WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93121 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Wife's computer will not connect to any ant-virus site

Started by RetiredChief , Aug 01 2010 11:54 AM

This topic is locked

74 replies to this topic

#46 JonTom

Teacher Emeritus

Malware Team
5,496 posts

Posted 14 August 2010 - 02:01 AM

Hello RetiredChief

P.S. The Missus says: Thank you, Thank you, Thank you!!!!!

Your Missus is Very Welcome. Glad we could help

(Now I can stop sleeping on the couch)

I would also like to pass on my thanks to two very special people (ken545 and CatByte for their help with one of the scripts we used :notworthy:

As for my LapTop, YES!

Okay. Lets take a look at it:

If you have any trouble running the following scans come back and let me know.

IMPORTANT: Please try to keep your laptop completely isolated from your Wife's machine to minimise the chances of re-infecting it. If you need to use her machine to download and transfer tools please let me know BEFORE doing so.

Please perform the following scan
- Please download DDS from here and save it to your desktop.
- Disable any script blocking protection (How to Disable your Security Programs)
- Double click on the DDS icon to run the tool (may take up to 3 minutes to run).
- When done, DDS.txt will open.
- After a few moments, attach.txt will open in a second window.
- Save both reports to your desktop.
- Please post the contents of the DDS.txt and Attach.txt logs in your next reply.
Please scan your system with GMER

Download GMER Rootkit Scanner from here or here.
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Please post the DDS logs and the GMER log in your next reply.

Would you like to help others? Join the Classroom and learn how.

Member of UNITE
Proud Graduate of the WTT Classroom

Advertisements

Register to Remove

#47 RetiredChief

Authentic Member

Authentic Member
111 posts

Posted 14 August 2010 - 12:16 PM

JonTom, I am using a wireless router, my wife's computer is connected directly to it, but I use the wireless function for my lap top because I use it in the dining room, away from the noise so I can do homework. I can download to a thumb drive and work that way if you think that would be better. Also, should I go ahead and completely remove the AVG from my laptop? I am not really impressed with it anyway. Chief

