Malwarebytes anti-malware successfully blocked access to a potentially malicious website

Inactive
By Larry Jay
Jul 7, 2012
  1. Hi. This message keeps popping up every 5 minutes on my Malwarebytes. I've used AVG to scan my computer and have found no problems. And my computer's speed has decreased tremendously. Please help!
  2. Jay Pfoutz (Malware Helper)

    Hi there! Welcome to the forums. :cool:

    Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in

      msconfig
      safebootminimal
      activex
      drivers32
      netsvcs
      CreateRestorePoint
      %AppData%\Roaming\Mozilla\Firefox\Profiles\*.default\extensions\ /s /md5
      %AppData%\Local\
      %systemroot%\system32\sysprep
      *.xpi /md5
      %systemroot%\Downloaded Program Files\
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
      hklm\software\clients\startmenuinternet|command /rs
      hklm\software\clients\startmenuinternet|command /64 /rs
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\system32\drivers\*.sys /90
      %systemroot%\System32\config\*.sav
      %SYSTEMDRIVE%\*.exe /md5
      "%WinDir%\$NtUninstallKB*$." /30
      %systemdrive%\Program Files\Common Files\ComObjects\*.* /s
      %systemroot%\*. /mp /s
      %systemroot%\*. /rp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
      %USERPROFILE%\AppData\Local\ /s
      %systemroot%\Installer\ /s
      %systemroot%\system32\Cache\ /s
      %systemroot%\system32\config\systemprofile\Application Data /s
      %PROGRAMFILES%\*.
      %appdata%\*.*
      /md5start
      volsnap.sys
      services.exe
      userinit.exe
      afd.sys
      tcpip.sys
      netbt.sys
      ipsec.sys
      dnsrslvr.dll
      ipnathlp.dll
      netman.dll
      WMIsvc.dll
      srsvc.dll
      sr.sys
      wscsvc.dll
      wuauserv.dll
      qmgr.dll
      es.dll
      cryptsvc.dll
      svchost.exe
      rpcss.dll
      tdx.sys
      wininit.exe
      winlogon.exe
      atapi.sys
      explorer.exe
      /md5stop
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time.
    Note: in the event that OTL fails to run, please use alternate download links to try again:

    http://oldtimer.geekstogo.com/OTL.com
    http://oldtimer.geekstogo.com/OTL.scr
  3. Larry Jay (Topic Starter)

    Thanks for the reply!

    Apparently, the logs were too long for me to post back on a reply, therefore I've attached the OTL and Extras txt files. I hope that works.

    Attached Files:

  4. Jay Pfoutz (Malware Helper)

    It is usually the rule to post full logs in multiple replies if needed.

    I will download them this time, but next time, please post them inline.

    Is this an attempt to bypass required registration for software products? This is usually a sign of software piracy.


    We're working with XP, so please run the following scans:

    ComboFix

    Please visit this webpage for a tutorial on downloading and running ComboFix:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    See the area: Using ComboFix, and when done, post the log back here.


    Farbar Service Scanner

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Check the "Include All Files" option.
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run from.
    • Please copy and paste the log to your reply.
  5. Larry Jay (Topic Starter)

    Sorry about that. I'll definitely use multiple posts this time.

    On the matter of software piracy, I have no idea. My cousin and nephew also use this computer; they may have messed around with such things, but I'm not 100% sure.

    Here's the ComboFix log:

    ComboFix 12-07-07.04 - Lawrence 2012-07-08 3:28.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.949.82.1033.18.3536.2484 [GMT -4:00]
    Running from: c:\documents and settings\Lawrence\My Documents\Downloads\ComboFix.exe
    AV: AVG Internet Security Business Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\data
    c:\data\Lp_setup.exe
    c:\data\Tone2.exe
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\All Users\Application Data\windowviewcon
    c:\documents and settings\All Users\Application Data\windowviewcon\11번가.lnk
    c:\documents and settings\All Users\Application Data\windowviewcon\11st.ico
    c:\documents and settings\All Users\Application Data\windowviewcon\옥션.lnk
    c:\documents and settings\All Users\Application Data\windowviewcon\auction.ico
    c:\documents and settings\All Users\Application Data\windowviewcon\G마켓.lnk
    c:\documents and settings\All Users\Application Data\windowviewcon\gmarket.ico
    c:\documents and settings\Lawrence\Application Data\PriceGong
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\I.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\Lawrence\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\Lawrence\Favorites\11번가.url
    c:\documents and settings\Lawrence\Favorites\옥션.url
    c:\documents and settings\Lawrence\Favorites\G마켓.url
    c:\documents and settings\Lawrence\Local Settings\Application Data\Windows Server
    c:\documents and settings\Lawrence\My Documents\Downloads\PowerPointViewer.exe
    C:\FLVDirect.exe
    C:\Install.exe
    c:\program files\Keyword Find
    c:\program files\wLauncher\uninstall.exe
    c:\windows\EventSystem.log
    c:\windows\system32\Cache
    c:\windows\system32\Cache\272512937d9e61a4.fb
    c:\windows\system32\Cache\287204568329e189.fb
    c:\windows\system32\Cache\28bc8f716fd76a47.fb
    c:\windows\system32\Cache\2c53092c95605355.fb
    c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
    c:\windows\system32\Cache\32c84fe32bb74d60.fb
    c:\windows\system32\Cache\3917078cb68ec657.fb
    c:\windows\system32\Cache\404f152408d120d5.fb
    c:\windows\system32\Cache\433ca78ee8596f9a.fb
    c:\windows\system32\Cache\4e388f5d60526ce6.fb
    c:\windows\system32\Cache\590ba23ce359fd0c.fb
    c:\windows\system32\Cache\610289e025a3ee9a.fb
    c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
    c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
    c:\windows\system32\Cache\6d03dad1035885d3.fb
    c:\windows\system32\Cache\8799fc9b72398a42.fb
    c:\windows\system32\Cache\a8556537add6dfc5.fb
    c:\windows\system32\Cache\ad10a52aff5e038d.fb
    c:\windows\system32\Cache\c1fa887b03019701.fb
    c:\windows\system32\Cache\c4d28dca2e7648be.fb
    c:\windows\system32\Cache\c6e1a0f7f64c81c0.fb
    c:\windows\system32\Cache\d201ef9910cd39de.fb
    c:\windows\system32\Cache\d2e94710a5708128.fb
    c:\windows\system32\Cache\d79b9dfe81484ec4.fb
    c:\windows\system32\Cache\e0de16f883bea794.fb
    c:\windows\system32\Cache\efa5903989b02526.fb
    c:\windows\system32\Cache\f998975c9cc711ee.fb
    c:\windows\system32\msvcsv60.dll
    c:\windows\system32\SET321.tmp
    c:\windows\system32\SET3C3.tmp
    c:\windows\system32\SET3C8.tmp
    c:\windows\system32\SET3CF.tmp
    c:\windows\system32\test
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-08 to 2012-07-08 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-07 20:08 . 2012-07-07 20:08 -------- d-----w- c:\program files\iPod
    2012-07-07 20:08 . 2012-07-07 20:09 -------- d-----w- c:\program files\iTunes
    2012-07-07 07:28 . 2012-07-07 07:28 -------- d-----w- c:\documents and settings\Lawrence\Application Data\FabFilter
    2012-07-07 07:04 . 2012-07-07 07:04 -------- d-----w- c:\program files\FabFilter
    2012-07-07 05:52 . 2012-07-07 20:15 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
    2012-07-06 22:38 . 2012-07-06 22:38 -------- d-----w- c:\documents and settings\Lawrence\Application Data\AVG2012
    2012-07-06 09:07 . 2012-07-06 09:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-06 05:52 . 2012-07-06 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\WindowsTab
    2012-07-03 13:15 . 2012-07-03 13:15 -------- d-----w- C:\AVG2012
    2012-06-28 04:11 . 2012-06-28 04:12 967 ----a-w- c:\windows\ScUnin.pif
    2012-06-28 04:11 . 2012-06-28 04:12 94208 ----a-w- c:\windows\ScUnin.exe
    2012-06-21 06:10 . 2012-06-21 06:10 -------- d-----w- c:\program files\ShadowFlare Software
    2012-06-21 06:09 . 2003-10-29 20:06 366080 ----a-w- c:\windows\SFSetup.exe
    2012-06-21 06:09 . 2003-04-02 14:13 86016 ----a-w- c:\windows\system32\minunzip.dll
    2012-06-21 06:09 . 2003-04-02 14:13 722192 ----a-w- c:\windows\system32\VB40032.DLL
    2012-06-21 06:09 . 2002-04-03 15:20 60416 ----a-w- c:\windows\ST4UNST.EXE
    2012-06-15 05:28 . 2012-06-30 00:54 -------- d-----w- c:\documents and settings\Lawrence\Application Data\SDR-RADIO.com
    2012-06-15 05:28 . 2012-06-15 05:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SDR-RADIO.com
    2012-06-15 05:27 . 2012-06-15 05:27 -------- d-----w- c:\program files\SDR-RADIO.com
    2012-06-13 04:03 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
    2012-06-12 19:51 . 2012-06-12 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\GFI Software
    2012-06-11 02:08 . 2012-06-11 02:08 -------- d-----w- c:\documents and settings\LocalService\Application Data\Ad-Aware Antivirus
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-08 03:52 . 2009-10-13 22:24 0 ----a-w- c:\documents and settings\Lawrence\Local Settings\Application Data\WavXMapDrive.bat
    2012-07-06 09:46 . 2011-05-23 15:51 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-02 19:19 . 2008-10-16 18:09 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
    2012-06-02 19:19 . 2008-10-16 18:07 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 19:19 . 2008-04-25 21:27 329240 ----a-w- c:\windows\system32\wucltui.dll
    2012-06-02 19:19 . 2008-04-25 21:27 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
    2012-06-02 19:19 . 2008-04-25 21:27 210968 ----a-w- c:\windows\system32\wuweb.dll
    2012-06-02 19:19 . 2008-10-16 18:09 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 19:19 . 2008-10-16 18:07 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
    2012-06-02 19:19 . 2008-04-25 21:27 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 19:19 . 2008-04-25 21:27 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 19:19 . 2008-04-25 16:16 97304 ----a-w- c:\windows\system32\cdm.dll
    2012-06-02 19:19 . 2008-10-16 18:07 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2012-06-02 19:19 . 2008-04-25 21:27 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 19:19 . 2008-04-25 21:27 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 19:18 . 2009-12-31 03:58 275696 ----a-w- c:\windows\system32\mucltui.dll
    2012-06-02 19:18 . 2009-12-31 03:58 214256 ----a-w- c:\windows\system32\muweb.dll
    2012-06-02 19:18 . 2009-12-31 03:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
    2012-05-31 13:22 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
    2012-05-16 15:08 . 2008-04-25 16:16 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-05-15 13:27 . 2008-04-25 16:16 1872128 ----a-w- c:\windows\system32\win32k.sys
    2012-05-11 14:42 . 2008-04-25 16:16 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-05-11 14:42 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-05-11 11:38 . 2008-04-25 16:16 385024 ------w- c:\windows\system32\html.iec
    2012-05-04 13:24 . 2008-04-25 16:16 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 12:41 . 2008-04-14 00:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-05-02 13:46 . 2008-04-25 21:26 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-04-25 16:11 . 2012-01-20 01:09 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
    2012-04-25 16:11 . 2012-01-20 01:09 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2012-04-19 08:50 . 2012-04-19 08:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    2012-04-16 04:27 . 2012-04-16 04:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-04-16 04:27 . 2010-06-11 14:16 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\yt.dll" [2012-06-11 1524056]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2009-06-11 23:41 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2009-06-11 23:41 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-05-12 880496]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-17 483420]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 134656]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 166912]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-10-07 2396160]
    "DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-06-12 656384]
    "DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-07-22 1796096]
    "ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2009-06-03 184320]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2009-05-18 145920]
    "USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-07-05 15872]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2010-05-05 77824]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "dldtmon.exe"="c:\program files\Dell V305\dldtmon.exe" [2008-06-24 668912]
    "dldtamon"="c:\program files\Dell V305\dldtamon.exe" [2008-06-24 16624]
    "H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2012-06-11 307200]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    .
    c:\documents and settings\Lawrence\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-7-16 1253152]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "wave"=DrvTrNTm.dll
    "mixer"=DrvTrNTm.dll
    "midi1"=ma_cmidn.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
    2012-02-29 20:29 4321112 ----a-w- c:\program files\AIM\aim.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-06-07 23:33 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2010-11-05 01:04 6174008 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 17:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2012-06-07 23:17 17425072 ----a-r- c:\program files\Skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
    2012-05-12 17:07 880496 ----a-w- c:\program files\uTorrent\uTorrent.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
    "c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
    "c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
    "c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
    "c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
    "c:\\Program Files\\Steam\\steamapps\\west1nex\\counter-strike\\hl.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\Lawrence\\My Documents\\Downloads\\uTorrent.exe"=
    "c:\\WINDOWS\\system32\\dldtcoms.exe"=
    "c:\\Program Files\\Dell V305\\dldtmon.exe"=
    "c:\\WINDOWS\\system32\\dldtcfg.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtpswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldttime.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtjswx.exe"=
    "c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
    "c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Starcraft\\StarCraft.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56112:TCP"= 56112:TCP:Starcraft wDetector
    .
    R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-04-19 AM 4:50 24896]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-07-11 AM 1:13 31952]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010-07-08 AM 12:49 691696]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-07-11 AM 1:13 235216]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-07-11 AM 1:14 301248]
    R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2007-04-19 AM 6:56 133968]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [2012-07-04 PM 5:25 5160568]
    R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2012-02-14 AM 4:53 193288]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2009-04-27 PM 2:40 293968]
    R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2009-06-26 AM 10:26 812392]
    R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2009-06-26 AM 10:26 26984]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2009-07-16 PM 1:04 376096]
    R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-05-31 PM 4:15 654408]
    R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [2009-07-22 PM 7:13 76288]
    R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-10-21 AM 12:37 2358656]
    R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [2012-03-19 AM 7:38 2666880]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-10-07 PM 7:08 112512]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 PM 1:32 139856]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 PM 1:32 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 PM 1:32 17232]
    R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2010-11-02 AM 2:37 33792]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-10-07 PM 7:09 109568]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-05-31 PM 4:15 22344]
    R3 Saffire;Saffire;c:\windows\system32\drivers\Saffire.sys [2010-10-12 PM 10:16 129376]
    R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-10-07 PM 4:47 232744]
    R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2010-05-04 AM 2:56 120472]
    S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
    S2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [2009-07-09 PM 6:48 98984]
    S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-05-30 PM 1:56 3048136]
    S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-06-07 PM 7:12 160944]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-06 AM 5:07 250056]
    S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-04-19 AM 6:28 42832]
    S3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2009-10-07 PM 7:09 33832]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-10-07 PM 7:09 244368]
    S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
    S3 SaffireAudio;Saffire Audio;c:\windows\system32\drivers\SaffireAudio.sys [2010-10-12 PM 10:16 28256]
    S3 SaffireMidi;Saffire MIDI;c:\windows\system32\drivers\SaffireMidi.sys [2010-10-12 PM 10:16 31584]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 PM 1:37 517096]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-08 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-06 09:46]
    .
    2012-07-08 c:\windows\Tasks\AdobeAAMUpdater-1.0-WEST1NE-Lawrence.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-07-19 21:42]
    .
    2012-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
    .
    2012-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-122077907-424289889-3075272132-1005Core.job
    - c:\documents and settings\Lawrence\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-06 11:13]
    .
    2012-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-122077907-424289889-3075272132-1005UA.job
    - c:\documents and settings\Lawrence\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-06 11:13]
    .
    2010-07-21 c:\windows\Tasks\Install_NSS.job
    - c:\program files\DivX\Symantec\scstubinstaller.exe [2010-03-08 18:00]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2786678
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Lawrence\Application Data\Mozilla\Firefox\Profiles\i3jc1cel.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2786678&SearchSource=13
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cb8bba1&v=6.010.023.001&I=23&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    HKCU-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
    AddRemove-wLauncher - c:\program files\wLauncher\Uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-08 03:40
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-122077907-424289889-3075272132-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{934A76F3-D851-140C-D713-A446F8430641}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "iagbljejcoknpeaicc"=hex:69,61,67,65,66,63,62,68,67,62,6e,63,64,6c,6c,64,61,67,
    00,00
    "hambmlniohcehcbb"=hex:6a,61,65,66,64,62,6a,62,66,61,65,6c,68,64,61,66,62,6a,
    70,62,00,00
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(856)
    c:\windows\system32\wvauth.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2012-07-08 03:47:16
    ComboFix-quarantined-files.txt 2012-07-08 07:47
    .
    Pre-Run: 55,110,336,512 bytes free
    Post-Run: 55,554,441,216 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 284E4BA5C15B78AFEC277286617B0B12
  6. Larry Jay

    Larry Jay Newcomer, in training Topic Starter

    Here is the FSS log:
    Farbar Service Scanner Version: 02-07-2012
    Ran by Lawrence (administrator) on 08-07-2012 at 03:55:09
    Running from "C:\Documents and Settings\Lawrence\My Documents\Downloads"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    Avgtdix(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
    0x0A000000040000000100000002000000030000000800000006000000070000000A0000000900000005000000
    IpSec Tag value is correct.

    **** End of log ****


    Thanks.
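Two places in the logs above carry binary data the reader has to decode by eye: the `hex:` values under the locked shell-extension key in the ComboFix output, and the GroupOrderList blob that FSS prints under "Extra List" next to the service tags. The following is an added example, not code from this thread or from the ComboFix or FSS authors. It parses both formats with the sample text copied from the two logs. The interpretation of the FSS check (that the IPSec service's Tag must appear in the PNP_TCPIP GroupOrderList) is my reading of the printed output, not FSS documentation, and the DWORD layout of GroupOrderList (count, then that many tags, little-endian) is the standard Windows one.

```python
import re
import struct
from typing import Dict, List

# Excerpt copied from the ComboFix "LOCKED REGISTRY KEYS" section above.
# ComboFix wraps long hex values onto continuation lines, .reg style.
COMBOFIX_LOCKED_KEYS = r"""
[HKEY_USERS\S-1-5-21-122077907-424289889-3075272132-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{934A76F3-D851-140C-D713-A446F8430641}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iagbljejcoknpeaicc"=hex:69,61,67,65,66,63,62,68,67,62,6e,63,64,6c,6c,64,61,67,
00,00
"hambmlniohcehcbb"=hex:6a,61,65,66,64,62,6a,62,66,61,65,6c,68,64,61,66,62,6a,
70,62,00,00
""".strip("\n")

# Copied from the FSS "Extra List" above: service tags, then the GroupOrderList blob.
FSS_EXTRA_LIST_TAGS = "Avgtdix(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)"
FSS_GROUP_ORDER_HEX = "0x0A000000040000000100000002000000030000000800000006000000070000000A0000000900000005000000"

_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=hex:(?P<bytes>.*)$')


def _bytes_from_hex_list(hex_list: str) -> bytes:
    """Turn '69,61,...,00' into bytes; a trailing comma is tolerated."""
    return bytes(int(piece, 16) for piece in hex_list.rstrip(",").split(","))


def parse_locked_key_values(section: str) -> Dict[str, bytes]:
    """Map value name -> raw bytes for every "name"=hex: line in a ComboFix
    locked-key dump. A hex line that ends in a comma continues on the next line."""
    values: Dict[str, bytes] = {}
    name = None
    parts: List[str] = []
    for line in (l.strip() for l in section.splitlines()):
        m = _VALUE_RE.match(line)
        if m:
            if name is not None:
                values[name] = _bytes_from_hex_list("".join(parts))
            name, parts = m.group("name"), [m.group("bytes")]
        elif name is not None and parts[-1].endswith(","):
            parts.append(line)  # continuation of a wrapped hex line
    if name is not None:
        values[name] = _bytes_from_hex_list("".join(parts))
    return values


def decode_ascii_value(data: bytes) -> str:
    """Render a REG_BINARY blob as text when it is printable ASCII followed by
    NUL padding; otherwise return its hex so nothing is silently hidden."""
    stripped = data.rstrip(b"\x00")
    if stripped and all(0x20 <= b < 0x7F for b in stripped):
        return stripped.decode("ascii")
    return data.hex()


def parse_service_tags(line: str) -> Dict[str, int]:
    """Parse 'Name(tag) Name(tag) ...' as printed by FSS into name -> tag."""
    return {m.group(1): int(m.group(2)) for m in re.finditer(r"(\w+)\((\d+)\)", line)}


def parse_group_order(hex_blob: str) -> List[int]:
    """Decode a GroupOrderList value: a little-endian DWORD count followed by
    that many little-endian DWORD tags, in load order."""
    digits = hex_blob[2:] if hex_blob.lower().startswith("0x") else hex_blob
    raw = bytes.fromhex(digits)
    if len(raw) % 4:
        raise ValueError("GroupOrderList blob is not a whole number of DWORDs")
    dwords = list(struct.unpack("<%dI" % (len(raw) // 4), raw))
    count, tags = dwords[0], dwords[1:]
    if count != len(tags):
        raise ValueError(f"count {count} does not match {len(tags)} tags present")
    return tags


def check_tag_in_group_order(service: str, tags: Dict[str, int], order: List[int]) -> bool:
    """My reading of the FSS 'Tag value is correct' check: the service's Tag
    must be one of the tags listed in its group's GroupOrderList."""
    return tags[service] in order


if __name__ == "__main__":
    for value_name, data in parse_locked_key_values(COMBOFIX_LOCKED_KEYS).items():
        print(f"{value_name} -> {decode_ascii_value(data)!r} ({len(data)} bytes)")
    order = parse_group_order(FSS_GROUP_ORDER_HEX)
    print("PNP_TCPIP load order:", order)
    for svc, tag in parse_service_tags(FSS_EXTRA_LIST_TAGS).items():
        print(f"{svc} tag {tag}: {'present' if tag in order else 'MISSING'}")
```

Decoding shows that the two locked values hold strings of random lowercase letters with two NUL bytes of padding, the same shape as their value names, which is the detail an analyst wants before deciding whether a locked Approved key deserves a closer look. The GroupOrderList blob decodes to ten tags, and every tag FSS lists (including IPSec's 4) is among them, which is why the log reports the IpSec tag as correct.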
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Nice! (y) Okay. We'll sort this out.

    Looks like a bunch of adware and a couple of trojans. Nothing too bothersome.

    Re-running ComboFix

    • Close any open browsers.
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.


    CKScanner

    Please download CKScanner by askey127 from here

    Save it to your desktop.
    • Double-click CKScanner.exe and click Search For Files.
    • After a very short time, when the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic


    In your next reply, please include:

    • ComboFix log
    • CKScanner log
    • ESET scan log(s)

    Also, update on the status of the machine... e.g. how it's running, error messages, etc. :)
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.

