I can tell, DeterministicNetworks is related to Cisco. But the key is locked, so I need to take a look. There is a registry setting for this- are you using it?

    Also, you have an entry below:
    - - - - - - - > 'explorer.exe'(2656)
    c:\advanc~1\wh_hook.dll

    This is the Outpost hooking module, related to Outpost Firewall. Is that correct? Does it have a program it's running through? What is advanc(ed)?
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Time to close the thread. Do you plan to finish?
     