#48 RetiredChief

Authentic Member

Authentic Member
111 posts

Posted 14 August 2010 - 09:50 PM

JonTom, Here is the first set of logs from the DDS scan: DDS (Ver_10-03-17.01) - NTFSx86 Run by Lauren A. Blakley at 20:44:15.33 on Sat 08/14/2010 Internet Explorer: 7.0.5730.13 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.108 [GMT -7:00] AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Dell\AccessDirect\dadapp.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe C:\Program Files\Dell\AccessDirect\DadTray.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\PROGRA~1\Dell\QuickSet\quickset.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\DellSupport\DSAgnt.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe svchost.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\PROGRA~1\AVG\AVG8\avgfws8.exe C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\PROGRA~1\AVG\AVG8\avgam.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\plugin-container.exe D:\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com uDefault_Page_URL = hxxp://www.dell4me.com/myway uWindow Title = Microsoft Internet Explorer uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html uInternet Settings,ProxyServer = dormproxy:80 uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com uURLSearchHooks: H - No File uURLSearchHooks: H - No File uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background uRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe mRun: [BCMSMMSG] BCMSMMSG.exe mRun: [IgfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe" mRun: [<NO NAME>] mRun: [DadApp] c:\program files\dell\accessdirect\dadapp.exe mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r mRun: [dla] c:\windows\system32\dla\tfswctrl.exe mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe" mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName mRun: [Dell QuickSet] c:\progra~1\dell\quickset\quickset.exe mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe" mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe" mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\icatch~1.lnk - c:\windows\twain_32\ca561a\SnapDetect.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} - hxxp://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1277606813733 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129138513588 DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: avgrsstarter - avgrsstx.dll Notify: igfxcui - igfxsrvc.dll Notify: NavLogon - c:\windows\system32\NavLogon.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\lauren~1.bla\applic~1\mozilla\firefox\profiles\q6fuhlgz.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p= FF - prefs.js: browser.search.selectedEngine - Yahoo! Search FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p= FF - prefs.js: network.proxy.type - 4 FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ ---- FIREFOX POLICIES ---- FF - user.js: google.toolbar.linkdoctor.enabled - false FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24); c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-7-22 25608] R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-5-29 12552] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-29 335240] R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-29 27784] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-29 108552] R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-5-29 29208] R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-7-22 121352] R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-7-22 30216] R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSShim.sys [2009-7-22 27232] S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-5-29 29208] S3 idrmkl;idrmkl;\??\c:\docume~1\lauren~1.bla\locals~1\temp\idrmkl.sys --> c:\docume~1\lauren~1.bla\locals~1\temp\idrmkl.sys [?] =============== Created Last 30 ================ 2010-07-31 05:27:28 0 dc----w- c:\program files\Microsoft Games 2010-07-31 05:20:16 38160 -c--a-w- c:\windows\system32\LMRTREND.dll 2010-07-31 05:20:07 140800 -c--a-w- c:\windows\system32\tm20dec.ax 2010-07-31 05:20:04 182032 -c--a-w- c:\windows\system32\dxtmsft3.dll 2010-07-31 05:19:41 63488 -c--a-w- c:\windows\system32\unam4ie.exe 2010-07-31 05:19:26 5672 -c--a-w- c:\windows\system32\quartz.vxd 2010-07-31 05:19:26 11776 -c--a-w- c:\windows\system32\mciqtz.drv 2010-07-31 05:19:26 10240 -c--a-w- c:\windows\system32\vidx16.dll 2010-07-31 05:19:25 194320 -c--a-w- c:\windows\system32\qcut.dll 2010-07-31 05:19:21 4608 -c--a-w- c:\windows\system32\w95inf32.dll 2010-07-31 05:19:21 2272 -c--a-w- c:\windows\system32\w95inf16.dll 2010-07-30 05:10:34 0 dc----w- c:\windows\system32\wbem\Repository 2010-07-29 04:45:44 0 dc----w- c:\program files\Secunia 2010-07-27 02:49:02 0 dc----w- C:\d48e9072f60859d7631ab5080b 2010-07-23 00:46:02 0 dc----w- c:\program files\MSECache 2010-07-19 02:59:35 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat 2010-07-18 06:07:17 0 dc----w- c:\windows\system32\XPSViewer 2010-07-18 05:50:10 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll 2010-07-18 05:50:10 117760 -c----w- c:\windows\system32\prntvpt.dll 2010-07-18 05:50:07 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe 2010-07-18 05:50:04 575488 -c----w- c:\windows\system32\xpsshhdr.dll 2010-07-18 05:50:04 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll 2010-07-18 05:49:56 1676288 -c----w- c:\windows\system32\xpssvcs.dll 2010-07-18 05:49:56 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll 2010-07-18 04:25:16 221568 -c----w- c:\windows\system32\MpSigStub.exe ==================== Find3M ==================== 2010-06-30 12:31:35 149504 -c--a-w- c:\windows\system32\schannel.dll 2010-06-24 12:15:28 832512 -c--a-w- c:\windows\system32\wininet.dll 2010-06-24 12:15:26 78336 -c--a-w- c:\windows\system32\ieencode.dll 2010-06-24 12:15:26 17408 -c--a-w- c:\windows\system32\corpol.dll 2010-06-23 13:44:04 1851904 -c--a-w- c:\windows\system32\win32k.sys 2010-06-21 15:27:11 354304 -c--a-w- c:\windows\system32\drivers\srv.sys 2010-06-17 14:03:00 80384 -c--a-w- c:\windows\system32\iccvid.dll 2010-06-14 07:41:45 1172480 -c--a-w- c:\windows\system32\msxml3.dll 2010-05-30 04:38:01 11952 -c--a-w- c:\windows\system32\avgrsstx.dll 2010-05-30 04:35:30 50968 -c--a-w- c:\windows\system32\avgfwdx.dll 2009-08-23 06:20:21 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082220090823\index.dat ============= FINISH: 20:45:46.00 =============== UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Ver_10-03-17.01) Microsoft Windows XP Home Edition Boot Device: \Device\HarddiskVolume2 Install Date: 12/11/2005 11:37:28 PM System Uptime: 8/14/2010 7:32:12 PM (1 hours ago) Motherboard: Dell Computer Corporation | | 0F3553 Processor: Mobile Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2797/133mhz ==== Disk Partitions ========================= C: is FIXED (NTFS) - 53 GiB total, 41.707 GiB free. D: is CDROM (CDFS) ==== Disabled Device Manager Items ============= ==== System Restore Points =================== RP1: 8/13/2010 9:52:58 PM - System Checkpoint RP2: 8/13/2010 10:47:01 PM - Software Distribution Service 3.0 ==== Installed Programs ====================== AccessDirect Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Reader 8.1.4 Adobe Shockwave Player 11 Adobe® Photoshop® Album Starter Edition 3.2 AT&T Connection Services Manager AVG 8.5 AVG Identity Protection BCM V.92 56K Modem Broadcom Management Programs Canon CanoScan Toolbox 4.1 CCleaner (remove only) Clear Cache feature for Internet Explorer Critical Update for Windows Media Player 11 (KB959772) Dell Digital Jukebox Driver Dell Driver Reset Tool Dell Media Experience Dell Media Experience Update Dell System Restore Dell Wireless WLAN Utility DellSupport Google Toolbar for Internet Explorer HijackThis 1.99.1 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB981793) ICatch (VI) PC Camera Intel® Extreme Graphics 2 Driver Internet Explorer Default Page Jasc Paint Shop Pro Studio, Dell Editon Java 2 Runtime Environment, SE v1.4.2_03 Leisure Suit Larry - Magna Cum Laude Macromedia Shockwave Player Malwarebytes' Anti-Malware Manual CanoScan LiDE 50 Marine Aquarium 2.5, Goldfish, Sharks & Carousel Bundle Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Security Update (KB979906) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft Close Combat III Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office 2000 Professional Microsoft Office PowerPoint Viewer 2007 (English) Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Visual J# .NET Redistributable Package 1.1 Modem Helper Mozilla Firefox (3.6.8) MSN MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) Musicmatch® Jukebox My Way Search Assistant PowerDVD 5.1 Presto! PageManager 6.03 QuickSet RealPlayer Basic Security Update for CAPICOM (KB931906) Security Update for Step By Step Interactive Training (KB898458) Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Internet Explorer 7 (KB2183461) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB972260) Security Update for Windows Internet Explorer 7 (KB982381) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player (KB978695) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 10 (KB936782) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB2079403) Security Update for Windows XP (KB2115168) Security Update for Windows XP (KB2160329) Security Update for Windows XP (KB2229593) Security Update for Windows XP (KB2286198) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464-v2) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953155) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371-v2) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB970430) Security Update for Windows XP (KB971468) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB971961) Security Update for Windows XP (KB972270) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB973904) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974318) Security Update for Windows XP (KB974392) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Security Update for Windows XP (KB975560) Security Update for Windows XP (KB975561) Security Update for Windows XP (KB975562) Security Update for Windows XP (KB975713) Security Update for Windows XP (KB977816) Security Update for Windows XP (KB977914) Security Update for Windows XP (KB978037) Security Update for Windows XP (KB978338) Security Update for Windows XP (KB978542) Security Update for Windows XP (KB978601) Security Update for Windows XP (KB978706) Security Update for Windows XP (KB979309) Security Update for Windows XP (KB979482) Security Update for Windows XP (KB979559) Security Update for Windows XP (KB979683) Security Update for Windows XP (KB980195) Security Update for Windows XP (KB980218) Security Update for Windows XP (KB980232) Security Update for Windows XP (KB980436) Security Update for Windows XP (KB981349) Security Update for Windows XP (KB981852) Security Update for Windows XP (KB981997) Security Update for Windows XP (KB982214) Security Update for Windows XP (KB982665) Sonic DLA Sonic RecordNow! Plus Sonic Update Manager Symantec Client Security Synaptics Pointing Device Driver Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Windows XP (KB951978) Update for Windows XP (KB955759) Update for Windows XP (KB955839) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB971737) Update for Windows XP (KB973687) Update for Windows XP (KB973815) WarBirds III WebFldrs XP Windows Defender Windows Genuine Advantage Validation Tool (KB892130) Windows Internet Explorer 7 Windows Media Format 11 runtime Windows Media Player 10 Windows Media Player 11 Windows XP Service Pack 3 WinZip Yahoo! extras Yahoo! Install Manager Yahoo! Internet Mail Yahoo! Messenger Yahoo! Toolbar ==== Event Viewer Messages From Past Week ======== 8/13/2010 9:53:20 PM, error: Service Control Manager [7023] - The Update Security service terminated with the following error: The specified module could not be found. 8/11/2010 9:13:47 PM, error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 8/11/2010 9:13:42 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Media Player Network Sharing Service service to connect. 8/11/2010 8:44:36 PM, error: Service Control Manager [7023] - The Windows System service terminated with the following error: The specified module could not be found. 8/10/2010 9:20:37 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751) 8/10/2010 9:20:37 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-a.timefreq.bldrdoc.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751) ==== End Of File ===========================

