Inactive Malwarebytes anti-malware successfully blocked access to a potentially malicious website

Hi. This message keeps popping up every 5 minutes on my Malwarebytes. I've used AVG to scan my computer and have found no problems. And my computer's speed has decreased tremendously. Please help!
 
Hi there! Welcome to the forums.

Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box, paste this in:

    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    CreateRestorePoint
    %AppData%\Roaming\Mozilla\Firefox\Profiles\*.default\extensions\ /s /md5
    %AppData%\Local\
    %systemroot%\system32\sysprep
    *.xpi /md5
    %systemroot%\Downloaded Program Files\
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.exe /md5
    "%WinDir%\$NtUninstallKB*$." /30
    %systemdrive%\Program Files\Common Files\ComObjects\*.* /s
    %systemroot%\*. /mp /s
    %systemroot%\*. /rp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    %USERPROFILE%\AppData\Local\ /s
    %systemroot%\Installer\ /s
    %systemroot%\system32\Cache\ /s
    %systemroot%\system32\config\systemprofile\Application Data /s
    %PROGRAMFILES%\*.
    %appdata%\*.*
    /md5start
    volsnap.sys
    services.exe
    userinit.exe
    afd.sys
    tcpip.sys
    netbt.sys
    ipsec.sys
    dnsrslvr.dll
    ipnathlp.dll
    netman.dll
    WMIsvc.dll
    srsvc.dll
    sr.sys
    wscsvc.dll
    wuauserv.dll
    qmgr.dll
    es.dll
    cryptsvc.dll
    svchost.exe
    rpcss.dll
    tdx.sys
    wininit.exe
    winlogon.exe
    atapi.sys
    explorer.exe
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time.
Note: in the event that OTL fails to run, please use alternate download links to try again:

http://oldtimer.geekstogo.com/OTL.com
http://oldtimer.geekstogo.com/OTL.scr
 
Thanks for the reply!

Apparently, the logs were too long for me to post back on a reply, therefore I've attached the OTL and Extras txt files. I hope that works.
 

Attachments

  • OTL.Txt (185.7 KB)
  • Extras.Txt (77.6 KB)
It is usually the rule here to post full logs inline, in multiple replies if needed.

I will download them this time, but next time, please post them inline.

O1 - Hosts: 127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com
O1 - Hosts: 127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com
O1 - Hosts: 127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com
O1 - Hosts: 127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 serial.alcohol-soft.com
O1 - Hosts: 127.0.0.1 www.alcohol-soft.com
O1 - Hosts: 127.0.0.1 images.alcohol-soft.com
O1 - Hosts: 127.0.0.1 trial.alcohol-soft.com
O1 - Hosts: 127.0.0.1 alcohol-soft.com

Is this an attempt to bypass required registration for software products? This is usually a sign of software piracy.


We're working with XP, so please run the following scans:

ComboFix

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.


Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check the "Include All Files" option.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.
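The O1 lines quoted above are worth more than a piracy check: besides pointing Adobe and Alcohol activation hosts at 127.0.0.1, the file also sinkholes crl.verisign.net, so any certificate revocation check against that CRL distribution point cannot complete. The script below is an added example (not part of this thread, and not OTL or ComboFix code) that parses a hosts file, or the "O1 - Hosts:" lines as OTL prints them, and sorts every non-localhost loopback mapping into one of three buckets. The marker lists, the category names and the sample text are this example's own assumptions; the sample is a constructed excerpt modelled on the entries posted above.

```python
import re
from dataclasses import dataclass

# Addresses a sinkhole entry points at; a hostname mapped here never reaches
# its real server.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Heuristic substrings (an assumption of this example, not an authoritative list).
REVOCATION_MARKERS = ("crl.", "ocsp.")
LICENSING_MARKERS = ("activate", "ereg", "serial", "trial", "wip", "adobe-dns", "3dns")

O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")


@dataclass
class Finding:
    host: str
    ip: str
    category: str   # "revocation", "licensing", "sinkhole" or "hijack"
    note: str


def parse_hosts(text):
    """Yield (ip, [hostnames]) per mapping line. Accepts plain hosts-file lines
    and OTL/ComboFix 'O1 - Hosts:' log lines; '#' comments are stripped."""
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw.split("#", 1)[0].strip())
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], [h.lower() for h in parts[1:]]


def classify(host):
    """Bucket a sinkholed hostname by what the entry most likely silences."""
    if any(m in host for m in REVOCATION_MARKERS):
        return "revocation", "CRL/OCSP endpoint sinkholed: revocation checks against it cannot complete"
    if any(m in host for m in LICENSING_MARKERS):
        return "licensing", "vendor activation/registration host sinkholed: typical of a license-check bypass"
    return "sinkhole", "external host redirected to loopback"


def audit_hosts(text):
    """Return one Finding per distinct (host, ip) mapping that is not a stock entry."""
    findings, seen = [], set()
    for ip, hosts in parse_hosts(text):
        for h in hosts:
            if (h, ip) in seen:          # hosts matching is case-insensitive; skip duplicates
                continue
            seen.add((h, ip))
            if ip in SINKHOLE_IPS:
                if h in LOCAL_NAMES:
                    continue
                category, note = classify(h)
            else:
                # A name pointed at a routable address is the phishing/hijack shape.
                category, note = "hijack", "host mapped to a non-loopback address: possible DNS hijack"
            findings.append(Finding(h, ip, category, note))
    return findings


# Constructed excerpt modelled on the O1 lines in this thread (not the full file).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
127.0.0.1 activate.adobe.com activate.wip.adobe.com
127.0.0.1 crl.verisign.net CRL.VERISIGN.NET ood.opsource.net
O1 - Hosts: 127.0.0.1 serial.alcohol-soft.com
O1 - Hosts: 127.0.0.1 trial.alcohol-soft.com
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f.category:10} {f.ip:9} {f.host}: {f.note}")
```

Run it against C:\WINDOWS\system32\drivers\etc\hosts (read the file and pass its text to audit_hosts) and treat any "revocation" hit as a fix-now item regardless of how the licensing entries are resolved: restoring the stock hosts file is enough to clear all of them.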
 
Sorry about that. I'll definitely use multiple posts this time.

On the matter of software piracy, I have no idea. My cousin and nephew also use this computer; they may have messed around with such things, but I'm not 100% sure.

Here's the ComboFix log:


ComboFix 12-07-07.04 - Lawrence 2012-07-08 3:28.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.949.82.1033.18.3536.2484 [GMT -4:00]
Running from: c:\documents and settings\Lawrence\My Documents\Downloads\ComboFix.exe
AV: AVG Internet Security Business Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\data
c:\data\Lp_setup.exe
c:\data\Tone2.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\windowviewcon
c:\documents and settings\All Users\Application Data\windowviewcon\11번가.lnk
c:\documents and settings\All Users\Application Data\windowviewcon\11st.ico
c:\documents and settings\All Users\Application Data\windowviewcon\옥션.lnk
c:\documents and settings\All Users\Application Data\windowviewcon\auction.ico
c:\documents and settings\All Users\Application Data\windowviewcon\G마켓.lnk
c:\documents and settings\All Users\Application Data\windowviewcon\gmarket.ico
c:\documents and settings\Lawrence\Application Data\PriceGong
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\I.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Lawrence\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Lawrence\Favorites\11번가.url
c:\documents and settings\Lawrence\Favorites\옥션.url
c:\documents and settings\Lawrence\Favorites\G마켓.url
c:\documents and settings\Lawrence\Local Settings\Application Data\Windows Server
c:\documents and settings\Lawrence\My Documents\Downloads\PowerPointViewer.exe
C:\FLVDirect.exe
C:\Install.exe
c:\program files\Keyword Find
c:\program files\wLauncher\uninstall.exe
c:\windows\EventSystem.log
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\404f152408d120d5.fb
c:\windows\system32\Cache\433ca78ee8596f9a.fb
c:\windows\system32\Cache\4e388f5d60526ce6.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\8799fc9b72398a42.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\c6e1a0f7f64c81c0.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\Cache\efa5903989b02526.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\msvcsv60.dll
c:\windows\system32\SET321.tmp
c:\windows\system32\SET3C3.tmp
c:\windows\system32\SET3C8.tmp
c:\windows\system32\SET3CF.tmp
c:\windows\system32\test
.
.
((((((((((((((((((((((((( Files Created from 2012-06-08 to 2012-07-08 )))))))))))))))))))))))))))))))
.
.
2012-07-07 20:08 . 2012-07-07 20:08  --------  d-----w-  c:\program files\iPod
2012-07-07 20:08 . 2012-07-07 20:09  --------  d-----w-  c:\program files\iTunes
2012-07-07 07:28 . 2012-07-07 07:28  --------  d-----w-  c:\documents and settings\Lawrence\Application Data\FabFilter
2012-07-07 07:04 . 2012-07-07 07:04  --------  d-----w-  c:\program files\FabFilter
2012-07-07 05:52 . 2012-07-07 20:15  --------  d-----w-  c:\program files\MALWAREBYTES ANTI-MALWARE
2012-07-06 22:38 . 2012-07-06 22:38  --------  d-----w-  c:\documents and settings\Lawrence\Application Data\AVG2012
2012-07-06 09:07 . 2012-07-06 09:46  426184  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
2012-07-06 05:52 . 2012-07-06 21:17  --------  d-----w-  c:\documents and settings\All Users\Application Data\WindowsTab
2012-07-03 13:15 . 2012-07-03 13:15  --------  d-----w-  C:\AVG2012
2012-06-28 04:11 . 2012-06-28 04:12  967  ----a-w-  c:\windows\ScUnin.pif
2012-06-28 04:11 . 2012-06-28 04:12  94208  ----a-w-  c:\windows\ScUnin.exe
2012-06-21 06:10 . 2012-06-21 06:10  --------  d-----w-  c:\program files\ShadowFlare Software
2012-06-21 06:09 . 2003-10-29 20:06  366080  ----a-w-  c:\windows\SFSetup.exe
2012-06-21 06:09 . 2003-04-02 14:13  86016  ----a-w-  c:\windows\system32\minunzip.dll
2012-06-21 06:09 . 2003-04-02 14:13  722192  ----a-w-  c:\windows\system32\VB40032.DLL
2012-06-21 06:09 . 2002-04-03 15:20  60416  ----a-w-  c:\windows\ST4UNST.EXE
2012-06-15 05:28 . 2012-06-30 00:54  --------  d-----w-  c:\documents and settings\Lawrence\Application Data\SDR-RADIO.com
2012-06-15 05:28 . 2012-06-15 05:28  --------  d-----w-  c:\documents and settings\All Users\Application Data\SDR-RADIO.com
2012-06-15 05:27 . 2012-06-15 05:27  --------  d-----w-  c:\program files\SDR-RADIO.com
2012-06-13 04:03 . 2012-05-11 14:42  521728  -c----w-  c:\windows\system32\dllcache\jsdbgui.dll
2012-06-12 19:51 . 2012-06-12 19:51  --------  d-----w-  c:\documents and settings\All Users\Application Data\GFI Software
2012-06-11 02:08 . 2012-06-11 02:08  --------  d-----w-  c:\documents and settings\LocalService\Application Data\Ad-Aware Antivirus
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-08 03:52 . 2009-10-13 22:24  0  ----a-w-  c:\documents and settings\Lawrence\Local Settings\Application Data\WavXMapDrive.bat
2012-07-06 09:46 . 2011-05-23 15:51  70344  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 19:19 . 2008-10-16 18:09  22040  ----a-w-  c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2008-10-16 18:07  15384  ----a-w-  c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2008-04-25 21:27  329240  ----a-w-  c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2008-04-25 21:27  219160  ----a-w-  c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2008-04-25 21:27  210968  ----a-w-  c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2008-10-16 18:09  45080  ----a-w-  c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2008-10-16 18:07  15384  ----a-w-  c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2008-04-25 21:27  53784  ----a-w-  c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2008-04-25 21:27  35864  ----a-w-  c:\windows\system32\wups.dll
2012-06-02 19:19 . 2008-04-25 16:16  97304  ----a-w-  c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2008-10-16 18:07  17944  ----a-w-  c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2008-04-25 21:27  577048  ----a-w-  c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2008-04-25 21:27  1933848  ----a-w-  c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2009-12-31 03:58  275696  ----a-w-  c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2009-12-31 03:58  214256  ----a-w-  c:\windows\system32\muweb.dll
2012-06-02 19:18 . 2009-12-31 03:58  17136  ----a-w-  c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2008-04-25 16:16  599040  ----a-w-  c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2008-04-25 16:16  916992  ----a-w-  c:\windows\system32\wininet.dll
2012-05-15 13:27 . 2008-04-25 16:16  1872128  ----a-w-  c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2008-04-25 16:16  43520  ------w-  c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2008-04-25 16:16  1469440  ------w-  c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2008-04-25 16:16  385024  ------w-  c:\windows\system32\html.iec
2012-05-04 13:24 . 2008-04-25 16:16  2148352  ----a-w-  c:\windows\system32\ntoskrnl.exe
2012-05-04 12:41 . 2008-04-14 00:01  2026496  ----a-w-  c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2008-04-25 21:26  139656  ----a-w-  c:\windows\system32\drivers\rdpwd.sys
2012-04-25 16:11 . 2012-01-20 01:09  4547944  ----a-w-  c:\windows\system32\usbaaplrc.dll
2012-04-25 16:11 . 2012-01-20 01:09  43520  ----a-w-  c:\windows\system32\drivers\usbaapl.sys
2012-04-19 08:50 . 2012-04-19 08:50  24896  ----a-w-  c:\windows\system32\drivers\avgidshx.sys
2012-04-16 04:27 . 2012-04-16 04:27  73728  ----a-w-  c:\windows\system32\javacpl.cpl
2012-04-16 04:27 . 2010-06-11 14:16  472808  ----a-w-  c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\yt.dll" [2012-06-11 1524056]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-06-11 23:41  49152  ----a-w-  c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-06-11 23:41  49152  ----a-w-  c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-05-12 880496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-17 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-10-07 2396160]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-06-12 656384]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-07-22 1796096]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2009-06-03 184320]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2009-05-18 145920]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-07-05 15872]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2010-05-05 77824]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"dldtmon.exe"="c:\program files\Dell V305\dldtmon.exe" [2008-06-24 668912]
"dldtamon"="c:\program files\Dell V305\dldtamon.exe" [2008-06-24 16624]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2012-06-11 307200]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
.
c:\documents and settings\Lawrence\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-7-16 1253152]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll
"midi1"=ma_cmidn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute  REG_MULTI_SZ  autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages  REG_MULTI_SZ  msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnk  Common Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2012-02-29 20:29  4321112  ----a-w-  c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32  1230704  ----a-w-  c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-06-07 23:33  421776  ----a-w-  c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-11-05 01:04  6174008  ----a-w-  c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 17:42  1695232  ----a-w-  c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-06-07 23:17  17425072  ----a-r-  c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2012-05-12 17:07  880496  ----a-w-  c:\program files\uTorrent\uTorrent.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Steam\\steamapps\\west1nex\\counter-strike\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Lawrence\\My Documents\\Downloads\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\dldtcoms.exe"=
"c:\\Program Files\\Dell V305\\dldtmon.exe"=
"c:\\WINDOWS\\system32\\dldtcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldttime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtjswx.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56112:TCP"= 56112:TCP:Starcraft wDetector
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-04-19 AM 4:50 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-07-11 AM 1:13 31952]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010-07-08 AM 12:49 691696]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-07-11 AM 1:13 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-07-11 AM 1:14 301248]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2007-04-19 AM 6:56 133968]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [2012-07-04 PM 5:25 5160568]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2012-02-14 AM 4:53 193288]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2009-04-27 PM 2:40 293968]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2009-06-26 AM 10:26 812392]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2009-06-26 AM 10:26 26984]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2009-07-16 PM 1:04 376096]
R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-05-31 PM 4:15 654408]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [2009-07-22 PM 7:13 76288]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-10-21 AM 12:37 2358656]
R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [2012-03-19 AM 7:38 2666880]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-10-07 PM 7:08 112512]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 PM 1:32 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 PM 1:32 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 PM 1:32 17232]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2010-11-02 AM 2:37 33792]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-10-07 PM 7:09 109568]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-05-31 PM 4:15 22344]
R3 Saffire;Saffire;c:\windows\system32\drivers\Saffire.sys [2010-10-12 PM 10:16 129376]
R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-10-07 PM 4:47 232744]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2010-05-04 AM 2:56 120472]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [2009-07-09 PM 6:48 98984]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-05-30 PM 1:56 3048136]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-06-07 PM 7:12 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-06 AM 5:07 250056]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-04-19 AM 6:28 42832]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2009-10-07 PM 7:09 33832]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-10-07 PM 7:09 244368]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
S3 SaffireAudio;Saffire Audio;c:\windows\system32\drivers\SaffireAudio.sys [2010-10-12 PM 10:16 28256]
S3 SaffireMidi;Saffire MIDI;c:\windows\system32\drivers\SaffireMidi.sys [2010-10-12 PM 10:16 31584]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 PM 1:37 517096]
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-06 09:46]
.
2012-07-08 c:\windows\Tasks\AdobeAAMUpdater-1.0-WEST1NE-Lawrence.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-07-19 21:42]
.
2012-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-122077907-424289889-3075272132-1005Core.job
- c:\documents and settings\Lawrence\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-06 11:13]
.
2012-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-122077907-424289889-3075272132-1005UA.job
- c:\documents and settings\Lawrence\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-06 11:13]
.
2010-07-21 c:\windows\Tasks\Install_NSS.job
- c:\program files\DivX\Symantec\scstubinstaller.exe [2010-03-08 18:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2786678
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Lawrence\Application Data\Mozilla\Firefox\Profiles\i3jc1cel.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2786678&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cb8bba1&v=6.010.023.001&I=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKCU-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
AddRemove-wLauncher - c:\program files\wLauncher\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-08 03:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-122077907-424289889-3075272132-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{934A76F3-D851-140C-D713-A446F8430641}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iagbljejcoknpeaicc"=hex:69,61,67,65,66,63,62,68,67,62,6e,63,64,6c,6c,64,61,67,
00,00
"hambmlniohcehcbb"=hex:6a,61,65,66,64,62,6a,62,66,61,65,6c,68,64,61,66,62,6a,
70,62,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\wvauth.dll
c:\windows\system32\WININET.dll
.
Completion time: 2012-07-08 03:47:16
ComboFix-quarantined-files.txt 2012-07-08 07:47
.
Pre-Run: 55,110,336,512 bytes free
Post-Run: 55,554,441,216 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 284E4BA5C15B78AFEC277286617B0B12
 
Here is the FSS log:
Farbar Service Scanner Version: 02-07-2012
Ran by Lawrence (administrator) on 08-07-2012 at 03:55:09
Running from "C:\Documents and Settings\Lawrence\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A000000040000000100000002000000030000000800000006000000070000000A0000000900000005000000
IpSec Tag value is correct.

**** End of log ****


Thanks.
 
Nice! (y) Okay. We'll sort this out.

Looks like a bunch of adware and a couple of trojans. Nothing too bothersome.

Re-running ComboFix

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    DDS::
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2786678&SearchSource=13

    ClearJavaCache::

    NoOrphans::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    (image: CFScriptB-4.gif)

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


CKScanner

Please download CKScanner by askey127 from here

Save it to your desktop.
  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


In your next reply, you should include, please:

  • ComboFix log
  • CKScanner log
  • ESET scan log(s)

Also, update on the status of the machine... e.g. how it's running, error messages, etc. :)
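As an added example, not from the helper's post or from any of the tools named in this thread: a small Python check that reads a Firefox prefs.js or user.js and flags the same kind of hijacked search and home-page preferences that the CFScript above resets, and the malformed injected user.js line seen in the ComboFix log. The expected-host list and the sample file are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Firefox preferences that search hijackers overwrite (the three names that
# the ComboFix log above shows pointing at conduit.com and search.avg.com).
WATCHED_PREFS = {"browser.search.defaulturl", "browser.startup.homepage", "keyword.URL"}

# Assumption: these are the only search/home-page hosts the owner chose.
EXPECTED_HOSTS = {"www.google.com", "www.mozilla.org"}

# A well-formed line holds exactly one call:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')


def find_hijacks(text, expected_hosts=EXPECTED_HOSTS):
    """Scan prefs.js/user.js text; return (lineno, pref, reason) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "user_pref(" not in line:
            continue
        m = PREF_RE.match(line)
        # More than one call on a line means a value smuggled in extra
        # user_pref(...) calls, as the user.js entry in the log did.
        if m is None or line.count("user_pref(") > 1:
            name = m.group(1) if m else None
            findings.append((lineno, name, "malformed user_pref line"))
            continue
        name, value = m.group(1), m.group(2).strip().strip('"')
        if name not in WATCHED_PREFS:
            continue
        host = urlparse(value).netloc.lower()
        if host and host not in expected_hosts:
            findings.append((lineno, name, f"unexpected host {host}"))
    return findings


# Constructed sample mirroring the prefs.js values from the log above
# (the "hxxp" defanging undone) plus one benign preference.
SAMPLE_PREFS_JS = """\
user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}");
user_pref("browser.startup.homepage", "http://search.conduit.com/?ctid=CT2786678&SearchSource=13");
user_pref("keyword.URL", "http://search.avg.com/route/?d=4cb8bba1&v=6.010.023.001&I=23&tp=ab&iy=&ychte=us&lng=en-US&q=");
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("network.protocol-handler.warn-external.dnupdate", "false");user_pref("yahoo.ytff.general.dontshowhpoffer", true);user_pref("network.protocol-handler.warn-external.dnupdate", false);
"""

if __name__ == "__main__":
    for lineno, name, reason in find_hijacks(SAMPLE_PREFS_JS):
        print(f"line {lineno}: {name}: {reason}")
```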
 
Hello. Are you still with us?

Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

Thanks.
 