
Virus/spyware removed and now no internet

This is a discussion on Virus/spyware removed and now no internet within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 04-12-2012, 10:05 AM   #1
Registered Member
 
Join Date: Dec 2011
Posts: 48
OS: windows XP SP3



I have windows XP media center edition SP3. The day before yesterday I removed some viruses with avast. Some of them it said it couldn't delete or move to the chest. Now I can't connect to the internet. It says it is searching for an IP address. My other electronics connect fine w/ no problem. This happened once before but I had the XP security 2012 virus. I don't believe that is what I have. Here is a link to the previous forum if you would like to see what needed to be done the last time: Windows Security 2012 Thank you for any help! Btw.. I do have virus/malware/spyware protection but my husband had disabled it for one reason or another and now here we are.

__________________
Danigir1 is offline  
Old 04-13-2012, 05:34 PM   #2
Registered Member
 
Join Date: Dec 2011
Posts: 48
OS: windows XP SP3


Excuse the multiple posts... I've been trying to run the GMER and DDS programs. DDS works fine and I'll post that as soon as I can get to a computer. GMER however scans for hours and then the screen goes blue and says something about driver_irql_not_less_or_equal and continues on with: technical information: stop: 0x000000d1 (0x088ff108, 0x00000005, 0x00000001, 0xb9f1489b). And then under that: atapi.sys - address b9f1489b base at b9f0b00, datestamp 4802539d. I've tried to do it 3 times and it has done it all 3 times.

__________________
Danigir1 is offline  
Old 04-14-2012, 04:50 PM   #3
TSF Enthusiast
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64



Hi Danigir1,

We advise users not to multiple-post, mainly because a thread with 2 or more posts in it can look like it's being handled, and you're likely to receive no response.

You're getting a crash on running the GMER scan; if you can't get it to run, don't worry about it for the moment. However, if you haven't already done so, please try the alternative method for running GMER listed in the first steps.

Run the scan with ONLY the Sections and C drive boxes ticked.

Please post the DDS logs on your next reply.
__________________
Deleted 080713 is offline  
Old 04-15-2012, 02:01 PM   #4
Registered Member
 
Join Date: Dec 2011
Posts: 48
OS: windows XP SP3



Sorry for the delay...attached is the modified gmer/ark log and here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Ryan at 20:40:36 on 2012-04-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1448 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\DOCUME~1\Ryan\LOCALS~1\Temp\clclean.0001
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14196
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [F5D7050v3] c:\program files\belkin\f5d7050v3\Belkinwcui.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/OneClickFix/tgctlsr.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{1E9C1DE4-D4EC-448A-9FFF-7F525DAF10FC} : DhcpNameServer = 192.168.2.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ryan\application data\mozilla\firefox\profiles\mbl94ag5.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?l=dis&o=14196
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FWV5&o=14193&locale=en_US&apn_uid=1AF3AD51-53B4-4FCE-A4D6-605CF2508027&apn_ptnrs=FM&apn_sauid=DB3CDF8F-8F84-49E8-9A00-DE53910EF105&apn_dtid=TES002YYUS&&q=
FF - plugin: c:\documents and settings\ryan\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extentions.y2layers.installId - dd1e8342-aab3-45dd-8f70-cbbbdf11f0f2
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,BestVideoDownloader,BestVideoDownloader,
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-15 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-15 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-15 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-12-15 44768]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-5 652360]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-5 20464]
R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2011-12-12 6609920]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-2-26 18560]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-4-13 40776]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
.
=============== Created Last 30 ================
.
2012-04-13 19:25:32 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-10 03:18:14 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-19 11:17:07 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-19 11:17:07 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
.
==================== Find3M ====================
.
2012-03-26 02:40:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-06 23:15:19 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:03:51 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2011-12-05 11:41:58 3552208 ----a-w- c:\program files\ccsetup313.exe
2011-12-02 18:22:59 6585536 ----a-w- c:\program files\yusetup7cnet.exe
2010-10-15 03:51:36 895256 ----a-w- c:\program files\DivXInstaller.exe
.
============= FINISH: 20:41:56.26 ===============
Attached Files
File Type: zip attach.zip (12.1 KB, 4 views)
__________________
Danigir1 is offline  
Old 04-15-2012, 02:17 PM   #5
TSF Enthusiast
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64



Hi Danigir1,

Please could you post up the Avast log for the removed malware. You should see this as an option under Scan Computer > Scan Logs.

As Avast! was unable to remove some of the malware, we'll run Combofix to clear up anything remaining and help narrow down your internet issues.

Try to carry out the next set of instructions using Normal mode. If you cannot, be sure to boot into Safe Mode with Networking

**Read through these instructions in their entirety BEFORE executing them.** If you have any questions or are unsure about any of the following instructions PLEASE ASK for clarification before continuing. You may want to copy this page to notepad or print it as it will not be available while you run ComboFix.
  1. Download ComboFix from one of these locations:

     Link 1
     Link 2

     * IMPORTANT !!! Place combofix.exe on your Desktop

  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

     You can get help on disabling your protection programs here

  3. Double click on combofix.exe & follow the prompts.

  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  5. When finished, it shall produce a log for you. Post that log in your next reply.

     Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
__________________
Deleted 080713 is offline  
Old 04-15-2012, 03:54 PM   #6
Registered Member
 
Join Date: Dec 2011
Posts: 48
OS: windows XP SP3



Ran combofix and it found rootkit.zeroaccess and now the internet is working. YAY! :) Here's the combofix log:
ComboFix 12-04-15.02 - Ryan 04/15/2012 17:08:57.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1614 [GMT -4:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
C:\ipconfig.txt
c:\windows\$NtUninstallKB13225$
c:\windows\$NtUninstallKB13225$\1459512663\@
c:\windows\$NtUninstallKB13225$\1459512663\cfg.ini
c:\windows\$NtUninstallKB13225$\1459512663\Desktop.ini
c:\windows\$NtUninstallKB13225$\1459512663\L\pdmzmplg
c:\windows\$NtUninstallKB13225$\1459512663\oemid
c:\windows\$NtUninstallKB13225$\1459512663\U\00000001.@
c:\windows\$NtUninstallKB13225$\1459512663\U\00000002.@
c:\windows\$NtUninstallKB13225$\1459512663\U\00000004.@
c:\windows\$NtUninstallKB13225$\1459512663\U\80000000.@
c:\windows\$NtUninstallKB13225$\1459512663\U\80000004.@
c:\windows\$NtUninstallKB13225$\1459512663\U\80000032.@
c:\windows\$NtUninstallKB13225$\1459512663\version
c:\windows\$NtUninstallKB13225$\2284098840
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\SET66.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-03-15 to 2012-04-15 )))))))))))))))))))))))))))))))
.
.
2012-04-13 19:25 . 2012-04-13 19:25 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-19 11:17 . 2012-03-19 11:17 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 11:17 . 2012-03-19 11:17 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-26 02:40 . 2011-12-02 20:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-06 23:15 . 2011-12-15 21:45 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:15 . 2011-12-15 21:45 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-06 23:03 . 2011-12-15 21:45 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-06 23:03 . 2011-12-15 21:45 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-06 23:02 . 2011-12-15 21:45 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-06 23:01 . 2011-12-15 21:45 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-06 23:01 . 2011-12-15 21:45 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-06 23:01 . 2011-12-15 21:45 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-06 23:01 . 2011-12-15 21:45 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-06 22:58 . 2011-12-15 21:45 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-02-03 09:22 . 2005-08-16 10:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2011-12-05 11:41 . 2011-12-05 11:41 3552208 ----a-w- c:\program files\ccsetup313.exe
2011-12-02 18:22 . 2011-12-02 18:21 6585536 ----a-w- c:\program files\yusetup7cnet.exe
2010-10-15 03:51 . 2010-10-15 03:45 895256 ----a-w- c:\program files\DivXInstaller.exe
2012-03-19 11:17 . 2011-12-02 19:18 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-18 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-11-18 00:29 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-18 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-18 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-31 1654784]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-11-18 901800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-17 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLCFCATS]
2006-10-20 22:48 73728 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\dlcftime.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\NeverwinterNights\\NWN\\nwmain.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlcfcoms.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/15/2011 5:45 PM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/15/2011 5:45 PM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/15/2011 5:45 PM 20696]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/5/2011 2:14 AM 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/5/2011 2:14 AM 20464]
R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [12/12/2011 12:01 PM 6609920]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2/26/2008 8:33 PM 18560]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/13/2012 3:25 PM 40776]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sonicatheaterinstallerservice
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-16 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-11-18 00:29]
.
2012-04-15 c:\windows\Tasks\User_Feed_Synchronization-{FEB093ED-48D7-470E-9DA9-F91BFBB21E21}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14196
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\mbl94ag5.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?l=dis&o=14196
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FWV5&o=14193&locale=en_US&apn_uid=1AF3AD51-53B4-4FCE-A4D6-605CF2508027&apn_ptnrs=FM&apn_sauid=DB3CDF8F-8F84-49E8-9A00-DE53910EF105&apn_dtid=TES002YYUS&&q=
FF - user.js: extentions.y2layers.installId - dd1e8342-aab3-45dd-8f70-cbbbdf11f0f2
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,BestVideoDownloader,BestVideoDownloader,
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ESPNMotion - c:\progra~1\ESPNMO~1\UNWISE.EXE
AddRemove-Money2006b - c:\program files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe
AddRemove-Movin' and Groovin' - c:\program files\Common Files\Polka Dot\Uninstall\BoohBahMMUn.exe
AddRemove-StreetPlugin - c:\program files\Learn2.com\StRunner\stuninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-04-15 17:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3680)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\system32\dlcfcoms.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\windows\stsystra.exe
c:\windows\system32\Rundll32.exe
c:\windows\eHome\ehmsas.exe
c:\docume~1\Ryan\LOCALS~1\Temp\clclean.0001
.
**************************************************************************
.
Completion time: 2012-04-15 17:41:01 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-15 21:40
.
Pre-Run: 121,706,811,392 bytes free
Post-Run: 122,033,364,992 bytes free
.
- - End Of File - - 8D32D3BD9E3490D57FBFF9C7DFC9C0FA

For some reason there are no logs for Avast or malwarebytes... sorry.
__________________
Danigir1 is offline  
Old 04-15-2012, 04:25 PM   #7
TSF Enthusiast
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64



Hi Danigir1,

That's great. How is the computer behaving now?

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. You may want to print and/or save the following instructions in Notepad as this webpage will not be available when you're carrying out the fix.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=dword:00000000

Save this as CFScript.txt, in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

Combofix may request an update, click Yes to allow it.

When finished, please post the C:\ComboFix.txt for further review.
__________________
Deleted 080713 is offline  
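The two registry values the CFScript in the post above resets are the ones the ComboFix log in post #6 reported set to 1: Security Center's AntiVirusOverride and the firewall standard profile's DisableNotifications. Both silence Windows' own warnings that protection is off, which is why a helper wants them back to 0 once the infection is gone. The Python script below is an added example, not code from this thread, from the helper, or from ComboFix: it parses a log excerpt in the shape of ComboFix's "Reg Loading Points" section (the flagged sample lines are copied from the posted log; the domain-profile control entry is constructed), flags either value when it is 1, and emits a Registry:: block in the same form the helper used. The section layout it expects, and the choice of which values to watch, are assumptions drawn from this thread only.

```python
import re

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section.
# The first two key/value pairs are copied from the log posted in this thread;
# the domainprofile pair is a clean control entry added for contrast.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile]
"DisableNotifications"= 0 (0x0)
.
"""

# Values worth flagging when set to 1 (assumption: chosen from this thread only).
# Keyed by a lower-case suffix of the registry key and the lower-case value name.
WATCHED = {
    (r"software\microsoft\security center", "antivirusoverride"):
        "Security Center antivirus alert suppressed",
    (r"services\sharedaccess\parameters\firewallpolicy\standardprofile", "disablenotifications"):
        "Windows Firewall (standard profile) notifications suppressed",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>\S.*)$')


def parse_value(raw):
    """Accept both spellings ComboFix uses: 'dword:00000001' and '1 (0x1)'."""
    raw = raw.strip()
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\b", raw)
    if m:
        return int(m.group(1))
    return None  # string or binary data, not relevant here


def find_suppressed_alerts(log_text):
    """Walk the section line by line, remembering the current [key],
    and report watched values that are set to 1."""
    findings = []
    current_key = None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not (m and current_key):
            continue
        name = m.group("name")
        value = parse_value(m.group("raw"))
        for (key_suffix, watched_name), why in WATCHED.items():
            if (current_key.lower().endswith(key_suffix)
                    and name.lower() == watched_name
                    and value == 1):
                findings.append({"key": current_key, "name": name,
                                 "value": value, "why": why})
    return findings


def cfscript_reset(findings):
    """Emit a Registry:: block in the form used in this thread, resetting each
    flagged value to 0 under the key exactly as the log spelled it."""
    lines = ["Registry::"]
    for f in findings:
        lines.append("[%s]" % f["key"])
        lines.append('"%s"=dword:00000000' % f["name"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_suppressed_alerts(SAMPLE_LOG)
    for f in hits:
        print("%s\\%s = %d  (%s)" % (f["key"], f["name"], f["value"], f["why"]))
    print(cfscript_reset(hits))
```

Run against the sample it reports both overrides and prints a two-entry Registry:: block; the domain-profile entry, which is 0, is left alone. Feeding it the full "Reg Loading Points" section of a ComboFix log is the intended use, since the key/value regexes ignore the file-listing and service lines that appear in between.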
Old 04-16-2012, 06:38 AM   #8
Registered Member
 
Join Date: Dec 2011
Posts: 48
OS: windows XP SP3



It's doing very well. Internet is working fine and I'm not having any redirects.

ComboFix 12-04-15.02 - Ryan 04/16/2012 8:15.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1273 [GMT -4:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Ryan\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Ryan\Local Settings\temp\clclean.0001.dir.0000\~df394b.tmp
c:\windows\isRS-000.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-03-16 to 2012-04-16 )))))))))))))))))))))))))))))))
.
.
2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2012-03-19 11:17 . 2012-03-19 11:17 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 11:17 . 2012-03-19 11:17 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 19:56 . 2011-12-05 06:14 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-26 02:40 . 2011-12-02 20:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-06 23:15 . 2011-12-15 21:45 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:15 . 2011-12-15 21:45 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-06 23:03 . 2011-12-15 21:45 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-06 23:03 . 2011-12-15 21:45 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-06 23:02 . 2011-12-15 21:45 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-06 23:01 . 2011-12-15 21:45 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-06 23:01 . 2011-12-15 21:45 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-06 23:01 . 2011-12-15 21:45 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-06 23:01 . 2011-12-15 21:45 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-06 22:58 . 2011-12-15 21:45 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-03-01 11:01 . 2005-08-16 10:18 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2005-08-16 10:18 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2005-08-16 10:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2005-08-16 10:18 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2005-08-16 10:18 148480 ------w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2005-08-16 10:18 385024 ------w- c:\windows\system32\html.iec
2012-02-03 09:22 . 2005-08-16 10:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2011-12-05 11:41 . 2011-12-05 11:41 3552208 ----a-w- c:\program files\ccsetup313.exe
2011-12-02 18:22 . 2011-12-02 18:21 6585536 ----a-w- c:\program files\yusetup7cnet.exe
2010-10-15 03:51 . 2010-10-15 03:45 895256 ----a-w- c:\program files\DivXInstaller.exe
2012-03-19 11:17 . 2011-12-02 19:18 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-15_21.31.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-08-16 10:18 . 2012-03-01 11:01 66560 c:\windows\system32\mshtmled.dll
- 2005-08-16 10:18 . 2011-12-17 19:46 66560 c:\windows\system32\mshtmled.dll
+ 2009-03-08 08:31 . 2012-03-01 11:01 55296 c:\windows\system32\msfeedsbs.dll
- 2009-03-08 08:31 . 2011-12-17 19:46 55296 c:\windows\system32\msfeedsbs.dll
- 2005-08-16 10:18 . 2011-12-17 19:46 25600 c:\windows\system32\jsproxy.dll
+ 2005-08-16 10:18 . 2012-03-01 11:01 25600 c:\windows\system32\jsproxy.dll
- 2011-03-21 20:25 . 2011-12-17 19:46 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2011-03-21 20:25 . 2012-03-01 11:01 12800 c:\windows\system32\dllcache\xpshims.dll
- 2010-09-09 14:16 . 2011-12-17 19:46 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2010-09-09 14:16 . 2012-03-01 11:01 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2011-03-21 20:25 . 2011-12-17 19:46 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2011-03-21 20:25 . 2012-03-01 11:01 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-03-08 08:34 . 2012-03-01 11:01 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2009-03-08 08:34 . 2011-12-17 19:46 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2009-03-08 08:33 . 2011-12-17 19:46 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-03-08 08:33 . 2012-03-01 11:01 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2012-01-03 14:45 . 2012-01-03 14:45 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\ViewerPS.dll
+ 2012-01-04 03:51 . 2012-01-04 03:51 37296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\reader_sl.exe
+ 2012-01-03 14:44 . 2012-01-03 14:44 79280 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\PDFPrevHndlr.dll
+ 2012-01-04 03:15 . 2012-01-04 03:15 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\eula.exe
+ 2012-01-04 02:52 . 2012-01-04 02:52 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\acrotextextractor.exe
+ 2012-01-03 13:19 . 2012-01-03 13:19 16824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\AcroRd32Info.exe
+ 2012-01-03 13:16 . 2012-01-03 13:16 75200 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\acroiehelpershim.dll
+ 2012-01-03 13:16 . 2012-01-03 13:16 61888 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\AcroIEHelper.dll
+ 2012-04-16 07:06 . 2011-12-17 19:46 12800 c:\windows\ie8updates\KB2675157-IE8\xpshims.dll
+ 2012-04-16 07:06 . 2011-12-17 19:46 66560 c:\windows\ie8updates\KB2675157-IE8\mshtmled.dll
+ 2012-04-16 07:06 . 2011-12-17 19:46 55296 c:\windows\ie8updates\KB2675157-IE8\msfeedsbs.dll
+ 2012-04-16 07:06 . 2011-12-17 19:46 43520 c:\windows\ie8updates\KB2675157-IE8\licmgr10.dll
+ 2012-04-16 07:06 . 2011-12-17 19:46 25600 c:\windows\ie8updates\KB2675157-IE8\jsproxy.dll
+ 2005-08-16 10:18 . 2012-03-01 11:01 105984 c:\windows\system32\url.dll
- 2005-08-16 10:18 . 2011-12-17 19:46 105984 c:\windows\system32\url.dll
+ 2005-08-16 10:18 . 2012-03-01 11:01 206848 c:\windows\system32\occache.dll
- 2005-08-16 10:18 . 2011-12-17 19:46 206848 c:\windows\system32\occache.dll
+ 2005-08-16 10:18 . 2012-03-01 11:01 611840 c:\windows\system32\mstime.dll
- 2005-08-16 10:18 . 2011-12-17 19:46 611840 c:\windows\system32\mstime.dll
+ 2009-03-08 08:32 . 2012-03-01 11:01 602112 c:\windows\system32\msfeeds.dll
- 2009-03-08 08:32 . 2011-12-17 19:46 602112 c:\windows\system32\msfeeds.dll
+ 2005-08-16 10:18 . 2012-03-01 11:01 184320 c:\windows\system32\iepeers.dll
- 2005-08-16 10:18 . 2011-12-17 19:46 184320 c:\windows\system32\iepeers.dll
- 2005-08-16 10:18 . 2011-12-17 19:46 387584 c:\windows\system32\iedkcs32.dll
+ 2005-08-16 10:18 . 2012-03-01 11:01 387584 c:\windows\system32\iedkcs32.dll
- 2005-08-16 10:18 . 2011-12-16 12:23 174080 c:\windows\system32\ie4uinit.exe
+ 2005-08-16 10:18 . 2012-02-29 12:17 174080 c:\windows\system32\ie4uinit.exe
- 2009-12-24 06:59 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2009-12-24 06:59 . 2012-02-29 14:10 177664 c:\windows\system32\dllcache\wintrust.dll
- 2009-02-20 08:10 . 2011-12-17 19:46 916992 c:\windows\system32\dllcache\wininet.dll
+ 2009-02-20 08:10 . 2012-03-01 11:01 916992 c:\windows\system32\dllcache\wininet.dll
+ 2009-03-08 08:34 . 2012-03-01 11:01 105984 c:\windows\system32\dllcache\url.dll
- 2009-03-08 08:34 . 2011-12-17 19:46 105984 c:\windows\system32\dllcache\url.dll
+ 2009-03-08 08:34 . 2012-03-01 11:01 206848 c:\windows\system32\dllcache\occache.dll
- 2009-03-08 08:34 . 2011-12-17 19:46 206848 c:\windows\system32\dllcache\occache.dll
- 2010-12-20 22:15 . 2011-12-17 19:46 611840 c:\windows\system32\dllcache\mstime.dll
+ 2010-12-20 22:15 . 2012-03-01 11:01 611840 c:\windows\system32\dllcache\mstime.dll
+ 2011-03-21 20:25 . 2012-03-01 11:01 602112 c:\windows\system32\dllcache\msfeeds.dll
- 2011-03-21 20:25 . 2011-12-17 19:46 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2012-02-29 14:10 . 2012-02-29 14:10 148480 c:\windows\system32\dllcache\imagehlp.dll
+ 2011-03-21 20:25 . 2012-03-01 11:01 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2011-03-21 20:25 . 2011-12-17 19:46 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2010-02-26 05:43 . 2011-12-17 19:46 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-02-26 05:43 . 2012-03-01 11:01 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2011-03-21 20:25 . 2012-03-01 11:01 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2011-03-21 20:25 . 2011-12-17 19:46 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2009-03-08 18:09 . 2012-03-01 11:01 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2009-03-08 18:09 . 2011-12-17 19:46 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-03-08 08:32 . 2012-02-29 12:17 174080 c:\windows\system32\dllcache\ie4uinit.exe
- 2009-03-08 08:32 . 2011-12-16 12:23 174080 c:\windows\system32\dllcache\ie4uinit.exe
+ 2012-01-03 13:23 . 2012-01-03 13:23 378264 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\pdfshell.dll
+ 2012-01-03 14:44 . 2012-01-03 14:44 116168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\PDFPrevHndlrShim.exe
+ 2012-01-03 13:22 . 2012-01-03 13:22 103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\nppdf32.dll
+ 2012-01-03 14:43 . 2012-01-03 14:43 550360 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\AdobeCollabSync.exe
+ 2012-01-03 13:40 . 2012-01-03 13:40 120240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\AcroRdIF.dll
+ 2012-01-04 03:50 . 2012-01-04 03:50 357808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\AcroRd32.exe
+ 2012-01-03 13:16 . 2012-01-03 13:16 665008 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\AcroPDF.dll
+ 2012-01-03 14:38 . 2012-01-03 14:38 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\acrobroker.exe
+ 2012-01-03 14:08 . 2012-01-03 14:08 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\a3dutility.exe
+ 2012-04-16 07:06 . 2011-12-17 19:46 916992 c:\windows\ie8updates\KB2675157-IE8\wininet.dll
+ 2012-04-16 07:06 . 2011-12-17 19:46 105984 c:\windows\ie8updates\KB2675157-IE8\url.dll
+ 2012-04-16 07:06 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2675157-IE8\spuninst\updspapi.dll
+ 2012-04-16 07:06 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2675157-IE8\spuninst\spuninst.exe
+ 2012-04-16 07:06 . 2011-12-17 19:46 206848 c:\windows\ie8updates\KB2675157-IE8\occache.dll
+ 2012-04-16 07:06 . 2011-12-17 19:46 611840 c:\windows\ie8updates\KB2675157-IE8\mstime.dll
+ 2012-04-16 07:06 . 2011-12-17 19:46 602112 c:\windows\ie8updates\KB2675157-IE8\msfeeds.dll
+ 2012-04-16 07:06 . 2011-12-17 19:46 247808 c:\windows\ie8updates\KB2675157-IE8\ieproxy.dll
+ 2012-04-16 07:06 . 2011-12-17 19:46 184320 c:\windows\ie8updates\KB2675157-IE8\iepeers.dll
+ 2012-04-16 07:06 . 2011-12-17 19:46 743424 c:\windows\ie8updates\KB2675157-IE8\iedvtool.dll
+ 2012-04-16 07:06 . 2011-12-17 19:46 387584 c:\windows\ie8updates\KB2675157-IE8\iedkcs32.dll
+ 2012-04-16 07:06 . 2011-12-16 12:23 174080 c:\windows\ie8updates\KB2675157-IE8\ie4uinit.exe
- 2005-08-16 10:18 . 2011-12-17 19:46 1212416 c:\windows\system32\urlmon.dll
+ 2005-08-16 10:18 . 2012-03-01 11:01 1212416 c:\windows\system32\urlmon.dll
+ 2005-08-16 10:18 . 2012-03-01 11:01 5978624 c:\windows\system32\mshtml.dll
- 2009-03-08 08:32 . 2011-12-17 19:46 2000384 c:\windows\system32\iertutil.dll
+ 2009-03-08 08:32 . 2012-03-01 11:01 2000384 c:\windows\system32\iertutil.dll
- 2009-02-20 08:10 . 2011-12-17 19:46 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2009-02-20 08:10 . 2012-03-01 11:01 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2009-02-20 08:11 . 2012-03-01 11:01 5978624 c:\windows\system32\dllcache\mshtml.dll
+ 2011-03-21 20:25 . 2012-03-01 11:01 2000384 c:\windows\system32\dllcache\iertutil.dll
- 2011-03-21 20:25 . 2011-12-17 19:46 2000384 c:\windows\system32\dllcache\iertutil.dll
+ 2012-03-27 15:47 . 2012-03-27 15:47 4959232 c:\windows\Installer\bbe4aa.msp
+ 2012-01-03 13:18 . 2012-01-03 13:18 2405784 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\rt3d.dll
+ 2011-11-17 21:50 . 2011-11-17 21:50 6543872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\authplay.dll
+ 2012-04-16 07:06 . 2011-12-17 19:46 1212416 c:\windows\ie8updates\KB2675157-IE8\urlmon.dll
+ 2012-04-16 07:06 . 2011-12-17 19:46 5979136 c:\windows\ie8updates\KB2675157-IE8\mshtml.dll
+ 2012-04-16 07:06 . 2011-12-17 19:46 2000384 c:\windows\ie8updates\KB2675157-IE8\iertutil.dll
+ 2009-06-29 02:43 . 2012-04-16 07:01 55154568 c:\windows\system32\MRT.exe
+ 2009-03-08 08:39 . 2012-03-02 10:01 11082752 c:\windows\system32\ieframe.dll
+ 2011-03-21 20:25 . 2012-03-02 10:01 11082752 c:\windows\system32\dllcache\ieframe.dll
+ 2012-01-04 03:15 . 2012-01-04 03:15 20559288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\AcroRd32.dll
+ 2012-04-16 07:06 . 2011-12-18 19:46 11082240 c:\windows\ie8updates\KB2675157-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-18 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-11-18 00:29 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-18 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-18 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-31 1654784]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-11-18 901800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-17 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLCFCATS]
2006-10-20 22:48 73728 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\dlcftime.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\NeverwinterNights\\NWN\\nwmain.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlcfcoms.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/15/2011 5:45 PM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/15/2011 5:45 PM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/15/2011 5:45 PM 20696]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/5/2011 2:14 AM 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/5/2011 2:14 AM 22344]
R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [12/12/2011 12:01 PM 6609920]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2/26/2008 8:33 PM 18560]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sonicatheaterinstallerservice
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-16 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-11-18 00:29]
.
2012-04-16 c:\windows\Tasks\User_Feed_Synchronization-{FEB093ED-48D7-470E-9DA9-F91BFBB21E21}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14196
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\mbl94ag5.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?l=dis&o=14196
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FWV5&o=14193&locale=en_US&apn_uid=1AF3AD51-53B4-4FCE-A4D6-605CF2508027&apn_ptnrs=FM&apn_sauid=DB3CDF8F-8F84-49E8-9A00-DE53910EF105&apn_dtid=TES002YYUS&&q=
FF - user.js: extentions.y2layers.installId - dd1e8342-aab3-45dd-8f70-cbbbdf11f0f2
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,BestVideoDownloader,BestVideoDownloader,
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-04-16 08:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-04-16 08:34:24
ComboFix-quarantined-files.txt 2012-04-16 12:34
ComboFix2.txt 2012-04-15 21:41
.
Pre-Run: 121,605,459,968 bytes free
Post-Run: 121,680,408,576 bytes free
.
- - End Of File - - F6886AEEE2B7E866D10E4D3AC10BD10B
__________________
Danigir1 is offline  
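The ComboFix log above is long, and the entries that matter for this thread (the Ask.com search hook, BHO, toolbar, updater and scheduled task; the Yontoo/y2layers Firefox prefs; the firewall exception for FrostWire) are scattered across the Reg Loading Points, firewall, Scheduled Tasks and Supplementary Scan sections. The script below is an added example, not part of the original thread or of ComboFix: it walks such a log, keeps track of which registry key each line sits under, and collects every line matching a watch-list of PUP vendors and P2P clients. The watch-list is my assumption (built from the names in this log), and the embedded excerpt is a constructed subset of the log posted above.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt of the ComboFix log posted above. The entries are copied from
# that log; only the very long Ask.com keyword.URL line has been left out.
COMBOFIX_EXCERPT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-18 1515688]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-11-18 00:29 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-11-18 901800]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
.
2012-01-16 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-11-18 00:29]
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14196
mSearch Bar = hxxp://www.google.com/ie
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?l=dis&o=14196
FF - user.js: extentions.y2layers.installId - dd1e8342-aab3-45dd-8f70-cbbbdf11f0f2
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,BestVideoDownloader,
"""

# Assumption: a watch-list I built from the vendors named in this thread's logs.
# Extend it with whatever your own ComboFix logs keep turning up.
PUP_MARKERS = ("ask.com", "ask toolbar", "apnupdater", "yontoo", "y2layers",
               "buzzdock", "dropdowndeals")
P2P_MARKERS = ("frostwire", "limewire")


def audit_loading_points(log: str) -> Dict[str, List[Tuple[str, str]]]:
    """Collect (context, line) pairs from a ComboFix log that hit a watch-list.

    context is the enclosing registry key for lines inside a [key] block and
    "unkeyed" for the free-form Scheduled Tasks / Supplementary Scan lines.
    """
    findings: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    context = "unkeyed"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            context = "unkeyed"      # ComboFix separates blocks with a lone dot
            continue
        if line.startswith("[") and line.endswith("]"):
            context = line[1:-1]     # a registry key header such as [HKEY_...\Run]
            continue
        lowered = line.lower()
        if any(marker in lowered for marker in PUP_MARKERS):
            findings["pup"].append((context, line))
        elif any(marker in lowered for marker in P2P_MARKERS):
            findings["p2p"].append((context, line))
    return dict(findings)


def report(findings: Dict[str, List[Tuple[str, str]]]) -> str:
    """Render the findings grouped by category, one key/line pair per entry."""
    out = []
    for category in sorted(findings):
        out.append(f"== {category}: {len(findings[category])} entries ==")
        for context, line in findings[category]:
            out.append(f"  [{context}]")
            out.append(f"      {line}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(audit_loading_points(COMBOFIX_EXCERPT)))
```

Run against the excerpt, the report lists ten Ask.com/Yontoo loading points (search hook, BHO, Run entry, scheduled task and its target, the IE start page, and four Firefox prefs) and the single firewall exception for FrostWire, which is exactly what the helper picks out in the next post. The point of tracking the enclosing key is that the same DLL path looks very different depending on whether it is a BHO, a URLSearchHook or a Run value; the context tells you which removal step (uninstall, Add-ons manager, registry cleanup) applies.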
Old 04-16-2012, 10:14 AM   #9
TSF Enthusiast
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64



Hi Danigir1,

I see you have Frostwire installed. We advise against using P2P programs at TSF, as these are an easy way to get infected. I would advise you to uninstall this. Please see here for more information: Perils of P2P File Sharing

You have this program installed, Malwarebytes Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
--------------------------------------

It's important to run an online scan to search for any remnants that may be lurking. Please go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
------------------------------------------------------
__________________
Deleted 080713 is offline  
Old 04-17-2012, 10:16 AM   #10
Registered Member
 
Join Date: Dec 2011
Posts: 48
OS: windows XP SP3



Here ya' go....

Malwarebytes Log:

Malwarebytes Anti-Malware 1.61.0.1400
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: v2012.04.16.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Ryan :: LAPPY [administrator]

4/16/2012 4:30:26 PM
mbam-log-2012-04-16 (16-30-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231162
Time elapsed: 8 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Eset log:

C:\Documents and Settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Documents and Settings\Ryan\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.7.windows.exe Win32/OpenCandy application
C:\Documents and Settings\Ryan\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe Win32/OpenCandy application
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\46\2fd1b4ee-183913bb a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\53\43508bf5-61b2f291 Java/Exploit.Agent.NAT trojan
C:\Documents and Settings\Ryan\My Documents\Downloads\GoogleBar.exe MSIL/Solimba application
C:\Program Files\yusetup7cnet.exe Win32/Toolbar.Zugo application
C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP572\A0194549.dll a variant of Win32/Adware.Yontoo.A application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP572\A0194550.dll a variant of Win32/Adware.Yontoo.B application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP572\A0194554.dll a variant of Win32/Adware.Yontoo.B application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP616\A0205431.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP616\A0205452.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP616\A0205464.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP618\A0205489.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP618\A0205497.new Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP619\A0205516.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP619\A0205524.new Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP620\A0205543.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP620\A0205551.new Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP620\A0205560.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP622\A0205599.new Win32/Sirefef.DA trojan
__________________
Danigir1 is offline  
Old 04-17-2012, 10:30 AM   #11
TSF Enthusiast
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64



Hi Danigir1,

The following Combofix script will take care of the results found by ESET. Several of the detections are harmless, and don't need action taken. The rest that are not deleted in the following steps will be deleted when we uninstall Combofix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. You may want to print and/or save the following instructions in Notepad as this webpage will not be available when you're carrying out the fix.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\46\2fd1b4ee-183913bb
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\53\43508bf5-61b2f291
C:\Documents and Settings\Ryan\My Documents\Downloads\GoogleBar.exe
C:\Program Files\yusetup7cnet.exe
ClearJavaCache::
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

Combofix may request an update, click Yes to allow it.

When finished, please post the C:\ComboFix.txt for further review.
__________________
Deleted 080713 is offline  
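The CFScript in the post above is the helper's manual triage of the ESET log: copies inside System Volume Information are restore-point snapshots, inert until someone restores to them, and are purged when ComboFix is uninstalled; the two Java cache hits go into File:: and are also covered by ClearJavaCache::; the adware components belonging to products that will simply be uninstalled (FrostWire, Yontoo and its Tarma installer stubs) are left for Add/Remove Programs; what remains (the loose toolbar installers) is deleted by path. The script below is an added example, not part of the thread or of ComboFix, that parses ESET's "path detection kind" lines, applies those rules and emits a CFScript. The bucket rules and the UNINSTALL_MARKERS list are my assumptions chosen to encode the helper's choices, and the embedded log is a constructed excerpt of the ESET output posted above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt of the ESET log posted above; two of the Sirefef restore-point
# hits are kept to show how that bucket is handled.
ESET_LOG = r"""
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Documents and Settings\Ryan\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.7.windows.exe Win32/OpenCandy application
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\46\2fd1b4ee-183913bb a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\53\43508bf5-61b2f291 Java/Exploit.Agent.NAT trojan
C:\Documents and Settings\Ryan\My Documents\Downloads\GoogleBar.exe MSIL/Solimba application
C:\Program Files\yusetup7cnet.exe Win32/Toolbar.Zugo application
C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP616\A0205431.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP616\A0205452.dll Win32/Sirefef.ER trojan
"""

# One ESET line is "<path with spaces> [a variant of ]<Family/Name> <application|trojan>".
# The path is matched non-greedily so it stops at the start of the detection name.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<detection>(?:a variant of )?\S+) (?P<kind>application|trojan)$"
)

RESTORE_MARKER = "\\system volume information\\_restore"
JAVA_MARKER = "\\sun\\java\\deployment\\cache\\"
# Assumption: components of products that will be removed through Add/Remove Programs
# rather than file by file (this encodes the helper's choices in the post above).
UNINSTALL_MARKERS = ("\\frostwire\\", "\\yontoo layers runtime\\", "\\tarma installer\\")


@dataclass
class Finding:
    path: str
    detection: str
    kind: str
    bucket: str


def triage(path: str) -> str:
    """Assign a finding to the action that will actually remove it."""
    p = path.lower()
    if RESTORE_MARKER in p:
        return "restore_point"       # purged when ComboFix is uninstalled
    if JAVA_MARKER in p:
        return "java_cache"          # listed in File:: and cleared by ClearJavaCache::
    if any(marker in p for marker in UNINSTALL_MARKERS):
        return "uninstall_product"   # goes away with the product's uninstaller
    return "delete"                  # loose installer/dropper: delete by path


def parse_eset_log(text: str) -> List[Finding]:
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET line: {line}")
        findings.append(Finding(m["path"], m["detection"], m["kind"], triage(m["path"])))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Emit a ComboFix CFScript: a File:: block, then ClearJavaCache:: if needed."""
    targets = [f.path for f in findings if f.bucket in ("delete", "java_cache")]
    lines = ["File::"] + targets
    if any(f.bucket == "java_cache" for f in findings):
        lines.append("ClearJavaCache::")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_eset_log(ESET_LOG)
    for f in parsed:
        print(f"{f.bucket:17} {f.detection:40} {f.path}")
    print()
    print(build_cfscript(parsed))
```

On the excerpt this produces line for line the CFScript the helper posted (the two Java cache files, GoogleBar.exe, yusetup7cnet.exe, then ClearJavaCache::), and the per-finding listing shows why the Sirefef and Yontoo entries were not put in File::. The parse step raises on any line it does not understand rather than silently skipping it, which matters when the log is the only record of what the scanner saw.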
Old 04-17-2012, 12:09 PM   #12
Registered Member
 
Join Date: Dec 2011
Posts: 48
OS: windows XP SP3



ComboFix 12-04-15.02 - Ryan 04/17/2012 13:46:16.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1217 [GMT -4:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan\Desktop\CFscript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\documents and settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\46\2fd1b4ee-183913bb"
"c:\documents and settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\53\43508bf5-61b2f291"
"c:\documents and settings\Ryan\My Documents\Downloads\GoogleBar.exe"
"c:\program files\yusetup7cnet.exe"
.
.
((((((((((((((((((((((((( Files Created from 2012-03-17 to 2012-04-17 )))))))))))))))))))))))))))))))
.
.
2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2012-03-19 11:17 . 2012-03-19 11:17 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 11:17 . 2012-03-19 11:17 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 19:56 . 2011-12-05 06:14 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-26 02:40 . 2011-12-02 20:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-06 23:15 . 2011-12-15 21:45 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:15 . 2011-12-15 21:45 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-06 23:03 . 2011-12-15 21:45 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-06 23:03 . 2011-12-15 21:45 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-06 23:02 . 2011-12-15 21:45 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-06 23:01 . 2011-12-15 21:45 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-06 23:01 . 2011-12-15 21:45 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-06 23:01 . 2011-12-15 21:45 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-06 23:01 . 2011-12-15 21:45 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-06 22:58 . 2011-12-15 21:45 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-03-01 11:01 . 2005-08-16 10:18 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2005-08-16 10:18 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2005-08-16 10:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2005-08-16 10:18 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2005-08-16 10:18 148480 ------w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2005-08-16 10:18 385024 ------w- c:\windows\system32\html.iec
2012-02-03 09:22 . 2005-08-16 10:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2011-12-05 11:41 . 2011-12-05 11:41 3552208 ----a-w- c:\program files\ccsetup313.exe
2011-12-02 18:22 . 2011-12-02 18:21 6585536 ----a-w- c:\program files\yusetup7cnet.exe
2010-10-15 03:51 . 2010-10-15 03:45 895256 ----a-w- c:\program files\DivXInstaller.exe
2012-03-19 11:17 . 2011-12-02 19:18 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-18 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-11-18 00:29 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-18 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-18 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-31 1654784]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-11-18 901800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-17 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLCFCATS]
2006-10-20 22:48 73728 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\dlcftime.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\NeverwinterNights\\NWN\\nwmain.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlcfcoms.exe"=
"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/15/2011 5:45 PM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/15/2011 5:45 PM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/15/2011 5:45 PM 20696]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/5/2011 2:14 AM 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/5/2011 2:14 AM 22344]
R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [12/12/2011 12:01 PM 6609920]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2/26/2008 8:33 PM 18560]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sonicatheaterinstallerservice
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-16 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-11-18 00:29]
.
2012-04-17 c:\windows\Tasks\User_Feed_Synchronization-{FEB093ED-48D7-470E-9DA9-F91BFBB21E21}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14196
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\mbl94ag5.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?l=dis&o=14196
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FWV5&o=14193&locale=en_US&apn_uid=1AF3AD51-53B4-4FCE-A4D6-605CF2508027&apn_ptnrs=FM&apn_sauid=DB3CDF8F-8F84-49E8-9A00-DE53910EF105&apn_dtid=TES002YYUS&&q=
FF - user.js: extentions.y2layers.installId - dd1e8342-aab3-45dd-8f70-cbbbdf11f0f2
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,BestVideoDownloader,BestVideoDownloader,
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-04-17 13:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(4024)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-04-17 14:03:55
ComboFix-quarantined-files.txt 2012-04-17 18:03
ComboFix2.txt 2012-04-16 12:34
ComboFix3.txt 2012-04-15 21:41
.
Pre-Run: 121,536,950,272 bytes free
Post-Run: 121,526,284,288 bytes free
.
- - End Of File - - 6B86208D969B4C31569107742EB922F5
__________________
Danigir1 is offline  
Old 04-17-2012, 12:31 PM   #13
TSF Enthusiast
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64



Great, the logs are looking clean now.

Disconnect from the internet and disable your AntiVirus temporarily.

Go to -> Run -> copy/paste in the following single line command & click OK

ComboFix /Uninstall
This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.
------------------------------------------------------

To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SOFTWARE
You need an antivirus that is continually updated and a good firewall. In Windows Vista and 7, the Windows inbuilt firewall is usually sufficient, but XP users are recommended to have a good 3rd party firewall. However, be very wary with any security software that is advertised in popups. They are not only usually of no use, but often have malware in them. If you ever have doubts about the legitimacy of an anti-spyware or anti-virus program, it is best to post your question in our General Security forum.

Remember never to install more than one AntiVirus program as they will conflict with each other.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam, and helps to protect your computer against online threats when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for all major browsers.

  • Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. The Plus Version has more features, and you can read Winpatrol's FAQ if you run into any problems.

  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Windows Vista users see here, and Windows 7 users see here. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

  • ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.

    Vista/Windows 7 users - see this link for proper setup of Erunt Automatically Backup your Windows Vista Registry daily using ERUNT - The Winhelponline Blog

SPYWARE PREVENTION

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?
Think Prevention

Have a look here if your PC is still running a bit slow
Is your PC running slow...?

Please respond to this thread one more time so we can mark this issue as resolved.
__________________
Deleted 080713 is offline  
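The HOSTS file advice above (redirecting known ad sites to 127.0.0.1, and not mixing the MVPS file with a company-provided one) is also the kind of thing a defender wants to verify after a cleanup, because malware commonly edits the same file to point update and security-vendor domains somewhere else. The following Python script is an added example, not code from this thread or from the MVPS project: it parses a Windows-style HOSTS file, counts the block-list entries, flags names from a hypothetical watchlist that resolve to a non-loopback address, and reports duplicates. The sample HOSTS text, the WATCHLIST domains and the 198.51.100.7 address are constructed for the example.

```python
"""Audit a Windows HOSTS file for MVPS-style block entries and hijacked mappings.

Added example for this thread; not part of the forum post or of the MVPS project.
The sample HOSTS content and the watchlist below are constructed.
"""
import ipaddress
from collections import Counter

# Targets used by ad-blocking HOSTS files: the MVPS file historically used
# 127.0.0.1 (as the post says); 0.0.0.0 and ::1 are accepted as well.
BLOCKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Hypothetical watchlist: domains that a hijacked HOSTS file typically
# redirects away from their real hosts (OS updates, AV vendors).
WATCHLIST = ("windowsupdate.com", "update.microsoft.com",
             "avast.com", "malwarebytes.org")

# Constructed sample: one legitimate line, MVPS-style block entries,
# a duplicate, a hijack, and a malformed line Windows would ignore.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- constructed MVPS-style block entries ---
0.0.0.0 ad.example.net
0.0.0.0 tracker.example.org  # trailing comment
127.0.0.1 ad.example.net
# --- constructed hijack: AV vendor pointed at a remote host ---
198.51.100.7 www.avast.com avast.com
bad line without ip
"""


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping in HOSTS text.

    Windows HOSTS syntax: optional '#' comment, an IP, then one or more names.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver skips it too
        for name in parts[1:]:
            yield parts[0], name.lower(), lineno


def _on_watchlist(name):
    return any(name == w or name.endswith("." + w) for w in WATCHLIST)


def audit_hosts(text):
    """Return blocked names, hijack suspects (lineno, name, ip) and duplicates."""
    blocked, hijacks = [], []
    seen = Counter()
    for ip, name, lineno in parse_hosts(text):
        seen[name] += 1
        if ip in BLOCKHOLE:
            if name != "localhost":
                blocked.append(name)          # ad/tracker entry, as MVPS does
        elif _on_watchlist(name):
            hijacks.append((lineno, name, ip))  # sensitive name sent elsewhere
    duplicates = sorted(n for n, c in seen.items() if c > 1)
    return {"blocked": blocked, "hijacks": hijacks, "duplicates": duplicates}


if __name__ == "__main__":
    # On a real XP box the file lives at C:\WINDOWS\system32\drivers\etc\hosts
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} block entries")
    for lineno, name, ip in report["hijacks"]:
        print(f"line {lineno}: {name} -> {ip}  (suspicious, not loopback)")
    if report["duplicates"]:
        print("duplicate names:", ", ".join(report["duplicates"]))
```

Duplicates are worth reporting because they are exactly what you get when an MVPS file is pasted on top of a company-provided one; the hijack check is what you would run after a cleanup like the one in this thread, before trusting that Windows Update and the antivirus can reach their real servers.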
Old 04-17-2012, 04:47 PM   #14
Registered Member
 
Join Date: Dec 2011
Posts: 48
OS: windows XP SP3



Well I had a little scare when I disabled the network connection to uninstall combofix....it kept saying it failed to enable when I tried to turn it back on. But FINALLY it connected...whew!
__________________
Danigir1 is offline  
Old 04-17-2012, 04:49 PM   #15
TSF Enthusiast
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64



Generally a restart is all that's needed to fix any errors that might occur after using Combofix. If there are no remaining problems, we'll mark this thread as solved.

__________________
Deleted 080713 is offline  
 

Copyright 2001 - 2014, Tech Support Forum