#49 RetiredChief

Authentic Member

Authentic Member
111 posts

Posted 14 August 2010 - 10:05 PM

JonTom,

Here is the Gmer Scan file:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-14 21:02:12
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\LAUREN~1.BLA\LOCALS~1\Temp\kxloapow.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwClose [0xF89D08A0]
SSDT sptd.sys ZwCreateKey [0xF85400B0]
SSDT sptd.sys ZwEnumerateKey [0xF854584C]
SSDT sptd.sys ZwEnumerateValueKey [0xF8545BEC]
SSDT sptd.sys ZwOpenKey [0xF8540090]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xF89D08D0]
SSDT sptd.sys ZwQueryKey [0xF8545CC4]
SSDT sptd.sys ZwQueryValueKey [0xF8545B44]
SSDT sptd.sys ZwSetValueKey [0xF8545D56]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xF89D0980]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xF89D0A20]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xF89D0AC0]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F72598AC 5 Bytes JMP 82CD81B8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3284] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3500] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1044721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82F4A1D8

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 82C1A1D8
Device \Driver\usbuhci \Device\USBPDO-1 82C1A1D8
Device \Driver\usbuhci \Device\USBPDO-2 82C1A1D8
Device \Driver\usbehci \Device\USBPDO-3 82CD41D8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 82F641D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 82F641D8
Device \Driver\Cdrom \Device\CdRom0 82BCE1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F849CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F849CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F849CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F849CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 82F641D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{950892E5-F7A0-4AE9-B5CC-2595C40A05A5} 82AA31D8
Device \Driver\NetBT \Device\NetBt_Wins_Export 82AA31D8
Device \Driver\NetBT \Device\NetbiosSmb 82AA31D8

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 82C1A1D8
Device \Driver\usbuhci \Device\USBFDO-1 82C1A1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 828191D8
Device \Driver\usbuhci \Device\USBFDO-2 82C1A1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 828191D8
Device \Driver\usbehci \Device\USBFDO-3 82CD41D8
Device \Driver\Ftdisk \Device\FtControl 82F641D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CA0699DD-BBB0-450A-B85F-A32A1015D81E} 82AA31D8
Device \FileSystem\Fastfat \Fat 82C291D8
Device \FileSystem\Fastfat \Fat AFFCC297

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs 82CBA1D8
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] fnvmp <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] jgvexq <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\fnvmp@DisplayName Update Security
Reg HKLM\SYSTEM\ControlSet002\Services\fnvmp@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\fnvmp@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\fnvmp@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\fnvmp@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\fnvmp@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\fnvmp@Description Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
Reg HKLM\SYSTEM\ControlSet002\Services\fnvmp\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\fnvmp\Parameters@ServiceDll C:\WINDOWS\system32\xlumniv.dll
Reg HKLM\SYSTEM\ControlSet002\Services\jgvexq@DisplayName Windows System
Reg HKLM\SYSTEM\ControlSet002\Services\jgvexq@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\jgvexq@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\jgvexq@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\jgvexq@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\jgvexq@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\jgvexq@Description Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Reg HKLM\SYSTEM\ControlSet002\Services\jgvexq\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\jgvexq\Parameters@ServiceDll C:\WINDOWS\system32\xlumniv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\fnvmp@DisplayName Update Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\fnvmp@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\fnvmp@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\fnvmp@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\fnvmp@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\fnvmp@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\fnvmp@Description Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
Reg HKLM\SYSTEM\CurrentControlSet\Services\fnvmp\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\fnvmp\Parameters@ServiceDll C:\WINDOWS\system32\xlumniv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\jgvexq@DisplayName Windows System
Reg HKLM\SYSTEM\CurrentControlSet\Services\jgvexq@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\jgvexq@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\jgvexq@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\jgvexq@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\jgvexq@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\jgvexq@Description Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Reg HKLM\SYSTEM\CurrentControlSet\Services\jgvexq\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\jgvexq\Parameters@ServiceDll C:\WINDOWS\system32\xlumniv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -434439830
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1345337657

---- EOF - GMER 1.0.15 ----

#50 JonTom

Teacher Emeritus

Malware Team
5,496 posts

Posted 15 August 2010 - 10:01 AM

Hello RetiredChief

Thank you for the logs.

