
Adverts, Music and Clicking in background

Discussion in 'Virus & Other Malware Removal' started by Scottalie, Aug 6, 2010.

  1. Scottalie

    Scottalie Thread Starter

    Joined:
    Aug 6, 2010
    Messages:
    9
    Hello,

    Sorry, I know there are several similar posts regarding this problem, but as I only know the very basics in computers, I'm having trouble following the responses and actions required.

    We keep experiencing adverts (e.g. for Vanish), music and clicking playing in the background when no other applications are running.

    I would really appreciate some help in resolving this!

    Let me know if you need any more information,

    thanks
    Scottalie
     
  2. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi

    Please do the following:

    Please download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
    • A window will open on your desktop
    • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
    • Please post the contents of that file.

    NEXT

    Please download DDS from either of these links

    LINK 1
    LINK 2

    and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.pif to run the tool.
    • When done, two DDS .txt files will open.
    • Save both reports to your desktop.
    ---------------------------------------------------
    Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt.

    NEXT

    Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable.
    • Double click the exe file.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.

    • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and attach it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
     
  3. Scottalie

    Scottalie Thread Starter

    Joined:
    Aug 6, 2010
    Messages:
    9
    Hi CatByte,

    Thanks for responding so quickly.

    The text file for the MBRCheck.exe is as follows:

    MBRCheck, version 1.2.3
    (c) 2010, AD
    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001c
    Kernel Drivers (total 131):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806FF000 \WINDOWS\system32\hal.dll
    0xF7987000 \WINDOWS\system32\KDCOM.DLL
    0xF7897000 \WINDOWS\system32\BOOTVID.dll
    0xF74D6000 spxp.sys
    0xF7989000 \WINDOWS\System32\Drivers\WMILIB.SYS
    0xF74BE000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xF7490000 ACPI.sys
    0xF747F000 pci.sys
    0xF75F7000 ohci1394.sys
    0xF7607000 \WINDOWS\System32\DRIVERS\1394BUS.SYS
    0xF7617000 isapnp.sys
    0xF789B000 compbatt.sys
    0xF789F000 \WINDOWS\System32\DRIVERS\BATTC.SYS
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF7859000 pcmcia.sys
    0xF7627000 MountMgr.sys
    0xF783A000 ftdisk.sys
    0xF78A3000 ACPIEC.sys
    0xF7A50000 \WINDOWS\System32\DRIVERS\OPRGHDLR.SYS
    0xF770F000 PartMgr.sys
    0xF7637000 VolSnap.sys
    0xF796F000 atapi.sys
    0xF7647000 disk.sys
    0xF7657000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xBA7E0000 fltmgr.sys
    0xBA7CE000 sr.sys
    0xF7667000 PxHelp20.sys
    0xBA717000 KSecDD.sys
    0xBA68A000 Ntfs.sys
    0xBA65D000 NDIS.sys
    0xBA643000 Mup.sys
    0xF7717000 BMLoad.sys
    0xF744F000 \SystemRoot\System32\DRIVERS\intelppm.sys
    0xBA5BB000 \SystemRoot\System32\DRIVERS\CmBatt.sys
    0xB987D000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
    0xB9869000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB9841000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF7757000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xB96DD000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF775F000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xB96B5000 \SystemRoot\system32\drivers\tifm21.sys
    0xB96A1000 \SystemRoot\System32\DRIVERS\sdbus.sys
    0xB967A000 \SystemRoot\system32\DRIVERS\e100b325.sys
    0xF743F000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF7767000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xB9641000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xF79BF000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF776F000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF742F000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xF741F000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF740F000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xB961E000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF7777000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xB9FC4000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF7887000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xBA5B3000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xB9607000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF7877000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xBA7BE000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF777F000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xB95F6000 \SystemRoot\System32\DRIVERS\psched.sys
    0xBA7AE000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF7787000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xB99E2000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xBA79E000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF79C1000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xB9598000 \SystemRoot\System32\DRIVERS\update.sys
    0xF792F000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF79C3000 \SystemRoot\system32\DRIVERS\NBSMI.sys
    0xBA78E000 \SystemRoot\System32\DRIVERS\wsimd.sys
    0xBA75E000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xA8EBD000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xA8E99000 \SystemRoot\system32\drivers\portcls.sys
    0xBA73E000 \SystemRoot\system32\drivers\drmk.sys
    0xA8D86000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xB99D2000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF7697000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF79CF000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA05E000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79D1000 \SystemRoot\System32\Drivers\Beep.SYS
    0xB99AA000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xB99A2000 \SystemRoot\System32\drivers\vga.sys
    0xF79D3000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79D5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xB999A000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF778F000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xBA5CF000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xA7FCF000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xA7F76000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xF7797000 \SystemRoot\System32\Drivers\tcpipBM.SYS
    0xA7F3C000 \SystemRoot\System32\Drivers\avgtdix.sys
    0xA7F16000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xBA18F000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xA7EC6000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xA7EA4000 \SystemRoot\System32\drivers\afd.sys
    0xBA15F000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xA8D7E000 \SystemRoot\System32\Drivers\stltrack.SYS
    0xA7E79000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xA7E09000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xBA13F000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF77AF000 \SystemRoot\System32\Drivers\avgmfx86.sys
    0xA7DD5000 \SystemRoot\System32\Drivers\avgldx86.sys
    0xA7DB1000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xA7D99000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF799B000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB954C000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF781F000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA0F9000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF021000 \SystemRoot\System32\ialmdnt5.dll
    0xBF012000 \SystemRoot\System32\ialmrnt5.dll
    0xBF043000 \SystemRoot\System32\ialmdev5.DLL
    0xBF07E000 \SystemRoot\System32\ialmdd5.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xA7C7D000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xA79AC000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xA7775000 \SystemRoot\System32\DRIVERS\srv.sys
    0xA72B0000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA7A71000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA6EE0000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA7435000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA7C4D000 \SystemRoot\System32\DRIVERS\asyncmac.sys
    0x9BFD1000 \SystemRoot\System32\DRIVERS\arp1394.sys
    0x9A9E6000 \SystemRoot\System32\DRIVERS\athw.sys
    0xA6BBC000 \SystemRoot\system32\DRIVERS\sffp_sd.sys
    0x9CBE1000 \SystemRoot\system32\DRIVERS\sffdisk.sys
    0x9A916000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll
    Processes (total 50):
    0 System Idle Process
    4 System
    984 C:\WINDOWS\system32\smss.exe
    1032 csrss.exe
    1056 C:\WINDOWS\system32\winlogon.exe
    1100 C:\WINDOWS\system32\services.exe
    1112 C:\WINDOWS\system32\lsass.exe
    1276 C:\WINDOWS\system32\svchost.exe
    1324 svchost.exe
    1364 C:\WINDOWS\system32\svchost.exe
    1500 svchost.exe
    1528 svchost.exe
    1576 C:\Program Files\AVG\AVG9\avgchsvx.exe
    1584 C:\Program Files\AVG\AVG9\avgrsx.exe
    1784 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    1952 C:\WINDOWS\system32\svchost.exe
    1956 C:\WINDOWS\system32\spoolsv.exe
    164 svchost.exe
    572 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    684 C:\Program Files\AVG\AVG9\avgwdsvc.exe
    744 C:\Program Files\Bonjour\mDNSResponder.exe
    760 C:\WINDOWS\system32\svchost.exe
    832 C:\Program Files\Java\jre6\bin\jqs.exe
    888 C:\Program Files\BurnAware Free\nmsaccessu.exe
    1444 C:\WINDOWS\system32\svchost.exe
    1672 C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    1828 C:\Program Files\T-Mobile Mobile Broadband Manager\AssistantServices.exe
    1836 C:\Program Files\AVG\AVG9\avgnsx.exe
    2140 alg.exe
    2756 C:\WINDOWS\explorer.exe
    2896 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    1260 C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    3212 C:\WINDOWS\RTHDCPL.exe
    3400 C:\WINDOWS\system32\hkcmd.exe
    3384 C:\WINDOWS\system32\igfxpers.exe
    3416 C:\WINDOWS\agrsmmsg.exe
    3444 C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe
    3460 C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    3488 C:\WINDOWS\system32\TDispVol.exe
    3512 C:\PROGRA~1\AVG\AVG9\avgtray.exe
    3092 C:\Program Files\iTunes\iTunesHelper.exe
    364 C:\Program Files\T-Mobile Mobile Broadband Manager\UIExec.exe
    3268 C:\WINDOWS\system32\ctfmon.exe
    3700 C:\Program Files\iPod\bin\iPodService.exe
    3648 C:\WINDOWS\system32\svchost.exe
    3252 C:\Program Files\Skype\Phone\Skype.exe
    4244 C:\Program Files\Skype\Plugin Manager\skypePM.exe
    3768 C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
    2892 C:\Program Files\Internet Explorer\iexplore.exe
    5032 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe
    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    PhysicalDrive0 Model Number: HitachiHTS542512K9SA00, Rev: BB2OC31P
    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
    SHA1: 287535F18AD8F166339B3C3269333828F8587E3F
     
  4. Scottalie

    Scottalie Thread Starter

    Joined:
    Aug 6, 2010
    Messages:
    9
    Results from DDS are:

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Owner at 13:03:17.17 on 07/08/2010
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1019 [GMT 1:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    ============== Running Processes ===============
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    svchost.exe 4
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe 4
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\BurnAware Free\nmsaccessu.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TDispVol.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\T-Mobile Mobile Broadband Manager\UIExec.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AVG\AVG9\avgscanx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Documents and Settings\Owner\Desktop\dds.com

    ============== Pseudo HJT Report ===============
    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://freeola.com
    mDefault_Page_URL = hxxp://freeola.com
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>;*.local
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [SkyTel] SkyTel.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [UIExec] "c:\program files\t-mobile mobile broadband manager\UIExec.exe"
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    mRun: [TFncKy] TFncKy.exe
    mRun: [TDispVol] TDispVol.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.bp.2020.net/Core/Player/2020PlayerAX_Win32.cab
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader57.cab
    DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225623874203
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================
    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\8tw4n1ju.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\[email protected]\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\[email protected]\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\[email protected]\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\[email protected]\components\xpavgtbapi.dll
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\8tw4n1ju.default\extensions\[email protected]\plugins\NP2020Player.dll
    FF - plugin: c:\documents and settings\owner\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-2 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-2 29584]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-2 243024]
    R1 stltrack;stltrack;c:\windows\system32\drivers\STLTRACK.SYS [2008-11-2 13536]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]
    R2 UI Assistant Service;UI Assistant Service;c:\program files\t-mobile mobile broadband manager\AssistantServices.exe [2010-7-17 241664]
    S3 Asp960n5;Asp960n5;c:\windows\system32\drivers\mrxdav.sys [2002-8-29 180608]
    S3 epcfw2k;SCM Parallel Port CF Driver;c:\windows\system32\drivers\epcfw2k.sys [2008-11-1 144896]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-7-17 9728]

    =============== Created Last 30 ================
    2010-08-06 19:30:57 0 d-----r- c:\program files\Skype
    2010-08-05 21:18:55 3245 ----a-w- c:\windows\system32\wbem\Outlook_01cb34e3cf79dae2.mof
    2010-08-02 10:35:56 32 ----a-w- c:\windows\system32\thxcfg.ini
    2010-07-24 09:21:07 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
    2010-07-23 19:51:02 0 d-----w- C:\Netgear
    2010-07-17 23:44:51 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-17 18:46:22 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-17 18:41:05 7070 ----a-w- C:\NetworkCfg.xml
    2010-07-17 18:35:17 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2010-07-17 18:35:17 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2010-07-17 18:33:33 0 d-----w- c:\docume~1\owner\applic~1\Program Files
    2010-07-17 18:33:14 0 d-----w- c:\program files\T-Mobile Mobile Broadband Manager

    ==================== Find3M ====================
    2010-07-17 18:46:32 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-17 18:45:50 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

    ============= FINISH: 13:04:01.62 ===============
     

    Attached Files:

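    The two logs posted above carry the findings that matter for this thread: MBRCheck reports known-bad boot code on PhysicalDrive0 with a SHA1 of that MBR, and the DDS pseudo-HJT section shows an Internet Explorer ProxyServer entry pointing at the machine itself (127.0.0.1:5555), which routes every browser request through whatever is listening locally. The script below is an added example, not part of the original thread and not code from MBRCheck, DDS or GMER; it pulls exactly those two kinds of line out of log text of this layout so a helper can spot them at a glance. The regular expressions assume real logs keep the line layout shown in the thread, and the sample text is constructed to mirror the posted lines (the clean counterpart is invented for contrast). Treating a loopback proxy as something to review is a heuristic: it only matters when the user does not knowingly run a local proxy.

```python
"""Triage helper for MBRCheck and DDS-style logs.

Added example: not part of the original thread and not code from the
MBRCheck, DDS or GMER tools. It scans text like the logs posted above and
reports two things a responder looks at first: an MBRCheck status line that
reports known-bad boot code, and a DDS "ProxyServer" entry that points back
at the local machine. The sample log text is constructed to mirror the
lines posted in the thread (assumption: real logs keep this layout).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# MBRCheck drive status line, e.g.
#   111 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
MBR_STATUS_RE = re.compile(
    r"^\s*(?P<size>\d+\s*[KMGT]B)\s+(?P<device>\\\\\.\\PhysicalDrive\d+)\s+(?P<status>.+?)\s*$"
)
# SHA1 line MBRCheck prints after the status line
SHA1_RE = re.compile(r"^\s*SHA1:\s*(?P<sha1>[0-9A-Fa-f]{40})\s*$")
# DDS pseudo-HJT proxy line (u = current user, m = machine, d = default user), e.g.
#   uInternet Settings,ProxyServer = http=127.0.0.1:5555
PROXY_RE = re.compile(r"^\s*[umd]Internet Settings,ProxyServer\s*=\s*(?P<value>.+?)\s*$")


@dataclass
class Finding:
    kind: str      # "mbr" or "proxy"
    detail: str    # matched text, plus the hash for MBR findings
    severity: str  # "high" or "review"


def is_loopback_proxy(value: str) -> bool:
    """True if any entry of an IE ProxyServer value (scheme=host:port;...) targets this machine.

    A proxy on the local machine that the user did not set up is worth a look:
    everything the browser fetches passes through whatever listens on that port.
    """
    for entry in value.split(";"):
        host = entry.split("=", 1)[-1].strip().lower()   # drop optional "http=" prefix
        if host.startswith(("127.", "localhost", "[::1]")):
            return True
    return False


def triage(log_text: str) -> list[Finding]:
    """Return the findings in order of appearance in the log text."""
    findings: list[Finding] = []
    pending_mbr: Finding | None = None
    for line in log_text.splitlines():
        m = MBR_STATUS_RE.match(line)
        if m:
            status = m.group("status")
            if "known-bad" in status.lower():
                pending_mbr = Finding("mbr", f"{m.group('device')}: {status}", "high")
                findings.append(pending_mbr)
            else:
                pending_mbr = None
            continue
        m = SHA1_RE.match(line)
        if m:
            if pending_mbr is not None:          # attach the hash to the preceding bad MBR
                pending_mbr.detail += f" [SHA1 {m.group('sha1').upper()}]"
                pending_mbr = None
            continue
        m = PROXY_RE.match(line)
        if m and is_loopback_proxy(m.group("value")):
            findings.append(Finding("proxy", line.strip(), "review"))
    return findings


# Constructed sample: a few lines in the layout of the MBRCheck and DDS output posted above.
SAMPLE_LOG = r"""
PhysicalDrive0 Model Number: HitachiHTS542512K9SA00, Rev: BB2OC31P
Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 287535F18AD8F166339B3C3269333828F8587E3F
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
"""

# Constructed clean counterpart: standard MBR code and a corporate proxy, nothing to flag.
CLEAN_LOG = r"""
111 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: 0000000000000000000000000000000000000000
uInternet Settings,ProxyServer = proxy.example.internal:8080
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.detail}")
```

    Run it against a saved MBRCheck or DDS text file by passing the file contents to triage(). The MBR finding is rated high because MBRCheck already matched the code against a known-bad signature; the proxy line is only rated for review, since a local proxy can be legitimate (some security products install one), so the helper confirms with the user before treating it as part of the infection.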
  5. Scottalie

    Scottalie Thread Starter

    Joined:
    Aug 6, 2010
    Messages:
    9
    RE the GMER Rootkit Scanner, I'm having real difficulties. I've launched the scanner 3 times now and every time I do, at some point during the search (the last search had been going for at least an hour and a half), the computer restarts. When I log back in, I get an error log report saying there was a serious error and do I want to report it.

    Not quite sure if I'm doing something wrong? Please advise....

    Many thanks for all your help,
    Scottalie
     
  6. Scottalie

    Scottalie Thread Starter

    Joined:
    Aug 6, 2010
    Messages:
    9
    Ok, finally managed to save a version of the scan before the computer restarted itself. Hopefully it will have enough information (it highlighted one of the files in red), but let me know if you need me to re-run the scan.

    Thanks again,
    Scottalie
     
  7. Scottalie

    Scottalie Thread Starter

    Joined:
    Aug 6, 2010
    Messages:
    9
    oops!
     

    Attached Files:

  8. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:

    Download ComboFix from one of the following locations:
    Link 1
    Link 2

    VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

    • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
    • Double click on ComboFix.exe & follow the prompts.
    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
     
  9. Scottalie

    Scottalie Thread Starter

    Joined:
    Aug 6, 2010
    Messages:
    9
    Hi CatByte,

    Here is the log from Combofix.


    Many thanks!
    Scottalie

    ComboFix 10-08-07.02 - Owner 08/08/2010 14:29:08.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1562 [GMT 1:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Owner\System
    c:\documents and settings\Owner\System\win_qs8.jqx
    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))
    .
    2010-08-06 19:32 . 2010-08-08 12:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
    2010-08-06 19:31 . 2010-08-06 19:31 -------- d-----w- c:\program files\Common Files\Skype
    2010-08-06 19:30 . 2010-08-06 19:31 -------- d-----r- c:\program files\Skype
    2010-08-04 08:32 . 2010-08-04 09:05 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
    2010-07-24 09:21 . 2009-05-20 21:32 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
    2010-07-23 19:51 . 2010-07-24 11:01 -------- d-----w- C:\Netgear
    2010-07-20 16:17 . 2010-07-20 16:17 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
    2010-07-20 16:17 . 2010-07-20 16:17 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
    2010-07-20 16:17 . 2010-07-20 16:17 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
    2010-07-20 16:17 . 2010-07-20 16:17 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-07-17 23:44 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-17 18:46 . 2010-07-17 18:46 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-07-17 18:46 . 2010-07-17 18:46 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
    2010-07-17 18:46 . 2010-07-17 18:46 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-17 18:43 . 2010-07-17 18:43 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
    2010-07-17 18:43 . 2010-07-17 18:43 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
    2010-07-17 18:43 . 2010-07-17 18:43 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2010-07-17 18:43 . 2010-07-17 18:43 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
    2010-07-17 18:35 . 2008-04-13 17:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2010-07-17 18:35 . 2008-04-13 17:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-08 12:04 . 2009-08-20 15:54 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
    2010-08-08 11:13 . 2009-10-23 20:27 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
    2010-08-08 08:35 . 2008-11-08 17:47 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
    2010-08-06 19:30 . 2008-11-08 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2010-08-02 10:44 . 2010-05-24 13:14 -------- d-----w- c:\program files\TrojanHunter 5.3
    2010-07-17 18:46 . 2008-11-02 13:24 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-17 18:45 . 2008-11-02 13:24 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-17 18:36 . 2010-07-17 18:33 -------- d-----w- c:\program files\T-Mobile Mobile Broadband Manager
    2010-07-17 18:33 . 2010-07-17 18:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Program Files
    2010-07-17 18:33 . 2008-11-01 23:14 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-07-06 17:12 . 2009-06-05 17:07 -------- d-----w- c:\documents and settings\Owner\Application Data\FileZilla
    2010-07-05 15:46 . 2008-11-02 16:40 -------- d-----w- c:\program files\Opera
    2010-06-18 16:39 . 2009-01-26 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-06-14 14:31 . 2008-11-01 19:32 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    2010-06-05 18:30 . 2008-11-02 13:24 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-03-20 1312256]
    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2009-03-12 1347584]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
    "RTHDCPL"="RTHDCPL.EXE" [2006-12-19 16062464]
    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
    "THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-17 2065760]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
    "UIExec"="c:\program files\T-Mobile Mobile Broadband Manager\UIExec.exe" [2009-07-17 132608]
    "TFncKy"="TFncKy.exe" [BU]
    "TDispVol"="TDispVol.exe" [2005-09-16 73728]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]
    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-2 113664]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-07-17 18:46 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    "26109:TCP"= 26109:TCP:BitComet 26109 TCP
    "26109:UDP"= 26109:UDP:BitComet 26109 UDP
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02/11/2008 14:24 216400]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [02/11/2008 14:24 243024]
    R1 stltrack;stltrack;c:\windows\system32\drivers\STLTRACK.SYS [02/11/2008 14:57 13536]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/07/2010 19:46 308136]
    S2 UI Assistant Service;UI Assistant Service;c:\program files\T-Mobile Mobile Broadband Manager\AssistantServices.exe [17/07/2010 19:33 241664]
    S3 Asp960n5;Asp960n5;c:\windows\system32\drivers\mrxdav.sys [29/08/2002 13:00 180608]
    S3 epcfw2k;SCM Parallel Port CF Driver;c:\windows\system32\drivers\epcfw2k.sys [01/11/2008 21:39 144896]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [17/07/2010 19:33 9728]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [07/12/2008 22:13 717296]
    --- Other Services/Drivers In Memory ---
    *Deregistered* - BMLoad
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.bp.2020.net/Core/Player/2020PlayerAX_Win32.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8tw4n1ju.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[email protected]\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[email protected]\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[email protected]\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[email protected]\components\xpavgtbapi.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8tw4n1ju.default\extensions\[email protected]\plugins\NP2020Player.dll
    FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -
    HKCU-Run-wefi - c:\program files\WeFi\WeFi.exe
    HKCU-Run-BitComet - c:\program files\BitComet\BitComet.exe
    HKLM-Run-iTunesHelper - e:\apfel\iTunesHelper.exe
    HKLM-Run-snp2std - c:\windows\vsnp2std.exe
    HKLM-Run-FixCamera - c:\windows\FixCamera.exe

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-08 14:38
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2010-08-08 14:40:33
    ComboFix-quarantined-files.txt 2010-08-08 13:40
    Pre-Run: 7,973,498,880 bytes free
    Post-Run: 12,567,547,904 bytes free
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
    - - End Of File - - 513395B22E74D762F5033248080A87A5
     
  10. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi

    Please do the following:

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
    • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Copy/paste the text inside the Codebox below into notepad:

    Here's how to do that:
    Click Start > Run type Notepad click OK.
    This will open an empty notepad file:

    Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

    Code:
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>;*.local
    
    Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

    Save this file to your desktop, Save this as "CFScript"


    Here's how to do that:

    1. Click File;
    2. Click Save As... Change the directory to your desktop;
    3. Change the Save as type to "All Files";
    4. Type in the file name: CFScript
    5. Click Save ...

    [screenshot: dragging CFScript.txt onto ComboFix.exe]
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you.
    • Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    NEXT


    • Please open your MalwareBytes AntiMalware Program
    • Click the Update Tab and search for updates
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <-- very important
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



    NEXT


    Run an on-line scan with Kaspersky

    Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

    1. Click Accept, when prompted to download and install the program files and database of malware definitions.
    2. To optimize scanning time and produce a more sensible report for review:
    • Close any open programs
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    3. Click Run at the Security prompt.
    The program will then begin downloading and installing and will also update the database.
    Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Click View scan report at the bottom.

    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
     
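    The CFScript in the post above reverts the loopback proxy (http=127.0.0.1:5555) that the earlier ComboFix log listed under "Supplementary Scan". As an added example that is not from this thread or from the ComboFix/DDS tools, the Python script below picks those lines out of a DDS/ComboFix log, flags a proxy that points back at the local machine, and emits the matching DDS:: block; the sample log lines are constructed from the two lines quoted in this thread plus a benign corporate-style proxy on proxy.example.com (an assumed host name).

```python
"""Triage helper for the 'Supplementary Scan' proxy lines in a DDS/ComboFix log.

Added example; not part of the thread or of the ComboFix/DDS tools. A browser
proxy pointing at the local host on a high port is almost never user-configured
on a home machine: it means a local process sits between the browser and the
network, which matches the background-advert symptom described in this thread.
"""
import ipaddress
import re
from typing import Dict, List

# DDS/ComboFix rendering of the WinINet proxy settings, e.g.
#   uInternet Settings,ProxyServer = http=127.0.0.1:5555
#   uInternet Settings,ProxyOverride = <local>;*.local
# In DDS notation the leading 'u' is the user hive and 'm' the machine hive.
PROXY_LINE = re.compile(
    r"^(?P<hive>[um])Internet Settings,(?P<key>ProxyServer|ProxyOverride)\s*=\s*(?P<value>.+)$"
)

# A ProxyServer value is 'host:port' or 'scheme=host:port;scheme=host:port'.
PROXY_ENTRY = re.compile(r"^(?:(?P<scheme>[a-z]+)=)?(?P<host>[^:;]+):(?P<port>\d+)$")


def parse_proxy_server(value: str) -> List[Dict[str, str]]:
    """Split a WinINet ProxyServer value into its per-scheme entries."""
    entries = []
    for part in value.split(";"):
        m = PROXY_ENTRY.match(part.strip())
        if m:
            entries.append({
                "scheme": m.group("scheme") or "all",
                "host": m.group("host"),
                "port": m.group("port"),
            })
    return entries


def is_loopback_host(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the literal 'localhost'."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name other than 'localhost'


def find_suspicious_proxies(log_lines: List[str]) -> List[str]:
    """Return the proxy-setting lines worth reverting.

    Any ProxyServer entry whose host is loopback is flagged. The ProxyOverride
    line from the same log is appended after it so the pair is reverted together,
    exactly as the helper's CFScript does.
    """
    flagged: List[str] = []
    override = None
    for raw in log_lines:
        line = raw.strip()
        m = PROXY_LINE.match(line)
        if not m:
            continue
        if m.group("key") == "ProxyOverride":
            override = line
            continue
        if any(is_loopback_host(e["host"]) for e in parse_proxy_server(m.group("value"))):
            flagged.append(line)
    if flagged and override:
        flagged.append(override)
    return flagged


def build_cfscript(lines: List[str]) -> str:
    """Render a CFScript 'DDS::' block (the format posted in this thread) from flagged lines."""
    if not lines:
        return ""
    return "DDS::\n" + "\n".join(lines) + "\n"


# Constructed sample: the Supplementary Scan lines quoted in this thread.
SAMPLE_LOG = """
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
""".strip().splitlines()

# Constructed contrast case: a machine-wide proxy on an ordinary (assumed) host name.
BENIGN_LOG = [
    "mInternet Settings,ProxyServer = proxy.example.com:8080",
    "mInternet Settings,ProxyOverride = <local>",
]

if __name__ == "__main__":
    print(build_cfscript(find_suspicious_proxies(SAMPLE_LOG)), end="")
    print("benign log flagged:", find_suspicious_proxies(BENIGN_LOG))
```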
  11. Scottalie

    Scottalie Thread Starter

    Joined:
    Aug 6, 2010
    Messages:
    9
    Hey CatByte,

    Here are the items you asked for.

    Combofix:
    ComboFix 10-08-07.02 - Owner 08/08/2010 19:35:53.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1547 [GMT 1:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))
    .
    2010-08-08 14:25 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-08 14:25 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-06 19:32 . 2010-08-08 18:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
    2010-08-06 19:31 . 2010-08-06 19:31 -------- d-----w- c:\program files\Common Files\Skype
    2010-08-06 19:30 . 2010-08-06 19:31 -------- d-----r- c:\program files\Skype
    2010-08-04 08:32 . 2010-08-04 09:05 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
    2010-07-24 09:21 . 2009-05-20 21:32 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
    2010-07-23 19:51 . 2010-07-24 11:01 -------- d-----w- C:\Netgear
    2010-07-20 16:17 . 2010-07-20 16:17 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
    2010-07-20 16:17 . 2010-07-20 16:17 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
    2010-07-20 16:17 . 2010-07-20 16:17 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
    2010-07-20 16:17 . 2010-07-20 16:17 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-07-17 23:44 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-17 18:46 . 2010-07-17 18:46 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-07-17 18:46 . 2010-07-17 18:46 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
    2010-07-17 18:46 . 2010-07-17 18:46 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-17 18:43 . 2010-07-17 18:43 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
    2010-07-17 18:43 . 2010-07-17 18:43 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
    2010-07-17 18:43 . 2010-07-17 18:43 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2010-07-17 18:43 . 2010-07-17 18:43 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
    2010-07-17 18:35 . 2008-04-13 17:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2010-07-17 18:35 . 2008-04-13 17:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-08 15:03 . 2008-11-08 17:47 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
    2010-08-08 14:33 . 2009-08-20 15:54 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
    2010-08-08 14:25 . 2010-03-28 09:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-08 11:13 . 2009-10-23 20:27 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
    2010-08-06 19:30 . 2008-11-08 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2010-08-02 10:44 . 2010-05-24 13:14 -------- d-----w- c:\program files\TrojanHunter 5.3
    2010-07-17 18:46 . 2008-11-02 13:24 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-17 18:45 . 2008-11-02 13:24 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-17 18:36 . 2010-07-17 18:33 -------- d-----w- c:\program files\T-Mobile Mobile Broadband Manager
    2010-07-17 18:33 . 2010-07-17 18:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Program Files
    2010-07-17 18:33 . 2008-11-01 23:14 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-07-06 17:12 . 2009-06-05 17:07 -------- d-----w- c:\documents and settings\Owner\Application Data\FileZilla
    2010-07-05 15:46 . 2008-11-02 16:40 -------- d-----w- c:\program files\Opera
    2010-06-18 16:39 . 2009-01-26 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-06-14 14:31 . 2008-11-01 19:32 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    2010-06-05 18:30 . 2008-11-02 13:24 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    .
    ((((((((((((((((((((((((((((( [email protected]_13.38.40 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-08-08 18:34 . 2010-08-08 18:34 16384 c:\windows\Temp\Perflib_Perfdata_160.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-03-20 1312256]
    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2009-03-12 1347584]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
    "RTHDCPL"="RTHDCPL.EXE" [2006-12-19 16062464]
    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
    "THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-17 2065760]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
    "UIExec"="c:\program files\T-Mobile Mobile Broadband Manager\UIExec.exe" [2009-07-17 132608]
    "TFncKy"="TFncKy.exe" [BU]
    "TDispVol"="TDispVol.exe" [2005-09-16 73728]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]
    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-2 113664]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-07-17 18:46 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    "26109:TCP"= 26109:TCP:BitComet 26109 TCP
    "26109:UDP"= 26109:UDP:BitComet 26109 UDP
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02/11/2008 14:24 216400]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [02/11/2008 14:24 243024]
    R1 stltrack;stltrack;c:\windows\system32\drivers\STLTRACK.SYS [02/11/2008 14:57 13536]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/07/2010 19:46 308136]
    S2 UI Assistant Service;UI Assistant Service;c:\program files\T-Mobile Mobile Broadband Manager\AssistantServices.exe [17/07/2010 19:33 241664]
    S3 Asp960n5;Asp960n5;c:\windows\system32\drivers\mrxdav.sys [29/08/2002 13:00 180608]
    S3 epcfw2k;SCM Parallel Port CF Driver;c:\windows\system32\drivers\epcfw2k.sys [01/11/2008 21:39 144896]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [17/07/2010 19:33 9728]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [07/12/2008 22:13 717296]
    --- Other Services/Drivers In Memory ---
    *Deregistered* - BMLoad
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.bp.2020.net/Core/Player/2020PlayerAX_Win32.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8tw4n1ju.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[email protected]\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[email protected]\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[email protected]\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\[email protected]\components\xpavgtbapi.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8tw4n1ju.default\extensions\[email protected]\plugins\NP2020Player.dll
    FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-08 19:43
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2010-08-08 19:45:02
    ComboFix-quarantined-files.txt 2010-08-08 18:45
    ComboFix2.txt 2010-08-08 14:04
    ComboFix3.txt 2010-08-08 13:40
    Pre-Run: 12,440,170,496 bytes free
    Post-Run: 12,539,768,832 bytes free
    - - End Of File - - 1E43D0795601C4E21D04054F80194234


    MBAM:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org
    Database version: 4406
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13
    08/08/2010 15:33:29
    mbam-log-2010-08-08 (15-33-29).txt
    Scan type: Quick scan
    Objects scanned: 153775
    Time elapsed: 7 minute(s), 34 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)


    Kaspersky:
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Sunday, August 8, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Sunday, August 08, 2010 07:34:14
    Records in database: 4131733
    --------------------------------------------------------------------------------
    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes
    Scan area - My Computer:
    C:\
    D:\
    Scan statistics:
    Objects scanned: 148574
    Threats found: 1
    Infected objects found: 1
    Suspicious objects found: 0
    Scan duration: 03:15:57

    File name / Threat / Threats count
    C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Infected: Trojan-Clicker.Win32.Wistler.a 1
    Selected area has been scanned.


    Many thanks

    Scottalie
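The Kaspersky hit above is on the sector ComboFix quarantined, not on the live disk: the MBR that MBRCheck was run against in the earlier steps. The following Python is an added example (not the thread's content and not MBRCheck's or ComboFix's own code) showing what an "unknown bootcode" verdict amounts to: the first 440 bytes of the sector are hashed and compared against an allow-list, while the partition table is parsed separately, because a bootkit swaps the code but keeps the table so the machine still boots. The allow-list, the stand-in boot code and both sample sectors are constructed for the example; the hashes are not real Windows values.

```python
"""Parse a raw 512-byte MBR and compare its boot code against an allow-list.

Added example: what an 'unknown bootcode' verdict means. A bootkit replaces the
first 440 bytes (the code the BIOS executes) but usually keeps the partition
table intact so the system still boots. Samples and allow-list are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440        # bytes 0..439: executable boot code
DISK_SIG_OFF = 440        # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446      # four 16-byte partition entries
PART_ENTRY_LEN = 16


def parse_mbr(sector: bytes) -> dict:
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes, got %d" % len(sector))
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def classify_bootcode(sector: bytes, known: dict) -> str:
    """Name of the known boot code, or 'UNKNOWN' (the case MBRCheck flags)."""
    return known.get(parse_mbr(sector)["bootcode_sha256"], "UNKNOWN")


def build_mbr(bootcode: bytes, entries: list) -> bytes:
    """Assemble a sector from boot code and up to four (status, type, lba, count) tuples."""
    assert len(bootcode) == BOOTCODE_LEN
    table = b"".join(struct.pack("<B3sB3sII", s, b"\x00\x00\x00", t, b"\x00\x00\x00", lba, n)
                     for s, t, lba, n in entries)
    table += b"\x00" * (64 - len(table))
    # 440 code + 4 disk signature + 2 reserved + 64 table + 2 signature = 512
    return bootcode + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00" + table + b"\x55\xAA"


# Constructed samples: 'clean' stands in for a vendor MBR; 'tampered' keeps the
# same partition table but carries different code, as a bootkit would.
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOTCODE_LEN - 7)
TAMPERED_CODE = b"\xEB\x3E" + b"\xCC" * (BOOTCODE_LEN - 2)
PARTITIONS = [(0x80, 0x07, 63, 41943040)]   # one bootable NTFS partition

CLEAN_MBR = build_mbr(CLEAN_CODE, PARTITIONS)
TAMPERED_MBR = build_mbr(TAMPERED_CODE, PARTITIONS)

# Allow-list keyed by SHA-256 of the 440-byte code region (constructed entry).
KNOWN_BOOTCODE = {
    hashlib.sha256(CLEAN_CODE).hexdigest(): "constructed stand-in for a vendor MBR",
}

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(mbr)
        print(name, classify_bootcode(mbr, KNOWN_BOOTCODE), info["partitions"])
```

To run it against a quarantined sector such as `C:\Qoobox\Quarantine\MBR_HardDisk0.mbr`, read the file in binary mode and pass the bytes to `parse_mbr` and `classify_bootcode` with a real allow-list; this assumes the quarantine file is a raw 512-byte dump, which the thread does not confirm. The point to take from the two samples is that identical partition tables say nothing about the code in front of them.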
  12. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi

    Just some housekeeping to do now

    please do the following:


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update.
    • Download the latest version of Java Runtime Environment (JRE) 21 and save it to your desktop.
    • Scroll down to where it says JDK 6 Update 21 (JDK or JRE)
    • Click the Download JRE button to the right
    • Select the Windows platform from the dropdown menu.
    • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u21 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.
    • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
      • On the General tab, under Temporary Internet Files, click the Settings button.
      • Next, click on the Delete Files button
      • There are two options in the window to clear the cache - leave BOTH checked:
        • Applications and Applets
        • Trace and Log Files
      • Click OK on Delete Temporary Files Window
        Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      • Click OK to leave the Temporary Files Window
      • Click OK to leave the Java Control Panel.


    NEXT



    You can delete the MBRCheck, DDS and GMER logs and programs from your desktop.


    NEXT


    Follow these steps to uninstall Combofix

    • Make sure your security programs are totally disabled.
    • Click START then RUN
    • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U; it needs to be there.



    If there are any logs/tools remaining > right click and delete them.


    NEXT


    Below I have included a number of recommendations for how to protect your computer against malware infections.

    • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
      Strong passwords: How to create and use them
      Then consider a password keeper, to keep all your passwords safe.

    • Keep Windows updated by regularly checking their website at:
      http://windowsupdate.microsoft.com/
      This will ensure your computer always has the latest available security updates installed.

    • Make Internet Explorer more secure
      • Click Start > Run
      • Type Inetcpl.cpl & click OK
      • Click on the Security tab
      • Click Reset all zones to default level
      • Make sure the Internet Zone is selected & Click Custom level
      • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
      • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

    • Download TFC to your desktop
      • Close any open windows.
      • Double click the TFC icon to run the program
      • TFC will close all open programs itself in order to run,
      • Click the Start button to begin the process.
      • Allow TFC to run uninterrupted.
      • The program should not take long to finish its job
      • Once it's finished it should automatically reboot your machine,
      • if it doesn't, manually reboot to ensure a complete clean
      It's normal after running TFC cleaner that the PC will be slower to boot the first time.

    • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
      • Green to go
      • Yellow for caution
      • Red to stop
      WOT has an addon available for both Firefox and IE

    • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

    • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

    • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
      Think Prevention.
      PC Safety and Security--What Do I Need?.


    **Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


    Thank you for your patience, and performing all of the procedures requested.

    Please respond one last time so we can consider the thread resolved and close it, thank-you.
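The Internet Explorer steps in the post above change three per-zone settings through the GUI. The Python below is an added example (not part of the thread and not anyone's tool) that audits the same three settings so the change can be verified rather than eyeballed. It assumes the documented storage: the values live as DWORDs named by their URL-action ID under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3` (zone 3 is "Internet"), with data 0 = Enable, 1 = Prompt, 3 = Disable. `audit_zone` works on any dictionary, so the constructed `WEAK_ZONE` and `HARDENED_ZONE` samples run anywhere; `read_zone_values` uses `winreg` and only works on Windows, and assumes no HKLM-only policy is overriding the user's zone settings.

```python
"""Audit the IE 'Internet' zone (zone 3) for the three ActiveX settings the
post tightens by hand. Added example; sample dictionaries are constructed."""
import sys

ENABLE, PROMPT, DISABLE = 0, 1, 3          # DWORD data stored for each setting
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# URL-action ID (registry value name) -> (description, acceptable settings)
REQUIRED = {
    "1001": ("Download signed ActiveX controls", {PROMPT, DISABLE}),
    "1004": ("Download unsigned ActiveX controls", {PROMPT, DISABLE}),
    "1201": ("Initialize and script ActiveX controls not marked as safe", {DISABLE}),
}


def audit_zone(values: dict) -> list:
    """Return one finding per setting that is missing or weaker than required."""
    findings = []
    for name, (desc, allowed) in REQUIRED.items():
        current = values.get(name)
        if current is None:
            findings.append("%s (%s): not set; verify in Internet Options" % (name, desc))
        elif current not in allowed:
            want = " or ".join(LABEL[a] for a in sorted(allowed))
            findings.append("%s (%s): %s, want %s"
                            % (name, desc, LABEL.get(current, current), want))
    return findings


def read_zone_values() -> dict:
    """Read the per-user zone values; Windows only (winreg is not available elsewhere)."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in REQUIRED:
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value absent: audit_zone reports it as 'not set'
    return out


# Constructed samples: everything enabled vs. the post's recommended levels.
WEAK_ZONE = {"1001": ENABLE, "1004": ENABLE, "1201": ENABLE}
HARDENED_ZONE = {"1001": PROMPT, "1004": PROMPT, "1201": DISABLE}

if __name__ == "__main__":
    values = read_zone_values() if sys.platform == "win32" else WEAK_ZONE
    for line in audit_zone(values) or ["all three ActiveX settings are at the recommended level"]:
        print(line)
```

On the machine in question the script is run after the GUI steps; an empty finding list confirms the change took. Off Windows it evaluates the constructed weak sample, which produces three findings.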
  13. Scottalie

    Scottalie Thread Starter

    Joined:
    Aug 6, 2010
    Messages:
    9
    Hi CatByte,
    All done! Thank you so much for helping us!

    All the best

    Scottalie
  14. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    you are welcome

    stay safe

    ~CB
Short URL to this thread: https://techguy.org/941239