
troj TDL3Mem-B removal assistance!!

Discussion in 'Virus & Other Malware Removal' started by minerprop, Jun 23, 2011.

Thread Status:
Not open for further replies.
  1. minerprop

    minerprop Thread Starter

    Joined:
    Jun 22, 2011
    Messages:
    18
    I am in dire need of assistance. I have a netbook Mini HP with an operating system of Microsoft Windows XP Professional Version 2002. When I use the Internet I get bombarded with various spam pop-ups and the Internet works very slow when before it was rapid. I also get redirected from a webpage that I am working on to other sites that I don't request. I did a scan with my Sophos yet it doesn't finish the scan because it says, "Troj/TDL3Mem-B must be cleaned up before scan can continue". It also says, "C:\WINDOWS\system32\ntdll.dll:pid:00000660 infected with Troj/TDL3Mem-B" and "C:\WINDOWS\system32\ntdll.dll:pid:000004d4 infected with Troj/TDL3Mem-B". Will anybody please help me resolve this issue? I will do the "Download TSG SysInfo" after I submit this post as I had to leave this post from another computer because my infected computer is very slooowwwwww right now. Then I will post the log from that download. Thank you.
     
  2. minerprop

    minerprop Thread Starter

    Joined:
    Jun 22, 2011
    Messages:
    18
    This is what I got from the log report I ran...

    Tech Support Guy System Info Utility version 1.0.0.1
    OS Version: Microsoft Windows XP Professional, Service Pack 3, 32 bit
    Processor: Intel(R) Atom(TM) CPU N280 @ 1.66GHz, x86 Family 6 Model 28 Stepping 2
    Processor Count: 2
    RAM: 1015 Mb
    Graphics Card: Mobile Intel(R) 945 Express Chipset Family, 224 Mb
    Hard Drives: C: Total - 152625 MB, Free - 125479 MB;
    Motherboard: Hewlett-Packard, 3632, KBC Version 34.0F,
    Antivirus: Sophos Anti-Virus, Updated: Yes, On-Demand Scanner: Enabled
     
  3. minerprop

    minerprop Thread Starter

    Joined:
    Jun 22, 2011
    Messages:
    18
    P.S. those happy face icons are supposed to be colons. I don't know why they came out as happy face icons.
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,533
    First Name:
    Derek
    If you follow the advice in the sticky at the top of the forum, you get better help, without us having to repeat the instructions after you have been waiting & slow it down even more

    follow advice here and post the logs those programs make
     
  5. minerprop

    minerprop Thread Starter

    Joined:
    Jun 22, 2011
    Messages:
    18
    This hacker is blocking my ability to post the necessary logs.
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,533
    First Name:
    Derek
    what do you mean
    what happens when you try to post the logs

    attach them to your next reply, it sounds like they are too long & the software is timing out or rejecting them
     
  7. minerprop

    minerprop Thread Starter

    Joined:
    Jun 22, 2011
    Messages:
    18
    Right now I am on a clean computer. I sent my previous post on my infected computer. That message went through fine but when I attempt to reply with only the HijackThis log and I click reply, the next screen says "Internet Explorer cannot display the webpage."
     
  8. minerprop

    minerprop Thread Starter

    Joined:
    Jun 22, 2011
    Messages:
    18
    I am trying this again...HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 6:55:25 PM, on 6/25/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Altiris\AClient\AClient.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\PDF Complete\pdfsvc.exe
    C:\WINDOWS\system32\rpcnet.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe
    C:\Program Files\SMART Technologies\SMART Product Drivers\UCService.exe
    C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\Program Files\Sophos\Remote Management System\RouterNT.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Altiris\AClient\AClntUsr.EXE
    C:\Program Files\Sophos\AutoUpdate\almon.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\WINDOWS\TEMP\sophos_autoupdate1.dir\alupdate.exe
    C:\Documents and Settings\Teacher\Desktop\HijackThis.exe
     
  9. minerprop

    minerprop Thread Starter

    Joined:
    Jun 22, 2011
    Messages:
    18
    Second part of the HijackThis log:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Download Energy Toolbar - {ad708c09-d51b-45b3-9d28-4eba2681febf} - C:\Program Files\Download_Energy\prxtbDown.dll
    O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Morpheus Music\RazaWebHook.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
    O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies\SMART Notebook\NotebookPlugin.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Download Energy - {ad708c09-d51b-45b3-9d28-4eba2681febf} - C:\Program Files\Download_Energy\prxtbDown.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Download Energy Toolbar - {ad708c09-d51b-45b3-9d28-4eba2681febf} - C:\Program Files\Download_Energy\prxtbDown.dll
    O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [cleanddm] %APPDATA%\cleanddm.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: AutorunsDisabled
    O4 - Global Startup: AutorunsDisabled
    O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe
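Added example, not part of the thread and not a HijackThis feature: a small Python triage pass over the O2 and O4 line shapes seen in the log above. The rules (Run-key targets under %APPDATA%, %TEMP% or a user profile's Application Data or Local Settings folders; BHOs whose file is gone) are my own review heuristics, and the sample lines are constructed from the kind of entries in the post, with the final "updater" line invented to exercise a quoted command line with arguments.

```python
"""Triage of HijackThis autostart lines (added example, not from the thread).
The rules below are review heuristics, not HijackThis or forum rules."""
import re
from typing import List, Tuple

# Line shapes used in the thread's HijackThis log.
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$')

# Locations a non-admin user (or malware running as that user) can write to.
# An autostart binary living here deserves a closer look; it is not proof of infection.
USER_WRITABLE = ('%appdata%', '%temp%', '%userprofile%',
                 '\\application data\\', '\\local settings\\')

# Constructed sample: the first five lines mirror entries from the thread's log,
# the last one is invented to show a quoted command line with arguments.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [cleanddm] %APPDATA%\cleanddm.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKLM\..\Run: [updater] "C:\Documents and Settings\Teacher\Local Settings\Temp\upd.exe" -s
"""


def executable_path(cmd: str) -> str:
    """Return the program part of a Run-key command line, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        closing = cmd.find('"', 1)
        return cmd[1:closing] if closing > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut after the first executable extension.
    m = re.match(r'^(.*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (entry name, reason) pairs for lines worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_path(m.group('cmd'))
            if any(marker in exe.lower() for marker in USER_WRITABLE):
                findings.append((m.group('name'),
                                 'autostart from a user-writable location: ' + exe))
            continue
        m = O2_RE.match(line)
        if m and m.group('path').strip().lower() == '(no file)':
            findings.append((m.group('clsid'),
                             'BHO registered but its DLL is missing (orphaned CLSID)'))
    return findings


if __name__ == '__main__':
    for name, reason in triage(SAMPLE_LOG):
        print(f'[{name}] {reason}')
```

On the sample, the script flags the orphaned BHO CLSID, the cleanddm entry (the one that appears later in the thread under ORPHANS REMOVED in the ComboFix report) and the invented "updater" line; the Intel, Sophos and Messenger entries pass. A hit is a prompt to check the file on disk, its signature and its creation date, not a verdict.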
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,533
    First Name:
    Derek
    until we see the dds report, there isn't much else we can do
     
  11. minerprop

    minerprop Thread Starter

    Joined:
    Jun 22, 2011
    Messages:
    18
    I am trying to send out the final part of the HijackThis log but encountering the same problem as earlier. I will work on this then send the other log reports.
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,533
    First Name:
    Derek
    zip them all together & attach them

    press the reply button & then use the manage attachments button there
     
  13. minerprop

    minerprop Thread Starter

    Joined:
    Jun 22, 2011
    Messages:
    18
    I hope this helps.
     

    Attached Files:

  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,533
    First Name:
    Derek
    OK I can see what is wrong now
    first step

    Delete any existing version of ComboFix you have sitting on your desktop
    Please read and follow all these instructions very carefully
    Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.

    Download ComboFix from Here or Here to your Desktop.
    As you download it rename it to iexplore.exe


    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again after combofix has finished
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double click on renamed combofix.exe & follow the prompts.
    If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

    Please tell us if it has cured the problems or if there are any outstanding issues
     
  15. minerprop

    minerprop Thread Starter

    Joined:
    Jun 22, 2011
    Messages:
    18
    C:\ComboFix.txt results

    ComboFix 11-06-26.01 - Teacher 06/26/2011 15:31:04.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.582 [GMT -6:00]
    Running from: c:\documents and settings\Teacher\Desktop\ComboFix.exe
    AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\NetworkService\Local Settings\Application Data\vxo.exe
    c:\documents and settings\NetworkService\Local Settings\Application Data\wvrvqeum.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-26 to 2011-06-26 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-22 02:27 . 2011-06-22 02:29 -------- d-----w- C:\username123
    2011-06-21 21:08 . 2011-06-21 21:08 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple
    2011-06-21 21:06 . 2011-06-21 21:07 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
    2011-06-21 21:06 . 2011-06-21 21:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2011-06-21 21:06 . 2011-06-21 21:06 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
    2011-06-21 20:55 . 2011-06-21 21:06 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
    2011-06-21 19:02 . 2011-06-21 19:02 215552 ----a-w- c:\windows\system32\bthsvw32.dll
    2011-06-21 19:02 . 2011-06-21 19:02 34816 ----a-w- c:\windows\system32\btwdiw32.dll
    2011-06-02 16:36 . 2011-06-02 16:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-30 18:09 . 2011-05-30 18:09 -------- d-----w- c:\program files\iPod
    2011-05-30 18:03 . 2011-05-30 18:03 -------- d-----w- c:\program files\Bonjour
    2011-05-30 17:53 . 2011-05-30 17:54 -------- d-----w- c:\program files\Safari
    2011-05-30 16:18 . 2011-05-30 16:18 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
    2011-05-30 16:17 . 2011-05-30 16:17 -------- d-----w- c:\program files\Common Files\xing shared
    2011-05-30 16:17 . 2011-05-30 16:17 150712 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
    2011-05-30 16:17 . 2011-05-30 16:17 105472 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
    2011-05-30 02:28 . 2011-05-30 02:28 -------- d-----w- c:\program files\Conduit
    2011-05-30 02:28 . 2011-06-21 04:07 -------- d-----w- c:\documents and settings\Teacher\Local Settings\Application Data\Download_Energy
    2011-05-30 02:28 . 2011-05-30 02:28 -------- d-----w- c:\documents and settings\Teacher\Local Settings\Application Data\Conduit
    2011-05-30 02:28 . 2011-05-30 02:28 -------- d-----w- c:\program files\Download_Energy
    2011-05-30 02:28 . 2011-05-30 02:28 -------- d-----w- c:\program files\Morpheus Music
    2011-05-29 03:49 . 2011-06-01 12:48 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-26 21:27 . 2009-12-15 09:29 17920 ----a-w- c:\windows\system32\rpcnetp.exe
    2011-06-26 21:27 . 2009-12-11 23:34 58288 ----a-w- c:\windows\system32\rpcnet.dll
    2011-06-16 03:25 . 2006-12-02 01:37 58288 ------w- c:\windows\system32\rpcnet.exe
    2011-05-30 16:17 . 2009-12-09 22:58 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-05-30 16:17 . 2009-12-09 22:58 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-05-24 18:37 . 2009-12-10 15:43 2401 ---ha-w- c:\windows\system32\drivers\AlKernel.sys
    2011-05-02 04:18 . 2009-12-15 09:30 17920 ---ha-w- c:\windows\system32\rpcnetp.dll
    2011-04-27 14:42 . 2009-12-09 21:16 153728 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys
    2011-04-27 14:40 . 2009-12-09 21:16 24192 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys
    2011-04-27 14:39 . 2011-04-04 16:36 30744 ----a-w- c:\windows\system32\SophosBootTasks.exe
    2011-04-27 14:35 . 2011-04-04 16:34 24312 ---ha-w- c:\windows\system32\drivers\sdcfilter.sys
    2011-04-27 14:33 . 2011-04-27 14:33 31736 ----a-w- c:\windows\system32\drivers\skmscan.sys
    2011-04-27 14:30 . 2011-04-04 16:37 131824 ---ha-w- c:\windows\system32\sdccoinstaller.dll
    2011-04-06 22:20 . 2011-04-06 22:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 22:20 . 2011-04-06 22:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 22:20 . 2011-04-06 22:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-07-27 07:57 203776 --sh--w- c:\windows\system32\unrar.exe
    .
    .
    ((((((((((((((((((((((((((((( [email protected]_03.31.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-06-26 21:28 . 2011-06-26 21:28 16384 c:\windows\Temp\Perflib_Perfdata_9a8.dat
    + 2011-06-26 21:27 . 2011-06-26 21:27 16384 c:\windows\Temp\Perflib_Perfdata_54c.dat
    + 2009-12-09 21:17 . 2011-06-26 20:38 65536 c:\windows\Installer\{15C418EB-7675-42be-B2B3-281952DA014D}\ARPPRODUCTICON.exe
    - 2009-12-09 21:17 . 2011-06-22 02:53 65536 c:\windows\Installer\{15C418EB-7675-42be-B2B3-281952DA014D}\ARPPRODUCTICON.exe
    + 2011-05-06 19:36 . 2011-05-06 19:36 1575940 c:\windows\Installer\da78b.msi
    + 2011-06-26 20:38 . 2011-06-26 20:38 1575936 c:\windows\Installer\cd194.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\prxtbDown.dll" [2011-01-17 175912]
    .
    [HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2011-01-17 22:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad708c09-d51b-45b3-9d28-4eba2681febf}]
    2011-01-17 22:54 175912 ----a-w- c:\program files\Download_Energy\prxtbDown.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\prxtbDown.dll" [2011-01-17 175912]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
    .
    [HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{AD708C09-D51B-45B3-9D28-4EBA2681FEBF}"= "c:\program files\Download_Energy\prxtbDown.dll" [2011-01-17 175912]
    .
    [HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-07-27 288312]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-06-09 1434920]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-04-14 1044480]
    "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2009-06-18 563736]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "AClntUsr"="c:\program files\Altiris\AClient\AClntUsr.EXE" [2009-12-10 184320]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
    "Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2011-04-27 494616]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-30 273544]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    .
    c:\documents and settings\Teacher\Start Menu\Programs\Startup\AutorunsDisabled
    OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    SMART Board Tools.lnk - c:\program files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe [2010-1-5 11154728]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
    SMART Board Tools.lnk - c:\program files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\btwdiw32]
    2011-06-21 19:02 34816 ----a-w- c:\windows\system32\btwdiw32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\btwdlns]
    2011-06-21 19:02 34816 ----a-w- c:\windows\system32\btwdiw32.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rpcnet]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
    @="service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
    "c:\\Program Files\\SMART Technologies\\SMART Product Drivers\\UCGui.exe"=
    "c:\\Program Files\\SMART Technologies\\SMART Product Drivers\\SMARTSNMPAgent.exe"=
    "c:\\Program Files\\SMART Technologies\\SMART Product Drivers\\UCService.exe"=
    "c:\\Program Files\\SMART Technologies\\SMART Product Drivers\\WebServer.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Morpheus Music\\Morpheus Music.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/28/2008 12:14 PM 24064]
    R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [12/9/2009 3:16 PM 153728]
    R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [12/9/2009 3:16 PM 24192]
    R1 SKMScan;SKMScan;c:\windows\system32\drivers\skmscan.sys [4/27/2011 8:33 AM 31736]
    R2 btwdlns;Bluetooth Services;c:\windows\System32\svchost.exe -k bthsvc [8/4/2004 1:56 AM 14336]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [12/9/2009 2:30 PM 635416]
    R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [4/27/2011 8:28 AM 167960]
    R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [4/27/2011 8:42 AM 99864]
    R2 SMART Display Controller;SMART Display Controller;c:\program files\SMART Technologies\SMART Product Drivers\UCService.exe [1/5/2010 2:43 PM 779560]
    R2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [4/27/2011 8:24 AM 1543192]
    R3 5U876UVC;HP Webcam [2 MP series];c:\windows\system32\drivers\5U876.sys [12/9/2009 1:05 PM 117248]
    S2 atizdm;Shell Driver;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:56 AM 14336]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/9/2009 4:56 PM 133104]
    S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [12/9/2009 1:06 PM 228408]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/9/2009 4:56 PM 133104]
    S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [4/4/2011 10:34 AM 24312]
    S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe [1/5/2010 2:44 PM 1053992]
    S3 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies\SMART Product Drivers\WebServer.exe [1/5/2010 2:44 PM 1262888]
    S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [12/9/2009 3:16 PM 14976]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvc REG_MULTI_SZ btwdlns
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
    .
    2011-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-09 22:56]
    .
    2011-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-09 22:56]
    .
    2011-06-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1144072016-71590982-4228859603-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 16:47]
    .
    2011-06-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1144072016-71590982-4228859603-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 16:47]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Download with &Shareaza - c:\program files\Morpheus Music\RazaWebHook.dll/3000
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Teacher\Application Data\Mozilla\Firefox\Profiles\42kd3k8t.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - prefs.js: browser.search.selectedEngine - BigSeekPro
    FF - prefs.js: browser.startup.homepage - hxxp://www.bigseekpro.com/hypercam/{60BADD31-5D3E-4528-24FE-D5AEC4D3BEE5}
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: SMART Notebook Extension: {D6D05E6F-D5C1-4e03-8E33-73F92B05E262} - c:\program files\Mozilla Firefox\extensions\{D6D05E6F-D5C1-4e03-8E33-73F92B05E262}
    FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
    FF - Ext: Download Energy Community Toolbar: {ad708c09-d51b-45b3-9d28-4eba2681febf} - %profile%\extensions\{ad708c09-d51b-45b3-9d28-4eba2681febf}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-cleanddm - c:\documents and settings\Teacher\Application Data\cleanddm.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-26 15:51
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: FUJITSU_MHZ2160BJ_G2 rev.891A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x86C4551B
    user & kernel MBR OK
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    --
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
    "ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atizdm]
    "ServiceDll"="c:\windows\system32\wqtxm.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(876)
    c:\windows\system32\WININET.dll
    c:\windows\system32\btwdiw32.dll
    .
    - - - - - - - > 'lsass.exe'(936)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-06-26 15:57:22
    ComboFix-quarantined-files.txt 2011-06-26 21:57
    ComboFix2.txt 2011-06-22 03:38
    .
    - - End Of File - - 9D682D21632E7F9229E5E2A43FA495D4
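Added example, not part of the thread and not a ComboFix feature: a Python pass that cross-references the sections of a ComboFix report the way a reviewer reads the log above, matching winlogon notify entries, svchost ServiceDll values and DLLs loaded into winlogon.exe and lsass.exe against the "Files Created" window. The sample log is an abridged, constructed copy of lines from this post; the category labels and the heuristics are my assumptions, not ComboFix rules.

```python
"""Cross-referencing a ComboFix log (added example, not from the thread).
Correlates the "Files Created" window with winlogon notify entries, svchost
service DLLs and DLLs already loaded into privileged processes. The category
labels and heuristics are assumptions of this example, not ComboFix output."""
import re
from typing import Dict, List, Set, Tuple

# Line shapes taken from the ComboFix report format shown in the thread.
FILE_LINE = re.compile(r'^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. '
                       r'\d{4}-\d\d-\d\d \d\d:\d\d (?:-+|\d+) \S+ (?P<path>.+)$')
NOTIFY_KEY = re.compile(r'^\[HKEY_LOCAL_MACHINE\\.*\\winlogon\\notify\\(?P<name>[^\]]+)\]$', re.I)
NOTIFY_FILE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d \d+ \S+ (?P<path>.+)$')
SERVICE_KEY = re.compile(r'^\[HKEY_LOCAL_MACHINE\\.*\\Services\\(?P<name>[^\]]+)\]$', re.I)
SERVICE_DLL = re.compile(r'^"ServiceDll"="(?P<path>[^"]+)"$')
PROC_HEADER = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\(\d+\)$")

# Constructed sample: an abridged copy of lines from the thread's ComboFix.txt.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-05-26 to 2011-06-26 )))))))))))))))))))))))))))))))
.
2011-06-21 19:02 . 2011-06-21 19:02 215552 ----a-w- c:\windows\system32\bthsvw32.dll
2011-06-21 19:02 . 2011-06-21 19:02 34816 ----a-w- c:\windows\system32\btwdiw32.dll
2011-06-02 16:36 . 2011-06-02 16:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-26 21:27 . 2009-12-11 23:34 58288 ----a-w- c:\windows\system32\rpcnet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\btwdiw32]
2011-06-21 19:02 34816 ----a-w- c:\windows\system32\btwdiw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\btwdlns]
2011-06-21 19:02 34816 ----a-w- c:\windows\system32\btwdiw32.dll
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atizdm]
"ServiceDll"="c:\windows\system32\wqtxm.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\WININET.dll
c:\windows\system32\btwdiw32.dll
.
- - - - - - - > 'lsass.exe'(936)
c:\windows\system32\WININET.dll
"""

Finding = Tuple[str, str, str]   # (category, subject, path)


def analyse(log_text: str) -> List[Finding]:
    """Parse the report sections and return cross-referenced findings in a fixed order."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    created: Dict[str, str] = {}      # path -> first timestamp, "Files Created" section only
    listed: Set[str] = set()          # every file path in any dated listing
    notify: List[Tuple[str, str]] = []
    services: List[Tuple[str, str]] = []
    loaded: List[Tuple[str, str]] = []
    section, proc = '', None
    for i, line in enumerate(lines):
        if line.startswith('((((') or line.startswith('-----'):
            section, proc = line, None        # a new report section begins
            continue
        m = FILE_LINE.match(line)
        if m:
            path = m.group('path').lower()
            listed.add(path)
            if 'Files Created' in section:
                created[path] = m.group('created')
            continue
        m = NOTIFY_KEY.match(line)
        if m and i + 1 < len(lines) and NOTIFY_FILE.match(lines[i + 1]):
            notify.append((m.group('name'), NOTIFY_FILE.match(lines[i + 1]).group('path').lower()))
            continue
        m = SERVICE_KEY.match(line)
        if m and i + 1 < len(lines) and SERVICE_DLL.match(lines[i + 1]):
            services.append((m.group('name'), SERVICE_DLL.match(lines[i + 1]).group('path').lower()))
            continue
        m = PROC_HEADER.match(line)
        if m:
            proc = m.group('proc')
            continue
        if proc and line.lower().endswith('.dll'):
            loaded.append((proc, line.lower()))

    findings: List[Finding] = []
    # A winlogon notify DLL created inside the scan window is new persistence in a SYSTEM process.
    for name, path in notify:
        if path in created:
            findings.append(('winlogon-notify', name, path))
    # A service DLL that is new, or that no listing ever shows, must be checked on disk.
    for name, path in services:
        if path in created:
            findings.append(('service-dll-new', name, path))
        elif path not in listed:
            findings.append(('service-dll-unlisted', name, path))
    # The same new DLL already mapped into winlogon.exe or lsass.exe shows the persistence is live.
    for process, path in loaded:
        if path in created:
            findings.append(('loaded-in-process', process, path))
    return findings


if __name__ == '__main__':
    for category, subject, path in analyse(SAMPLE_LOG):
        print(f'{category:22} {subject:14} {path}')
```

On the sample the script returns four findings: the new btwdiw32.dll registered twice under winlogon\notify and already mapped into winlogon.exe, and the atizdm service whose ServiceDll, wqtxm.dll, appears in none of ComboFix's file listings. Absence from a listing only means the file was not created or modified within the reporting window, so the follow-up is to inspect the file on disk (existence, signature, timestamps) rather than to treat it as confirmed malicious.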
     
Short URL to this thread: https://techguy.org/1003822