I can download to a thumb drive and work that way if you think that would be better.

Probably better to disconnect it for the time being.

Please use the following tool to treat your flash drives before using them to transfer tools from one machine to the other:

Please download Flash Disinfector
- Click here to download Flash Disinfector and save the file (called Flash_Disinfector.exe) to your desktop.
- Double click on the Flash_Disinfector.exe icon to run the program and follow any prompts that may appear.
- The program may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so if prompted.
- Wait until Flash disinfector has finished scanning and then exit the program.
- Reboot your computer.
Also, should I go ahead and completely remove the AVG from my laptop? I am not really impressed with it anyway.
Leave AVG where it is for the moment. We will take care of it once you system has been cleaned as installing security software onto an infected system is best avoided if at all possible.

I can also see evidence of Norton on your machine. If you no longer use Norton (Symantec) products let me know and I can provide a clean up tool later.

uInternet Settings,ProxyServer = dormproxy:80
Did you set this proxy on your machine? Please let me know.
DeFogger
- Please download DeFogger to your desktop.
- Click on DeFogger to run the tool.
- The application window will appear.
- Click the Disable button to disable your CD Emulation drivers.
- Click Yes to continue.
- A 'Finished!' message will appear.
- Click OK.
- DeFogger will now ask to reboot the machine - click OK.
  IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
  Do not re-enable these drivers until otherwise instructed.
Download Combofix and RE-NAME it BEFORE saving
- Download Combofix from either of the links below. You must rename it to retiredchief.exe before saving it.
- Save it to your desktop. Change the "save as file type" to "all files".
- Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
- If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
Link 1
Link 2
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.
- Double click on the renamed ComboFix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt so we can continue cleaning the system.

Would you like to help others? Join the Classroom and learn how.

Member of UNITE
Proud Graduate of the WTT Classroom

#51 RetiredChief

Authentic Member

Authentic Member
111 posts

Posted 15 August 2010 - 11:58 AM

JonTom, **I can also see evidence of Norton on your machine. If you no longer use Norton (Symantec) products let me know and I can provide a clean up tool later.** Yes please provide me a way to get rid of it once and for all. I have tried but cannot remove everythijng. **QUOTE uInternet Settings,ProxyServer = dormproxy:80 Did you set this proxy on your machine? Please let me know.** I do not know how to do this part. Chief

#52 JonTom

Teacher Emeritus

Malware Team
5,496 posts

Posted 15 August 2010 - 01:42 PM

Hello RetiredChief

please provide me a way to get rid of it once and for all

We will remove the Norton remnants once you machine is clean.

I do not know how to do this part

Sorry for not being clear. You do not need to do anything, I was just wondering if you recognised the dormproxy:80 on your machine. Proxies can be set manually by people for specific purposes - but they can also be set by malware.

Go ahead and run ComboFix and post the log created

Would you like to help others? Join the Classroom and learn how.

Member of UNITE
Proud Graduate of the WTT Classroom

#53 RetiredChief

Authentic Member

Authentic Member
111 posts

Posted 15 August 2010 - 02:33 PM

JonTom,

Here's the Combofix Log:

ComboFix 10-08-14.06 - Lauren A. Blakley 08/15/2010 13:05:39.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.105 [GMT -7:00]
Running from: E:\retiredchief.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Toolbar4
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\basis.xml
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\bg.bmp
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\bing_logo.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\celebrity.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\drop_images.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\drop_maps.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\drop_news.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\drop_videos.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\drop_web.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\facebook.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\favicon.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\games.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\hotmail.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\images.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\include.xml
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\info.txt
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\lifestyle.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\maps.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\messenger.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\msn.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\news.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\twitter.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\version.txt
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\video.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\videos.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\weather.png
c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\web.png
c:\documents and settings\Lauren A. Blakley\Recent\Thumbs.db
c:\program files\Search Toolbar
c:\program files\Search Toolbar\basis.xml
c:\program files\Search Toolbar\bg.bmp
c:\program files\Search Toolbar\bing_logo.png
c:\program files\Search Toolbar\celebrity.png
c:\program files\Search Toolbar\drop_images.png
c:\program files\Search Toolbar\drop_maps.png
c:\program files\Search Toolbar\drop_news.png
c:\program files\Search Toolbar\drop_videos.png
c:\program files\Search Toolbar\drop_web.png
c:\program files\Search Toolbar\facebook.png
c:\program files\Search Toolbar\favicon.png
c:\program files\Search Toolbar\games.png
c:\program files\Search Toolbar\hotmail.png
c:\program files\Search Toolbar\images.png
c:\program files\Search Toolbar\include.xml
c:\program files\Search Toolbar\info.txt
c:\program files\Search Toolbar\lifestyle.png
c:\program files\Search Toolbar\maps.png
c:\program files\Search Toolbar\messenger.png
c:\program files\Search Toolbar\msn.png
c:\program files\Search Toolbar\news.png
c:\program files\Search Toolbar\twitter.png
c:\program files\Search Toolbar\version.txt
c:\program files\Search Toolbar\video.png
c:\program files\Search Toolbar\videos.png
c:\program files\Search Toolbar\weather.png
c:\program files\Search Toolbar\web.png
C:\Thumbs.db
c:\windows\system\oeminfo.ini

.
((((((((((((((((((((((((( Files Created from 2010-07-15 to 2010-08-15 )))))))))))))))))))))))))))))))
.

