TechSpot

Not acquiring network address

Inactive
By CadDog
May 3, 2012
  1. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    Step 1 Done...

    Downloaded and installed Avast and rebooted...

    Step 2 Done...

    Ran Malwarebytes Anti-Malware...

    Here is that report:

    =============
    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.04.30.05

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 7.0.5730.11
    User :: DJSYSTEM02 [administrator]

    Protection: Enabled

    5/4/2012 6:39:22 PM
    mbam-log-2012-05-04 (18-39-22).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 207318
    Time elapsed: 10 minute(s), 20 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  2. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    Step Done...

    Downloaded and ran Gmer...

    Here is the report:
    ============
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-05-04 19:01:59
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS721080G9SA00 rev.MC4OC10H
    Running: p5wl2qnt.exe; Driver: C:\DOCUME~1\JESSEW~1\LOCALS~1\Temp\kglcyaob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA83CA28E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA83CA0F9]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device aswSP.SYS (avast! self protection module/AVAST Software)
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----
     
  3. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    Step 4...

    Downloaded and ran DDS...

    Here are both of the reports:
    ===================================
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_31
    Run by CadDog at 19:10:09 on 2012-05-04
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3062.2546 [GMT -7:00]
    .
    AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\igfxsrvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\dlcccoms.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.msn.com
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: CDelHotkeys Object: {78875f5c-a685-4405-8dc5-d48dc65452b0} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Delicious Toolbar: {61d1c847-df80-423a-8c6d-dc03b97e6ebe} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
    TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
    TB: ReadingBar: {5420be57-2ed4-4f4f-9eb9-381cec2290e7} - c:\program files\readbar\ReadBar.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    EB: Delicious Sidebar: {9d19c405-ba93-461b-871f-97992cc45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
    EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
    IE: Free YouTube to MP3 Converter - c:\documents and settings\CadDog\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2C887991-08F0-11DC-A9B2-0012F0B227DD} - {B8D8B1D0-83AF-451B-8CD9-8F1BF4ED8FEA} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
    IE: {2C887992-08F0-11DC-A9B2-0012F0B227DD} - {9D19C405-BA93-461b-871F-97992CC45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
    IE: {2C887993-08F0-11DC-A9B2-0012F0B227DD} - {4D3D441F-9543-4941-B664-2EDCF9FC1B56} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
    IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1315245314984
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1279586973984
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280681180375
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Notification Packages = scecli scecli
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\CadDog\application data\mozilla\firefox\profiles\4uvg2s5g.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-4-17 239168]
    R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-4-17 338880]
    R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-4-17 656320]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-5-4 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-5-4 337880]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-5-4 20696]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-5-4 44768]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-26 654408]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-5 22344]
    S0 27754183;27754183;c:\windows\system32\drivers\61567167.sys --> c:\windows\system32\drivers\61567167.sys [?]
    S2 mpfirewl;Mr2kserv;c:\windows\system32\svchost.exe -k netsvcs [2002-9-3 14336]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 253600]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-4-17 366840]
    S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-4-17 1150936]
    S4 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-12-18 189736]
    .
    =============== Created Last 30 ================
    .
    2012-05-05 01:32:30  612184    ----a-w-  c:\windows\system32\drivers\aswSnx.sys
    2012-05-05 01:32:02  41184     ----a-w-  c:\windows\avastSS.scr
    2012-05-05 01:31:41  --------  d-----w-  c:\program files\AVAST Software
    2012-05-05 01:31:41  --------  d-----w-  c:\documents and settings\all users\application data\AVAST Software
    2012-05-04 00:00:10  --------  d-----w-  c:\windows\system32\NtmsData
    2012-05-03 23:48:00  --------  d-----w-  c:\windows\system32\CatRoot2
    2012-05-02 23:43:47  98816     ----a-w-  c:\windows\sed.exe
    2012-05-02 23:43:47  518144    ----a-w-  c:\windows\SWREG.exe
    2012-05-02 23:43:47  256000    ----a-w-  c:\windows\PEV.exe
    2012-05-02 23:43:47  208896    ----a-w-  c:\windows\MBR.exe
    2012-05-02 01:15:13  --------  d-----w-  c:\program files\My Company Name
    2012-05-02 00:49:34  --------  d-----w-  c:\documents and settings\CadDog\local settings\application data\Toshiba
    2012-05-02 00:46:52  73600     ----a-w-  c:\windows\system32\drivers\Tosrfhid.sys
    2012-05-02 00:46:52  41856     ----a-w-  c:\windows\system32\drivers\tosrfusb.sys
    2012-05-02 00:46:52  113920    ----a-w-  c:\windows\system32\drivers\tosrfbd.sys
    2012-05-02 00:46:51  36480     ----a-w-  c:\windows\system32\drivers\tosrfbnp.sys
    2012-05-02 00:46:51  18612     ----a-w-  c:\windows\system32\drivers\tosrfnds.sys
    2012-05-02 00:46:50  64896     ----a-w-  c:\windows\system32\drivers\tosrfcom.sys
    2012-05-02 00:46:50  41600     ----a-w-  c:\windows\system32\drivers\tosporte.sys
    2012-05-02 00:46:33  --------  d-----w-  c:\program files\Toshiba
    2012-05-02 00:44:37  31744     ----a-w-  c:\windows\system32\drivers\csrbcxp.sys
    .
    ==================== Find3M ====================
    .
    2012-05-05 01:56:46  4766      ----a-w-  c:\windows\system32\PerfStringBackup.TMP
    2012-04-04 22:56:40  22344     ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-04-04 20:03:17  138496    ----a-w-  c:\windows\system32\drivers\afd.sys
    2012-04-01 17:57:16  70304     ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-01 17:57:16  418464    ----a-w-  c:\windows\system32\FlashPlayerApp.exe
    2012-02-25 22:55:40  73728     ----a-w-  c:\windows\system32\javacpl.cpl
    2012-02-25 22:55:40  472808    ----a-w-  c:\windows\system32\deployJava1.dll
    2011-02-19 22:13:47  8768200   ----a-w-  c:\program files\common files\lpuninstall.exe
    .
    ============= FINISH: 19:10:59.12 ===============
     
  4. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    Second File: (attach.txt)
    =====================
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/9/2007 10:34:29 PM
    System Uptime: 5/4/2012 6:51:47 PM (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0NF743
    Processor: Genuine Intel(R) CPU T2400 @ 1.83GHz | Microprocessor | 1828/166mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 75 GiB total, 42.912 GiB free.
    D: is CDROM ()
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: Modem Device on High Definition Audio Bus
    Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&346F9A3C&0&0102
    Manufacturer:
    Name: Modem Device on High Definition Audio Bus
    PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&346F9A3C&0&0102
    Service:
    .
    ==== System Restore Points ===================
    .
    RP49: 2/25/2012 2:54:42 PM - Restore Operation
    RP50: 2/25/2012 2:54:49 PM - Removed Java(TM) 6 Update 11
    RP51: 2/25/2012 2:55:27 PM - Installed Java(TM) 6 Update 31
    RP52: 3/2/2012 4:24:57 PM - Installed Ultra Hal Text-to-Speech Reader
    RP53: 3/3/2012 9:37:45 PM - System Checkpoint
    RP54: 3/5/2012 1:24:33 PM - System Checkpoint
    RP55: 3/10/2012 12:49:03 PM - Removed Ultra Hal Text-to-Speech Reader
    RP56: 3/12/2012 9:27:51 AM - System Checkpoint
    RP57: 3/12/2012 6:34:27 PM - Spyware Doctor: Cleaning Threats
    RP58: 3/12/2012 6:42:52 PM - Installed VirtualDJ PRO Full
    RP59: 3/16/2012 6:13:49 PM - System Checkpoint
    RP60: 3/17/2012 2:22:32 PM - Spyware Doctor: Cleaning Threats
    RP61: 3/17/2012 3:21:27 PM - Spyware Doctor: Cleaning Threats
    RP62: 3/30/2012 11:14:53 PM - Installed Dell Driver Reset Tool
    RP63: 4/1/2012 10:42:34 AM - Spyware Doctor: Cleaning Threats
    RP64: 4/2/2012 8:08:18 PM - Spyware Doctor: Cleaning Threats
    RP65: 4/2/2012 8:09:32 PM - Spyware Doctor: Cleaning Threats
    RP66: 4/2/2012 8:10:32 PM - Spyware Doctor: Cleaning Threats
    RP67: 4/3/2012 5:34:55 PM - Spyware Doctor: Cleaning Threats
    RP68: 4/3/2012 5:35:53 PM - Spyware Doctor: Cleaning Threats
    RP69: 4/14/2012 9:13:12 AM - Restore Operation
    RP70: 4/14/2012 9:14:37 AM - Restore Operation
    RP71: 4/14/2012 9:40:46 AM - Restore Operation
    RP72: 4/22/2012 9:29:21 PM - Restore Operation
    RP73: 4/24/2012 2:29:50 PM - System Checkpoint
    RP74: 5/1/2012 5:46:29 PM - Installed Bluetooth Stack for Windows by Toshiba
    RP75: 5/3/2012 11:13:40 AM - System Checkpoint
    RP76: 5/4/2012 6:31:41 PM - avast! Free Antivirus Setup
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 8.1.3
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ares 2.1.7
    Audiograbber 1.83 SE
    Audiograbber MP3 Plugin
    avast! Free Antivirus
    Bluetooth Stack for Windows by Toshiba
    Broadcom 440x 10/100 Integrated Controller
    CCleaner
    Compatibility Pack for the 2007 Office system
    Delicious Add-on for Internet Explorer
    Dell Driver Reset Tool
    Dell Photo AIO Printer 924
    Dell Wireless WLAN Card
    FolderSync 1.1
    Free YouTube to MP3 Converter version 3.10.14.1206
    Google Updater
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    J2SE Runtime Environment 5.0 Update 3
    Jasc Paint Shop Photo Album 5
    Jasc Paint Shop Pro Studio, Dell Editon
    Java Auto Updater
    Java(TM) 6 Update 31
    L&H TTS3000 British English
    L&H TTS3000 Deutsch
    L&H TTS3000 Español
    L&H TTS3000 Français
    L&H TTS3000 Italiano
    L&H TTS3000 Nederlands
    LastPass (uninstall only)
    Lernout & Hauspie TruVoice American English TTS Engine
    Malwarebytes Anti-Malware version 1.61.0.1400
    Microsoft .NET Compact Framework 2.0 SP1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Text-to-Speech Engine 4.0 (English)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Move Networks Media Player for Internet Explorer
    Mozilla Firefox 11.0 (x86 en-US)
    Multiple File Search and Replace
    muvee Reveal Seagate Edition
    Notepad++
    PCDJ DAC-2 USB Drivers
    PCDJ Red
    PCDJ Red 5.2
    QuickTime
    ReadPlease 2003/ReadPlease PLUS 2003
    Seagate Manager Installer
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    SigmaTel Audio
    Sony Media Manager 2.1
    Spyware Doctor with AntiVirus 8.0
    TagScanner 5.1.605
    Tango
    TreeSize Professional 2.43
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Virtual DJ - Atomix Productions
    Virtual DJ Pro Full - Atomix Productions
    VirtualDJ PRO Full
    WavePad Uninstall
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/4/2012 5:30:50 PM, error: PSched [14107] - QoS [Adapter {0F146D1C-DAEC-47A7-8447-53931ED9F84C}]: The Packet Scheduler could not initialize the virtual miniport with NDIS.
    5/3/2012 8:04:46 PM, error: Removable Storage Service [111] - RSM could not load media in drive Drive 0 of library USB DISK 2.0 USB Device.
    5/3/2012 5:01:00 PM, error: Service Control Manager [7023] - The Background Intelligent Transfer Service service terminated with the following error: The system cannot find the file specified.
    5/2/2012 4:58:40 PM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
    5/2/2012 4:58:10 PM, error: Service Control Manager [7023] - The WMI Performance Adapter service terminated with the following error: Unspecified error
    5/2/2012 4:58:02 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ASPI32
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The Windowblinds service terminated with the following error: The specified module could not be found.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The Wceusbsh service terminated with the following error: The system cannot find the file specified.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The Vstor2-ws60 service terminated with the following error: The specified module could not be found.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The Swmsflt service terminated with the following error: The specified module could not be found.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The Sscdbhk5 service terminated with the following error: The specified module could not be found.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The SE2Bbus service terminated with the following error: The system cannot find the file specified.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The RapiMgr service terminated with the following error: The system cannot find the file specified.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The Perfdisk service terminated with the following error: The system cannot find the file specified.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The Mxnic service terminated with the following error: The system cannot find the file specified.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The Mr2kserv service terminated with the following error: The specified module could not be found.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The Klblmain service terminated with the following error: The specified module could not be found.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The Icam4usb service terminated with the following error: The specified module could not be found.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The Iam service terminated with the following error: The specified module could not be found.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The Ghostsec service terminated with the following error: The specified module could not be found.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The E1000 service terminated with the following error: The system cannot find the file specified.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The Djsnetcn service terminated with the following error: The system cannot find the file specified.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The Cdfsvc service terminated with the following error: The specified module could not be found.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7023] - The A016bus service terminated with the following error: The system cannot find the file specified.
    5/2/2012 4:58:00 PM, error: Service Control Manager [7001] - The Windows Service Pack Installer update service service depends on the Security Accounts Manager service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    5/2/2012 4:13:45 PM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the AFD Networking Support Environment service which failed to start because of the following error: The system cannot find the file specified.
    5/2/2012 4:13:45 PM, error: Service Control Manager [7000] - The AFD Networking Support Environment service failed to start due to the following error: The system cannot find the file specified.
    5/2/2012 4:08:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ASPI32
    5/2/2012 4:08:36 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A socket operation encountered a dead network.
    5/2/2012 4:08:36 PM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: A socket operation encountered a dead network.
    5/2/2012 4:08:36 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    5/2/2012 4:08:36 PM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    5/2/2012 2:50:58 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    5/2/2012 2:16:19 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: The system cannot find the file specified.
    5/2/2012 1:27:48 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the AFD Networking Support Environment service which failed to start because of the following error: The system cannot find the file specified.
    5/2/2012 1:27:48 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    5/1/2012 6:30:19 PM, error: Server [2505] - The server could not bind to the transport \Device\NwlnkNb because another computer on the network has the same name. The server could not start.
    5/1/2012 4:39:42 PM, error: BTHUSB [17] - The local Bluetooth radio has failed in an undetermined manner and will be unloaded.
    .
    ==== End Of File ===========================
     
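A small triage script, added here as an example and not part of the thread or of DDS itself, that reads log text in the shape of the two DDS reports posted above and pulls out the two things a helper acts on first: how many AV products are registered, and which single service failure the DHCP Client and the other network services all depend on. The sample below is constructed from a handful of lines copied from those reports; it assumes the DDS Ver_2011-08-26.01 line layout.

```python
import re
from collections import defaultdict

# Constructed sample: a few header lines from dds.txt and Event Viewer lines from
# attach.txt, copied from the thread above. Not a complete report.
SAMPLE_DDS = """\
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
==== Event Viewer Messages From Past Week ========
.
5/2/2012 4:58:02 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ASPI32
5/2/2012 4:13:45 PM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the AFD Networking Support Environment service which failed to start because of the following error: The system cannot find the file specified.
5/2/2012 4:13:45 PM, error: Service Control Manager [7000] - The AFD Networking Support Environment service failed to start due to the following error: The system cannot find the file specified.
5/2/2012 4:08:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ASPI32
5/2/2012 2:16:19 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: The system cannot find the file specified.
5/2/2012 1:27:48 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the AFD Networking Support Environment service which failed to start because of the following error: The system cannot find the file specified.
.
==== End Of File ===========================
"""

# DDS header line: "AV: <product> *<state>* {<guid>}"
AV_RE = re.compile(r"^AV: (?P<name>.+?) \*(?P<state>[^*]+)\*")
# SCM event 7001: a service could not start because a dependency failed.
DEP_RE = re.compile(
    r"\[7001\] - The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed to start"
)
# SCM event 7000: the dependency itself failed, with the reason.
FAIL_RE = re.compile(r"\[7000\] - The (?P<svc>.+?) service failed to start due to the following error: (?P<err>.+)$")
# SCM event 7026: boot/system-start drivers that did not load (space separated).
DRV_RE = re.compile(r"\[7026\] - The following boot-start or system-start driver\(s\) failed to load: (?P<drivers>.+)$")


def installed_av(text):
    """Every AV product DDS saw, as (name, state) pairs, in report order."""
    found = []
    for line in text.splitlines():
        m = AV_RE.match(line)
        if m:
            found.append((m["name"], m["state"]))
    return found


def dependency_failures(text):
    """Map each failed dependency to the set of services it took down (event 7001)."""
    chain = defaultdict(set)
    for line in text.splitlines():
        m = DEP_RE.search(line)
        if m:
            chain[m["dep"]].add(m["svc"])
    return dict(chain)


def direct_failures(text):
    """Map each service that failed on its own (event 7000) to the reported error."""
    errors = {}
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            errors[m["svc"]] = m["err"].strip()
    return errors


def failed_drivers(text):
    """Union of driver names from every event 7026 line."""
    drivers = set()
    for line in text.splitlines():
        m = DRV_RE.search(line)
        if m:
            drivers.update(m["drivers"].split())
    return drivers


def triage(text):
    """Summarize the report: AV count and the root failed service with its dependents."""
    avs = installed_av(text)
    deps = dependency_failures(text)
    # The dependency with the most casualties is the one to look at first.
    root = max(deps, key=lambda k: len(deps[k]), default=None)
    return {
        "av_count": len(avs),
        "multiple_av": len(avs) > 1,
        "root_failed_service": root,
        "root_error": direct_failures(text).get(root),
        "dependents": sorted(deps[root]) if root else [],
        "failed_drivers": sorted(failed_drivers(text)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

On the sample this reports three AV products and AFD as the service whose failure explains why DHCP Client, NLA and the NetBIOS helper never started, which is the "not acquiring network address" symptom in the thread title.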
  5. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    Step 5...

    See above Logs...

    Let me know if I missed any...

    Thanks
     
  6. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    You're running three AV programs, Spyware Doctor with AntiVirus, Avast and McAfee.
    You must uninstall TWO of them.
    If McAfee is one of them use this tool to uninstall it: http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html

    When done....

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  7. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    We posted at the same time....
     
  8. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    Removed two of the programs as directed.

    Here is the aswMBR report:
    ====================
    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-05-05 07:20:27
    -----------------------------
    07:20:27.453 OS Version: Windows 5.1.2600 Service Pack 3
    07:20:27.453 Number of processors: 2 586 0xE08
    07:20:27.453 ComputerName: DJSYSTEM02 UserName:
    07:20:28.031 Initialize success
    07:20:28.218 AVAST engine defs: 12030600
    07:20:51.921 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    07:20:51.921 Disk 0 Vendor: Hitachi_HTS721080G9SA00 MC4OC10H Size: 76319MB BusType: 3
    07:20:51.921 Disk 0 MBR read successfully
    07:20:51.921 Disk 0 MBR scan
    07:20:51.921 Disk 0 Windows XP default MBR code
    07:20:51.921 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76316 MB offset 63
    07:20:51.921 Disk 0 scanning sectors +156296385
    07:20:52.031 Disk 0 scanning C:\WINDOWS\system32\drivers
    07:21:04.968 Service scanning
    07:21:21.640 Modules scanning
    07:21:27.296 Disk 0 trace - called modules:
    07:21:27.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    07:21:27.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae858f0]
    07:21:27.312 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000081[0x8ad943b8]
    07:21:27.312 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8adaf940]
    07:21:27.859 AVAST engine scan C:\WINDOWS
    07:21:35.937 AVAST engine scan C:\WINDOWS\system32
    07:23:30.343 AVAST engine scan C:\WINDOWS\system32\drivers
    07:23:40.750 AVAST engine scan C:\Documents and Settings\Jesse Wheat
    07:28:39.640 AVAST engine scan C:\Documents and Settings\All Users
    07:28:58.078 Scan finished successfully
    07:29:44.781 Disk 0 MBR has been saved successfully to "F:\! 01 A Problem\MBR.dat"
    07:29:44.812 The log file has been saved successfully to "F:\! 01 A Problem\aswMBR.txt"

    =========
    I also saved a copy of both MBR.dat and aswMBR.txt on my desktop...
     
  9. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    Here is the Bootkit report:
    ==================
    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
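    The two reports above both describe the same 512-byte sector: aswMBR decodes the partition table (one active type-07 NTFS partition starting at sector 63) and Bootkit Remover prints its MD5. The following is an added example, not code from aswMBR, Bootkit Remover or AVAST, showing how such a sector is decoded and how a saved copy (the MBR.dat that aswMBR wrote) can serve as a baseline for later comparison. The sample sector is constructed to resemble the thread's log; its bytes and hash are made up.

```python
"""Decode a 512-byte MBR, run cheap sanity checks on it and hash it.

Added example for this thread; not code from aswMBR, Bootkit Remover or AVAST.
The sample sector built below is CONSTRUCTED to resemble the thread's report
(one active NTFS partition at LBA 63); its boot code bytes and MD5 are made up.
"""
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446       # four 16-byte entries follow the boot code
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR
SECTOR_BYTES = 512

PARTITION_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}


def is_valid_mbr(sector: bytes) -> bool:
    """True if the sector has the right length and ends with the 0x55AA signature."""
    return len(sector) == MBR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_partitions(sector: bytes) -> list:
    """Return the non-empty partition table entries as dicts."""
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        entries.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": count,
            "size_mb": count * SECTOR_BYTES // (1024 * 1024),
        })
    return entries


def sanity_findings(sector: bytes) -> list:
    """Structural checks; an MBR that fails any of them deserves a closer look."""
    findings = []
    parts = parse_partitions(sector)
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    for p in parts:
        if p["type_name"] == "unknown":
            findings.append("partition %d has unrecognised type 0x%02X" % (p["index"], p["type"]))
        if p["lba_start"] == 0:
            findings.append("partition %d starts at LBA 0 (overlaps the MBR)" % p["index"])
    return findings


def boot_sector_md5(sector: bytes) -> str:
    """The kind of value Bootkit Remover prints as 'Boot sector MD5'."""
    return hashlib.md5(sector).hexdigest()


def matches_baseline(sector: bytes, baseline_md5: str) -> bool:
    """Compare with a hash taken while the MBR was known good (e.g. of a saved MBR.dat)."""
    return boot_sector_md5(sector) == baseline_md5.lower()


def build_sample_mbr() -> bytes:
    """CONSTRUCTED sector: placeholder boot code plus one active NTFS partition."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PART_TABLE_OFFSET - 5)
    # start at LBA 63, 156296322 sectors (about 76316 MB), like the thread's aswMBR log
    entry1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 156296322)
    empty = b"\x00" * PART_ENTRY_SIZE
    return boot_code + entry1 + empty * 3 + BOOT_SIGNATURE


if __name__ == "__main__":
    mbr = build_sample_mbr()
    for p in parse_partitions(mbr):
        flag = "80 (A)" if p["active"] else "00"
        print("Partition %d %s %02X %s %d MB offset %d" % (
            p["index"], flag, p["type"], p["type_name"], p["size_mb"], p["lba_start"]))
    print("findings:", sanity_findings(mbr) or "none")
    print("Boot sector MD5 is:", boot_sector_md5(mbr))
```

    On a real machine the input would be the first 512 bytes of the physical disk (or the saved MBR.dat), and the baseline hash would be recorded while the disk was known clean; a mismatch only tells you the sector changed, so the next step is to diff the two copies rather than assume the worst.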
     
  10. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  11. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    ComboFix is telling me through a dialog that
    both McAfee and Spyware are running,
    but I have uninstalled them in the steps above.
    I also checked Control Panel "Add and Remove"; I didn't see these there...
    I stopped ComboFix and turned my laptop off for a minute
    and tried to run ComboFix again and got the same message...

    What should I do...???
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    If Combofix just warns you but it'll run go for it.
     
  13. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    ComboFix stated "the above are active"
    I hit ok

    the laptop does not have Recovery Console installed. An existing installation of the recovery console may be present but requires updating.

    Without it, ComboFix shall not attempt the fixing of some serious infections.

    check YES to have ComboFix download/install it.

    Note: this requires an active internet connection...
    (Which I don't have at this time. What should I do...???)

    Do I select Yes knowing I don't have a connection or
    No...???

    Sorry for all these small questions...
     
  14. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    Skip Recovery Console installation.
     
  15. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    I selected NO...
    It is running now...

    ComboFix...

    Now it states:

    That I have RootkitZeroAccess
    which has installed itself into the tcp/ip...

    ComboFix... continued myself...

    Now ... is rebooting...

    (sorry, the other steps didn't have so many warnings and dialogs coming up)

    NOTE: I'm using a flash drive to load all these programs..

    ComboFix... is continuing to run...

    It is now going through Stage_1.... etc...
     
  16. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    Looks like this may take a little while...

    ComboFix has been doing Stage_3 for the past 20 minutes...
    The hour glass is popping up so I know it's still working...
    Wow... just moved to Stage_4...
    I best walk away and stop watching...
    I will post again once ComboFix has done its work...

    Thanks
     
  17. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    OK I'm a little worried...

    It just finish Stage_4...

    How many Stages does ComboFix go through...?

    I'm only asking because at the top of the AutoScan screen
    it states... "that it would typically take 10 minutes but sometime
    easily double"... 10x2=20 but it is way longer than that at Stage_5...

    :eek:
     
  18. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    There are 50 steps.
    Be patient.
     
  19. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    It just came back and
    it said that it needed to do a big search
    and it may take a while...

    I said OK...

    Here are a few files it listed as attempting to restore:
    >>> beep.sys
    >>> taskmage.exe
    >>> msgsve.dll
    >>> agp440.sys
    >>> asyncmac.sys
    >>> comres.dll

    This is where it at now...

    Boy...!!! I'm sure glad I found this site.
    I would have been able to do this by myself...

    :)
     
  20. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    :)
    Be patient...
     
  21. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    The laptop just blue screened with this message:
    ==========================
    Technical information:

    *** STOP: 0x0000008E (0xC0000005, 0xA7DDD5A0, 0xB9444A2C, 0x00000000)
    *** aswSMX.SYS - Address A7DDD5A0 base at A7DBD000, DateStamp 4f56a5e5

    I needed to press the off button to continue...

    I Restarted the laptop at 3:14pm

    Stop aVast to let ComboFix continue...

    Here is the ComboFix Report:
    =====================

    ComboFix 12-05-05.06 - CadDog 05/05/2012 11:15:26.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3062.2657 [GMT -7:00]
    Running from: f:\! 01 a problem\5 steps\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    Overlay aborted ... Please run ComboFix once more
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\a016mdfl.dll
    c:\windows\system32\ARSVC.dll
    c:\windows\system32\Atmuni.dll
    c:\windows\system32\ghoststartservice.dll
    c:\windows\system32\kbdhid.dll
    c:\windows\system32\logonsvcid.dll
    c:\windows\system32\pivotmou.dll
    c:\windows\system32\s616mdfl.dll
    c:\windows\system32\tifsfilter.dll
    c:\windows\system32\tnidriver.dll
    .
    c:\windows\system32\drivers\beep.sys . . . is infected!!
    .
    c:\windows\system32\taskmgr.exe . . . is infected!!
    .
    c:\windows\system32\msgsvc.dll . . . is infected!!
    .
    c:\windows\system32\vssvc.exe . . . is infected!!
    .
    c:\windows\system32\drivers\AGP440.sys . . . is infected!!
    .
    c:\windows\system32\drivers\asyncmac.sys . . . is infected!!
    .
    c:\windows\system32\comres.dll . . . is infected!!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_AMDK7
    -------\Legacy_MPFIREWL
    -------\Legacy_MSSQL$MSSMLBIZ
    -------\Legacy_OLCAMSRV
    -------\Legacy_OMNIDRV
    -------\Legacy_PRISMXL
    -------\Legacy_SRESCAN
    -------\Legacy_SYMPROXYSVC
    -------\Legacy_TCSD_WIN32.EXE
    -------\Legacy_Z800MGMT
    -------\Service_amdk7
    -------\Service_mpfirewl
    -------\Service_MSSQL$MSSMLBIZ
    -------\Service_olcamsrv
    -------\Service_omnidrv
    -------\Service_prismxl
    -------\Service_srescan
    -------\Service_symproxysvc
    -------\Service_tcsd_win32.exe
    -------\Service_z800mgmt
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-05 to 2012-05-05 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-05 22:15 . 2011-04-15 03:164766----a-w-c:\windows\system32\PerfStringBackup.TMP
    2012-04-04 22:56 . 2011-09-06 02:1022344----a-w-c:\windows\system32\drivers\mbam.sys
    2012-04-04 20:03 . 2002-09-03 16:27138496----a-w-c:\windows\system32\drivers\afd.sys
    2012-04-01 17:57 . 2012-04-01 17:57418464----a-w-c:\windows\system32\FlashPlayerApp.exe
    2012-04-01 17:57 . 2011-05-16 00:3270304----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-02-25 22:55 . 2012-02-25 22:5573728----a-w-c:\windows\system32\javacpl.cpl
    2012-02-25 22:55 . 2010-04-29 01:27472808----a-w-c:\windows\system32\deployJava1.dll
    2011-02-19 22:13 . 2011-02-19 22:138768200----a-w-c:\program files\Common Files\lpuninstall.exe
    2012-03-27 05:46 . 2011-04-17 15:4097208----a-w-c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15123536----a-w-c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-17 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
    "Persistence"="c:\windows\System32\igfxpers.exe" [2007-01-14 135168]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2007-01-14 131072]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2007-01-14 163840]
    "dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
    "DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Install LastPass FF RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2011-2-19 8768200]
    Install LastPass IE RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2011-2-19 8768200]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2006-5-24 49152]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ultra Hal Text-to-Speech Reader Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ultra Hal Text-to-Speech Reader Startup.lnk
    backup=c:\windows\pss\Ultra Hal Text-to-Speech Reader Startup.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^CadDog^Start Menu^Programs^Startup^NeoPlanet.lnk]
    path=c:\documents and settings\CadDog\Start Menu\Programs\Startup\NeoPlanet.lnk
    backup=c:\windows\pss\NeoPlanet.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^CadDog^Start Menu^Programs^Startup^Seagate 2GE6D6WE Product Registration.lnk]
    path=c:\documents and settings\CadDog\Start Menu\Programs\Startup\Seagate 2GE6D6WE Product Registration.lnk
    backup=c:\windows\pss\Seagate 2GE6D6WE Product Registration.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
    2010-10-27 09:001015808----a-w-c:\progra~1\Ares\Ares.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-01-25 23:08421160----a-w-c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
    2012-04-04 22:56462408----a-w-c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
    2009-12-18 18:24197928----a-w-c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Themes"=2 (0x2)
    "wuauserv"=2 (0x2)
    "SamSs"=2 (0x2)
    "wscsvc"=2 (0x2)
    "Bonjour Service"=2 (0x2)
    "FreeAgentGoNext Service"=2 (0x2)
    "mnmsrvc"=3 (0x3)
    "QuestBrowser Service"=2 (0x2)
    "AresChatServer"=3 (0x3)
    "McShield"=2 (0x2)
    "McNaiAnn"=2 (0x2)
    "mfevtp"=2 (0x2)
    "McAfee SiteAdvisor Service"=2 (0x2)
    "mcmscsvc"=2 (0x2)
    "McODS"=3 (0x3)
    "McProxy"=2 (0x2)
    "McMPFSvc"=2 (0x2)
    "McNASvc"=2 (0x2)
    "mfefire"=2 (0x2)
    "McAWFwk"=3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/4/2012 6:32 PM 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/4/2012 6:32 PM 337880]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/4/2012 6:32 PM 20696]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/26/2010 5:51 PM 654408]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/5/2011 7:10 PM 22344]
    S0 27754183;27754183;c:\windows\system32\drivers\61567167.sys --> c:\windows\system32\drivers\61567167.sys [?]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/1/2012 10:57 AM 253600]
    S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    deventagent
    cusrvc
    BrPar
    amdk8
    btwhid
    dphost
    qbposdbextservices
    avupdsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-05 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 17:57]
    .
    2012-05-03 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-04-17 02:26]
    .
    2012-05-05 c:\windows\Tasks\User_Feed_Synchronization-{94AE8699-29C6-4632-8C9D-74C2EAB4B4EE}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 18:58]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.msn.com
    IE: Free YouTube to MP3 Converter - c:\documents and settings\CadDog\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\CadDog\Application Data\Mozilla\Firefox\Profiles\4uvg2s5g.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-448539723-1958367476-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1112)
    c:\windows\System32\BCMLogon.dll
    .
    - - - - - - - > 'explorer.exe'(4052)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\savedump.exe
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\System32\locator.exe
    c:\windows\stsystra.exe
    c:\windows\System32\igfxsrvc.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    c:\windows\system32\dlcccoms.exe
    .
    **************************************************************************
    .
    Completion time: 2012-05-05 15:18:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-05-05 22:18
    ComboFix2.txt 2012-05-03 01:23
    ComboFix3.txt 2012-05-03 00:11
    .
    Pre-Run: 46,052,585,472 bytes free
    Post-Run: 46,292,201,472 bytes free
    .
    - - End Of File - - 26A975AA65A986796AE13D1377B9DB4A
     
  22. Broni

    Broni Malware Annihilator Posts: 47,647   +267

    Combofix reported:
    but let's see if we can use what we have....

    Download OTL to your Desktop.

    Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

    Use the following settings:

    • Click the NONE button
    • Under Custom Scans/Fixes paste:
    Code:
    /md5start
    comres.dll
    asyncmac.sys
    AGP440.sys
    vssvc.exe
    msgsvc.dll
    taskmgr.exe
    beep.sys
    /md5stop
    • Finally hit Run Scan and wait for the log to open.
    • Please post the content of the log into your next reply.

    NOTE.
    Be aware that from what I can see we may be facing Windows reinstallation due to rather serious infection of system files.
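    The /md5start ... /md5stop block above asks OTL to hash the seven files ComboFix flagged, so that each hash can be compared with that of a clean copy of the same file. The script below is an added example of that comparison, written for this thread and not taken from OTL or its author: it hashes a list of files under a directory and reports each as ok, MODIFIED, missing or no-baseline. The directory, file contents and baseline are constructed for the demo; a real baseline comes from clean copies of the same files (install media or a known-clean machine on the same service pack), never from the suspect machine itself.

```python
"""Hash suspect system files and compare them with a known-good baseline.

Added example for this thread; not code from OTL or its author. The files,
their contents and the baseline are CONSTRUCTED for the demo. MD5 is used
here only because that is what OTL reports; a baseline you build yourself
should use SHA-256.
"""
import hashlib
import os
import tempfile

# The files Broni asked OTL to hash (all reported by ComboFix as infected).
SUSPECT_FILES = ["comres.dll", "asyncmac.sys", "AGP440.sys", "vssvc.exe",
                 "msgsvc.dll", "taskmgr.exe", "beep.sys"]


def file_md5(path: str) -> str:
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(system_dir: str, names: list, baseline: dict) -> dict:
    """Map each file name to one of: ok, MODIFIED, missing, no-baseline.

    baseline is keyed by lower-cased file name (Windows names are case-insensitive)."""
    results = {}
    for name in names:
        path = os.path.join(system_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"       # deleted or never present
            continue
        expected = baseline.get(name.lower())
        if expected is None:
            results[name] = "no-baseline"   # cannot judge without a clean hash
            continue
        results[name] = "ok" if file_md5(path) == expected.lower() else "MODIFIED"
    return results


def build_demo(tmpdir: str) -> dict:
    """CONSTRUCTED fixture: write fake 'clean' files, record their hashes as the
    baseline, then overwrite beep.sys to mimic a patched driver. taskmgr.exe is
    deliberately left absent and vssvc.exe is written without a baseline entry."""
    clean = {
        "comres.dll": b"clean comres",
        "asyncmac.sys": b"clean asyncmac",
        "AGP440.sys": b"clean agp440",
        "msgsvc.dll": b"clean msgsvc",
        "beep.sys": b"clean beep",
    }
    baseline = {}
    for name, data in clean.items():
        with open(os.path.join(tmpdir, name), "wb") as f:
            f.write(data)
        baseline[name.lower()] = hashlib.md5(data).hexdigest()
    # the "infection": the on-disk beep.sys no longer matches its clean hash
    with open(os.path.join(tmpdir, "beep.sys"), "wb") as f:
        f.write(b"clean beep" + b"\x90" * 16)
    # present on disk, but no clean hash to compare against
    with open(os.path.join(tmpdir, "vssvc.exe"), "wb") as f:
        f.write(b"unknown build")
    return baseline


def run_demo() -> dict:
    """Build the fixture in a temporary directory and verify the suspect list."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = build_demo(tmp)
        return verify_files(tmp, SUSPECT_FILES, baseline)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print("%-14s %s" % (name, status))
```

    A hash mismatch on a Windows system file is only meaningful against a baseline for the exact same build and service pack; the same file legitimately differs between hotfix levels, which is why helpers ask for the OS version alongside the hashes.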
     
  23. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    Sorry...
    Do you want me to run combofix again or OTL...???

    I just want to be sure.

    "NOTE.
    Be aware that from what I can see we may be facing Windows reinstallation due to rather serious infection of system files."

    That may be a problem because I'm not sure where or if I still have my Windows install CD... :(
     
  24. Broni

    Broni Malware Annihilator Posts: 47,647   +267

  25. CadDog

    CadDog TS Rookie Topic Starter Posts: 51

    OK


    Here is the OTL report:
    ================
    OTL logfile created on: 5/5/2012 3:44:59 PM - Run 1
    OTL by OldTimer - Version 3.2.42.2 Folder = F:\! 01 A Problem\5 steps
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.11)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.99 Gb Total Physical Memory | 2.48 Gb Available Physical Memory | 83.01% Memory free
    4.32 Gb Paging File | 4.00 Gb Available in Paging File | 92.46% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.53 Gb Total Space | 43.14 Gb Free Space | 57.88% Space Free | Partition Type: NTFS
    Drive F: | 7.63 Gb Total Space | 5.06 Gb Free Space | 66.31% Space Free | Partition Type: FAT32

    Computer Name: DJSYSTEM02 | User Name: CadDog | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

    < End of report >
     