mackie

Redirecting Virus


Hiya,

I've gotten great help here from you good folks before.

I'm now plagued with a virus that's redirecting my searches and even direct web page address entries. I used Security Tango's collection of fixes without success: CWShredder, Stinger, AVG2011 (free), SuperAntiSpyware, and Malwarebytes. Thanks in advance for any help.

Here are HJT and DDS logs:

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 12:24:49 PM, on 11/25/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\WINDOWS\system32\dldtcoms.exe

C:\PROGRA~1\JACKFL~1\JACKFL~1\app\pppoeservice.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\Program Files\AVG\AVG10\avgemcx.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\Dell V305\dldtmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Dell V305\dldtMsdMon.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://frontier.my.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [startupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"

O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe

O4 - HKLM\..\Run: [dldtmon.exe] "C:\Program Files\Dell V305\dldtmon.exe"

O4 - HKLM\..\Run: [dldtamon] "C:\Program Files\Dell V305\dldtamon.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [sWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" 1014021 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [sWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" 1014021 (User 'Default user')

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BFC62888-8C89-45CD-9089-408B9BD47A4F}: Domain = domain.invalid

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: dldtCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldtserv.exe

O23 - Service: dldt_device - - C:\WINDOWS\system32\dldtcoms.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\JACKFL~1\JACKFL~1\app\pppoeservice.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

 

--

End of file - 9017 bytes

 

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

 

DDS (Ver_10-11-10.01)

 

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 4/17/2002 8:51:47 PM

System Uptime: 11/25/2010 11:54:18 AM (1 hours ago)

 

Motherboard: Dell Computer Corporation | | Dimension 4300

Processor: Intel® Pentium® 4 CPU 1.40GHz | Microprocessor | 1395/100mhz

 

==== Disk Partitions =========================

 

A: is Removable

C: is FIXED (NTFS) - 37 GiB total, 15.879 GiB free.

D: is CDROM ()

 

==== Disabled Device Manager Items =============

 

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Efficient Networks Enternet P.P.P.o.E Adapter

Device ID: ROOT\NET\0000

Manufacturer: Efficient Networks

Name: Efficient Networks Enternet P.P.P.o.E Adapter

PNP Device ID: ROOT\NET\0000

Service: NTSPPPOE

 

==== System Restore Points ===================

 

No restore point in system.

 

==== Installed Programs ======================

 

3Com NIC Diagnostics

ABBYY FineReader 6.0 Sprint

ACDSee

Adobe Acrobat 4.0

Adobe Download Manager 2.2 (Remove Only)

Adobe Flash Player 10 ActiveX

Adobe Reader 7.1.0

AOL Instant Messenger

ArcSoft PhotoImpression 3.0

ATI Display Driver

AVG 2011

Canon Camera Access Library

Canon Camera Support Core Library

Canon G.726 WMP-Decoder

Canon MovieEdit Task for ZoomBrowser EX

Canon RAW Image Task for ZoomBrowser EX

Canon Utilities CameraWindow

Canon Utilities CameraWindow DC

Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX

Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX

Canon Utilities EOS Utility

Canon Utilities MyCamera

Canon Utilities MyCamera DC

Canon Utilities PhotoStitch

Canon Utilities RemoteCapture Task for ZoomBrowser EX

Canon Utilities ZoomBrowser EX

Canon ZoomBrowser EX Memory Card Utility

Conexant HCF V90 56K Data Fax PCI Modem

Copy Utility

Dell Driver Download Manager

Dell ResourceCD

Dell Solution Center

Dell V305

DellTouch

DrawPlus 3.0

Efficient Networks SpeedStream DSL

Google Gmail Notifier

Google Toolbar for Internet Explorer

Google Update Helper

Google Updater

Help and Support Customization

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

iPod Updater 2004-11-15

iTunes

Jack Flash DSL

Java 6 Update 3

Kaspersky Online Scanner

KODAK Picture CD

LimeWire 4.12.6

Malwarebytes' Anti-Malware

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Data Access Components KB870669

Microsoft Encarta Encyclopedia Standard 2002

Microsoft Money 2002

Microsoft Money 2002 System Pack

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Picture It! Photo 2002

Microsoft Streets and Trips 2002

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Web Publishing Wizard 1.52

Microsoft Word 2002

Microsoft Works 6.0

Microsoft Works Suite Add-in for Microsoft Word

Modem Helper

Mozilla Firefox (2.0.0.5)

PF1250-1650 Guide

PhoneTools

PowerDVD

PrintMaster

QuickTime

Security Update for CAPICOM (KB931906)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB911565)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2183461)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953838)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956390)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB963027)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969897)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974455)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB976325)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982381)

Security Update for Windows XP (KB982665)

Shockwave

Startup Delayer v2.3 (build 130)

SUPERAntiSpyware

Sygate Personal Firewall

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB976749)

Update for Windows XP (KB978207)

Update for Windows XP (KB980182)

WebFldrs XP

Weight Commander 8.0

Winamp (remove only)

Windows 7 Upgrade Advisor

Windows Genuine Advantage Notifications (KB905474)

Windows Internet Explorer 8

Windows SR 2.0

Windows XP Service Pack 3

Works Suite OS Pack

Works Synchronization

Yahoo! Toolbar

 

==== Event Viewer Messages From Past Week ========

 

11/19/2010 6:33:54 PM, error: Dhcp [1002] - The IP address lease 192.168.254.2 for the Network Card with network address 000476D497A5 has been denied by the DHCP server 192.168.254.254 (The DHCP Server sent a DHCPNACK message).

11/18/2010 6:14:41 PM, error: Print [23] - Printer Dell Inkjet Printer J740 failed to initialize because a suitable Dell Inkjet Printer J740 driver could not be found.

11/18/2010 6:14:10 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

11/18/2010 6:14:10 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

11/18/2010 6:13:50 PM, error: Dhcp [1002] - The IP address lease 192.168.254.1 for the Network Card with network address 000476D497A5 has been denied by the DHCP server 192.168.254.254 (The DHCP Server sent a DHCPNACK message).

 

==== End Of File ===========================

 

DDS (Ver_10-11-10.01) - NTFSx86

Run by Dad at 12:07:33.59 on Thu 11/25/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.189 [GMT -5:00]

 

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

 

============== Running Processes ===============

 

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Sygate\SPF\smc.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\WINDOWS\system32\dldtcoms.exe

C:\PROGRA~1\JACKFL~1\JACKFL~1\app\pppoeservice.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\Program Files\AVG\AVG10\avgemcx.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\Dell V305\dldtmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Dell V305\dldtMsdMon.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\O0SJ7JYF\dds[1].pif

 

============== Pseudo HJT Report ===============

 

uStart Page = hxxp://frontier.my.yahoo.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mSearch Bar = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

mURLSearchHooks: H - No File

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: MoneySide: {9404901d-06da-4b23-a0ee-3ea4f64ec9b3} - c:\program files\microsoft money\system\mnyviewer.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [smcService] c:\progra~1\sygate\spf\smc.exe -startgui

mRun: [startupDelayer] "c:\program files\r2 studios\startup delayer\Startup Launcher GUI.exe"

mRun: [lxccmon.exe] "c:\program files\lexmark 3300 series\lxccmon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [dldtmon.exe] "c:\program files\dell v305\dldtmon.exe"

mRun: [dldtamon] "c:\program files\dell v305\dldtamon.exe"

dRunOnce: [sWHelper] "c:\windows\system32\macromed\shockwave 8\PostUpdate.exe" 1014021

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\mnarkav6.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

 

============= SERVICES / DRIVERS ===============

 

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-9-3 6104144]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-9-10 265400]

R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]

R2 PPPoEService;PPPoE Service;c:\progra~1\jackfl~1\jackfl~1\app\pppoeservice.exe [2002-4-18 49152]

R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [2002-4-5 21233]

R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [2002-4-5 19534]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

S2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [2008-2-25 99568]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]

S3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;c:\windows\system32\drivers\ntspppoe.sys [2002-4-18 161512]

S4 vsdatant;vsdatant; [x]

 

=============== Created Last 30 ================

 

2010-11-19 04:08:57 388096 ----a-r- c:\docume~1\dad\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

 

==================== Find3M ====================

 

2010-10-22 03:56:49 1409 ----a-w- c:\windows\QTFont.for

2010-10-22 02:21:14 138216 ----a-w- c:\documents and settings\all users\SPL98.tmp

2010-09-26 02:05:50 17371355 ----a-w- c:\documents and settings\all users\SPL22.tmp

2010-09-25 17:13:57 17371355 ----a-w- c:\documents and settings\all users\SPL21.tmp

2010-09-24 12:17:34 832973 ----a-w- c:\documents and settings\all users\SPL20.tmp

2010-09-23 13:55:36 832973 ----a-w- c:\documents and settings\all users\SPL1F.tmp

2010-09-23 11:31:42 832962 ----a-w- c:\documents and settings\all users\SPL1E.tmp

2010-09-22 14:24:52 832962 ----a-w- c:\documents and settings\all users\SPL1D.tmp

2010-09-21 11:01:11 683008 ----a-w- c:\documents and settings\all users\SPL1C.tmp

2010-09-19 16:25:11 683008 ----a-w- c:\documents and settings\all users\SPL1B.tmp

2010-09-18 14:35:28 246694 ----a-w- c:\documents and settings\all users\SPL1A.tmp

2010-09-18 02:54:26 246694 ----a-w- c:\documents and settings\all users\SPL18.tmp

2010-09-17 11:27:42 246683 ----a-w- c:\documents and settings\all users\SPL17.tmp

2010-09-17 01:23:26 246683 ----a-w- c:\documents and settings\all users\SPL16.tmp

2010-09-16 13:53:31 17371355 ----a-w- c:\documents and settings\all users\SPL15.tmp

2010-09-13 22:54:05 0 ----a-w- c:\windows\Jvazi.bin

2010-09-13 22:44:51 17371355 ----a-w- c:\documents and settings\all users\SPL14.tmp

2010-09-12 21:24:27 17371355 ----a-w- c:\documents and settings\all users\SPL19.tmp

 

=================== ROOTKIT ====================

 

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: MAXTOR_6L040J2 rev.A93.0500 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

 

device: opened successfully

user: MBR read successfully

 

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83AEEEC5]<<

_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x83a0f872; SUB DWORD [EBP-0x4], 0x83a0f12e; PUSH EDI; CALL 0xffffffffffffdf33; }

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x83BA8AB8]

3 CLASSPNP[0xF762FFD7] -> nt!IofCallDriver[0x804E37D5] -> [0x83B79030]

[0x83B81A28] -> IRP_MJ_CREATE -> 0x83AEEEC5

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMAXTOR_6L040J2__________________________A93.0500#3633313235333230323033332020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x83AEEAEA

user & kernel MBR OK

sectors 78177790 (+255): user != kernel

Warning: possible TDL3 rootkit infection !

 

============= FINISH: 12:13:46.32 ===============


Hello mackie and :wp:

 

My name is JonTom

 

  • Malware Logs can sometimes take a lot of time to research and interpret.

  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.

  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.

  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.

  • PLEASE NOTE: If you do not reply after 3 days your thread will be closed.

 

Please run the following scan. If you encounter any difficulties let me know.

 

  • Please scan your system with GMER

    Download GMER Rootkit Scanner from here or here.

    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your reply.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

 

Please post the GMER log in your next reply.

 

 


Hi JonTom, thanks for coming to my rescue. Here is the Gmer scan. I wasn't able to find the "Drives/Partition" to uncheck. Hope it doesn't cause a problem.

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-11-25 21:09:54

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 MAXTOR_6L040J2 rev.A93.0500

Running: 10z4c3wy[1].exe; Driver: C:\DOCUME~1\Dad\LOCALS~1\Temp\fgtoapod.sys

 

 

---- System - GMER 1.0.15 ----

 

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xF4D10B30]

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xF4D106F0]

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xF4D10470]

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF22AA6C0]

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xF4D10C50]

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xF4D10990]

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEB0A1620]

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF22AA810]

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF22AA8B0]

 

---- Kernel code sections - GMER 1.0.15 ----

 

.rsrc C:\WINDOWS\system32\drivers\isapnp.sys entry point in ".rsrc" section [0xF75F7014]

? C:\DOCUME~1\Dad\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

 

---- User code sections - GMER 1.0.15 ----

 

.text C:\WINDOWS\Explorer.EXE[324] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD000A

.text C:\WINDOWS\Explorer.EXE[324] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BE000A

.text C:\WINDOWS\Explorer.EXE[324] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01209315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 012DDBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 012DDD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 012E4832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 01241CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 013FE021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 013FDF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 013FDFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 013FDE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 013FDE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 013FE084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 013FDEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 012E488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\WINDOWS\system32\svchost.exe[2620] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CB000A

.text C:\WINDOWS\system32\svchost.exe[2620] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CC000A

.text C:\WINDOWS\system32\svchost.exe[2620] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CA000C

.text C:\WINDOWS\system32\svchost.exe[2620] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A

.text C:\WINDOWS\system32\svchost.exe[2620] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A

.text C:\WINDOWS\system32\svchost.exe[2620] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3300] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3300] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3300] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3300] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01209315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3300] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 012E4832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3300] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 013FE021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3300] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 013FDF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3300] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 013FDFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3300] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 013FDE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3300] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 013FDE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3300] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 013FE084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3300] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 013FDEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

 

---- Devices - GMER 1.0.15 ----

 

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

 

Device \Driver\Avgtdix \Device\AvgTdi wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 83AEEAEA

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 83AEEAEA

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 83AEEAEA

 

AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

 

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMAXTOR_6L040J2__________________________A93.0500#3633313235333230323033332020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

 

---- Disk sectors - GMER 1.0.15 ----

 

Disk \Device\Harddisk0\DR0 sectors 78177536 (+254): rootkit-like behavior;

 

---- Files - GMER 1.0.15 ----

 

File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3B29LR8K\google_com[1].txt 0 bytes

File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3B29LR8K\jquery.easing[1].js 3982 bytes

File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3B29LR8K\nav_btn_carousel_inactive[1].gif 128 bytes

File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3B29LR8K\nav_divider_sub[1].gif 44 bytes

File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3B29LR8K\ShootingUSA_Nov_24_2010_Promo_125x71_125x71[1].jpg 4114 bytes

File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3B29LR8K\ColtRailGun_125x71_125x71[1].jpg 11057 bytes

File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S0PYT842\home;tile=3;pos=2;dcopt=ist;sz=728x90,879x40;ord=64308047707884840[1] 446 bytes

File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S0PYT842\p[1].json 90 bytes

File C:\WINDOWS\system32\drivers\isapnp.sys suspicious modification; TDL3 <-- ROOTKIT !!!

 

---- EOF - GMER 1.0.15 ----

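Added example, not part of the thread, of GMER or of mbr.exe: a small Python triage helper for the kind of output posted in the two rootkit logs above (the mbr.exe "user != kernel" report in the DDS post and the GMER log in this one). It sorts the hook entries by the module GMER attributes them to, so the Sygate, AVG and SUPERAntiSpyware hooks that are expected on this machine are separated from entries GMER cannot name, and it pulls out the explicit rootkit warnings. The trusted-vendor list is an assumption to adjust per host; the sample lines are copied from the logs above.

```python
"""Triage helper for GMER / mbr.exe style anti-rootkit logs.

Added example; not part of the forum thread, GMER or mbr.exe. It classifies
the hook lines GMER prints (SSDT entries and inline ".text" hooks) by the
module GMER attributes them to and extracts explicit rootkit markers.
"""
import re
from dataclasses import dataclass, field

# Vendors whose hooks are expected on this particular machine (Sygate
# firewall, AVG, SUPERAntiSpyware, Microsoft). Assumption: tailor per host.
TRUSTED_VENDORS = ("Sygate Technologies", "AVG Technologies",
                   "SUPERAntiSpyware.com", "Microsoft Corporation")

# Warning strings emitted by GMER and by the mbr.exe detector (see the logs).
ROOTKIT_MARKERS = ("<-- ROOTKIT", "rootkit-like behavior", "user != kernel",
                   "possible TDL", "suspicious modification")

# SSDT <driver path> (<description/vendor>) <ZwFunction> [<address>]
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<path>.+?)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[0x[0-9A-Fa-f]+\]")
# .text <process[pid]> <module>!<function>[ + n] <addr> <n> Byte(s) <patch> [<dest> (<desc/vendor>)]
TEXT_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<mod>[\w.]+)!(?P<func>\w+)(?:\s*\+\s*\d+)?"
    r"\s+[0-9A-Fa-f]+\s+\d+\s+Bytes?\s+(?P<what>.+?)"
    r"(?:\s+(?P<dest>[A-Za-z]:\\.+?)\s+\((?P<vendor>[^)]*)\))?$")


@dataclass
class Hook:
    kind: str     # "SSDT" or "inline"
    where: str    # hooked driver path, or "process module!function"
    vendor: str   # vendor GMER printed for the hooking module, "" if none
    verdict: str  # "expected", "unattributed" or "review"


@dataclass
class Triage:
    hooks: list = field(default_factory=list)
    markers: list = field(default_factory=list)


def vendor_name(paren: str) -> str:
    """GMER prints '(description/vendor)'; keep the part after the last '/'."""
    return paren.rsplit("/", 1)[-1].strip()


def verdict_for(vendor: str) -> str:
    """Hooks GMER cannot attribute to a module are the ones to look at first."""
    if not vendor:
        return "unattributed"
    return "expected" if any(t in vendor for t in TRUSTED_VENDORS) else "review"


def triage(log_text: str) -> Triage:
    """Walk a GMER/mbr.exe log and classify hook lines and rootkit markers."""
    result = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if any(marker in line for marker in ROOTKIT_MARKERS):
            result.markers.append(line)
            continue
        m = SSDT_RE.match(line)
        if m:
            vendor = vendor_name(m["vendor"])
            result.hooks.append(Hook("SSDT", m["path"], vendor, verdict_for(vendor)))
            continue
        m = TEXT_RE.match(line)
        if m:
            vendor = vendor_name(m["vendor"]) if m["vendor"] else ""
            where = f'{m["proc"]} {m["mod"]}!{m["func"]}'
            result.hooks.append(Hook("inline", where, vendor, verdict_for(vendor)))
    return result


def summarize(t: Triage) -> dict:
    """Counts per verdict plus the number of explicit rootkit warnings."""
    out = {"expected": 0, "unattributed": 0, "review": 0, "markers": len(t.markers)}
    for h in t.hooks:
        out[h.verdict] += 1
    return out


# Sample input: lines copied from the GMER and mbr.exe logs posted in this thread.
SAMPLE_LOG = r"""
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xF4D10B30]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF22AA6C0]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEB0A1620]
.text C:\WINDOWS\Explorer.EXE[324] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1768] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01209315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\svchost.exe[2620] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
Disk \Device\Harddisk0\DR0 sectors 78177536 (+254): rootkit-like behavior;
File C:\WINDOWS\system32\drivers\isapnp.sys suspicious modification; TDL3 <-- ROOTKIT !!!
sectors 78177790 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
"""

if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    for h in t.hooks:
        print(f"{h.verdict:12} {h.kind:6} {h.where} -> {h.vendor or '(no module named)'}")
    for line in t.markers:
        print("ROOTKIT MARKER:", line)
    print(summarize(t))
```

On the sample, the three SSDT hooks and the IEFRAME.dll hook come out as expected, the two inline hooks GMER leaves unattributed are flagged, and all four warning lines are listed; the "expected" verdict says only that a named security product owns the hook, not that the product itself is clean.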

Hello mackie

 

Thank you for the log.

 

I can see that you have AVG installed. AVG is known to prevent ComboFix from running correctly. You MUST disable your AVG completely before running ComboFix. In some instances, ComboFix may notify you that it has detected AVG on your system. Should this happen you may need to uninstall AVG before running ComboFix.

 

If you have to uninstall AVG, please do not connect to the net except to download the required tools and scanners (and post replies back here).

 

Note: If ComboFix refuses to run after AVG has been uninstalled (which can happen on occasion), please run the following tool, then try ComboFix again.

 

 

  • Please download and run the AVG Removal Tool

    • The AVG removal tool will locate and remove all traces of AVG products from your computer.
    • To download the tool, click here and save the file (called avgremover.exe) to your desktop.
    • Right click on the avgremover.exe icon and select "Run as Administrator" to run the program.
    • Follow any prompts you receive.
    • Once you have run the removal tool you may delete it from your machine.

  • Combofix

    • Download ComboFix from one of the following locations:

      Link 1

      Link 2

    • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

    • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
    • Right click on ComboFix.exe and select "Run as Administrator" to run the program. Follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

     

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image

     

    • Click on Yes, to continue scanning for malware.
    • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

    Please post the ComboFix log in your next reply.


Combofix completed: No great difficulties. I was able to uninstall AVG in the control panel.

 

ComboFix 10-11-26.04 - Dad 11/26/2010 22:30:05.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.568 [GMT -5:00]

Running from: c:\documents and settings\Dad\My Documents\ComboFix.exe

FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Dad\Application Data\ACD Systems\ACDSee\ImageDB.ddf

c:\documents and settings\Dad\Local Settings\Application Data\{295A33C9-F91F-42F0-9B9A-9F785E06A380}

c:\documents and settings\Dad\Local Settings\Application Data\{295A33C9-F91F-42F0-9B9A-9F785E06A380}\chrome\content\_cfg.js

c:\documents and settings\Dad\Local Settings\Application Data\{295A33C9-F91F-42F0-9B9A-9F785E06A380}\chrome\content\overlay.xul

c:\documents and settings\Dad\Local Settings\Application Data\{295A33C9-F91F-42F0-9B9A-9F785E06A380}\install.rdf

c:\documents and settings\Ian\Application Data\ACD Systems\ACDSee\ImageDB.ddf

c:\windows\system\msvbvm60.dll

c:\windows\system\olepro32.dll

c:\windows\system32\cd_clint.dll

 

Infected copy of c:\windows\system32\drivers\isapnp.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((( Files Created from 2010-10-27 to 2010-11-27 )))))))))))))))))))))))))))))))

.

 

2010-11-19 04:08 . 2010-11-19 04:08 388096 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-22 03:56 . 2010-10-22 03:56 1409 ----a-w- c:\windows\QTFont.for

2010-10-22 02:21 . 2010-10-22 02:21 138216 ----a-w- c:\documents and settings\All Users\SPL98.tmp

2010-09-26 02:05 . 2010-09-26 02:05 17371355 ----a-w- c:\documents and settings\All Users\SPL22.tmp

2010-09-25 17:13 . 2010-09-25 17:13 17371355 ----a-w- c:\documents and settings\All Users\SPL21.tmp

2010-09-24 12:17 . 2010-09-24 12:17 832973 ----a-w- c:\documents and settings\All Users\SPL20.tmp

2010-09-23 13:55 . 2010-09-23 13:55 832973 ----a-w- c:\documents and settings\All Users\SPL1F.tmp

2010-09-23 11:31 . 2010-09-23 11:31 832962 ----a-w- c:\documents and settings\All Users\SPL1E.tmp

2010-09-22 14:24 . 2010-09-22 14:24 832962 ----a-w- c:\documents and settings\All Users\SPL1D.tmp

2010-09-21 11:01 . 2010-09-21 11:01 683008 ----a-w- c:\documents and settings\All Users\SPL1C.tmp

2010-09-19 16:25 . 2010-09-19 16:25 683008 ----a-w- c:\documents and settings\All Users\SPL1B.tmp

2010-09-18 14:35 . 2010-09-18 14:35 246694 ----a-w- c:\documents and settings\All Users\SPL1A.tmp

2010-09-18 02:54 . 2010-09-18 02:54 246694 ----a-w- c:\documents and settings\All Users\SPL18.tmp

2010-09-17 11:27 . 2010-09-17 11:27 246683 ----a-w- c:\documents and settings\All Users\SPL17.tmp

2010-09-17 01:23 . 2010-09-17 01:23 246683 ----a-w- c:\documents and settings\All Users\SPL16.tmp

2010-09-16 13:53 . 2010-09-16 13:53 17371355 ----a-w- c:\documents and settings\All Users\SPL15.tmp

2010-09-13 22:44 . 2010-09-13 22:44 17371355 ----a-w- c:\documents and settings\All Users\SPL14.tmp

2010-09-13 20:27 . 2010-09-13 20:27 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys

2010-09-12 21:24 . 2010-09-12 21:24 17371355 ----a-w- c:\documents and settings\All Users\SPL19.tmp

2007-07-15 05:49 . 2007-07-22 12:39 66408 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2007-07-15 05:49 . 2007-07-22 12:39 54112 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2007-07-15 05:49 . 2007-07-22 12:39 34688 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2007-07-15 05:49 . 2007-07-22 12:39 46456 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2007-07-15 05:49 . 2007-07-22 12:39 171880 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-17 68856]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-18 2424560]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]

"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe" [2007-12-14 44032]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-18 282624]

"dldtmon.exe"="c:\program files\Dell V305\dldtmon.exe" [2008-06-24 668912]

"dldtamon"="c:\program files\Dell V305\dldtamon.exe" [2008-06-24 16624]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SWHelper"="c:\windows\system32\Macromed\Shockwave 8\PostUpdate.exe" [2010-11-20 53248]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk

backup=c:\windows\pss\Camio Viewer 2000.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DESKTOP.INI]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI

backup=c:\windows\pss\DESKTOP.INICommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk

backup=c:\windows\pss\Event Reminder.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk

backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Ian^Start Menu^Programs^Startup^DESKTOP.INI]

path=c:\documents and settings\Ian\Start Menu\Programs\Startup\DESKTOP.INI

backup=c:\windows\pss\DESKTOP.INIStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]

TCAUDIAG -off [X]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Detector]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTouch]

2001-09-05 19:28 163840 -c--a-w- c:\windows\MMKeybd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2004-10-13 21:04 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-08-18 05:46 282624 ----a-w- c:\program files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2004-12-20 18:41 33792 ----a-w- c:\program files\Winamp\winampa.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]

2005-07-15 21:48 479232 ----a-w- c:\program files\Google\Gmail Notifier\gnotify.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldtjswx.exe"=

"c:\\Program Files\\Dell V305\\dldtlscn.exe"=

"c:\\Program Files\\Dell V305\\Wireless\\dldtwpss.exe"=

"c:\\WINDOWS\\SYSTEM32\\dldtcoms.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldtpswx.exe"=

"c:\\Program Files\\Dell V305\\dldtmon.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldttime.exe"=

 

R0 AVGIDSEH;AVGIDSEH;c:\windows\SYSTEM32\DRIVERS\AVGIDSEH.sys [9/13/2010 3:27 PM 25680]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]

R2 tcaicchg;tcaicchg;c:\windows\SYSTEM32\TCAICCHG.SYS [4/5/2002 12:11 AM 21233]

R2 TCAITDI;TCAITDI Protocol;c:\windows\SYSTEM32\DRIVERS\TCAITDI.SYS [4/5/2002 12:11 AM 19534]

S2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\dldtserv.exe [2/25/2008 11:38 AM 99568]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 11:49 PM 135664]

S2 PPPoEService;PPPoE Service;c:\progra~1\JACKFL~1\JACKFL~1\app\pppoeservice.exe [4/18/2002 9:09 PM 49152]

S3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;c:\windows\SYSTEM32\DRIVERS\ntspppoe.sys [4/18/2002 9:09 PM 161512]

.

Contents of the 'Scheduled Tasks' folder

 

2010-11-27 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-14 03:49]

 

2010-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 04:49]

 

2010-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 04:49]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://frontier.my.yahoo.com/

mSearch Bar = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\mnarkav6.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

 

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe

HKLM-Run-lxccmon.exe - c:\program files\Lexmark 3300 Series\lxccmon.exe

MSConfigStartUp-AdaptecDirectCD - c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe

MSConfigStartUp-FaxCenterServer - c:\program files\Lexmark Fax Solutions\fm3032.exe

MSConfigStartUp-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe

MSConfigStartUp-MMTray - c:\program files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

MSConfigStartUp-P2P Networking - c:\windows\System32\P2P Networking\P2P Networking.exe

MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe

MSConfigStartUp-Weather - c:\progra~1\AWS\WEATHE~1\Weather.exe

AddRemove-Windows SR 2.0 - c:\windows\UnstSA2.exe

AddRemove-Works2002Setup - c:\program files\Microsoft Works Suite 2002\Setup\Launcher.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-26 22:43

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(484)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

Completion time: 2010-11-26 22:47:26

ComboFix-quarantined-files.txt 2010-11-27 03:47

ComboFix2.txt 2007-10-28 23:04

 

Pre-Run: 17,257,914,368 bytes free

Post-Run: 17,935,990,784 bytes free

 

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

 

- - End Of File - - 1692A574094014F2A351F6578EA3BBB9


Hello mackie

 

There is no need to quote my replies, just click on the "Add Reply" button when you want to respond :)

 

Thank you for the log.

 

Running from: c:\documents and settings\Dad\My Documents\ComboFix.exe

It is very important that ComboFix is saved directly to your desktop in order to run correctly.

 

Please delete this copy of ComboFix by dragging it to your Recycle Bin. Once it is there empty the bin, then download a fresh copy to your desktop. Please allow it to run and post the log created.


So sorry. I think I have it this time.

ComboFix 10-11-27.01 - Dad 11/27/2010 17:05:26.5.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.423 [GMT -5:00]

Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe

FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

 

((((((((((((((((((((((((( Files Created from 2010-10-27 to 2010-11-27 )))))))))))))))))))))))))))))))

.

 

2010-11-27 21:58 . 2010-11-27 21:58 -------- d-----w- c:\windows\LastGood

2010-11-19 04:08 . 2010-11-19 04:08 388096 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-22 03:56 . 2010-10-22 03:56 1409 ----a-w- c:\windows\QTFont.for

2010-10-22 02:21 . 2010-10-22 02:21 138216 ----a-w- c:\documents and settings\All Users\SPL98.tmp

2010-09-26 02:05 . 2010-09-26 02:05 17371355 ----a-w- c:\documents and settings\All Users\SPL22.tmp

2010-09-25 17:13 . 2010-09-25 17:13 17371355 ----a-w- c:\documents and settings\All Users\SPL21.tmp

2010-09-24 12:17 . 2010-09-24 12:17 832973 ----a-w- c:\documents and settings\All Users\SPL20.tmp

2010-09-23 13:55 . 2010-09-23 13:55 832973 ----a-w- c:\documents and settings\All Users\SPL1F.tmp

2010-09-23 11:31 . 2010-09-23 11:31 832962 ----a-w- c:\documents and settings\All Users\SPL1E.tmp

2010-09-22 14:24 . 2010-09-22 14:24 832962 ----a-w- c:\documents and settings\All Users\SPL1D.tmp

2010-09-21 11:01 . 2010-09-21 11:01 683008 ----a-w- c:\documents and settings\All Users\SPL1C.tmp

2010-09-19 16:25 . 2010-09-19 16:25 683008 ----a-w- c:\documents and settings\All Users\SPL1B.tmp

2010-09-18 14:35 . 2010-09-18 14:35 246694 ----a-w- c:\documents and settings\All Users\SPL1A.tmp

2010-09-18 02:54 . 2010-09-18 02:54 246694 ----a-w- c:\documents and settings\All Users\SPL18.tmp

2010-09-17 11:27 . 2010-09-17 11:27 246683 ----a-w- c:\documents and settings\All Users\SPL17.tmp

2010-09-17 01:23 . 2010-09-17 01:23 246683 ----a-w- c:\documents and settings\All Users\SPL16.tmp

2010-09-16 13:53 . 2010-09-16 13:53 17371355 ----a-w- c:\documents and settings\All Users\SPL15.tmp

2010-09-13 22:44 . 2010-09-13 22:44 17371355 ----a-w- c:\documents and settings\All Users\SPL14.tmp

2010-09-13 20:27 . 2010-09-13 20:27 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys

2010-09-12 21:24 . 2010-09-12 21:24 17371355 ----a-w- c:\documents and settings\All Users\SPL19.tmp

2007-07-15 05:49 . 2007-07-22 12:39 66408 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2007-07-15 05:49 . 2007-07-22 12:39 54112 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2007-07-15 05:49 . 2007-07-22 12:39 34688 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2007-07-15 05:49 . 2007-07-22 12:39 46456 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2007-07-15 05:49 . 2007-07-22 12:39 171880 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

 

((((((((((((((((((((((((((((( SnapShot@2010-11-27_03.43.41 )))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-17 68856]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-18 2424560]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]

"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe" [2007-12-14 44032]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-18 282624]

"dldtmon.exe"="c:\program files\Dell V305\dldtmon.exe" [2008-06-24 668912]

"dldtamon"="c:\program files\Dell V305\dldtamon.exe" [2008-06-24 16624]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SWHelper"="c:\windows\system32\Macromed\Shockwave 8\PostUpdate.exe" [2010-11-20 53248]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk

backup=c:\windows\pss\Camio Viewer 2000.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DESKTOP.INI]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI

backup=c:\windows\pss\DESKTOP.INICommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk

backup=c:\windows\pss\Event Reminder.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk

backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Ian^Start Menu^Programs^Startup^DESKTOP.INI]

path=c:\documents and settings\Ian\Start Menu\Programs\Startup\DESKTOP.INI

backup=c:\windows\pss\DESKTOP.INIStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]

TCAUDIAG -off [X]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Detector]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTouch]

2001-09-05 19:28 163840 -c--a-w- c:\windows\MMKeybd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2004-10-13 21:04 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-08-18 05:46 282624 ----a-w- c:\program files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2004-12-20 18:41 33792 ----a-w- c:\program files\Winamp\winampa.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]

2005-07-15 21:48 479232 ----a-w- c:\program files\Google\Gmail Notifier\gnotify.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldtjswx.exe"=

"c:\\Program Files\\Dell V305\\dldtlscn.exe"=

"c:\\Program Files\\Dell V305\\Wireless\\dldtwpss.exe"=

"c:\\WINDOWS\\SYSTEM32\\dldtcoms.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldtpswx.exe"=

"c:\\Program Files\\Dell V305\\dldtmon.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldttime.exe"=

 

R0 AVGIDSEH;AVGIDSEH;c:\windows\SYSTEM32\DRIVERS\AVGIDSEH.sys [9/13/2010 3:27 PM 25680]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]

R2 tcaicchg;tcaicchg;c:\windows\SYSTEM32\TCAICCHG.SYS [4/5/2002 12:11 AM 21233]

R2 TCAITDI;TCAITDI Protocol;c:\windows\SYSTEM32\DRIVERS\TCAITDI.SYS [4/5/2002 12:11 AM 19534]

S2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\dldtserv.exe [2/25/2008 11:38 AM 99568]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 11:49 PM 135664]

S2 PPPoEService;PPPoE Service;c:\progra~1\JACKFL~1\JACKFL~1\app\pppoeservice.exe [4/18/2002 9:09 PM 49152]

S3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;c:\windows\SYSTEM32\DRIVERS\ntspppoe.sys [4/18/2002 9:09 PM 161512]

.

Contents of the 'Scheduled Tasks' folder

 

2010-11-27 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-14 03:49]

 

2010-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 04:49]

 

2010-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 04:49]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://frontier.my.yahoo.com/

mSearch Bar = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\mnarkav6.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-27 17:12

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(480)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

- - - - - - - > 'explorer.exe'(3772)

c:\windows\system32\SSSensor.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2010-11-27 17:16:38

ComboFix-quarantined-files.txt 2010-11-27 22:16

ComboFix2.txt 2010-11-27 03:47

ComboFix3.txt 2007-10-28 23:04

 

Pre-Run: 17,895,731,200 bytes free

Post-Run: 17,876,426,752 bytes free

 

- - End Of File - - 9F11D972E8C819AD48CD4738D04852B1


Hello mackie

 

Thank you for the log :)

 

Please do the following:

 

 

  • Please download OTM

    • Please download OTM by OldTimer by clicking here.
    • Save the file (called OTM.exe) to your desktop.
    • Double click on the OTM.exe icon to run the program. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes 
    explorer.exe
    
    :Files
    c:\documents and settings\All Users\SPL98.tmp
    c:\documents and settings\All Users\SPL22.tmp
    c:\documents and settings\All Users\SPL21.tmp
    c:\documents and settings\All Users\SPL20.tmp
    c:\documents and settings\All Users\SPL1F.tmp
    c:\documents and settings\All Users\SPL1E.tmp
    c:\documents and settings\All Users\SPL1D.tmp
    c:\documents and settings\All Users\SPL1C.tmp
    c:\documents and settings\All Users\SPL1B.tmp
    c:\documents and settings\All Users\SPL1A.tmp
    c:\documents and settings\All Users\SPL18.tmp
    c:\documents and settings\All Users\SPL17.tmp
    c:\documents and settings\All Users\SPL16.tmp
    c:\documents and settings\All Users\SPL15.tmp
    c:\documents and settings\All Users\SPL14.tmp
    c:\documents and settings\All Users\SPL19.tmp
    
    :Commands
    [Purity]
    [EmptyTemp]
    [Emptyflash]
    [Start Explorer]
    [Reboot]
    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM.
    • Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File -> Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  • MalwareBytes AntiMalware:

    • I can see that you have MBAM installed.
    • Double click on your MalwareBytes AntiMalware icon to launch the program.
    • Click on the "Update" tab and then on "Check for Updates".
    • The program will now install the latest Malware definition files.
    • Once complete, click on the "Scanner" tab, select "Perform Quick Scan" and then click on "Scan".
    • Once the program has scanned your computer, a log file will be created in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
    • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
    • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
    • Come back here to this thread and Paste the log in your next reply.

  • Please update your Java

    • Click on "Start", then on "Control Panel".
    • Go to "Add or Remove Programs" and uninstall any previous versions of Java that you find (Java™ 6 Update 3).
    • Reboot your computer.
    • Next, download the latest version of Java by clicking here
    • Scroll down the page until you reach "Java Platform Standard Edition".
    • Beneath this and to the right, you will see a button marked "Download JRE".
    • Click the "Download JRE" button.
    • Select the platform (Windows, in your case), multi language.
    • Accept the license agreement and click on "Continue".
    • You do not have to register if you do not want to (the registration step is optional).
    • Scroll down and click on the file called jre-6u22-windows-i586.exe located under "Windows Offline Installation".
    • Save the file to your desktop.
    • Do not select Run.
    • Double click on the saved file (jre-6u22-windows-i586.exe) to install the update.
    • Delete the downloaded installation file after completing the above procedure and reboot your system if not prompted to do so.

    Please post the MBAM log in your next reply and let me know how your machine is running now :)


OTM log:

 

All processes killed

========== PROCESSES ==========

No active process named explorer.exe was found!

========== FILES ==========

File/Folder c:\documents and settings\All Users\SPL98.tmp not found.

File/Folder c:\documents and settings\All Users\SPL22.tmp not found.

File/Folder c:\documents and settings\All Users\SPL21.tmp not found.

File/Folder c:\documents and settings\All Users\SPL20.tmp not found.

File/Folder c:\documents and settings\All Users\SPL1F.tmp not found.

File/Folder c:\documents and settings\All Users\SPL1E.tmp not found.

File/Folder c:\documents and settings\All Users\SPL1D.tmp not found.

File/Folder c:\documents and settings\All Users\SPL1C.tmp not found.

File/Folder c:\documents and settings\All Users\SPL1B.tmp not found.

File/Folder c:\documents and settings\All Users\SPL1A.tmp not found.

File/Folder c:\documents and settings\All Users\SPL18.tmp not found.

File/Folder c:\documents and settings\All Users\SPL17.tmp not found.

File/Folder c:\documents and settings\All Users\SPL16.tmp not found.

File/Folder c:\documents and settings\All Users\SPL15.tmp not found.

File/Folder c:\documents and settings\All Users\SPL14.tmp not found.

File/Folder c:\documents and settings\All Users\SPL19.tmp not found.

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 120245 bytes

 

User: All Users

 

User: Dad

->Temp folder emptied: 519916 bytes

->Temporary Internet Files folder emptied: 4035080 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 0 bytes

->Flash cache emptied: 434 bytes

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 0 bytes

 

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

 

User: Owner

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 664 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 0 bytes

 

Total Files Cleaned = 4.00 mb

 

 

OTM by OldTimer - Version 3.1.17.2 log created on 12012010_104124

 

Files moved on Reboot...

 

Registry entries deleted on Reboot...

 

MBAM log:

 

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

 

Database version: 5214

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

12/1/2010 11:08:41 AM

mbam-log-2010-12-01 (11-08-41).txt

 

Scan type: Quick scan

Objects scanned: 149736

Time elapsed: 4 minute(s), 24 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6685509E-B47B-4F47-8E16-9A5F3A62F683} (Adware.EBates) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)


Hello mackie

 

Thank you for the log.

 

Please do the following:

 

 

  • Please run the following scan

  • Note: You will need to use Internet Explorer for this scan.
  • Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
  • Please disable your real time security programs before performing the scan.

 

  • Scan your system with Eset Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use.
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
  • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the [image] icon on your desktop.

  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the "Start" button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

Please post the ESET log in your next reply and let me know how your machine is running now.

 

 


ESET scan complete. My computer seems faster. However, as I'm still running without AV protection and with the firewall disabled, I haven't ventured any browsing to see if the redirecting issue is resolved.

 

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir Win32/Olmarik.ZC trojan cleaned - quarantined

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000033.sys Win32/Olmarik.ZC trojan cleaned - quarantined


Hello mackie

 

Thank you for the log.

 

The items detected by ESET were located in ComboFix quarantine and an infected Restore point.

 

  • Please create a new System Restore point

  • Click on "Start" > "All Programs" > "Accessories" > "System tools" > "System Restore".
  • In the dialogue box that appears select "Create a Restore Point".
  • Click "Next".
  • Enter a name (e.g. today's date).
  • Click "Create".

Please re-engage your resident security and let me know how your system is running now.

 


Hello mackie

 

Shall I continue with these or do you have recco's?

There is nothing wrong with the products you have (I try not to recommend one product over another) but there are other good programs available (Sygate FW is actually on my list):

 

 

 

  • For a free Firewall try one of the following:
  • Comodo Personal Firewall
  • NOTE: If you use a Third Party AntiVirus, make sure you uncheck the option to install Comodo AntiVirus when you install Comodo Firewall.

 

  • IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system.

Once you have installed an AV and FW, update the AV definition files and run a full system scan then let me know how the machine is running :)

 


OK JonTom,

I've loaded Avira as my AV and kept Sygate. Before I commence browsing in earnest I'd like to be sure I don't have programs working at cross purposes. Please tell me which, of the now many, programs I should remove/uninstall.

GMER, OTM, ESET, COMBOFIX, and from my SecurityTango cleaning attempt, I have SuperAntiSpyware, MalwareBytes, Stinger and CWShredder.


Hi mackie,

 

JonTom is away from the forums for a few days and asked if I would finish this with you.

 

Everything looks good so we will clean up the tools. The ESET detections will be taken care of as part of the tools removal.

 

Please note that some of these tools have their own unique method for removal. Please follow the steps as posted.

 

From your desktop, please delete, if present

  • any notepads/logs that were created
  • GMER (10z4c3wy[1].exe)

You can also delete these programs from wherever you saved them to.

  • CWShredder
  • Stinger

I suggest you keep MBAM. Keep it updated and use it regularly.

 

SuperAntiSpyware, your choice, it's a decent on demand scanner. If you would rather not have it you can uninstall it via add/remove programs.

 

ESET can be uninstalled via ADD/Remove programs.

 

 

Next

 

Click the Start button, click Run. Copy and paste the following line into the run box and click OK

 

Combofix /uninstall

 

 

Open OTM then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

 

 

Updates and upgrades

 

You have an older version of Adobe Reader. You can download the current version HERE

 

You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

 

Visit their support forum

Foxit Forum

 

In either case you should uninstall Adobe Reader 7.1.0 first. Be sure to move any PDF documents to another folder first though.

 

 

Some Recommendations and prevention tips

 

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. You have most of them.

 

For resident antispyware I suggest either

 

Windows Defender

OR

Winpatrol

 

 

You should also use Spyware Blaster to help immunize your computer.

 

- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

 

OR

 

A guide to understanding and using the hosts file.

 

Learn how your Hosts file can protect you and how you can protect it.

Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.

HOSTS

 

Please read the info on disabling the DNS Client before installing a custom hosts file.

 

 

- Secure your Internet Explorer

 

From within Internet Explorer click on the Tools menu and then click on Options.

  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next, press the Apply button and then OK to exit the Internet Properties page.

 

- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.

 

- Make sure Automatic Updates is set to your chosen option. Click your Start button > Control Panel > System

 

 

- Keep your antivirus program updated, as well as any other security programs you have.

 

 

- More tips and programs can be found HERE

 

 

- You may also want to read this article by Tony Klein

http://www.freedomlist.com/forum/viewtopic.php?t=22879

 

Please post back if you have any problems.

 

Take care
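The hosts-file guide linked above matters here because a "redirecting" infection of the kind this thread started with very often works by planting entries in C:\WINDOWS\system32\drivers\etc\hosts. The script below is an added example (not part of oldman960's post or of the linked guide): it parses a hosts file the way Windows reads it and flags names that are sent somewhere other than a loopback/blackhole address, plus security-vendor names that have been blackholed (a trick used to stop scanners updating). The WATCHLIST of domains and the sample hosts text are constructed for the example; the 203.0.113.5 address is from the TEST-NET-3 documentation range.

```python
"""Audit a Windows hosts file for redirect-style tampering.

Added example, not from the original thread. Assumptions: the BLACKHOLE
addresses and the WATCHLIST of domains are chosen here for illustration;
SAMPLE_HOSTS is constructed, not taken from the poster's machine.
"""
import ipaddress
from collections import defaultdict

# Addresses that "block" a name rather than redirect it; a legitimate
# blocking hosts list (like the one the linked guide recommends) uses these.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Domains a search/update redirector typically tampers with (assumed list).
WATCHLIST = {
    "google.com", "www.google.com", "www.bing.com", "search.yahoo.com",
    "windowsupdate.microsoft.com", "update.microsoft.com",
    "www.malwarebytes.org", "free.avg.com",
}

# Constructed sample: one normal ad-blocking entry, one entry that blocks a
# security vendor, and two that send search traffic to a foreign address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# blocking list entries
127.0.0.1       ad.doubleclick.net
0.0.0.0         www.malwarebytes.org
# entries a redirector would plant
203.0.113.5     www.google.com   google.com
"""


def parse_hosts(text):
    """Return [(ip, hostname, line_no)] for every mapping in hosts-file text.

    Blank lines and '#' comments are skipped; one address may be followed by
    several names, as Windows allows. Lines whose first field is not a valid
    IP address are skipped.
    """
    mappings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            mappings.append((fields[0], name.lower(), line_no))
    return mappings


def audit_hosts(text):
    """Classify suspicious mappings.

    Returns a dict with the total mapping count, the number of blackhole
    (blocking) entries other than localhost, and a list of findings as
    (kind, line_no, name, ip):
      HIJACK   - a watch-listed domain sent to a non-blackhole address
      REDIRECT - any other name sent to a non-blackhole address
      BLOCKED  - a watch-listed domain (e.g. a security vendor) blackholed
      CONFLICT - the same name mapped to more than one address
    """
    mappings = parse_hosts(text)
    findings = []
    by_name = defaultdict(set)
    blocked = 0
    for ip, name, line_no in mappings:
        by_name[name].add(ip)
        if ip in BLACKHOLE:
            if name != "localhost":
                blocked += 1
            if name in WATCHLIST:
                findings.append(("BLOCKED", line_no, name, ip))
        else:
            kind = "HIJACK" if name in WATCHLIST else "REDIRECT"
            findings.append((kind, line_no, name, ip))
    for name, ips in sorted(by_name.items()):
        if len(ips) > 1:
            findings.append(("CONFLICT", 0, name, ",".join(sorted(ips))))
    return {"mappings": len(mappings), "blocked": blocked, "findings": findings}


if __name__ == "__main__":
    # On the real machine: open(r"C:\WINDOWS\system32\drivers\etc\hosts").read()
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{report['mappings']} mappings, {report['blocked']} blocking entries")
    for kind, line_no, name, ip in report["findings"]:
        print(f"{kind:8} line {line_no}: {name} -> {ip}")
```

The "blocked" count is also the number to look at before installing a large custom hosts file: the DNS Client service caches the whole file, which is why the guide tells you to disable that service first when the list runs to tens of thousands of entries.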

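The Internet Explorer hardening steps above are GUI clicks on the Internet zone; each of those six settings is a DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, encoded 0 = Enable, 1 = Prompt, 3 = Disable. The script below is an added example (not part of the post) that does the same job in a repeatable way: it writes a .reg file that applies the settings, and it audits a "reg export" of that key to show which settings still differ, which is also a quick way to notice when something has quietly loosened them again. The sample export text is constructed; the value names and encoding are Microsoft's documented zone settings.

```python
"""Apply and verify the Internet-zone hardening from the post via the registry.

Added example, not from the original thread. The value names (1001, 1004,
...) and the 0 = Enable / 1 = Prompt / 3 = Disable encoding are the documented
Internet Explorer zone settings; SAMPLE_EXPORT below is constructed.
"""
import re

ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")   # zone 3 = Internet

ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# The six settings the post changes, with the label IE shows for each.
HARDENING = {
    "1001": (PROMPT,  "Download signed ActiveX controls"),
    "1004": (DISABLE, "Download unsigned ActiveX controls"),
    "1201": (DISABLE, "Initialize and script ActiveX controls not marked as safe"),
    "1800": (PROMPT,  "Installation of desktop items"),
    "1804": (PROMPT,  "Launching programs and files in an IFRAME"),
    "1607": (PROMPT,  "Navigate sub-frames across different domains"),
}


def build_reg_file():
    """Return .reg text that sets every HARDENING value; import it with regedit."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for value, (level, _label) in HARDENING.items():
        lines.append(f'"{value}"=dword:{level:08x}')
    return "\n".join(lines) + "\n"


def parse_reg_export(text):
    """Map value name -> int for the DWORD lines of a 'reg export' of ZONE3_KEY.

    reg.exe writes the export as UTF-16; read the file with encoding='utf-16'.
    Only the Zones\\3 section is read; values under other keys are ignored.
    """
    values = {}
    in_zone3 = False
    for line in text.splitlines():
        if line.startswith("["):
            in_zone3 = line.strip("[]").lower() == ZONE3_KEY.lower()
            continue
        if not in_zone3:
            continue
        m = re.match(r'"(\w+)"=dword:([0-9a-fA-F]{8})', line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_zone3(export_text):
    """Return [(value, label, current, wanted)] for settings that differ.

    A value missing from the export is reported with current=None: treat it
    as unverified rather than assuming the GUI default is the wanted one.
    """
    current = parse_reg_export(export_text)
    gaps = []
    for value, (wanted, label) in HARDENING.items():
        have = current.get(value)
        if have != wanted:
            gaps.append((value, label, have, wanted))
    return gaps


# Constructed sample export: 1004 has been loosened to Enable, 1607 and 1804
# are set to Enable, and 1800 is absent; 1400 (Active scripting) is just noise.
SAMPLE_EXPORT = f"""Windows Registry Editor Version 5.00

[{ZONE3_KEY}]
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000000
"1607"=dword:00000000
"1804"=dword:00000000
"""

if __name__ == "__main__":
    # On the machine: reg export "HKCU\...\Internet Settings\Zones\3" zone3.reg
    # then pass open("zone3.reg", encoding="utf-16").read() to audit_zone3().
    for value, label, have, wanted in audit_zone3(SAMPLE_EXPORT):
        print(f"{value} {label}: {LEVEL_NAMES.get(have, 'not set')} -> {LEVEL_NAMES[wanted]}")
    print(build_reg_file())
```

One caveat when reading the audit: if an administrator or policy has set Security_HKLM_only under HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, IE takes its zone settings from HKLM instead of the per-user key, so the HKCU export would not reflect what the browser actually enforces.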

Thanks Oldman960 for taking over.

I believe I've completed my assigned homework. Along with my new Adobe X, McAfee Security Scan Plus was downloaded. Do I want/need this program?


My computer seems to be well sorted out and running nicely. Thanks so very much to JonTom and oldman960 for taking the time and patience to help me through this and to the forum for providing the venue.


You are Very Welcome mackie, glad we could help. I would also like to pass on my most sincere thanks to oldman960 for picking up the thread when I had to leave :b33r:

 

As your problems appear to be resolved this thread is now closed.

 

Have a great Christmas

 

JonTom

This topic is now closed to further replies.