2010-07-31 05:27 . 2010-07-31 05:27 -------- dc----w- c:\program files\Microsoft Games
2010-07-31 05:20 . 1998-09-02 08:28 38160 -c--a-w- c:\windows\system32\LMRTREND.dll
2010-07-31 05:20 . 1998-08-27 04:51 182032 -c--a-w- c:\windows\system32\dxtmsft3.dll
2010-07-31 05:19 . 1998-09-02 08:28 63488 -c--a-w- c:\windows\system32\unam4ie.exe
2010-07-31 05:19 . 1998-08-17 09:21 10240 -c--a-w- c:\windows\system32\vidx16.dll
2010-07-31 05:19 . 1998-08-17 09:21 11776 -c--a-w- c:\windows\system32\mciqtz.drv
2010-07-31 05:19 . 1998-09-02 08:02 194320 -c--a-w- c:\windows\system32\qcut.dll
2010-07-31 05:19 . 2010-07-31 05:19 4608 -c--a-w- c:\windows\system32\w95inf32.dll
2010-07-31 05:19 . 2010-07-31 05:19 2272 -c--a-w- c:\windows\system32\w95inf16.dll
2010-07-30 05:10 . 2010-07-30 05:10 -------- dc----w- c:\windows\system32\wbem\Repository
2010-07-29 05:19 . 2010-07-30 05:09 -------- dc----w- c:\documents and settings\Lauren A. Blakley\Local Settings\Application Data\Yahoo
2010-07-29 05:16 . 2010-07-29 05:16 -------- dc----w- c:\documents and settings\Lauren A. Blakley\Local Settings\Application Data\Yahoo!
2010-07-29 05:15 . 2010-07-30 04:45 -------- dc----w- c:\documents and settings\Lauren A. Blakley\Application Data\Yahoo!
2010-07-29 04:45 . 2010-07-29 04:45 -------- dc----w- c:\program files\Secunia
2010-07-27 02:49 . 2010-07-27 02:49 -------- dc----w- C:\d48e9072f60859d7631ab5080b
2010-07-23 00:46 . 2010-07-23 00:46 -------- dc----w- c:\program files\MSECache
2010-07-18 06:07 . 2010-07-27 02:49 -------- dc----w- c:\windows\system32\XPSViewer
2010-07-18 06:06 . 2010-07-18 06:06 -------- dc----w- c:\program files\MSBuild
2010-07-18 06:05 . 2010-07-18 06:05 -------- dc----w- c:\program files\Reference Assemblies
2010-07-18 06:00 . 2008-07-06 12:06 89088 -c--a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-18 05:50 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-18 05:50 . 2008-07-06 12:06 117760 -c----w- c:\windows\system32\prntvpt.dll
2010-07-18 05:50 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-18 05:50 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-18 05:50 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\xpsshhdr.dll
2010-07-18 05:50 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-18 05:49 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\xpssvcs.dll
2010-07-18 05:49 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-18 04:25 . 2010-05-21 21:14 221568 -c----w- c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-31 14:47 . 2005-02-27 05:05 30632 -c--a-w- c:\documents and settings\Lauren A. Blakley\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-30 05:09 . 2005-12-23 11:19 -------- dc----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-29 05:17 . 2006-02-26 04:28 -------- dc----w- c:\documents and settings\All Users\Application Data\yahoo!
2010-07-29 05:17 . 2005-12-23 11:19 -------- dc----w- c:\program files\Yahoo!
2010-07-27 02:48 . 2006-02-19 19:37 -------- dc----w- c:\program files\Windows Defender
2010-07-27 02:47 . 2006-02-20 02:32 -------- dc----w- c:\program files\Microsoft AntiSpyware
2010-06-30 12:31 . 2004-08-12 14:04 149504 -c--a-w- c:\windows\system32\schannel.dll
2010-06-27 05:35 . 2010-06-27 05:35 -------- dc----w- c:\program files\MSXML 4.0
2010-06-24 12:15 . 2004-08-12 14:09 832512 -c--a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-12 13:58 78336 -c--a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-12 13:56 17408 -c--a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-12 14:09 1851904 -c--a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-12 14:06 354304 -c--a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-12 13:57 80384 -c--a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-04 11:00 744448 -c--a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
2010-06-14 07:41 . 2004-08-12 14:01 1172480 -c--a-w- c:\windows\system32\msxml3.dll
2010-05-30 04:38 . 2010-05-30 04:38 11952 -c--a-w- c:\windows\system32\avgrsstx.dll
2010-05-30 04:38 . 2010-05-30 04:38 12552 -c--a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-05-30 04:37 . 2010-05-30 04:37 108552 -c--a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-30 04:37 . 2010-05-30 04:37 335240 -c--a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-30 04:37 . 2010-05-30 04:37 27784 -c--a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-30 04:35 . 2010-05-30 04:35 50968 -c--a-w- c:\windows\system32\avgfwdx.dll
2010-05-30 04:35 . 2010-05-30 04:35 29208 -c--a-w- c:\windows\system32\drivers\avgfwdx.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 16:56 1062144 -c--a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-12-08 3096576]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2004-03-04 211828]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-02-19 26112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"Dell QuickSet"="c:\progra~1\Dell\QuickSet\quickset.exe" [2004-10-08 610304]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-15 2048352]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-07-23 1600008]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Icatch(VI) SnapDetect.lnk - c:\windows\Twain_32\CA561A\SnapDetect.exe [2005-4-2 65536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-30 04:38 11952 -c--a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1475:TCP"= 1475:TCP:uygpw

