November 19th, 2009 09:00

Both Firefox and IE8 open tabs to random websites

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:38 AM, on 11/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\AnVir Task Manager\AnVir.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AnVir Task Manager] "C:\Program Files\AnVir Task Manager\AnVir.exe" Minimized
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201636395109
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5829 bytes

 

About two weeks ago, after updating Firefox to version 3.5.5 (or 3.5.4), I noticed that when doing a search in Google and clicking on a link, FF would open up several tabs to seemingly random websites (one common one was lightseek.biz, although that doesn't occur anymore).

I was running AVG antivirus with ZoneAlarm firewall (free versions). I ran a full AVG antivirus scan and found nothing. Then I ran a full Malwarebytes' Anti-Malware scan. Nothing. I then ran Ad-Aware. Nothing. Then I ran Spybot Search and Destroy. Nothing. Then I ran SUPERAntiSpyware with no results. I went to Windows Live OneCare Safety Scanner, and that found nothing.

So I uninstalled AVG Antivirus and installed Avira AntiVir Personal Antivirus. I ran a full system scan. Nothing. I downloaded SpywareBlaster. I don't remember what happened (nothing useful).

Finally, at the end of my rope, I uninstalled (using Revo Uninstaller) Skype, which had given me problems with my AdBlocker Plus add-on to Firefox (Skype allowed ads to run in my FF browser even though AdBlocker had suppressed them before Skype was installed). I rebooted. My home page on Firefox had changed. So I've done everything that I know how to do. Now I've come here hoping for a fairytale ending.

Thanks in advance,

Paul

20.5K Posts

November 19th, 2009 09:00

Hi Paul,

I don't know about a "fairytale ending" but I'll try my best to figure out what's going on.

I am reviewing your log. In the meantime, you can help me by addressing the following:

* Have you posted this issue on another forum? If so, please provide a link to the topic.

* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE.

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counterproductive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE.

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved.

* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

I look forward to your reply so we can begin cleaning.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a log at the top of this board to start a new forum topic.

 

 

20.5K Posts

November 19th, 2009 10:00

Let's see what we can find.

First, please disable Teatimer so it does not block our tools or interfere with cleaning.

To disable TeaTimer:
Go to Start > Run. Type Msconfig > OK. On the window that opens, go to the Startup tab and UNcheck the entry for TeaTimer until this is over...
1. Open Spybot
2. Click Mode > Advanced Mode
3. Click Yes
4. Click Tools (located in the bottom left corner) > Resident
5. Uncheck 'Resident "TeaTimer" (Protection of over-all system settings) active'
6. Then close Spybot.
Reboot.
Verify that TeaTimer is not running.
After ALL cleaning of your system has been completed and we have confirmed that your computer is clean, reverse these steps and re-enable the protection applets for TeaTimer.


We need to see some additional information about what is happening in your machine.

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • Click Yes at the prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

  • Save both reports to your desktop.
  • Copy/paste both logs to your reply on the forum.
  • Close the program window, and delete the program from your desktop.
  • Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.

     

60 Posts

November 19th, 2009 10:00

Hi Bugbatter,

In your order:

1) I have not posted this issue on another forum. I did as instructed with the HijackThis and the BitDefender website. I don't know if that's a post or not. I didn't see anything.

2) I did not disable System Restore. I also did an external back-up using Acronis True Image, but I don't remember if that was before or after this problem started. Even if it was before this problem started, I don't know how to prevent it from happening again because I don't know how I got it in the first place. I don't use BitTorrent or LimeWire or any stolen software. I find free versions (like OpenOffice and Octave) of what I want, and buy the rest (Acronis True Image, Ricochet Lost Worlds Recharged). I do play a flash based game in my browser called Boxhead where I shoot zombies (to let off steam).

3) I don't have or use any cracked software. I have downloaded songs of albums that are long out of print (never made it to CD). These are usually MP3s or are in RAR archives. Not sure if this changes anything.

4) I don't have or use any P2P software. (Against my sense of fairness.)

5) This is my computer. I am the only user.

6) I will copy instructions to Notepad and I will follow your instructions on software use/installation/re-installation etc.

7) I won't use the computer for anything except for your instructions (no surfing, etc) until officially clean.

8) Okay on the fact that my anti-virus (or whatever program) may think something is bad when I am following your instructions in a good manner.

Let's begin cleaning. :-)

60 Posts

November 19th, 2009 21:00

Hi Bugbatter,

First, DDS.txt


DDS (Ver_09-10-26.01) - NTFSx86  
Run by Paul at 23:56:12.96 on Thu 11/19/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1918.1480 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated)   {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled*   {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AnVir Task Manager\AnVir.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Paul\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AnVir Task Manager] "c:\program files\anvir task manager\AnVir.exe" Minimized
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PMX Daemon] ICO.EXE
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201636395109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\gyydsbit.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\paul\application data\mozilla\firefox\profiles\gyydsbit.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - plugin: c:\documents and settings\paul\application data\mozilla\firefox\profiles\gyydsbit.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\paul\application data\mozilla\firefox\profiles\gyydsbit.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npigl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-13 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-11 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-11 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-17 108289]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-12 12672]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-4 14336]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-11 7408]
S4 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-5-9 319488]

=============== Created Last 30 ================

2009-11-19 05:02:10    0    d-----w-    c:\docume~1\paul\applic~1\QuickScan
2009-11-18 01:59:01    55656    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2009-11-18 01:58:58    0    d-----w-    c:\program files\Avira
2009-11-18 01:58:58    0    d-----w-    c:\docume~1\alluse~1\applic~1\Avira
2009-11-17 02:21:30    0    d-----w-    c:\program files\common files\Logitech
2009-11-14 07:11:49    118784    ----a-w-    c:\windows\system32\MSSTDFMT.DLL
2009-11-14 07:11:49    0    d-----w-    c:\program files\SpywareBlaster
2009-11-13 23:12:11    0    d-----w-    c:\program files\Trend Micro
2009-11-13 23:00:46    15880    ----a-w-    c:\windows\system32\lsdelete.exe
2009-11-13 22:49:30    64288    ----a-w-    c:\windows\system32\drivers\Lbd.sys
2009-11-13 22:49:17    93360    ----a-w-    c:\windows\system32\drivers\SBREDrv.sys
2009-11-13 22:45:28    0    dc-h--w-    c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-13 22:45:14    0    d-----w-    c:\program files\Lavasoft
2009-11-13 19:48:33    15064    ----a-w-    c:\windows\system32\wuapi.dll.mui
2009-11-13 00:21:18    0    d-----w-    c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-13 00:21:02    0    d-----w-    c:\program files\SUPERAntiSpyware
2009-11-13 00:21:02    0    d-----w-    c:\docume~1\paul\applic~1\SUPERAntiSpyware.com
2009-11-13 00:20:04    0    d-----w-    c:\program files\common files\Wise Installation Wizard
2009-11-11 04:45:02    1885464    ----a-w-    c:\windows\system32\AutoPartNt.exe
2009-11-11 04:45:02    1024    ----a-w-    c:\windows\system32\AutoPartNt.let
2009-11-11 04:20:10    0    d-----w-    c:\windows\system32\NtmsData
2009-11-08 18:06:03    0    d-----w-    c:\docume~1\paul\applic~1\Malwarebytes
2009-11-08 18:05:55    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 18:05:54    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2009-11-08 18:05:54    0    d-----w-    c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-08 18:05:53    0    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2009-11-08 05:31:37    0    d--h--w-    C:\$AVG
2009-11-08 05:28:06    0    d-----w-    c:\docume~1\alluse~1\applic~1\avg9
2009-11-02 21:59:45    66    ----a-w-    C:\browserclean.bat
2009-11-02 21:48:06    0    d-----w-    c:\program files\CCleaner
2009-11-02 14:55:28    0    d-----w-    c:\program files\WinDirStat

==================== Find3M  ====================

2009-11-17 15:36:30    0    ----a-w-    c:\windows\system32\drivers\lvuvc.hs
2009-11-17 15:36:27    0    ----a-w-    c:\windows\system32\drivers\logiflt.iad
2009-09-11 14:18:39    136192    ----a-w-    c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36    58880    ----a-w-    c:\windows\system32\msasn1.dll
2009-08-29 08:08:21    916480    ----a-w-    c:\windows\system32\wininet.dll
2009-08-26 08:00:21    247326    ----a-w-    c:\windows\system32\strmdll.dll
2008-08-18 23:22:40    32768    --sha-w-    c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat

============= FINISH: 23:58:02.96 ===============

--------------------------------------------------------------------------------

And Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 1/29/2008 12:15:51 PM
System Uptime: 11/19/2009 11:44:45 PM (0 hours ago)

Motherboard: Dell Inc. |  | 0WY383
Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-55 | Socket M2/S1G1 | 1795/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 102 GiB total, 83.931 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 6.897 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP56: 12/9/2008 10:29:33 PM - System Checkpoint
RP57: 12/22/2008 1:26:39 PM - Avg8 Update
RP58: 12/22/2008 1:29:10 PM - Software Distribution Service 3.0
RP59: 1/1/2009 6:41:33 PM - System Checkpoint
RP60: 1/27/2009 9:40:49 AM - Software Distribution Service 3.0
RP61: 3/3/2009 11:26:01 AM - Avg8 Update
RP62: 3/3/2009 11:27:15 AM - Avg8 Update
RP63: 3/3/2009 11:38:18 AM - Software Distribution Service 3.0
RP64: 3/3/2009 5:04:47 PM - Software Distribution Service 3.0
RP65: 3/4/2009 9:59:37 AM - Avg8 Update
RP66: 3/7/2009 1:41:00 PM - System Checkpoint
RP67: 3/8/2009 1:56:05 PM - System Checkpoint
RP68: 3/12/2009 7:47:38 AM - Software Distribution Service 3.0
RP69: 3/12/2009 10:31:14 PM - Removed Java(TM) 6 Update 10
RP70: 3/12/2009 10:31:48 PM - Installed Java(TM) 6 Update 12
RP71: 3/13/2009 12:07:14 AM - Installed Java Runtime Environment
RP72: 3/27/2009 9:21:58 AM - Avg8 Update
RP73: 3/27/2009 9:22:45 AM - Avg8 Update
RP74: 4/7/2009 2:20:37 PM - Installed Java(TM) 6 Update 13
RP75: 4/24/2009 5:08:10 PM - Avg8 Update
RP76: 4/24/2009 5:31:30 PM - Software Distribution Service 3.0
RP77: 5/5/2009 1:44:00 AM - Software Distribution Service 3.0
RP78: 5/5/2009 9:20:27 AM - Installed Acronis True Image Home
RP79: 5/5/2009 9:27:23 AM - Avg8 Update
RP80: 5/5/2009 9:28:55 AM - Avg8 Update
RP81: 5/5/2009 11:19:55 AM - Logitech QuickCam v11.50.1145
RP82: 5/16/2009 12:16:21 PM - Avg8 Update
RP83: 5/22/2009 11:34:05 AM - Avg8 Update
RP84: 5/22/2009 11:34:48 AM - Avg8 Update
RP85: 5/22/2009 1:59:32 PM - Software Distribution Service 3.0
RP86: 6/22/2009 9:00:16 AM - Software Distribution Service 3.0
RP87: 6/22/2009 9:15:22 AM - Installed Java(TM) 6 Update 14
RP88: 6/27/2009 10:28:15 AM - Avg8 Update
RP89: 6/27/2009 10:29:31 AM - Avg8 Update
RP90: 7/1/2009 8:04:32 AM - Software Distribution Service 3.0
RP91: 7/16/2009 1:53:56 PM - Software Distribution Service 3.0
RP92: 7/24/2009 10:13:00 AM - Avg8 Update
RP93: 7/24/2009 10:14:30 AM - Avg8 Update
RP94: 7/24/2009 10:22:07 AM - Revo Uninstaller's restore point - GNU Octave 3.0.3
RP95: 7/24/2009 10:35:18 AM - Installed WinZip 12.1
RP96: 7/31/2009 11:48:27 AM - Software Distribution Service 3.0
RP97: 8/5/2009 12:54:37 PM - Installed Java(TM) 6 Update 15
RP98: 9/24/2009 11:54:22 AM - Avg8 Update
RP99: 9/24/2009 11:55:34 AM - Avg8 Update
RP100: 9/24/2009 1:14:17 PM - Software Distribution Service 3.0
RP101: 10/6/2009 4:11:32 PM - Avg8 Update
RP102: 10/6/2009 4:12:40 PM - Avg8 Update
RP103: 10/7/2009 8:31:32 AM - Avg8 Update
RP104: 10/7/2009 9:12:45 AM - Before installing WinRAR cracker.
RP105: 10/7/2009 10:23:44 AM - Removed WinZip 12.1
RP106: 10/14/2009 8:16:14 AM - Software Distribution Service 3.0
RP107: 10/27/2009 10:24:01 PM - Avg8 Update
RP108: 11/4/2009 9:31:37 PM - Avg8 Update
RP109: 11/5/2009 9:05:03 PM - Avg8 Update
RP110: 11/8/2009 12:27:53 AM - Installed AVG Free 9.0
RP111: 11/9/2009 10:00:30 AM - Software Distribution Service 3.0
RP112: 11/10/2009 9:07:39 AM - Avg8 Update
RP113: 11/10/2009 9:08:34 AM - Avg8 Update
RP114: 11/12/2009 9:33:05 AM - Avg8 Update
RP115: 11/12/2009 7:21:01 PM - Installed SUPERAntiSpyware Free Edition
RP116: 11/13/2009 2:49:49 PM - Software Distribution Service 3.0
RP117: 11/13/2009 5:34:25 PM - Cleaned registry with Windows Live OneCare safety scanner
RP118: 11/13/2009 6:00:43 PM - Ad-Aware Checkpoint
RP119: 11/17/2009 8:45:46 PM - Revo Uninstaller's restore point - AVG Free 9.0
RP120: 11/17/2009 8:47:48 PM - Removed AVG Free 9.0
RP121: 11/17/2009 8:50:05 PM - Installed AVG Free 9.0
RP122: 11/17/2009 8:56:13 PM - Avira AntiVir Personal - 11/17/2009 20:56
RP123: 11/19/2009 11:04:12 AM - Revo Uninstaller's restore point - Skype™ 4.0
RP124: 11/19/2009 11:05:16 AM - Removed Skype™ 4.0

==== Installed Programs ======================

Acronis True Image Home
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Download Manager
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player 11
Amazon Games & Software Downloader
Amazon MP3 Downloader 1.0.5
AMD Processor Driver
AnVir Task Manager
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Avira AntiVir Personal - Free Antivirus
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
CCleaner
Conexant HDA D330 MDC V.92 Modem
CPUID HWMonitor 1.14
Critical Update for Windows Media Player 11 (KB959772)
Dell Resource CD
Dell Touchpad
Dell Wireless WLAN Card
Digital Line Detect
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Java(TM) 6 Update 15
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Logitech QuickCam
Logitech QuickCam Driver Package
Logitech Updater
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Modem Diagnostic Tool
Mouse Suite for Laptop Computers
Mozilla Firefox (3.5.5)
MSN
OpenOffice.org 2.3
PrimoPDF
Revo Uninstaller 1.83
Ricochet Lost Worlds Recharged
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SigmaTel Audio
Spybot - Search & Destroy
SpywareBlaster 4.2
SUPERAntiSpyware Free Edition
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VC 9.0 Runtime
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WinDirStat 1.1.2
Windows Driver Package - Ricoh Company (rimsptsk) hdc  (11/14/2006 6.00.01.04)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
ZoneAlarm
ZoneAlarm Spy Blocker

==== Event Viewer Messages From Past Week ========

11/18/2009 10:16:43 PM, error: AmdK8 [2]  - The Acpi 2.0 _PCT object returned an invalid value of 3
11/14/2009 12:59:30 AM, error: Service Control Manager [7034]  - The Acronis Try And Decide Service service terminated unexpectedly.  It has done this 1 time(s).
11/14/2009 12:58:59 AM, error: Service Control Manager [7031]  - The Lavasoft Ad-Aware Service service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
11/14/2009 12:57:51 AM, error: Service Control Manager [7031]  - The Lavasoft Ad-Aware Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
11/14/2009 12:33:20 AM, error: Ftdisk [49]  - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
11/14/2009 12:33:20 AM, error: Ftdisk [45]  - The system could not sucessfully load the crash dump driver.
11/14/2009 1:03:11 AM, error: Service Control Manager [7034]  - The Lavasoft Ad-Aware Service service terminated unexpectedly.  It has done this 3 time(s).

==== End Of File ===========================

I didn't see the note about disabling antivirus protection until after I ran DDS. But I did not get any errors or encounter any problems running DDS.

Should I re-run DDS with Avira disabled?

-Paul

20.5K Posts

November 20th, 2009 04:00

As long as DDS ran, we don't need to do it again right now. However, please disable all security/AV if the instructions ask for that from now on. We will be using some more powerful tools that can have problems if AV's interfere.

Download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a "quick" rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to launch it

  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.

  • When the "quick" scan is finished (a few seconds), save the scan log to the Windows clipboard

  • Open Notepad or a similar text editor

  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V

  • Exit the Program

  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it, please.

  • Now, re-enable the active protection component of any antivirus/antimalware programs you disabled before performing the scan.

60 Posts

November 20th, 2009 06:00

Hi Bugbatter,

I'm not sure if this info is important or not. I left the computer on all night (I set power options so it does not go to sleep). When I saw the computer this morning, I saw the following warning message: "AntiVir Guard: Attention. Detected", "A virus or unwanted program was found", "What should happen with this file?", "C:/Documents and Settings/Paul/Local Settings/.../_CACHE_002_", "Contains recognition pattern of the HTML/Infected WebPage.Gen HTML script virus". It (AntiVir Guard) defaulted to "Deny Access" (options were: Move to quarantine, Delete, Rename, Deny Access, Ignore).

I couldn't get Firefox to run this morning because I got an error that it was still running. I opened Task Manager and tried to kill firefox.exe without success.  Then I opened Anvir Task Manager to try and kill firefox.exe without success.  So I tried running IE8 which immediately took me to the Yellowcom.addresses.com website, even though my startup page is yahoo.com. Clearly bad things are still happening.

So I am typing this to you on my much older Toshiba laptop. I will type "OK" to Antivir Guard to "Deny Access" to the script access.  Then reboot the Dell machine, and follow your latest instructions.

-Paul

60 Posts

November 20th, 2009 07:00

Hi Bugbatter,

I downloaded the GMER rootkit detector to c:/ARK, then proceeded to read about turning off the antivirus. Some window came up very quickly and beeped at me, then was gone. I'm assuming Avira AntiVir thought it was a virus. So I disabled the Avira AntiVir and downloaded the GMER rootkit to C:/ARK2. I ran GMER and got the results in a small window. I didn't know how to send it to the clipboard, so I did a PRNTSCRN of it and went to PAINT and saved it as a JPG image file. Hope this is okay. If not, please tell me how to do it again. I've attached ARK.jpg to this message.

60 Posts

November 20th, 2009 07:00

Hi Bugbatter,

I figured out how to send the GMER output to the clipboard, then paste the clipboard to Notepad, and paste it here. Sorry about that.

GMER 1.0.15.15227 - http://www.gmer.net
Rootkit quick scan 2009-11-20 10:25:00
Windows 5.1.2600 Service Pack 3
Running: iv9ouwin.exe; Driver: C:\DOCUME~1\Paul\LOCALS~1\Temp\kgpcraog.sys


---- Devices - GMER 1.0.15 ----

Device          \Driver\Tcpip \Device\Ip                                 vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device          \Driver\Tcpip \Device\Tcp                                vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device          \Driver\Tcpip \Device\Udp                                vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device          \Driver\Tcpip \Device\RawIp                              vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1                  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device          \Driver\00001432 -> \Driver\atapi \Device\Harddisk0\DR0  8A53550C

---- EOF - GMER 1.0.15 ----

20.5K Posts

November 20th, 2009 13:00

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. If you are still using ZoneAlarm Spy Blocker, don't forget to disable that as well.

Double-click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log for further review.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

* Additional information on A/V control HERE. * ComboFix is not intended for use with servers.

60 Posts

November 23rd, 2009 07:00

Hi Bugbatter, here are the combofix.log and hijackthis.log after following your instructions.

ComboFix 09-11-22.06 - Paul 11/23/2009  9:57.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1918.1568 [GMT -5:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\system32\drivers\1028_DELL_XPS_Vostro   1000 .MRK
c:\windows\system32\drivers\DELL_XPS_Vostro   1000 .MRK
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
(((((((((((((((((((((((((   Files Created from 2009-10-23 to 2009-11-23  )))))))))))))))))))))))))))))))
.

2009-11-23 14:37 . 2009-11-23 14:37    --------    d-----w-    c:\documents and settings\All Users\Application Data\88f32
2009-11-23 14:37 . 2009-11-23 14:37    1944576    ----a-w-    c:\documents and settings\All Users\Application Data\88f32\WSeae.exe
2009-11-23 14:37 . 2009-11-23 14:37    --------    d-sh--w-    c:\windows\system32\config\systemprofile\Application Data\System Defender
2009-11-23 14:37 . 2009-11-23 14:37    --------    d-sh--w-    c:\documents and settings\All Users\Application Data\WSDDSys
2009-11-23 14:37 . 2009-11-23 14:37    --------    d-sh--w-    c:\documents and settings\All Users\a82dc26
2009-11-20 14:54 . 2009-11-20 15:32    --------    d-----w-    C:\ARK2
2009-11-20 14:40 . 2009-11-20 14:43    --------    d-----w-    C:\ARK
2009-11-19 05:02 . 2009-11-19 05:03    --------    d-----w-    c:\documents and settings\Paul\Application Data\QuickScan
2009-11-19 05:02 . 2009-10-29 20:39    679936    ----a-w-    c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\gyydsbit.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2009-11-19 05:02 . 2009-10-29 20:39    614400    ----a-w-    c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\gyydsbit.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2009-11-18 01:59 . 2009-07-28 21:33    55656    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2009-11-18 01:59 . 2009-03-30 15:33    96104    ----a-w-    c:\windows\system32\drivers\avipbb.sys
2009-11-18 01:59 . 2009-02-13 17:29    22360    ----a-w-    c:\windows\system32\drivers\avgntmgr.sys
2009-11-18 01:59 . 2009-02-13 17:17    45416    ----a-w-    c:\windows\system32\drivers\avgntdd.sys
2009-11-18 01:58 . 2009-11-18 01:58    --------    d-----w-    c:\program files\Avira
2009-11-18 01:58 . 2009-11-18 01:58    --------    d-----w-    c:\documents and settings\All Users\Application Data\Avira
2009-11-17 02:21 . 2009-11-17 02:21    --------    d-----w-    c:\program files\Common Files\Logitech
2009-11-17 02:21 . 2009-11-17 02:21    --------    d-----w-    c:\documents and settings\Paul\Local Settings\Application Data\Downloaded Installations
2009-11-14 07:12 . 2009-11-14 07:12    --------    d-----w-    c:\documents and settings\All Users\Application Data\TEMP
2009-11-14 07:11 . 2009-11-14 07:13    --------    d-----w-    c:\program files\SpywareBlaster
2009-11-14 07:11 . 2005-08-26 00:18    118784    ----a-w-    c:\windows\system32\MSSTDFMT.DLL
2009-11-13 23:12 . 2009-11-13 23:12    --------    d-----w-    c:\program files\Trend Micro
2009-11-13 23:00 . 2009-11-13 22:49    15880    ----a-w-    c:\windows\system32\lsdelete.exe
2009-11-13 22:48 . 2009-11-13 22:48    242984    ----a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-11-13 22:48 . 2009-11-13 22:48    5908024    ----a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-13 22:48 . 2009-11-13 22:48    327000    ----a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-13 22:48 . 2009-11-13 22:48    87496    ----a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-13 22:48 . 2009-11-13 22:48    933120    ----a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-13 22:48 . 2009-11-13 22:48    640608    ----a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-13 22:47 . 2009-11-13 22:47    815760    ----a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-13 22:47 . 2009-11-13 22:47    822904    ----a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-13 22:47 . 2009-11-13 22:47    1638104    ----a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-13 22:47 . 2009-11-13 22:47    788368    ----a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-13 22:47 . 2009-11-13 22:47    1179232    ----a-w-    c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-13 22:45 . 2009-11-13 22:45    --------    dc-h--w-    c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-13 22:45 . 2009-10-03 08:15    2924848    -c--a-w-    c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-13 22:45 . 2009-11-13 22:49    --------    d-----w-    c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-13 22:45 . 2009-11-13 22:45    --------    d-----w-    c:\program files\Lavasoft
2009-11-13 20:35 . 2009-11-17 17:03    --------    d-----w-    c:\program files\Windows Live Safety Center
2009-11-13 00:21 . 2009-11-13 00:21    117760    ----a-w-    c:\documents and settings\Paul\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-13 00:21 . 2009-11-13 00:21    --------    d-----w-    c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-13 00:21 . 2009-11-13 00:21    --------    d-----w-    c:\program files\SUPERAntiSpyware
2009-11-13 00:21 . 2009-11-13 00:21    --------    d-----w-    c:\documents and settings\Paul\Application Data\SUPERAntiSpyware.com
2009-11-13 00:20 . 2009-11-13 00:20    --------    d-----w-    c:\program files\Common Files\Wise Installation Wizard
2009-11-12 14:33 . 2009-11-10 14:08    4026136    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 14:33 . 2009-11-10 14:08    2016536    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 14:33 . 2009-11-10 14:08    1257240    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 14:33 . 2009-11-10 14:08    3963672    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 14:33 . 2009-11-08 05:28    496920    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-12 14:33 . 2009-11-08 05:28    600344    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-11 04:45 . 2009-11-11 04:45    1885464    ----a-w-    c:\windows\system32\AutoPartNt.exe
2009-11-11 04:20 . 2009-11-11 04:31    --------    d-----w-    c:\windows\system32\NtmsData
2009-11-10 14:08 . 2009-11-08 05:28    360584    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-10 14:07 . 2009-11-08 05:28    1657112    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-10 14:07 . 2009-11-08 05:28    610072    ----a-w-    c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-08 18:06 . 2009-11-08 18:06    --------    d-----w-    c:\documents and settings\Paul\Application Data\Malwarebytes
2009-11-08 18:05 . 2009-09-10 19:54    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 18:05 . 2009-11-08 18:05    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-08 18:05 . 2009-09-10 19:53    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2009-11-08 18:05 . 2009-11-08 18:06    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2009-11-08 05:31 . 2009-11-18 00:50    --------    d-----w-    C:\$AVG
2009-11-08 05:28 . 2009-11-18 01:49    --------    d-----w-    c:\documents and settings\All Users\Application Data\avg9
2009-11-07 14:45 . 2009-11-07 14:45    --------    d-sh--w-    c:\windows\system32\config\systemprofile\IETldCache
2009-11-07 05:25 . 2009-11-07 05:25    --------    d-sh--w-    c:\documents and settings\LocalService\IETldCache
2009-11-02 21:59 . 2009-11-02 21:59    66    ----a-w-    C:\browserclean.bat
2009-11-02 21:48 . 2009-11-02 21:48    --------    d-----w-    c:\program files\CCleaner
2009-11-02 14:55 . 2009-11-02 14:55    --------    d-----w-    c:\program files\WinDirStat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 14:21 . 2009-05-29 18:39    5089782    ----a-w-    c:\windows\Internet Logs\tvDebug.Zip
2009-11-19 16:21 . 2009-05-05 15:51    --------    d-----w-    c:\documents and settings\All Users\Application Data\Skype
2009-11-18 01:50 . 2008-10-30 12:24    --------    d-----w-    c:\program files\AVG
2009-11-17 15:36 . 2009-05-05 15:22    0    ----a-w-    c:\windows\system32\drivers\lvuvc.hs
2009-11-17 15:36 . 2009-05-05 15:21    0    ----a-w-    c:\windows\system32\drivers\logiflt.iad
2009-11-13 18:59 . 2009-08-12 17:24    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2009-10-28 13:45 . 2009-05-05 15:55    --------    d-----w-    c:\documents and settings\Paul\Application Data\skypePM
2009-10-14 14:09 . 2008-12-05 19:43    --------    d-----w-    c:\program files\AnVir Task Manager
2009-10-07 14:23 . 2009-07-24 14:35    --------    d-----w-    c:\documents and settings\All Users\Application Data\WinZip
2009-09-24 16:34 . 2009-09-24 16:33    --------    d-----w-    c:\documents and settings\All Users\Application Data\NOS
2009-09-24 16:33 . 2009-09-24 16:33    --------    d-----w-    c:\program files\NOS
2009-09-23 12:55 . 2009-11-13 22:49    64288    ----a-w-    c:\windows\system32\drivers\Lbd.sys
2009-09-11 14:18 . 2004-08-04 10:00    136192    ----a-w-    c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 10:00    58880    ----a-w-    c:\windows\system32\msasn1.dll
2009-09-03 15:53 . 2009-09-24 16:33    30912    ----a-w-    c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\gyydsbit.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-09-03 15:53 . 2009-09-24 16:33    22848    ----a-w-    c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\gyydsbit.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-09-03 15:53 . 2009-09-24 16:33    19792    ----a-w-    c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\gyydsbit.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-08-29 08:08 . 2006-03-04 03:33    916480    ----a-w-    c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 10:00    247326    ----a-w-    c:\windows\system32\strmdll.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnVir Task Manager"="c:\program files\AnVir Task Manager\AnVir.exe" [2009-10-13 3102944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"PMX Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2007-03-08 49152]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21    548352    ----a-w-    c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Amazon Download Agent"=2 (0x2)
"AcrSch2Svc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\a82dc26\\WSa82d.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/13/2009 5:49 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [8/12/2009 9:37 AM 12672]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 5:00 AM 14336]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1179232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]
S4 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [5/9/2009 9:37 AM 319488]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/17/2009 8:59 PM 108289]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\gyydsbit.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\gyydsbit.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - plugin: c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\gyydsbit.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\gyydsbit.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-23 10:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'lsass.exe'(1016)
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-11-23 10:09
ComboFix-quarantined-files.txt  2009-11-23 15:09

Pre-Run: 90,291,306,496 bytes free
Post-Run: 90,898,735,104 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - E452C77BF2220B4BE344B8EE6FC6EDAA

------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:19 AM, on 11/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AnVir Task Manager\AnVir.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AnVir Task Manager] "C:\Program Files\AnVir Task Manager\AnVir.exe" Minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201636395109
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5305 bytes

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
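The HijackThis log above is a flat list of one-line entries, and the helper's job is to pull out the handful worth a closer look. The script below is an added example written for this page (it is not part of the thread and not a HijackThis feature): it parses that entry format and applies a few triage rules that a responder would use on a "browser opens tabs by itself" case: Run keys that name a bare executable (found through the PATH search order), binaries outside Program Files/Windows, entries registered with "(no name)", Winlogon Notify DLLs, services whose binary carries no company name, and ActiveX controls fetched from a URL. The embedded sample log is a subset of the lines from the log above; the rules and the TRUSTED_ROOTS list are the example's own assumptions, not anything stated in the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# One entry per line: "O4 - HKLM\..\Run: [name] command", "O23 - Service: Name (svc) - Company - path", ...
ENTRY_RE = re.compile(r'^(?P<kind>[RFO]\d+) - (?P<body>.+)$')
# A path to a binary, rooted at a drive letter or an environment variable such as %ProgramFiles%.
PATH_RE = re.compile(r'(?:[A-Za-z]:|%\w+%)\\[^"\r\n]*?\.(?:exe|dll|cab|ocx)\b', re.IGNORECASE)
URL_RE = re.compile(r'https?://\S+', re.IGNORECASE)

# Assumption for this example: where a stock XP install keeps its binaries. Anything else
# deserves a look; a bare filename is worse, because it is located via the PATH search order.
TRUSTED_ROOTS = (r'c:\program files', r'c:\progra~1', r'c:\windows', r'%programfiles%')


@dataclass
class Entry:
    kind: str
    body: str
    path: str | None = None
    url: str | None = None
    flags: list[str] = field(default_factory=list)


def parse_entry(line: str) -> Entry | None:
    """Split one HijackThis line into its kind, body, binary path and URL (if any)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m['kind'], m['body'])
    if pm := PATH_RE.search(entry.body):
        entry.path = pm.group(0)
    if um := URL_RE.search(entry.body):
        entry.url = um.group(0)
    return entry


def triage(entry: Entry) -> Entry:
    """Attach the reasons an analyst would pull this entry out for a closer look."""
    kind, body, path = entry.kind, entry.body, entry.path
    if kind == 'O4' and path is None:
        name = body.split(']', 1)[-1].strip()
        entry.flags.append(f'bare filename {name!r}: located via the PATH search order')
    if path and not path.lower().startswith(TRUSTED_ROOTS):
        entry.flags.append(f'binary outside Program Files/Windows: {path}')
    if '(no name)' in body:
        entry.flags.append('registered without a display name')
    if kind == 'O20':
        entry.flags.append('Winlogon Notify DLL: loaded into winlogon.exe at every logon')
    if kind == 'O23' and 'Unknown owner' in body:
        entry.flags.append('service binary carries no company name')
    if kind == 'O16' and entry.url:
        entry.flags.append(f'ActiveX control fetched from {urlparse(entry.url).hostname}')
    return entry


def triage_log(text: str) -> list[Entry]:
    """Parse every entry line of a log and return those that picked up at least one flag."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None and triage(entry).flags:
            flagged.append(entry)
    return flagged


# Subset of the HijackThis log posted above (non-entry lines are skipped by the parser).
SAMPLE_LOG = r"""
Running processes:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
End of file - 5305 bytes
"""

if __name__ == '__main__':
    for e in triage_log(SAMPLE_LOG):
        print(f'{e.kind:4} {"; ".join(e.flags)}')
```

Run against the log above it produces a worklist, not a verdict: the two "Unknown owner" services (Acronis, Dell) and the two "(no name)" buttons (Spybot, xpnetdiag) are legitimate once their files are checked, and the bare ICO.EXE in the PMX Daemon Run key is the one entry a responder would resolve by hand to confirm which file actually runs at logon.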

60 Posts

November 24th, 2009 21:00

Hi Bugbatter,  Is my computer now clean? I'm afraid to surf or do anything else with it until you say that the malware is gone. Thanks, Paul

60 Posts

November 24th, 2009 21:00

Hi Bugbatter, Is my computer clean and safe to use now? I just wanted to make sure before I start surfing and using the computer again. Thanks, Paul

60 Posts

December 1st, 2009 07:00

Hi Bugbatter, Thought you might have been gone for long holiday weekend. Is my computer clean and ready to use now? Or are there more steps? Thx - Paul

20.5K Posts

December 1st, 2009 07:00

Sorry I did not get back to you. I had a family emergency.

We have just a bit more to do.

Please run your CCleaner.

** Because CCleaner removes everything in temp folders, if you have anything saved in a temp folder, back it up or move it to a permanent folder prior to running CCleaner.

** We will be cleaning cookies as well. Make a note of any passwords, etc. that you want to save. If you do not want to delete cookies, simply uncheck that option.

1. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

2. Then select the items you wish to clean up. In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

  In the Applications Tab:
  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.

3. Click the "Analyze" button. When the list of files comes up, click the "Run Cleaner" button.

4. A pop up box will appear advising this process will permanently delete files from your system.

5. Click "OK" and it will scan and clean your system.

6. Click "exit" when done. REBOOT.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely requires a specific version of the JRE to run. Please follow these steps to remove older-version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says Java SE Runtime Environment (JRE) 6 Update 17.
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • NOTE: As always during installations, beware of any pre-checked option to install a toolbar. If you do not want it, UNcheck it.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each of the Java versions.
    Close Add/Remove.

  • In Windows Explorer, navigate to C:\Program Files\Java (this folder). Delete any subfolders.
  • Do NOT delete C:\Program Files\JavaVM (this folder), if found!
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

After all that, let me know how things are running. If all is well, we'll flush System Restore and remove ComboFix.
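To illustrate the "remove every older version, keep JavaVM" step in the post above, here is an added Python example (written for this page; it is not Bugbatter's procedure and not a Sun tool): it parses the display names that Add/Remove Programs shows for Sun runtimes into (family, update) pairs, compares them against 6 Update 17, and applies the folder rule (only immediate subfolders of C:\Program Files\Java are candidates, C:\Program Files\JavaVM never is). The list of installed names is constructed for the example, and the name patterns are my reconstruction of Sun's naming over the 1.4 / 5.0 / 6 families, so treat both as assumptions.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# The version the post tells the user to install: JRE 6 Update 17.
TARGET = (6, 17)

# Assumption for this example: Sun changed the Add/Remove Programs name several times.
# Each carries a family number (1.4.x, 5.0, 6) and an update number; the first release
# of a family has no "Update N" suffix.
JRE_NAME_PATTERNS = (
    # "Java(TM) 6 Update 17", "Java(TM) SE Runtime Environment 6 Update 1",
    # "J2SE Runtime Environment 5.0 Update 22"
    re.compile(r'^(?:Java\(TM\)(?: SE)?(?: Runtime Environment)?|J2SE Runtime Environment)'
               r'\s+(?P<family>\d+)(?:\.0)?(?:\s+Update\s+(?P<update>\d+))?$', re.IGNORECASE),
    # "Java 2 Runtime Environment, SE v1.4.2_03" -> family 4, update 3
    re.compile(r'^Java 2 Runtime Environment, SE v1\.(?P<family>\d+)\.\d+(?:_(?P<update>\d+))?$',
               re.IGNORECASE),
)


def parse_jre_name(display_name: str) -> tuple[int, int] | None:
    """Turn an Add/Remove display name into (family, update); None if it is not a Sun JRE."""
    for pattern in JRE_NAME_PATTERNS:
        if m := pattern.match(display_name.strip()):
            return int(m['family']), int(m['update'] or 0)
    return None


def plan_removal(display_names: list[str], target: tuple[int, int] = TARGET) -> dict[str, list[str]]:
    """Sort installed entries into: uninstall (older than target), keep, and not a JRE at all."""
    plan: dict[str, list[str]] = {'remove': [], 'keep': [], 'not_java': []}
    for name in display_names:
        version = parse_jre_name(name)
        if version is None:
            plan['not_java'].append(name)
        elif version < target:
            plan['remove'].append(name)
        else:
            plan['keep'].append(name)
    return plan


JAVA_ROOT = PureWindowsPath(r'C:\Program Files\Java')
JAVAVM = PureWindowsPath(r'C:\Program Files\JavaVM')


def folders_to_delete(paths: list[str]) -> list[str]:
    """Keep only immediate subfolders of the Java folder; never JavaVM and never the root itself."""
    chosen = []
    for p in map(PureWindowsPath, paths):       # case-insensitive comparison, runs on any OS
        if p == JAVAVM or JAVAVM in p.parents:
            continue                             # the post is explicit: this folder stays
        if p.parent == JAVA_ROOT:
            chosen.append(str(p))
    return chosen


# Constructed sample of Add/Remove Programs entries (not taken from the thread).
INSTALLED = [
    'Java(TM) 6 Update 7',
    'Java(TM) SE Runtime Environment 6 Update 1',
    'J2SE Runtime Environment 5.0 Update 22',
    'Java 2 Runtime Environment, SE v1.4.2_03',
    'Java(TM) 6 Update 17',
    'Adobe Reader 9',
]

# Constructed sample of folders found under Program Files (not taken from the thread).
FOUND_FOLDERS = [
    r'C:\Program Files\Java',
    r'C:\Program Files\Java\jre6',
    r'C:\Program Files\Java\jre1.5.0_22',
    r'C:\Program Files\JavaVM',
]

if __name__ == '__main__':
    for bucket, names in plan_removal(INSTALLED).items():
        print(bucket, names)
    print('delete folders:', folders_to_delete(FOUND_FOLDERS))
```

The ordering is a plain tuple comparison, so a 5.0 Update 22 correctly ranks below 6 Update 1 even though 22 > 1; the JDK and the auto-updater entries are deliberately left unmatched, because the post only asks for runtime entries (JRE or J2SE) to be removed.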
