Solved: Help!!

Dantana21
Member with 61 posts.
Join Date: Nov 2009
18-Nov-2009, 07:55 PM #1
Help!!
Have had various problems in the last few weeks ranging from DCOM service launcher failure to Google redirects and believe I have now gotten System Defender. Just ran a Malwarebytes Anti-Malware full scan that found over 700 infected files (WOW!!). I properly deleted them and am ready for the next step.

Here is my logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:09 PM, on 11/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\HOTALBUMMyBOX\MediaChecker.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\All Users\89ee9b1\WS89ee.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dan Gentner\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MBBalloon] C:\Program Files\HOTALBUMMyBOX\MBBalloon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [System Defender] "C:\Documents and Settings\All Users\Application Data\89368\WS72c.exe" /s /d
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O6 "USB001" /M "Stylus C80"
O4 - Global Startup: MediaChecker.lnk = C:\Program Files\HOTALBUMMyBOX\MediaChecker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: gjyktd.dll xumylh.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7517 bytes
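An added example, not part of this thread and not a feature of HijackThis: a small Python triage pass over O4 (Run-key autostart) and O20 (AppInit_DLLs) lines in the format shown in the log above. It flags autostart entries whose executable lives in a user-writable data directory and lists every DLL named under AppInit_DLLs, which Windows loads into each process that loads user32.dll. The sample lines are copied from the log above plus one constructed `example_updater.exe` entry that exercises an unquoted path with spaces; the directory list is an assumed heuristic, not a rule from the thread.

```python
"""Triage pass over HijackThis O4/O20 lines (added example, not part of the thread)."""
import re

# Sample input: lines copied from the HijackThis log above, plus one constructed
# "example_updater.exe" entry to show an unquoted path under a user profile.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [System Defender] "C:\Documents and Settings\All Users\Application Data\89368\WS72c.exe" /s /d
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [example] C:\Documents and Settings\User\Local Settings\Temp\example_updater.exe -q
O20 - AppInit_DLLs: gjyktd.dll xumylh.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""

O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.*)$')
# Leading executable of a Run value: either a quoted path or an unquoted path
# ending in a program extension (unquoted paths may still contain spaces).
EXE_RE = re.compile(
    r'^(?:"(?P<q>[^"]*)"|(?P<u>.+?\.(?:exe|com|scr|bat|cmd|pif)))(?=\s|$)',
    re.IGNORECASE)

# Assumed heuristic: legitimate autostarts rarely live in per-user or all-users
# data directories; entries that do deserve a closer look.
USER_WRITABLE_DIRS = ('\\application data\\',
                      '\\local settings\\temp\\',
                      '\\documents and settings\\all users\\')


def extract_executable(cmd):
    """Return the program path at the start of a Run value, arguments stripped."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group('q') if m.group('q') is not None else m.group('u')


def triage_hijackthis(log_text):
    """Return a list of findings, one dict per suspicious item, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = extract_executable(m.group('cmd'))
            if any(d in exe.lower() for d in USER_WRITABLE_DIRS):
                findings.append({'line': line, 'item': exe,
                                 'reason': 'autostart from user-writable data directory'})
            continue
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that loads user32.dll,
            # so each DLL listed there is reviewed individually.
            for dll in m.group('dlls').split():
                findings.append({'line': line, 'item': dll,
                                 'reason': 'AppInit_DLLs injects this DLL into every GUI process'})
    return findings


if __name__ == '__main__':
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"{f['reason']}: {f['item']}")
```

The path heuristic only narrows the list; a flagged entry still has to be identified by name, hash or vendor before anything is removed, which is what the helper in the next posts does with the fuller OTS and SysProt output.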
Dantana21
Member with 61 posts.
Join Date: Nov 2009
18-Nov-2009, 09:20 PM #2
I ran Malwarebytes and deleted the infected files, then rebooted per request. After reboot, Firefox won't work now. Ran a Malwarebytes quick scan and it found over 700 infected files again.
NeonFx
Senior Member with 4,817 posts.
Join Date: Oct 2008
Location: California, USA
19-Nov-2009, 03:13 AM #3
Hello there. Welcome to the TSG Forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:
  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Step 1

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)

  • Please copy the following into the Custom Scans box at the bottom

Code:
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\si3112.sys /s /md5
%SYSTEMDRIVE%\viadsk.sys /s /md5
%SYSTEMDRIVE%\nvatabus.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys  /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

To ensure that I get all the information, this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (The Drop's URL will be similar to : http:://drop.io/daerk)

Step 2

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

  • Click on the Log tab.
  • In the Write to log box select All items.
  • Place a checkmark next to Hidden Objects Only
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
    (Unless you have a floppy drive. In this case, please use "Scan Root Drive Only" and press Start)
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
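An added example (not part of this thread and not OTS code) of what the `/s /md5` custom-scan lines in Step 1 ask for: every copy of each named file under the system drive is located recursively and reported with its size and MD5, so the copy in `system32\drivers` can be compared against the ones in `dllcache` and `ServicePackFiles`. The demo tree is constructed in a temporary directory with dummy bytes, with one `atapi.sys` copy altered in place at the same size; the subset of target names is taken from the list above.

```python
"""Recursive file census with MD5, mirroring the OTS "/s /md5" custom scan (added example)."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Subset of the file names from the custom-scan list above.
TARGETS = ['atapi.sys', 'iaStor.sys', 'eventlog.dll', 'scecli.dll']


def md5_of(path, chunk=65536):
    """Stream the file so large drivers do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def file_census(root, names):
    """Walk `root` and record every copy of each wanted name: path, size, md5."""
    wanted = {n.lower() for n in names}
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = os.path.join(dirpath, fn)
                found[fn.lower()].append(
                    {'path': p, 'size': os.path.getsize(p), 'md5': md5_of(p)})
    return dict(found)


def hash_mismatches(census):
    """Names whose copies do not all share one hash: a lead, not proof of infection."""
    return {name: copies for name, copies in census.items()
            if len({c['md5'] for c in copies}) > 1}


def build_demo_tree(base):
    """Constructed layout: three copies of atapi.sys, one altered in place at the
    same size (so size alone would not reveal it), plus a single eventlog.dll.
    Contents are dummy bytes, not real driver code."""
    clean = b'MZ' + b'\x00' * 62 + b'clean driver body ' * 8
    altered = bytearray(clean)
    altered[-20:] = b'patched-in-place-xxx'   # same length, different bytes
    layout = {
        ('WINDOWS', 'system32', 'drivers', 'atapi.sys'): bytes(altered),
        ('WINDOWS', 'system32', 'dllcache', 'atapi.sys'): clean,
        ('WINDOWS', 'ServicePackFiles', 'i386', 'atapi.sys'): clean,
        ('WINDOWS', 'system32', 'eventlog.dll'): b'MZ' + b'\x01' * 100,
    }
    for parts, data in layout.items():
        path = os.path.join(base, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as f:
            f.write(data)
    return base


def run_demo():
    """Build the constructed tree, run the census and return (census, mismatches)."""
    root = build_demo_tree(tempfile.mkdtemp(prefix='census-'))
    census = file_census(root, TARGETS)
    return census, hash_mismatches(census)


if __name__ == '__main__':
    census, bad = run_demo()
    for name, copies in census.items():
        print(name)
        for c in copies:
            print(f"  {c['md5']}  {c['size']:>8}  {c['path']}")
    print('mismatched hashes:', sorted(bad))
```

A hash mismatch between copies is only a starting point: hotfixes leave older versions in uninstall folders, so the next step is to compare each hash against a known-good value for that exact file version rather than against the other copies alone. The ComboFix output later in the thread reports exactly this kind of finding for `iaStor.sys`.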
Dantana21
Member with 61 posts.
Join Date: Nov 2009
19-Nov-2009, 02:47 PM #4
Thanks for helping NeonFx!

OTS log is attached.
Here is the SysProt log:

SysProt AntiRootkit v1.0.1.0
by swatkat

*************************************************************************** ***************
*************************************************************************** ***************

No Hidden Processes found

*************************************************************************** ***************
*************************************************************************** ***************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iastor.sys
Service Name: ---
Module Base: B1FC9000
Module End: B2089000
Hidden: Yes

*************************************************************************** ***************
*************************************************************************** ***************
No SSDT Hooks found

*************************************************************************** ***************
*************************************************************************** ***************
No Kernel Hooks found

*************************************************************************** ***************
*************************************************************************** ***************
No IRP Hooks found

*************************************************************************** ***************
*************************************************************************** ***************
Ports:
Local Address: DAN.BELKIN:1689
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1688
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1687
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1686
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1685
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1684
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1683
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1682
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1681
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1680
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1679
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1678
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1677
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1675
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1674
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1673
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1672
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1325
Remote Address: 86-63-82-215.STA.ASTA-NET.COM.PL:20152
Type: TCP
Process: C:\Program Files\Ares\Ares.exe
State: ESTABLISHED

Local Address: DAN.BELKIN:1323
Remote Address: 8.18.95.187:HTTP
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jucheck.exe
State: CLOSE_WAIT

Local Address: DAN.BELKIN:1273
Remote Address: IP-212-117-174-176.SERVER.LU:HTTPS
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: CLOSE_WAIT

Local Address: DAN.BELKIN:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: DAN:27015
Remote Address: LOCALHOST:1026
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: ESTABLISHED

Local Address: DAN:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: DAN:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: DAN:5152
Remote Address: LOCALHOST:1294
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: DAN:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: DAN:1050
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: DAN:1026
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Program Files\iTunes\iTunesHelper.exe
State: ESTABLISHED

Local Address: DAN:46691
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Ares\Ares.exe
State: LISTENING

Local Address: DAN:27777
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Documents and Settings\All Users\Application Data\89368\WS72c.exe
State: LISTENING

Local Address: DAN:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: DAN:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: DAN.BELKIN:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: DAN.BELKIN:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: DAN.BELKIN:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: DAN.BELKIN:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: DAN.BELKIN:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: DAN:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: DAN:1098
Remote Address: NA
Type: UDP
Process: C:\Program Files\Ares\Ares.exe
State: NA

Local Address: DAN:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: DAN:64896
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: DAN:46692
Remote Address: NA
Type: UDP
Process: C:\Program Files\Ares\Ares.exe
State: NA

Local Address: DAN:46691
Remote Address: NA
Type: UDP
Process: C:\Program Files\Ares\Ares.exe
State: NA

Local Address: DAN:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: DAN:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: DAN:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: DAN:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

*************************************************************************** ***************
*************************************************************************** ***************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{4AD8C139-0DCB-42D0-872B-BAC3F3D0F173}
Status: Access denied
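An added example, not part of this thread and not SysProt code, showing how the Ports section of the log above can be condensed before reading it by hand: records are grouped by remote host with their states and owning processes, and TCP listeners outside the Windows and Program Files trees are listed separately. The sample records are a subset copied from the log above with the format unchanged; the trusted-path prefixes are an assumed heuristic.

```python
"""Summarise the Ports section of a SysProt log (added example, not part of the thread)."""
import re
from collections import defaultdict

# Sample records copied from the SysProt output above (a subset; format unchanged).
SAMPLE_PORTS = r"""
Local Address: DAN.BELKIN:1689
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1688
Remote Address: 4-OPEN-DAVINCI.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAN.BELKIN:1325
Remote Address: 86-63-82-215.STA.ASTA-NET.COM.PL:20152
Type: TCP
Process: C:\Program Files\Ares\Ares.exe
State: ESTABLISHED

Local Address: DAN:27777
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Documents and Settings\All Users\Application Data\89368\WS72c.exe
State: LISTENING

Local Address: DAN:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: DAN.BELKIN:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA
"""


def parse_ports(text):
    """Split the Ports section into one dict per blank-line-separated record."""
    records = []
    for block in re.split(r'\n\s*\n', text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, val = line.partition(':')   # the value itself may contain ':'
            rec[key.strip()] = val.strip()
        if 'Local Address' in rec:
            records.append(rec)
    return records


def remote_host_summary(records):
    """Group outbound TCP sockets by remote host.

    TIME_WAIT sockets are shown against [System Idle Process] because their owner
    has already closed them, so a run of them toward one host points to a
    short-lived process that should be matched against the autostart findings."""
    summary = defaultdict(lambda: {'count': 0, 'states': set(), 'processes': set()})
    for r in records:
        if r.get('Type') != 'TCP':
            continue
        host = r['Remote Address'].rsplit(':', 1)[0]
        if host in ('0.0.0.0', 'LOCALHOST', 'NA'):
            continue
        s = summary[host]
        s['count'] += 1
        s['states'].add(r['State'])
        s['processes'].add(r['Process'])
    return dict(summary)


# Assumed trust heuristic: listeners should come from the Windows or Program Files
# trees (or the kernel "System" process); anything else gets a second look.
TRUSTED_PREFIXES = ('c:\\windows\\', 'c:\\program files\\', 'system')


def suspicious_listeners(records):
    """(local address, process) for LISTENING TCP sockets owned by untrusted paths."""
    out = []
    for r in records:
        if r.get('State') != 'LISTENING':
            continue
        proc = r['Process']
        if not proc.lower().startswith(TRUSTED_PREFIXES):
            out.append((r['Local Address'], proc))
    return out


if __name__ == '__main__':
    recs = parse_ports(SAMPLE_PORTS)
    for host, s in remote_host_summary(recs).items():
        print(f"{host}: {s['count']} socket(s), states={sorted(s['states'])}, "
              f"processes={sorted(s['processes'])}")
    for local, proc in suspicious_listeners(recs):
        print(f"untrusted listener {local} <- {proc}")
```

On the full log above this reduces seventeen near-identical TIME_WAIT records to one line per host and leaves one listener on port 27777 from a process path that also appears in the HijackThis O4 entries, which is the cross-reference the helper draws on in the next post.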
NeonFx
Senior Member with 4,817 posts.
Join Date: Oct 2008
Location: California, USA
19-Nov-2009, 04:09 PM #5
Good Job. I can see the cause of the problems now. Let's do the following:

NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. An increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Dantana21
Member with 61 posts.
Join Date: Nov 2009
19-Nov-2009, 05:16 PM #6
ComboFix 09-11-19.03 - Dan Gentner 11/19/2009 15:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.629 [GMT -5:00]
Running from: c:\documents and settings\Dan Gentner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\89368
c:\documents and settings\All Users\Application Data\89368\BackUp\MediaChecker.lnk
c:\documents and settings\All Users\Application Data\89368\mozcrt19.dll
c:\documents and settings\All Users\Application Data\89368\sqlite3.dll
c:\documents and settings\All Users\Application Data\89368\WS72c.exe
c:\documents and settings\All Users\Application Data\89368\WSD_A.ico
c:\documents and settings\All Users\Application Data\89368\WSDDSys\vd952342.bd
c:\documents and settings\Dan Gentner\Application Data\inst.exe
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\wiaserviv.log

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.

2009-11-19 00:15 . 2009-11-19 00:15 57 ----a-w- C:\PE.sys
2009-11-19 00:00 . 2009-11-19 00:00 55 ----a-w- C:\sld.dll
2009-11-18 23:58 . 2009-11-19 00:30 -------- d-sh--w- c:\documents and settings\Dan Gentner\Application Data\System Defender
2009-11-18 23:50 . 2009-11-18 23:50 44 ----a-w- C:\CLSV.drv
2009-11-18 23:29 . 2009-11-18 23:29 -------- d-----w- c:\documents and settings\Dan Gentner\Application Data\AVG8
2009-11-18 23:28 . 2009-11-18 23:28 13 ----a-w- C:\tjd.sys
2009-11-18 23:07 . 2009-11-18 23:07 73 ----a-w- C:\kernel32.drv
2009-11-18 22:37 . 2009-11-18 22:37 71 ----a-w- C:\cid.sys
2009-11-18 22:37 . 2009-11-18 22:38 -------- d-sh--w- c:\windows\system32\config\systemprofile\Application Data\System Defender
2009-11-18 22:37 . 2009-11-18 22:37 -------- d-sh--w- c:\documents and settings\All Users\Application Data\WSDDSys
2009-11-18 22:36 . 2009-11-18 22:37 -------- d-sh--w- c:\documents and settings\All Users\89ee9b1
2009-11-18 20:45 . 2009-11-19 18:20 79488 ----a-w- c:\documents and settings\Dan Gentner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-12 18:39 . 2009-11-10 14:33 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 18:39 . 2009-11-10 14:33 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 18:39 . 2009-11-10 14:33 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 18:39 . 2009-11-10 14:33 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 18:39 . 2009-11-02 04:01 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 18:39 . 2009-11-02 04:01 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-10 14:33 . 2009-11-02 04:01 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-10 14:31 . 2009-11-02 04:01 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-10 14:31 . 2009-11-02 04:01 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-02 19:30 . 2009-10-16 17:12 1119488 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-02 04:04 . 2009-11-02 04:04 -------- d-----w- c:\documents and settings\Dan Gentner\Local Settings\Application Data\AVG Security Toolbar
2009-11-02 04:02 . 2009-11-02 04:02 -------- d-----w- C:\$AVG
2009-11-02 04:01 . 2009-11-10 14:33 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-02 04:01 . 2009-11-02 04:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-02 04:01 . 2009-11-02 04:01 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-02 04:01 . 2009-11-02 04:01 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-02 04:01 . 2009-11-19 02:53 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-02 04:01 . 2009-11-02 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-02 04:01 . 2009-11-19 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-02 02:50 . 2009-11-02 02:50 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-02 02:05 . 2005-04-21 00:22 32768 ----a-w- c:\windows\system32\instlsp.exe
2009-11-02 02:05 . 2005-04-21 00:22 11264 ----a-w- c:\windows\system32\sporder.dll
2009-11-02 01:22 . 2009-11-02 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-22 07:01 . 2009-02-07 23:02 2066048 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-10-22 07:01 . 2009-02-06 11:08 2189056 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-22 07:01 . 2009-02-06 11:06 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-22 07:01 . 2009-02-06 11:06 2145280 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-22 07:01 . 2009-02-06 10:32 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-22 07:01 . 2009-02-06 10:32 2023936 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 20:45 . 2008-06-10 16:24 -------- d-----w- c:\documents and settings\Dan Gentner\Application Data\U3
2009-11-02 04:01 . 2008-06-06 00:26 -------- d-----w- c:\program files\AVG
2009-11-02 01:38 . 2008-07-08 21:21 -------- d-----w- c:\program files\Symantec
2009-11-02 01:38 . 2008-07-08 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-02 01:09 . 2008-07-08 21:21 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-02 00:00 . 2008-12-07 20:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-02 00:00 . 2009-03-23 19:36 4045527 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-28 20:28 . 2008-09-04 17:24 -------- d-----w- c:\documents and settings\Dan Gentner\Application Data\uTorrent
2009-10-10 18:51 . 2009-10-10 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-10 18:51 . 2009-10-10 18:51 -------- d-----w- c:\documents and settings\Dan Gentner\Application Data\Office Genuine Advantage
2009-10-03 17:14 . 2008-06-05 23:54 -------- d-----w- c:\documents and settings\Dan Gentner\Application Data\Apple Computer
2009-10-03 16:01 . 2008-06-05 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-24 04:28 . 2009-09-24 04:27 -------- d-----w- c:\program files\iTunes
2009-09-24 04:27 . 2009-09-24 04:27 -------- d-----w- c:\program files\iPod
2009-09-24 04:27 . 2008-06-05 23:52 -------- d-----w- c:\program files\Common Files\Apple
2009-09-24 04:12 . 2009-09-24 04:12 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-11 14:18 . 2009-09-11 14:18 136192 ----a-w- c:\windows\system32\SET28D.tmp
2009-09-11 14:18 . 2009-09-11 14:18 136192 ------w- c:\windows\system32\SET4A3.tmp
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2008-12-07 20:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-12-07 20:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2009-09-04 21:03 58880 ----a-w- c:\windows\system32\SET2E5.tmp
2009-09-04 21:03 . 2009-09-04 21:03 58880 ------w- c:\windows\system32\SET4B9.tmp
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-28 23:42 . 2009-09-18 00:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:42 . 2009-09-18 00:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-04-07 06:59 . 2009-11-19 02:56 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 . 2009-11-19 02:56 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 . 2009-11-19 02:56 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 . 2009-11-19 02:56 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 . 2009-11-19 02:56 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 17:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="c:\program files\Ares\Ares.exe" [2008-02-20 963072]
"EPSON Stylus C80 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE" [2001-10-04 69632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-01 344064]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2006-12-15 787096]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2006-12-15 913560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-02 04:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Documents and Settings\\All Users\\89ee9b1\\WS89ee.exe"=

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [6/5/2008 8:00 PM 15172]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/1/2009 11:01 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/1/2009 11:01 PM 360584]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/5/2008 8:13 PM 24652]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/1/2009 11:01 PM 285392]
.
Contents of the 'Scheduled Tasks' folder

2009-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dan Gentner\Application Data\Mozilla\Firefox\Profiles\cobodq9j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.espn.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\documents and settings\Dan Gentner\Application Data\Mozilla\Firefox\Profiles\cobodq9j.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-System Defender - c:\documents and settings\All Users\Application Data\89368\WS72c.exe
AddRemove-dvdSanta 4.50 - Make your own DVD movies!_is1 - c:\program files\dvdSanta\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 16:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vsdatant]
"ImagePath"="a"
.
Completion time: 2009-11-19 16:08
ComboFix-quarantined-files.txt 2009-11-19 21:08

Pre-Run: 49,086,001,152 bytes free
Post-Run: 50,572,869,632 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1B215E10588B80693E5ACF0903F4B211
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
19-Nov-2009, 10:17 PM #7
Good Job. Please do the following:

1. Close any open programs before running the fix.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

Code:
KillAll::

File::
C:\PE.sys
C:\sld.dll
C:\CLSV.drv
C:\tjd.sys
C:\kernel32.drv
C:\cid.sys
c:\windows\system32\SET28D.tmp
c:\windows\system32\SET4A3.tmp
c:\windows\system32\SET2E5.tmp
c:\windows\system32\SET4B9.tmp

Folder::
c:\documents and settings\Dan Gentner\Application Data\System Defender
c:\windows\system32\config\systemprofile\Application Data\System Defender
c:\documents and settings\All Users\Application Data\WSDDSys
c:\documents and settings\All Users\89ee9b1

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\All Users\\89ee9b1\\WS89ee.exe"=-
NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Also, please run OTS.exe if you still have it and click on the Quick Scan button. Attach the results of this scan to your next reply for me.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
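The CFScript above removes the firewall exception for WS89ee.exe that the earlier ComboFix log listed under AuthorizedApplications, and the ORPHANS REMOVED block showed the matching "System Defender" Run entry. As an added example (not from this thread, ComboFix or its author), here is a small Python triage script that pulls those two sections out of a ComboFix log, flags executables living outside Windows/Program Files or inside hex-named folders like 89ee9b1, and emits the Registry:: lines needed to drop the flagged firewall exceptions; the sample log fragment is constructed from lines quoted in this thread, and the trusted-root list and hex-folder heuristic are assumptions of mine, not ComboFix logic.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: a fragment assembled from the ComboFix log lines
# quoted earlier in this thread (not a complete log).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\All Users\\89ee9b1\\WS89ee.exe"=

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-System Defender - c:\documents and settings\All Users\Application Data\89368\WS72c.exe
"""

# Assumption: install roots where a legitimately installed program is expected
# to live on this XP box. Anything else deserves a human look; it is not proof.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Assumption: a directory whose name is nothing but hex digits (89ee9b1, 89368)
# is a rogue-AV dropper habit; real vendors do not name folders that way.
HEX_DIR = re.compile(r"^[0-9a-f]{4,}$")

_AUTH_HEADER = re.compile(r"AuthorizedApplications\\List\]\s*$")
_AUTH_VALUE = re.compile(r'^"(.+?)"=\s*$')
_ORPHAN = re.compile(r"^HK(?:LM|CU)-Run-(.+?) - (.+)$")


def parse_authorized_apps(log: str) -> list[str]:
    """Return the firewall exception paths listed under AuthorizedApplications\\List."""
    paths, in_section = [], False
    for line in log.splitlines():
        if _AUTH_HEADER.search(line):
            in_section = True
            continue
        if in_section:
            m = _AUTH_VALUE.match(line)
            if not m:            # a blank line or the next section ends the list
                in_section = False
                continue
            # REGEDIT4 escapes backslashes; undo that to get a real path
            paths.append(m.group(1).replace("\\\\", "\\"))
    return paths


def parse_run_orphans(log: str) -> list[tuple[str, str]]:
    """Return (value name, path) for Run entries listed under ORPHANS REMOVED."""
    found = []
    for line in log.splitlines():
        m = _ORPHAN.match(line.strip())
        if m and m.group(2) != "(no file)":
            found.append((m.group(1), m.group(2)))
    return found


def suspicion_reasons(path: str) -> list[str]:
    """Heuristic triage of one executable path; an empty list means nothing odd."""
    expanded = path.lower().replace("%windir%", "c:\\windows")
    reasons = []
    if not expanded.startswith(TRUSTED_ROOTS):
        reasons.append("outside Windows/Program Files")
    directories = PureWindowsPath(expanded).parts[1:-1]   # drop drive and file name
    if any(HEX_DIR.match(d) for d in directories):
        reasons.append("hex-named directory")
    return reasons


def triage(log: str) -> dict[str, list[str]]:
    """Map every flagged path from both sections to the reasons it was flagged."""
    candidates = parse_authorized_apps(log) + [p for _, p in parse_run_orphans(log)]
    return {p: r for p in candidates if (r := suspicion_reasons(p))}


def cfscript_firewall_removal(paths: list[str]) -> str:
    """Emit a Registry:: section in the CFScript syntax used in this thread;
    a value line ending in "=-" tells REGEDIT4 to delete that value."""
    key = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
           r"\standardprofile\AuthorizedApplications\List]")
    lines = ["Registry::", key]
    for p in paths:
        lines.append('"%s"=-' % p.replace("\\", "\\\\"))
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for path, reasons in flagged.items():
        print(f"{path}\n    -> {', '.join(reasons)}")
    firewall_hits = [p for p in parse_authorized_apps(SAMPLE_LOG) if p in flagged]
    print(cfscript_firewall_removal(firewall_hits))
```

Run against the fragment, it flags only WS89ee.exe and WS72c.exe and prints the same `=-` removal line the helper wrote by hand; Ares, iTunes and sessmgr.exe pass because they sit under the trusted roots.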
Dantana21's Avatar
Member with 61 posts.
 
Join Date: Nov 2009
20-Nov-2009, 01:01 AM #8
ComboFix 09-11-19.05 - Dan Gentner 11/19/2009 23:32.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.554 [GMT -5:00]
Running from: c:\documents and settings\Dan Gentner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dan Gentner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FILE ::
"C:\cid.sys"
"C:\CLSV.drv"
"C:\kernel32.drv"
"C:\PE.sys"
"C:\sld.dll"
"C:\tjd.sys"
"c:\windows\system32\SET28D.tmp"
"c:\windows\system32\SET2E5.tmp"
"c:\windows\system32\SET4A3.tmp"
"c:\windows\system32\SET4B9.tmp"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\cid.sys
C:\CLSV.drv
c:\documents and settings\All Users\89ee9b1
c:\documents and settings\All Users\89ee9b1\7765.mof
c:\documents and settings\All Users\89ee9b1\BackUp\MediaChecker.lnk
c:\documents and settings\All Users\89ee9b1\mozcrt19.dll
c:\documents and settings\All Users\89ee9b1\sqlite3.dll
c:\documents and settings\All Users\89ee9b1\WS89ee.exe
c:\documents and settings\All Users\89ee9b1\WSDDSys\vd952342.bd
c:\documents and settings\All Users\Application Data\WSDDSys
c:\documents and settings\All Users\Application Data\WSDDSys\wsd.cfg
c:\documents and settings\Dan Gentner\Application Data\System Defender
c:\documents and settings\Dan Gentner\Application Data\System Defender\cookies.sqlite
C:\kernel32.drv
C:\PE.sys
C:\sld.dll
C:\tjd.sys
c:\windows\system32\config\systemprofile\Application Data\System Defender
c:\windows\system32\config\systemprofile\Application Data\System Defender\Instructions.ini
c:\windows\system32\SET28D.tmp
c:\windows\system32\SET2E5.tmp
c:\windows\system32\SET4A3.tmp
c:\windows\system32\SET4B9.tmp
.
((((((((((((((((((((((((( Files Created from 2009-10-20 to 2009-11-20 )))))))))))))))))))))))))))))))
.
2009-11-18 23:29 . 2009-11-18 23:29 -------- d-----w- c:\documents and settings\Dan Gentner\Application Data\AVG8
2009-11-18 20:45 . 2009-11-20 04:46 79488 ----a-w- c:\documents and settings\Dan Gentner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-12 18:39 . 2009-11-10 14:33 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 18:39 . 2009-11-10 14:33 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 18:39 . 2009-11-10 14:33 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 18:39 . 2009-11-10 14:33 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 18:39 . 2009-11-02 04:01 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 18:39 . 2009-11-02 04:01 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-10 14:33 . 2009-11-02 04:01 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-10 14:31 . 2009-11-02 04:01 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-10 14:31 . 2009-11-02 04:01 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-02 19:30 . 2009-10-16 17:12 1119488 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-02 04:04 . 2009-11-02 04:04 -------- d-----w- c:\documents and settings\Dan Gentner\Local Settings\Application Data\AVG Security Toolbar
2009-11-02 04:02 . 2009-11-02 04:02 -------- d-----w- C:\$AVG
2009-11-02 04:01 . 2009-11-10 14:33 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-02 04:01 . 2009-11-02 04:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-02 04:01 . 2009-11-02 04:01 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-02 04:01 . 2009-11-02 04:01 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-02 04:01 . 2009-11-19 02:53 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-02 04:01 . 2009-11-02 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-02 04:01 . 2009-11-19 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-02 02:50 . 2009-11-02 02:50 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-02 02:05 . 2005-04-21 00:22 32768 ----a-w- c:\windows\system32\instlsp.exe
2009-11-02 02:05 . 2005-04-21 00:22 11264 ----a-w- c:\windows\system32\sporder.dll
2009-11-02 01:22 . 2009-11-02 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-22 07:01 . 2009-02-07 23:02 2066048 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-10-22 07:01 . 2009-02-06 11:08 2189056 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-22 07:01 . 2009-02-06 11:06 2145280 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-22 07:01 . 2009-02-06 11:06 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-10-22 07:01 . 2009-02-06 10:32 2023936 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-10-22 07:01 . 2009-02-06 10:32 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-20 04:17 . 2008-06-10 16:24 -------- d-----w- c:\documents and settings\Dan Gentner\Application Data\U3
2009-11-02 04:01 . 2008-06-06 00:26 -------- d-----w- c:\program files\AVG
2009-11-02 01:38 . 2008-07-08 21:21 -------- d-----w- c:\program files\Symantec
2009-11-02 01:38 . 2008-07-08 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-02 01:09 . 2008-07-08 21:21 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-02 00:00 . 2008-12-07 20:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-02 00:00 . 2009-03-23 19:36 4045527 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-28 20:28 . 2008-09-04 17:24 -------- d-----w- c:\documents and settings\Dan Gentner\Application Data\uTorrent
2009-10-10 18:51 . 2009-10-10 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-10 18:51 . 2009-10-10 18:51 -------- d-----w- c:\documents and settings\Dan Gentner\Application Data\Office Genuine Advantage
2009-10-03 17:14 . 2008-06-05 23:54 -------- d-----w- c:\documents and settings\Dan Gentner\Application Data\Apple Computer
2009-10-03 16:01 . 2008-06-05 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-24 04:28 . 2009-09-24 04:27 -------- d-----w- c:\program files\iTunes
2009-09-24 04:27 . 2009-09-24 04:27 -------- d-----w- c:\program files\iPod
2009-09-24 04:27 . 2008-06-05 23:52 -------- d-----w- c:\program files\Common Files\Apple
2009-09-24 04:12 . 2009-09-24 04:12 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2008-12-07 20:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-12-07 20:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-28 23:42 . 2009-09-18 00:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:42 . 2009-09-18 00:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-04-07 06:59 . 2009-11-19 02:56 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 . 2009-11-19 02:56 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 . 2009-11-19 02:56 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 . 2009-11-19 02:56 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 . 2009-11-19 02:56 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-19_21.06.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-20 04:39 . 2009-11-20 04:39 16384 c:\windows\temp\Perflib_Perfdata_7c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 17:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="c:\program files\Ares\Ares.exe" [2008-02-20 963072]
"EPSON Stylus C80 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE" [2001-10-04 69632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-01 344064]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2006-12-15 787096]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2006-12-15 913560]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-02 04:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [6/5/2008 8:00 PM 15172]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/1/2009 11:01 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/1/2009 11:01 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/1/2009 11:01 PM 285392]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/5/2008 8:13 PM 24652]
.
Contents of the 'Scheduled Tasks' folder
2009-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dan Gentner\Application Data\Mozilla\Firefox\Profiles\cobodq9j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.espn.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\documents and settings\Dan Gentner\Application Data\Mozilla\Firefox\Profiles\cobodq9j.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 23:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(5948)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
.
**************************************************************************
.
Completion time: 2009-11-19 23:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-20 04:49
ComboFix2.txt 2009-11-19 21:08
Pre-Run: 50,574,266,368 bytes free
Post-Run: 50,530,627,584 bytes free
- - End Of File - - 064990E3E03C22B8BD2EAE6B5D2A3178
Dantana21's Avatar
Member with 61 posts.
 
Join Date: Nov 2009
20-Nov-2009, 01:08 AM #9
OTS log attachment
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
20-Nov-2009, 01:13 AM #10
Good job. Let's do the following:

STEP 1

Run OTS

  • Under the Paste Fix Here box on the right, paste in the contents of the following code box


Code:
[Unregister Dlls]
[Empty Temp Folders]
[ClearAllRestorePoints]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.


Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally.
If it seems to get stuck, give it some time. It's probably still working.


STEP 2

Run MalwareBytes AntiMalware

  • Update it by clicking on the Update tab and then on the button.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your hard drives.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


STEP 3

I also want to run an online scanner. This will take a while but it's worth it as it can often find things all other scans will miss.

The online scanner uses Java, so I will need you to download and install the latest version for that.

Please go here to download the installer:

http://java.com/en/download/index.jsp

Reboot your machine when that's done.


STEP 4


Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.



2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.


The program will then begin downloading and installing and will also update the database.


Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
Dantana21's Avatar
Member with 61 posts.
 
Join Date: Nov 2009
20-Nov-2009, 02:44 PM #11
All Processes Killed
[Empty Temp Folders]


User: All Users

User: Dan Gentner
->Temp folder emptied: 847072 bytes
->Temporary Internet Files folder emptied: 6098719 bytes
->Java cache emptied: 13841229 bytes
->FireFox cache emptied: 42993846 bytes
->Apple Safari cache emptied: 1151441 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 48284177 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 110.13 mb


Restorepoints cleared and new one set!
< End of fix log >
OTS by OldTimer - Version 3.1.6.0 fix logfile created on 11202009_123119

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/20/2009 1:23:51 PM
mbam-log-2009-11-20 (13-23-51).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 142220
Time elapsed: 32 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=233&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-19\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=233&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=233&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-20\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=233&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=233&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Dantana21
Member with 61 posts.
Join Date: Nov 2009
20-Nov-2009, 02:49 PM #12
Unfortunately, due to prior engagements I will be out of town this weekend and won't be able to be near my computer. I won't be leaving until around 6 pm tonight and will be back Sunday afternoon. I will check this site as soon as I get home and do any other tasks you require. Please don't give up on me!!! You've been such a great help!

Kaspersky scan is installing/running right now, I will post results as soon as it is complete.
NeonFx
Senior Member with 4,817 posts.
Join Date: Oct 2008
Location: California, USA
20-Nov-2009, 02:57 PM #13
Unless Kaspersky finds anything serious we'll be done. I'll give you cleanup instructions and some advice after that.
Dantana21
Member with 61 posts.
Join Date: Nov 2009
20-Nov-2009, 05:23 PM #14
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, November 20, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, November 20, 2009 19:04:39
Records in database: 3251628
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 52797
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 01:31:34


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\89ee9b1\WS89ee.exe.vir Infected: Backdoor.Win32.Small.zx 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\89368\WS72c.exe.vir Infected: Backdoor.Win32.Small.zx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir Infected: Rootkit.Win32.TDSS.u 1

Selected area has been scanned.
NeonFx
Senior Member with 4,817 posts.
Join Date: Oct 2008
Location: California, USA
20-Nov-2009, 06:30 PM #15
Excellent. Those are already in our Quarantine. How's the computer running?
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.