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\SYSTEM32\DRIVERS\AVGIDSErHr.sys [7/22/2009 5:23 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [5/29/2010 9:38 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/29/2010 9:37 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/29/2010 9:37 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/29/2010 9:37 PM 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [5/29/2010 9:37 PM 1370488]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [7/22/2009 5:23 PM 5641736]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [7/22/2009 5:23 PM 571912]
R3 Avgfwdx;Avgfwdx;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [5/29/2010 9:35 PM 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [7/22/2009 5:23 PM 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [7/22/2009 5:23 PM 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [7/22/2009 5:23 PM 27232]
S2 fnvmp;Update Security;c:\windows\system32\svchost.exe -k netsvcs [8/12/2004 7:06 AM 14336]
S2 jgvexq;Windows System;c:\windows\system32\svchost.exe -k netsvcs [8/12/2004 7:06 AM 14336]
S3 Avgfwfd;AVG network filter service;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [5/29/2010 9:35 PM 29208]
S3 idrmkl;idrmkl;\??\c:\docume~1\LAUREN~1.BLA\LOCALS~1\Temp\idrmkl.sys --> c:\docume~1\LAUREN~1.BLA\LOCALS~1\Temp\idrmkl.sys [?]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [5/30/2007 10:52 PM 639224]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jgvexq
fnvmp
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = dormproxy:80
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Lauren A. Blakley\Application Data\Mozilla\Firefox\Profiles\q6fuhlgz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr
ef", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
AddRemove-CCleaner - c:\program files\CCleaner\uninst.exe
AddRemove-HijackThis - d:\new folder\HIJACK\HijackThis.exe
AddRemove-Marine Aquarium 2.5, Goldfish, Sharks & Carousel Bundle - c:\program files\Prolific Publishing

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-15 13:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\ad106d77-e527-4f5d-b7eb-359a92623892.tmp 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\fnvmp]
"ServiceDll"="c:\windows\system32\xlumniv.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jgvexq]
"ServiceDll"="c:\windows\system32\xlumniv.dll"
.
Completion time: 2010-08-15 13:23:10
ComboFix-quarantined-files.txt 2010-08-15 20:23

Pre-Run: 44,602,355,712 bytes free
Post-Run: 44,851,740,672 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - EF5784A04C27F152BAB103C99C39FCE3

#54 JonTom

Teacher Emeritus

Malware Team
5,496 posts

Posted 16 August 2010 - 01:29 AM

Hello RetiredChief

Thank you for the log.

Are you running ComboFix off your flash drive?

It is very important that you copy the tools we need to use directly onto the desktop of the infected machine, otherwise backups of our changes may not be saved.

Please work through the following steps
- Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
- NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
- Copy and Paste the text in the codebox below (including the link) into the open Notepad window:
```
http://forums.whatthetech.com/index.php?showtopic=113665&st=45&start=45

collect::
c:\windows\system32\xlumniv.dll

File::
c:\docume~1\LAUREN~1.BLA\LOCALS~1\Temp\idrmkl.sys

Rootkit::
c:\windows\TEMP\ad106d77-e527-4f5d-b7eb-359a92623892.tmp

Driver::
jgvexq
fnvmp
idrmkl

NetSvc::
jgvexq
fnvmp

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\fnvmp]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jgvexq]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1475:TCP"=-
```
- Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
- Close any open browsers.
- Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Refering to the picture below, drag CFScript.txt into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
- Once the log is produced, re-engage your resident anti virus.
- Note: When ComboFix finishes running, the ComboFix log will open along with a message box - do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
- Ensure you are connected to the internet and click OK on the message box.
Clean out your temporary files
- Please download ATF Cleaner by Atribune by clicking here and save the file (called ATF-Cleaner.exe) to your desktop.
- Run the program by double clicking the ATF-Cleaner.exe icon located on your desktop.
- Check the boxes to the left of the following:
- Windows Temp
- Current User Temp
- All Users Temp
- Temporary Internet Files
- Java Cache
- The rest are optional. If you want to remove everything check the "Select All" box.
- Click on "Empty Selected" to begin cleaning.
- Once the "Done Cleaning" message appears, click OK.
- If you use Firefox, Click on the Firefox tab and repeat the above process.
- When you have finished cleaning, click on the "Exit" button in the main menu.
Please perform the following scan:
- Please download MalwareBytes AntiMalware by clicking here and save the file (called mbam-setup.exe) to your desktop.
- Double click on the mbam-setup.exe icon to install the program.
- Follow the prompts during installation and have the Installation Wizzard create a desktop icon.
- Once installed, double click on the MalwareBytes AntiMalware icon to launch the program.
- Click on the "Update" tab and then on "Check for Updates".
- The program will now install the latest Malware definition files.
- Once complete, click on the "Scanner" tab, select "Perform full scan"and then click on "Scan".
- Once the program has scanned your computer, a log file will be created in Notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
- When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
- The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
- Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
- Come back here to this thread and Paste the log in your next reply.
Please post the ComboFix log and the MBAM log in your next reply.

How is it running now?

Would you like to help others? Join the Classroom and learn how.

Member of UNITE
Proud Graduate of the WTT Classroom

#55 RetiredChief

Authentic Member

Authentic Member
111 posts

Posted 17 August 2010 - 12:48 AM

JonTom,

I performed the Combofix scan after I loaded it to my desktop. I thought it was but it was only a shortcut, sorry.

I did not re-engage my anti-virus or see a message box and I was not connected to the internet because I thought I was supposed to remain clear of using the wireless browser. If this is an issue, let me know and I will re-do it tomorrow. Here's the log:

ComboFix 10-08-14.06 - Lauren A. Blakley 08/16/2010 23:06:00.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.148 [GMT -7:00]
Running from: c:\documents and settings\Lauren A. Blakley\Desktop\retiredchief.exe
Command switches used :: c:\documents and settings\Lauren A. Blakley\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

FILE ::
"c:\docume~1\LAUREN~1.BLA\LOCALS~1\Temp\idrmkl.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FNVMP
-------\Legacy_IDRMKL
-------\Legacy_JGVEXQ
-------\Service_fnvmp
-------\Service_idrmkl
-------\Service_jgvexq

((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.

2010-07-31 05:27 . 2010-07-31 05:27 -------- dc----w- c:\program files\Microsoft Games
2010-07-31 05:20 . 1998-09-02 08:28 38160 -c--a-w- c:\windows\system32\LMRTREND.dll
2010-07-31 05:20 . 1998-08-27 04:51 182032 -c--a-w- c:\windows\system32\dxtmsft3.dll
2010-07-31 05:19 . 1998-09-02 08:28 63488 -c--a-w- c:\windows\system32\unam4ie.exe
2010-07-31 05:19 . 1998-08-17 09:21 10240 -c--a-w- c:\windows\system32\vidx16.dll
2010-07-31 05:19 . 1998-08-17 09:21 11776 -c--a-w- c:\windows\system32\mciqtz.drv
2010-07-31 05:19 . 1998-09-02 08:02 194320 -c--a-w- c:\windows\system32\qcut.dll
2010-07-31 05:19 . 2010-07-31 05:19 4608 -c--a-w- c:\windows\system32\w95inf32.dll
2010-07-31 05:19 . 2010-07-31 05:19 2272 -c--a-w- c:\windows\system32\w95inf16.dll
2010-07-30 05:10 . 2010-07-30 05:10 -------- dc----w- c:\windows\system32\wbem\Repository
2010-07-29 05:19 . 2010-07-30 05:09 -------- dc----w- c:\documents and settings\Lauren A. Blakley\Local Settings\Application Data\Yahoo
2010-07-29 05:16 . 2010-07-29 05:16 -------- dc----w- c:\documents and settings\Lauren A. Blakley\Local Settings\Application Data\Yahoo!
2010-07-29 05:15 . 2010-07-30 04:45 -------- dc----w- c:\documents and settings\Lauren A. Blakley\Application Data\Yahoo!
2010-07-29 04:45 . 2010-07-29 04:45 -------- dc----w- c:\program files\Secunia
2010-07-27 02:49 . 2010-07-27 02:49 -------- dc----w- C:\d48e9072f60859d7631ab5080b
2010-07-23 00:46 . 2010-07-23 00:46 -------- dc----w- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-31 14:47 . 2005-02-27 05:05 30632 -c--a-w- c:\documents and settings\Lauren A. Blakley\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-30 05:09 . 2005-12-23 11:19 -------- dc----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-29 05:17 . 2006-02-26 04:28 -------- dc----w- c:\documents and settings\All Users\Application Data\yahoo!
2010-07-29 05:17 . 2005-12-23 11:19 -------- dc----w- c:\program files\Yahoo!
2010-07-27 02:48 . 2006-02-19 19:37 -------- dc----w- c:\program files\Windows Defender
2010-07-27 02:47 . 2006-02-20 02:32 -------- dc----w- c:\program files\Microsoft AntiSpyware
2010-07-18 06:06 . 2010-07-18 06:06 -------- dc----w- c:\program files\MSBuild
2010-07-18 06:05 . 2010-07-18 06:05 -------- dc----w- c:\program files\Reference Assemblies
2010-06-30 12:31 . 2004-08-12 14:04 149504 -c--a-w- c:\windows\system32\schannel.dll
2010-06-27 05:35 . 2010-06-27 05:35 -------- dc----w- c:\program files\MSXML 4.0
2010-06-24 12:15 . 2004-08-12 14:09 832512 -c--a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-12 13:58 78336 -c--a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-12 13:56 17408 -c--a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-12 14:09 1851904 -c--a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-12 14:06 354304 -c--a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-12 13:57 80384 -c--a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-04 11:00 744448 -c--a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
2010-06-14 07:41 . 2004-08-12 14:01 1172480 -c--a-w- c:\windows\system32\msxml3.dll
2010-05-30 04:38 . 2010-05-30 04:38 11952 -c--a-w- c:\windows\system32\avgrsstx.dll
2010-05-30 04:38 . 2010-05-30 04:38 12552 -c--a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-05-30 04:37 . 2010-05-30 04:37 108552 -c--a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-30 04:37 . 2010-05-30 04:37 335240 -c--a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-30 04:37 . 2010-05-30 04:37 27784 -c--a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-30 04:35 . 2010-05-30 04:35 50968 -c--a-w- c:\windows\system32\avgfwdx.dll
2010-05-30 04:35 . 2010-05-30 04:35 29208 -c--a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-05-21 21:14 . 2010-07-18 04:25 221568 -c----w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 16:56 1062144 -c--a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-12-08 3096576]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2004-03-04 211828]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-02-19 26112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"Dell QuickSet"="c:\progra~1\Dell\QuickSet\quickset.exe" [2004-10-08 610304]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-15 2048352]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-07-23 1600008]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Icatch(VI) SnapDetect.lnk - c:\windows\Twain_32\CA561A\SnapDetect.exe [2005-4-2 65536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-30 04:38 11952 -c--a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\SYSTEM32\DRIVERS\AVGIDSErHr.sys [7/22/2009 5:23 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [5/29/2010 9:38 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/29/2010 9:37 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/29/2010 9:37 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/29/2010 9:37 PM 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [5/29/2010 9:37 PM 1370488]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [7/22/2009 5:23 PM 5641736]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [7/22/2009 5:23 PM 571912]
R3 Avgfwdx;Avgfwdx;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [5/29/2010 9:35 PM 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [7/22/2009 5:23 PM 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [7/22/2009 5:23 PM 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [7/22/2009 5:23 PM 27232]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 Avgfwfd;AVG network filter service;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [5/29/2010 9:35 PM 29208]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [5/30/2007 10:52 PM 639224]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = dormproxy:80
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Lauren A. Blakley\Application Data\Mozilla\Firefox\Profiles\q6fuhlgz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr
ef", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-16 23:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3248)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\BCMSMMSG.exe
c:\program files\Dell\AccessDirect\DadTray.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
.
**************************************************************************
.
Completion time: 2010-08-16 23:30:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-17 06:30
ComboFix2.txt 2010-08-15 20:23

Pre-Run: 44,815,745,024 bytes free
Post-Run: 44,751,077,376 bytes free

- - End Of File - - 8B92AB77CCEB96EF7A5246DE2839DC97

Advertisements

Register to Remove

#56 JonTom

Teacher Emeritus

Malware Team
5,496 posts

Posted 17 August 2010 - 01:30 PM

Hello RetiredChief

Thank you for the log.

Please run ATF Cleaner and follow with MBAM - then post the MBAM log in your next reply

Would you like to help others? Join the Classroom and learn how.

Member of UNITE
Proud Graduate of the WTT Classroom

#57 RetiredChief

Authentic Member

Authentic Member
111 posts

Posted 17 August 2010 - 10:39 PM

JonTom, Ran ATF and here is the MBam Log: Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4442 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.13 8/17/2010 8:39:55 PM mbam-log-2010-08-17 (20-39-55).txt Scan type: Full scan (C:\|D:\|) Objects scanned: 175474 Time elapsed: 52 minute(s), 46 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000210.sys (Trojan.Agent.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000311.sys (Trojan.Agent.Gen) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000434.sys (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

#58 JonTom

Teacher Emeritus

Malware Team
5,496 posts

Posted 18 August 2010 - 01:00 AM

Hello RetiredChief

Thank you for the logs.

Lets get your Java updated and run an online scan to check for anything that may have beed missed:

Please update your Java
- Click on "Start", then on "Control Panel".
- Go to "Add or Remove Programs" and uninstall any previous versions of Java that you find (Java 2 Runtime Environment, SE v1.4.2_03).
- Reboot your computer.
- Next, download the latest version of Java by clicking here
- Scroll down the page until you reach "Java Platform Standard Edition".
- Beneath this and to the right, you will see a red button marked "Download JRE".
- Click the "Download JRE" button.
- Select the platform (Windows, in your case), multi language.
- Accept the license agreement and click on "Continue".
- You do not have to register if you do not want to (the registration step is optional).
- Scroll down and click on the file called jre-6u21-windows-i586.exe located under "Windows Offline Installation".
- Save the file to your desktop.
- Do not select Run.
- Double click on the saved file (jre-6u21-windows-i586.exe) to install the update.
- Delete the downloaded installation file after completing the above procedure and reboot your system if not prompted to do so.
Please perform the following scan:
- This is a very deep scan that can take many hours. In some instances you may need to let it run overnight. Please be patient.
- It is recommended that you disable your onboard antivirus program and antispyware programs while performing scans to eliminate software conflicts and to speed up scan time.
- DO NOT surf the net while your resident protection is disabled!
- Once the scan is finished remember to re-enable your resident antivirus protection along with whatever antispyware applications you use.
- Please perform a Kaspersky Online Scan of your computer by clicking here or here.
- Click on the Accept button and install any components it needs.
- The program will install and then begin downloading the latest definition files.
- After the files have been downloaded on the left side of the page in the Scan section select My Computer.
- This will start the program and scan your system.
- The scan will take a while, so be patient and let it run (at times it may appear to stall).
- Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
- Once the scan is complete, click on View scan report. To obtain the report:
- Click on: Save Report As
- Next, in the Save as prompt, Save in area, select: Desktop
- In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:Text file [*.txt]
- Then, click: Save
- Please post the Kaspersky Online Scanner Report in your reply.
- If you need help performing the above steps, an animated tutorial can be found here.
I seem to remember you having trouble with Kaspersky before. If it refuses to run please try ESET:
Please run the following scan
- Note: You will need to use Internet Explorer for this scan.
- Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
- Please disable your real time security programs before performing the scan.
- Scan your system with Eset Online Scanner
- Place a check mark in the box YES, I accept the Terms Of Use.
- Click the button.
- For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
- Check
- Click the button.
- Accept any security warnings from your browser.
- Check
- Push the "Start" button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push
- Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Push the button.
- Push
Please post the Kaspersky (or ESET) log in your next reply.

Also, please describe how your machine is running now.

Would you like to help others? Join the Classroom and learn how.

Member of UNITE
Proud Graduate of the WTT Classroom

#59 RetiredChief

Authentic Member

Authentic Member
111 posts

Posted 19 August 2010 - 05:36 PM

JonTom, I tried to run the Kasperisky but it locked up at 94% and stayed there for 2 hours. I tried it again and let it run overnight but when I got up this morning it was stuck on 22% and my screensaver was locked up. I disabled my screensaver and set my monitor only to sleep after 30 minutes and will run it again. Chief

#60 RetiredChief

Authentic Member

Authentic Member
111 posts

Posted 19 August 2010 - 09:57 PM

JonTom, Here is the Kscan: -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Thursday, August 19, 2010 Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Thursday, August 19, 2010 12:05:32 Records in database: 4135377 -------------------------------------------------------------------------------- Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes Scan area - My Computer: C:\ D:\ Scan statistics: Objects scanned: 60192 Threats found: 0 Infected objects found: 0 Suspicious objects found: 0 Scan duration: 02:38:05 No threats found. Scanned area is clean. Selected area has been scanned.

Body Background

skin color theme