weird virus

This is a discussion on weird virus within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 04-04-2010, 08:24 AM   #1
Registered Member
 
Join Date: Feb 2005
Posts: 91
OS: Win 7



Once again, I come to you folks for help. Thanks in advance.

At midnight, my computer starts to play random audio files, the content I do not recognize.

Then at other times, IE will pop up with the "results" of a search that I never initiated. In fact I never use IE... I only use Firefox.

And finally, I did a scan with Ad-Aware and it got stuck on a file titled wmvdmod.dl_ on my D: drive in a path like this:

D:\microsft\New Folder\I386

I don't know what the purpose of this whole directory is... I have no need of these files. Can I delete them?

And finally, I do have an XP install disk which I assume is bootable.

Here is the C&P of the DDS.TXT, and the attach.zip is attached.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Desk at 7:12:12.21 on Sun 04/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.349 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Desk\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: hotrevenue browser enhancer: {127cc22d-0f25-d6fe-5c8a-4b97b0303f8c} - c:\windows\system32\ovniqhedrcrubhmwh.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: adShotHlpr Object: {a1f59a29-be2f-4cd4-8cd5-f1e7ca78c394} - c:\windows\system32\uhamsilr.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [<NO NAME>]
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ezLife] rundll32 "uhamsilr.dll",,Run
mRun: [svuxullejqyfsnb] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\ovniqhedrcrubhmwh.dll"
dRun: [<NO NAME>]
dRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek rtl8187 wireless lan driver and utility\RtWLan.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241226928281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\desk\applic~1\mozilla\firefox\profiles\n34sq2g5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig?hl=en
FF - component: c:\documents and settings\desk\application data\idm\idmmzcc3\components\idmmzcc.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-1 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-1 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-1 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-1 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-17 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
S2 gupdate1c9f080a8e81252;Google Update Service (gupdate1c9f080a8e81252);c:\program files\google\update\GoogleUpdate.exe [2009-6-18 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2009-7-12 269824]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2009-7-12 13532]

=============== Created Last 30 ================

2010-04-03 00:52:24 0 d-----w- c:\docume~1\desk\applic~1\ezLife
2010-04-03 00:52:22 0 d-----w- c:\docume~1\desk\applic~1\Smart-Ads-Solutions
2010-04-03 00:52:19 0 d-----w- c:\program files\Smart-Ads-Solutions
2010-04-03 00:52:15 48272 ----a-w- c:\windows\system32\dhhuljpsjtqnnnefd.exe
2010-04-03 00:52:10 0 d-----w- c:\program files\ezLife
2010-04-01 23:50:32 136 ----a-w- c:\windows\picklist.ini
2010-04-01 23:49:57 98 ----a-w- c:\windows\mrid32
2010-04-01 23:49:57 92 ----a-w- c:\windows\crw.ini
2010-04-01 23:49:49 0 d-----w- c:\program files\MSXML 4.0
2010-04-01 23:49:31 1322 ----a-w- c:\windows\SKSM10Demo.ini
2010-04-01 23:46:54 10 ----a-w- c:\windows\Widgets.ini
2010-04-01 23:46:53 254 ----a-w- c:\windows\MIREPAIR.INI
2010-04-01 23:46:41 0 d-----w- c:\program files\common files\Mric
2010-04-01 23:46:29 278528 ----a-w- c:\windows\system32\MRID32.dll
2010-04-01 23:46:28 99840 ----a-w- c:\windows\system32\dunzip32.dll
2010-04-01 23:46:28 557328 ----a-w- c:\windows\system32\DAO360.DLL
2010-04-01 23:46:28 125440 ----a-w- c:\windows\system32\DZIP32.DLL
2010-03-31 21:35:21 0 d-----w- c:\program files\owl_sb
2010-03-30 22:20:41 104768 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-03-30 21:14:59 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-25 10:38:10 38 ----a-w- c:\windows\AviSplitter.INI
2010-03-24 07:19:35 45056 ---ha-w- C:\SZKGFS.dat
2010-03-24 07:18:07 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-03-24 07:17:05 0 d-----w- c:\program files\common files\iS3
2010-03-24 07:17:04 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-03-21 0124 0 d-----w- c:\documents and settings\desk\.spamassassin
2010-03-21 0124 0 d-----w- c:\documents and settings\desk\.razor
2010-03-21 00:44:21 0 d-----w- c:\docume~1\desk\applic~1\SendBlaster2
2010-03-21 00:42:58 0 d-----w- c:\program files\SendBlaster
2010-03-20 00:34:36 0 d-----w- c:\program files\Microsoft
2010-03-19 15:27:32 0 d-----w- c:\program files\common files\Canon
2010-03-19 13:31:57 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll
2010-03-18 23:19:08 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-18 01:53:42 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-03-18 01:53:42 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-03-17 19:10:35 0 d-----w- C:\oldfilestrobe sorted
2010-03-17 18:37:28 0 d-----w- C:\Picstobe sorted
2010-03-17 13:08:08 523264 ----a-w- c:\windows\system32\ovniqhedrcrubhmwh.dll
2010-03-17 12:36:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 20:16:46 0 d-----w- c:\program files\UIU
2010-03-16 19:08:53 0 d-----w- c:\program files\FreeCommander
2010-03-14 09:29:42 297984 ----a-w- c:\windows\system32\qruulwed.dll
2010-03-14 09:29:14 315392 ----a-w- c:\windows\system32\uhamsilr.dll
2010-03-08 18:53:18 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
2010-03-08 18:53:03 581984 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-03-07 22:51:33 327168 ----a-w- c:\windows\system32\cutil32.dll
2010-03-07 22:51:32 285696 ----a-w- c:\windows\system32\cudart.dll
2010-03-07 21:39:46 0 d-----w- c:\docume~1\desk\applic~1\Blitware
2010-03-07 21:39:43 0 d-----w- c:\program files\PC Medkit

==================== Find3M ====================

2010-03-25 00:50:58 15579 ----a-w- c:\windows\DIIUnin.dat
2010-03-18 23:21:33 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-18 23:21:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-17 12:36:48 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-17 12:35:56 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-09 08:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-05 23:42:49 129315 ----a-w- c:\windows\fonts\AdobeFnt07.lst
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-04 15:53:02 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-02 22:22:49 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-02-02 22:22:49 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-02-02 22:22:49 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-02-01 13:50:37 94208 ----a-w- c:\windows\DIIUnin.exe
2010-02-01 13:50:37 2829 ----a-w- c:\windows\DIIUnin.pif
2002-08-01 00:55:12 108 --sh--w- c:\windows\WSYS049.SYS
2009-07-15 03:37:01 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-07-15 03:37:01 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-07-15 03:37:01 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 7:12:58.95 ===============
Attached Files
File Type: zip attach.zip (4.5 KB, 4 views)

__________________
PeterL is offline  
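As an added illustration, not part of this thread or of the DDS tool itself: a small triage script run over a few of the Pseudo HJT Report lines from the log above. It encodes the checks a helper applies by eye when reading such a log (a browser add-on DLL loaded from system32 instead of a vendor directory, Run entries that start a DLL through rundll32 or silently re-register one with regsvr32 /s, a hosts entry pointing a site at localhost, and machine-looking names); the vowel-ratio thresholds in looks_random are an assumption of this example, not a DDS feature.

```python
import re

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" posted
# above, with the legitimate entries that sit next to them in that log.
SAMPLE_DDS_LINES = [
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll",
    r"BHO: hotrevenue browser enhancer: {127cc22d-0f25-d6fe-5c8a-4b97b0303f8c} - c:\windows\system32\ovniqhedrcrubhmwh.dll",
    r"BHO: adShotHlpr Object: {a1f59a29-be2f-4cd4-8cd5-f1e7ca78c394} - c:\windows\system32\uhamsilr.dll",
    r"mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe",
    r'mRun: [ezLife] rundll32 "uhamsilr.dll",,Run',
    r'mRun: [svuxullejqyfsnb] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\ovniqhedrcrubhmwh.dll"',
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
]

# DDS prefixes this script understands: browser helper objects, toolbars,
# per-user / machine / default-user Run keys, and hosts-file overrides.
ENTRY_RE = re.compile(r"^(?P<kind>BHO|TB|uRun|mRun|dRun|Hosts):\s*(?P<body>.*)$")
# A fully qualified path ending in .dll/.exe (DDS prints paths lower-cased).
PATH_RE = re.compile(r'[a-z]:\\[^"]+?\.(?:dll|exe)', re.IGNORECASE)
# A DLL referenced by bare name, e.g. rundll32 "uhamsilr.dll",,Run
BARE_DLL_RE = re.compile(r"[\w.-]+\.dll", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"^\[(?P<key>[^\]]*)\]")
VOWELS = set("aeiou")
SYSTEM32 = "c:\\windows\\system32\\"


def looks_random(name):
    """Heuristic (assumed thresholds): a long, all-letter, vowel-poor name
    such as 'ovniqhedrcrubhmwh' is typical of generated malware filenames."""
    stem = name.lower().rsplit(".", 1)[0]
    if len(stem) < 12 or not stem.isalpha():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in stem) / len(stem)
    return vowel_ratio < 0.3


def triage_line(line):
    """Return the list of reasons a single DDS line deserves a closer look
    (an empty list means nothing stood out)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    lower = body.lower()
    reasons = []

    if kind == "Hosts":
        # A hosts entry pointing a site at localhost blocks that site; in this
        # log the site is a security-help forum, which no legitimate software does.
        if lower.startswith(("127.0.0.1 ", "0.0.0.0 ")):
            reasons.append("hosts file redirects a site to localhost")
        return reasons

    paths = PATH_RE.findall(body)
    names = [p.rsplit("\\", 1)[-1] for p in paths]
    key = RUN_KEY_RE.match(body)
    if key:
        names.append(key.group("key"))

    if kind in ("BHO", "TB") and any(p.lower().startswith(SYSTEM32) for p in paths):
        # Vendor BHOs live under their product directory; a browser add-on
        # dropped straight into system32 is the pattern seen in this log.
        reasons.append("browser add-on DLL loaded from system32")

    if kind.endswith("Run"):
        if re.search(r"\brundll32\b", lower):
            reasons.append("Run entry starts a DLL through rundll32")
            # No vendor executable: the DLL is named bare and resolved by the
            # loader's search path, so collect it for the name check as well.
            names += BARE_DLL_RE.findall(body)
        if re.search(r"\bregsvr32(?:\.exe)?\s+/s\b", lower):
            reasons.append("Run entry silently re-registers a DLL via regsvr32 /s")

    for name in names:
        if looks_random(name):
            reasons.append(f"name '{name}' looks machine-generated")
    return reasons


def triage(lines):
    """Map each flagged line's index to its reasons; clean lines are omitted."""
    return {i: r for i, line in enumerate(lines) if (r := triage_line(line))}


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_DDS_LINES).items():
        print(SAMPLE_DDS_LINES[i])
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample, the two Adobe and AVG entries pass clean while the five entries the helper later has ComboFix remove are each flagged with at least one reason.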
Old 04-05-2010, 07:38 AM   #2
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 49,958
OS: XP Pro; XP Home; Win7 x86 & x64



Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

To answer your question about the D drive item, I'd need to know what your D drive is used for. Also, is this a typo? D:\microsft


---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------


  1. As mentioned in our preposting topic:

    http://www.techsupportforum.com/f50/...lp-305963.html

    Quote:
    3. Uninstall the following via Add or Remove Programs in Control Panel:

    • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues.

    P2P - I see you have P2P software (FrostWire 4.18.6) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    Please see this topic for more information:

    http://www.techsupportforum.com/f50/...ng-305923.html

    I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.

    ---------------------------------------------------------------------------------------------
  2. Uninstall the following via the Add/Remove Panel (Start ->Control Panel->Add or Remove Programs)

    ezLife browser enhancer
    SmartAds browser enhancer


    ---------------------------------------------------------------------------------------------

  3. Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place combofix.exe on your Desktop
  4. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here
  5. Double click on combofix.exe & follow the prompts.
  6. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware.
  7. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  8. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  9. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
Old 04-05-2010, 09:08 AM   #3
Registered Member
 
Join Date: Feb 2005
Posts: 91
OS: Win 7



Hello tetonbob,

Thanks for your prompt reply.

---------------------------------------------------------------------------------------------

To answer your question about the D drive item, I'd need to know what your D drive is used for. Also, is this a typo? D:\microsft


---------------------------------------------------------------------------------------------

My D: drive is simply a file storage place...

Nope not a typo... I have attached a dir listing of the drive and its subfolders. Is it possible this was set up by the chap who installed XP pro on my system as some sort of installation tool?

In any event, do I need these files? Can I simply delete them?


I followed all the steps carefully and also attached is the combofix log.

I will patiently await the next step.

Thanks

Peter


ComboFix 10-04-04.01 - Desk 04/05/2010 11:40:30.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.512 [GMT -4:00]
Running from: c:\documents and settings\Desk\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
ADS - WINDOWS: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Desk\Application Data\ezLife
c:\documents and settings\Desk\Application Data\ezLife\ezLife\log.xml
c:\documents and settings\Desk\Application Data\inst.exe
c:\documents and settings\Desk\Application Data\Smart-Ads-Solutions
c:\program files\ezLife
c:\program files\Smart-Ads-Solutions
c:\windows\MS_notepad.exe
c:\windows\system32\dhhuljpsjtqnnnefd.exe
c:\windows\system32\MS_notepad.exe
c:\windows\system32\ovniqhedrcrubhmwh.dll
c:\windows\system32\SIntf16.dll
c:\windows\system32\uhamsilr.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-05 01:32 . 2010-04-05 01:32 -------- d-----w- C:\$AVG
2010-04-05 01:14 . 2010-04-05 01:14 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-05 01:14 . 2010-04-05 01:14 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-04-05 01:14 . 2010-04-05 01:14 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-04-05 01:14 . 2010-04-05 01:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-05 01:13 . 2010-04-05 01:10 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-04-05 01:13 . 2010-04-05 01:10 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-04-05 01:11 . 2010-04-05 01:14 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-05 01:11 . 2010-04-05 01:14 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-05 01:10 . 2010-04-05 01:14 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-05 01:10 . 2010-04-05 15:19 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-01 23:49 . 2010-04-01 23:49 -------- d-----w- c:\program files\MSXML 4.0
2010-04-01 23:46 . 2010-04-01 23:46 -------- d-----w- c:\program files\Common Files\Mric
2010-04-01 23:46 . 2005-05-13 16:16 278528 ----a-w- c:\windows\system32\MRID32.dll
2010-04-01 23:46 . 2004-09-07 14:13 99840 ----a-w- c:\windows\system32\dunzip32.dll
2010-04-01 23:46 . 2004-09-07 14:13 557328 ----a-w- c:\windows\system32\DAO360.DLL
2010-04-01 23:46 . 2004-09-07 14:13 125440 ----a-w- c:\windows\system32\DZIP32.DLL
2010-04-01 22:23 . 2010-04-01 22:23 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-01 22:23 . 2010-04-01 22:23 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-01 22:23 . 2010-04-01 22:23 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-01 22:23 . 2010-04-01 22:23 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-01 22:23 . 2010-04-01 22:23 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-01 22:23 . 2010-04-01 22:23 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-01 22:22 . 2010-04-01 22:22 4250976 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-01 22:22 . 2010-04-01 22:22 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-01 22:22 . 2010-04-01 22:22 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-01 22:22 . 2010-04-01 22:22 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-01 22:22 . 2010-04-01 22:22 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-01 22:22 . 2010-04-01 22:22 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-01 22:21 . 2010-04-05 01:10 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-01 22:21 . 2010-04-05 01:10 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-03-31 21:35 . 2010-03-31 21:35 -------- d-----w- c:\program files\owl_sb
2010-03-31 03:52 . 2010-03-31 03:53 -------- d-----w- c:\program files\QuickTime
2010-03-31 03:52 . 2010-03-31 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-30 22:20 . 2010-03-30 22:20 104768 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-03-30 21:25 . 2010-03-30 21:25 516480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerAddin.dll
2010-03-30 20:18 . 2010-03-30 20:18 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 20:18 . 2010-03-30 20:18 503808 ----a-w- c:\documents and settings\Desk\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-239c3916-n\msvcp71.dll
2010-03-30 20:18 . 2010-03-30 20:18 499712 ----a-w- c:\documents and settings\Desk\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-239c3916-n\jmc.dll
2010-03-30 20:18 . 2010-03-30 20:18 348160 ----a-w- c:\documents and settings\Desk\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-239c3916-n\msvcr71.dll
2010-03-30 20:18 . 2010-03-30 20:18 61440 ----a-w- c:\documents and settings\Desk\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-127047ec-n\decora-sse.dll
2010-03-30 20:18 . 2010-03-30 20:18 12800 ----a-w- c:\documents and settings\Desk\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-127047ec-n\decora-d3d.dll
2010-03-25 00:27 . 2010-03-25 00:28 7186464 ----a-w- c:\documents and settings\Desk\Application Data\Blitware\PCMedkit\updates\2.3.0.6\pcmedkit_setup.exe
2010-03-24 07:19 . 2010-03-24 07:19 45056 ---ha-w- C:\SZKGFS.dat
2010-03-24 07:18 . 2010-03-24 07:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-03-24 07:17 . 2010-03-24 07:17 -------- d-----w- c:\program files\Common Files\iS3
2010-03-24 07:17 . 2010-03-30 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-03-21 01:06 . 2010-03-21 01:06 -------- d-----w- c:\documents and settings\Desk\.spamassassin
2010-03-21 01:06 . 2010-03-21 01:06 -------- d-----w- c:\documents and settings\Desk\.razor
2010-03-21 00:44 . 2010-03-21 01:45 -------- d-----w- c:\documents and settings\Desk\Application Data\SendBlaster2
2010-03-21 00:42 . 2010-03-21 00:43 -------- d-----w- c:\program files\SendBlaster
2010-03-20 14:11 . 2010-03-20 14:11 339048 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-20 00:53 . 2010-03-20 00:53 7184376 ----a-w- c:\documents and settings\Desk\Application Data\Blitware\PCMedkit\updates\2.3.0.2\pcmedkit_setup.exe
2010-03-20 00:35 . 2010-03-20 00:35 -------- d-----w- c:\documents and settings\Desk\Local Settings\Application Data\IsolatedStorage
2010-03-20 00:34 . 2010-03-20 00:34 -------- d-----w- c:\program files\Microsoft
2010-03-19 15:27 . 2010-03-19 15:27 -------- d-----w- c:\program files\Common Files\Canon
2010-03-19 13:31 . 2010-03-19 13:31 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll
2010-03-18 23:21 . 2010-03-18 23:21 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-03-18 23:21 . 2010-03-18 23:21 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-03-18 23:19 . 2010-03-18 23:19 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-18 23:19 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-03-17 19:10 . 2010-03-18 20:24 -------- d-----w- C:\oldfilestrobe sorted
2010-03-17 18:37 . 2010-03-24 01:13 -------- d-----w- C:\Picstobe sorted
2010-03-17 18:26 . 2010-03-17 18:26 7090648 ----a-w- c:\documents and settings\Desk\Application Data\Blitware\PCMedkit\updates\2.2.0.4\pcmedkit_setup.exe
2010-03-16 20:16 . 2010-03-16 20:16 -------- d-----w- c:\program files\UIU
2010-03-16 19:08 . 2010-03-16 19:08 -------- d-----w- c:\program files\FreeCommander
2010-03-08 18:53 . 2010-03-08 22:17 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
2010-03-08 18:53 . 2010-03-08 22:17 581984 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-03-07 22:51 . 2009-10-06 23:32 327168 ----a-w- c:\windows\system32\cutil32.dll
2010-03-07 22:51 . 2009-08-04 01:25 285696 ----a-w- c:\windows\system32\cudart.dll
2010-03-07 21:39 . 2010-03-07 21:39 -------- d-----w- c:\documents and settings\Desk\Application Data\Blitware
2010-03-07 21:39 . 2010-03-29 14:41 -------- d-----w- c:\program files\PC Medkit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 15:22 . 2009-05-02 02:40 -------- d-----w- c:\documents and settings\Desk\Application Data\DMCache
2010-04-05 15:17 . 2009-05-02 06:52 -------- d-----w- c:\documents and settings\Desk\Application Data\GoodSync
2010-04-05 01:10 . 2009-11-03 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-03 06:23 . 2010-02-14 07:24 -------- d-----w- c:\documents and settings\Desk\Application Data\FrostWire
2010-04-02 00:08 . 2009-06-23 10:33 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-01 23:33 . 2009-05-02 06:53 -------- d-----w- c:\program files\NoteTab Light
2010-03-31 14:16 . 2009-05-02 03:22 1 ----a-w- c:\documents and settings\Desk\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-30 21:14 . 2010-03-30 21:14 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-30 20:17 . 2009-05-02 03:05 -------- d-----w- c:\program files\Java
2010-03-30 13:41 . 2010-02-24 16:37 -------- d-----w- c:\documents and settings\Desk\Application Data\FileZilla
2010-03-29 10:47 . 2009-07-05 03:02 -------- d-----w- c:\documents and settings\Desk\Application Data\Vso
2010-03-25 00:50 . 2010-02-01 13:50 15579 ----a-w- c:\windows\DIIUnin.dat
2010-03-19 00:41 . 2009-06-04 12:32 -------- d-----w- c:\program files\Alarm
2010-03-18 23:21 . 2009-10-28 03:52 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-18 23:21 . 2009-10-28 03:52 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-03-18 23:21 . 2009-10-28 03:52 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-03-18 23:21 . 2009-05-27 14:33 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-03-18 23:21 . 2009-05-03 00:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-18 23:21 . 2009-10-28 03:51 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-03-18 23:21 . 2009-10-28 03:51 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-03-18 23:21 . 2009-06-19 16:08 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-03-18 23:19 . 2009-05-02 01:53 -------- d-----w- c:\program files\Lavasoft
2010-03-10 01:46 . 2009-06-23 10:07 -------- d-----w- c:\documents and settings\Desk\Application Data\SecondLife
2010-03-09 08:28 . 2009-05-02 06:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-01 23:18 . 2009-05-05 04:29 68664 ----a-w- c:\documents and settings\Desk\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-01 10:51 . 2009-09-21 12:24 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-25 06:24 . 2008-04-14 09:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 17:00 . 2009-05-02 03:01 -------- d-----w- c:\program files\AZZ Cardfile
2010-02-24 16:37 . 2010-02-24 16:37 -------- d-----w- c:\program files\FileZilla FTP Client
2010-02-24 14:58 . 2010-02-24 14:49 -------- d-----w- c:\program files\Evrsoft First Page 2006
2010-02-21 01:00 . 2009-05-02 00:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-16 21:05 . 2009-05-02 23:46 198064 ----a-w- c:\documents and settings\Desk\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2010-02-16 20:56 . 2009-05-02 02:40 -------- d-----w- c:\program files\Internet Download Manager
2010-02-16 20:54 . 2010-02-16 20:53 3153784 ----a-w- c:\documents and settings\Desk\Application Data\IDM\idmupdt.exe
2010-02-16 20:54 . 2009-05-02 02:40 -------- d-----w- c:\documents and settings\Desk\Application Data\IDM
2010-02-14 07:39 . 2010-02-14 07:39 0 ----a-w- c:\documents and settings\Desk\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2010-02-11 09:01 . 2009-05-02 03:17 -------- d-----w- c:\program files\Siber Systems
2010-02-10 03:24 . 2009-11-27 23:33 -------- d-----w- c:\documents and settings\Desk\Application Data\vlc
2010-02-10 03:20 . 2010-02-10 03:20 5430 ----a-r- c:\documents and settings\Desk\Application Data\Microsoft\Installer\{E723FBDD-0417-4546-8EB9-49A3CD443D3D}\_BAE679132049E609CA660D.exe
2010-02-10 03:20 . 2010-02-10 03:20 5430 ----a-r- c:\documents and settings\Desk\Application Data\Microsoft\Installer\{E723FBDD-0417-4546-8EB9-49A3CD443D3D}\_97F339F77684D76427C633.exe
2010-02-10 03:20 . 2010-02-10 03:20 5430 ----a-r- c:\documents and settings\Desk\Application Data\Microsoft\Installer\{E723FBDD-0417-4546-8EB9-49A3CD443D3D}\_6FEFF9B68218417F98F549.exe
2010-02-10 03:20 . 2010-02-10 03:20 -------- d-----w- c:\program files\Readon Technology
2010-02-09 20:01 . 2009-06-27 04:11 -------- d-----w- c:\documents and settings\Desk\Application Data\Skype
2010-02-09 19:06 . 2009-06-27 04:10 -------- d-----r- c:\program files\Skype
2010-02-09 19:06 . 2010-02-09 19:06 -------- d-----w- c:\program files\Common Files\Skype
2010-02-09 19:06 . 2009-06-27 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-09 19:03 . 2009-06-27 04:13 -------- d-----w- c:\documents and settings\Desk\Application Data\skypePM
2010-02-06 10:16 . 2009-05-03 02:32 -------- d-----w- c:\program files\Google
2010-02-04 15:53 . 2009-05-02 01:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-02 22:22 . 2009-05-23 02:37 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-02-02 22:22 . 2009-05-23 02:37 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-02-01 13:50 . 2010-02-01 13:50 94208 ----a-w- c:\windows\DIIUnin.exe
2010-02-01 13:50 . 2010-02-01 13:50 2829 ----a-w- c:\windows\DIIUnin.pif
2010-02-01 04:52 . 2009-06-19 16:08 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2002-08-01 00:55 . 2010-02-24 11:50 108 --sh--w- c:\windows\WSYS049.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-02-11 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-30 818256]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-25 344064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-25 32768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2004-11-25 32768]
REALTEK RTL8187 Wireless LAN Utility.lnk - c:\program files\REALTEK RTL8187 Wireless LAN Driver and Utility\RtWLan.exe [2009-7-12 675840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-05 01:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/1/2009 9:57 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/4/2010 9:11 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/4/2010 9:11 PM 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [4/4/2010 9:14 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/4/2010 9:14 PM 308064]
S2 gupdate1c9f080a8e81252;Google Update Service (gupdate1c9f080a8e81252);c:\program files\Google\Update\GoogleUpdate.exe [6/18/2009 9:52 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1265264]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [7/12/2009 11:11 AM 269824]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [7/12/2009 11:11 AM 13532]
.
Contents of the 'Scheduled Tasks' folder

2010-04-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:25]

2010-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-19 01:52]

2010-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-19 01:52]
.
.
------- Supplementary Scan -------
.
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\documents and settings\Desk\Application Data\Mozilla\Firefox\Profiles\n34sq2g5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig?hl=en
FF - component: c:\documents and settings\Desk\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{127CC22D-0F25-D6FE-5C8A-4B97B0303F8C} - c:\windows\system32\ovniqhedrcrubhmwh.dll
HKLM-Run-svuxullejqyfsnb - c:\windows\system32\ovniqhedrcrubhmwh.dll
AddRemove-CXT10B6 - c:\uiu\CXT10B6\HXFSETUP.EXE
AddRemove-dhhuljpsjtqnnnefd - c:\windows\system32\dhhuljpsjtqnnnefd.exe
AddRemove-HaaliMkx - c:\program files\Matroska Pack\haali\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-05 11:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1afc1d8c-965b-4c37-bcf2-bdb6adf83fc6}]
@Denied: (Full) (Everyone)
"Model"=dword:000000c1
"Therad"=dword:0000000f
"MData"=hex(0):10,06,7d,7e,a7,2e,ff,8f,7a,48,b1,16,f6,26,6b,52,25,6a,1d,2c,0e,
aa,f4,69,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):71,ae,ec,7c,2b,e9,35,58,43,79,e9,e9,7a,d2,61,d5,e1,df,e7,03,01,
28,65,af,57,68,8b,3b,37,f4,62,10,b6,a1,c9,84,bb,53,46,d2,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-04-05 11:49:47
ComboFix-quarantined-files.txt 2010-04-05 15:49

Pre-Run: 385,485,082,624 bytes free
Post-Run: 386,060,484,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 9037E84843A4C1798F48A65E012B7C8C
Attached Files
File Type: txt deefiles.txt (412.0 KB, 2 views)
File Type: txt log.txt (27.0 KB, 5 views)
__________________
PeterL is offline  
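The ORPHANS REMOVED block in the log above is the part worth a second look: a BHO and an HKLM Run value both pointed at ovniqhedrcrubhmwh.dll in system32, and an Add/Remove entry at dhhuljpsjtqnnnefd.exe, names with no pronounceable structure at all. As an added illustration, not part of ComboFix or of this thread, the Python below reads Run-key values and orphan lines from such a log and flags tokens with long consonant runs; the thresholds are an assumed triage heuristic, not a verdict.

```python
"""Flag random-looking names among autostart entries in a ComboFix-style log.

Added example, not part of ComboFix or of this thread. It reads the
"Reg Loading Points" Run-key values and the "ORPHANS REMOVED" lines, pulls
out the value name and the launched file's stem, and flags any token with a
long run of consonants. The thresholds are an assumed heuristic for triage,
not a verdict: it will miss some malware and may flag some legitimate names.
"""
import re
from typing import List, NamedTuple, Tuple

# Sample lines taken from the ComboFix log posted above (subset only).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-02-11 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-30 818256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-05 01:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll

- - - - ORPHANS REMOVED - - - -

BHO-{127CC22D-0F25-D6FE-5C8A-4B97B0303F8C} - c:\windows\system32\ovniqhedrcrubhmwh.dll
HKLM-Run-svuxullejqyfsnb - c:\windows\system32\ovniqhedrcrubhmwh.dll
AddRemove-CXT10B6 - c:\uiu\CXT10B6\HXFSETUP.EXE
AddRemove-dhhuljpsjtqnnnefd - c:\windows\system32\dhhuljpsjtqnnnefd.exe
AddRemove-HaaliMkx - c:\program files\Matroska Pack\haali\uninstall.exe
"""

RUN_KEY = re.compile(r"^\[HK.*\\Run\]$", re.IGNORECASE)
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
ORPHAN = re.compile(
    r"^(?P<kind>BHO|HKLM-Run|HKCU-Run|AddRemove)-(?P<name>\S+) - (?P<path>.+)$"
)
VOWELS = frozenset("aeiou")


def max_consonant_run(token: str) -> int:
    """Longest run of consecutive consonant letters; y counts as a consonant."""
    best = run = 0
    for ch in token.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(token: str, min_letters: int = 10, run_threshold: int = 5) -> bool:
    """Assumed heuristic: enough letters to judge, and one consonant run of 5+.

    Short tokens are skipped on purpose: legitimate short names such as
    avgrsstx or jusched are consonant-heavy too.
    """
    letters = sum(1 for ch in token if ch.isalpha())
    return letters >= min_letters and max_consonant_run(token) >= run_threshold


def file_stem(path: str) -> str:
    r"""'c:\windows\system32\foo.dll' -> 'foo'."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base


class Finding(NamedTuple):
    kind: str                    # "Run value" or the ComboFix orphan kind
    name: str                    # registry value name or orphan name
    path: str                    # file the entry points at
    suspicious: Tuple[str, ...]  # tokens that tripped the heuristic


def triage(log_text: str) -> List[Finding]:
    """Scan Run-key values and ORPHANS REMOVED lines; return flagged entries."""
    findings: List[Finding] = []
    in_run_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # registry key header: are we under a Run key?
            in_run_key = bool(RUN_KEY.match(line))
            continue
        m = RUN_VALUE.match(line) if in_run_key else None
        if m:
            kind, name, path = "Run value", m["name"], m["path"]
        else:
            m = ORPHAN.match(line)
            if not m:
                continue
            kind, name, path = m["kind"], m["name"], m["path"]
        # Judge both the value name and the stem of the file it launches.
        tokens = tuple(t for t in (name, file_stem(path)) if looks_random(t))
        if tokens:
            findings.append(Finding(kind, name, path, tokens))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.name} -> {f.path}  suspicious={f.suspicious}")
```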
Old 04-05-2010, 09:30 AM   #4
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 49,958
OS: XP Pro; XP Home; Win7 x86 & x64



Hi Peter. Thanks for the info on D drive. I'll get back to that shortly; let's make sure the malware is taken care of. Looks like ComboFix has removed the culprits, as I'd expected. Let me know how the machine is behaving.

Next steps...

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
Old 04-05-2010, 10:23 AM   #5
Registered Member
 
Join Date: Feb 2005
Posts: 91
OS: Win 7



Ok, done that! Malwarebytes tool found two and removed them. Attached is the log...

I cannot tell if the machine is behaving better, because the symptoms were infrequent. So far, so good!

Thanks
Attached Files
File Type: txt mbam-log-2010-04-05 (13-19-57).txt (1.1 KB, 4 views)
__________________
PeterL is offline  
Old 04-05-2010, 10:38 AM   #6
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 49,958
OS: XP Pro; XP Home; Win7 x86 & x64



Looks good. MBAM has removed a couple other related components of the same adware.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

Java(TM) 6 Update 13

This is outdated, and having it still installed is a security risk. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Going forward, Java will overwrite existing installs, so removing older versions should not be required after this. I find it interesting that j6u13 is still showing, as this overwrite feature has been in place since j6u10.

Leave Java(TM) 6 Update 19 alone, as it has the most recent security updates.

---------------------------------------------------------------------------------------------

Regarding the D drive folder...

Quote:
Is it possible this was set up by the chap who installed XP pro on my system as some sort of installation tool?
Indeed, as I see nLite in that folder, it's quite possible this was used as a location to create a slipstreamed install, which may have included Service Packs and other software. The subfolders and files would seem to follow along with that thought. Were you presented with an installation disk from that final process, or is the disk you have your original XP Pro disk?

If you don't want the folder on the machine, I see no need to keep it, but it's not doing any harm...though it does seem to be causing your security apps to choke on one of the files. If you can have Ad-Aware ignore that folder, do so, but I see no advantage to keeping the folder.

---------------------------------------------------------------------------------------------

Please run this online scan to help look for remnants.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
Old 04-05-2010, 06:51 PM   #7
Registered Member
 
Join Date: Feb 2005
Posts: 91
OS: Win 7



Ok Bob, that's done, it took a long time!

I'm curious about one thing: why did you instruct me to:
"Make sure that the option Remove found threats is unticked"?

I followed your instruction.
Eset found 7 threats... are they still there?

And why did this scanner find 7 more threats that Malwarebytes did not?

Attached is the log.

Thanks

Peter


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d6f6201b65020744835af75d89ac5d01
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-06 01:44:01
# local_time=2010-04-05 09:44:01 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777191 100 0 12325377 12325377 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=95158
# found=7
# cleaned=0
# scan_time=12004
C:\Documents and Settings\Desk\Application Data\Sun\Java\Deployment\cache\6.0\37\301cb0e5-647e40f2 multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\Desk\Application Data\Sun\Java\Deployment\cache\6.0\49\6b800f31-38f85806 multiple threats 00000000000000000000000000000000 I
C:\Downloads\FW\loadedtoipod\travelling wilburys - best track ever.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\oldfilestrobe sorted\LibrarySoftware\Setup_demo.msi probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\Adobe Photoshop CS4\adobe.photoshop.cs4-nope.exe probably a variant of Win32/HackTool.Patcher.A application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{77CCBE12-F94F-4B5F-9347-0FD8E0051FED}\RP314\A0050098.exe JS/BadJoke.KillFiles.A application 00000000000000000000000000000000 I
D:\LibrarySoftware\Setup_demo.msi probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
Attached Files
File Type: txt log.txt (1.7 KB, 2 views)
__________________
PeterL is offline  
Old 04-05-2010, 07:31 PM   #8
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 49,958
OS: XP Pro; XP Home; Win7 x86 & x64



Quote:
why did you instruct me to:
"Make sure that the option Remove found threats is unticked"?
A couple of reasons. One, no scanner is without false positives. It's just as easy to manually delete items after they've been identified if they need deletion.

Quote:
And why did this scanner find 7 more threats that Malawarebytes did not?
Malwarebytes Anti-Malware quick scan looks mostly for active threats in memory or typical loading points. An online scan such as Eset is much more detailed. Also, different vendors' definitions may find different things, so it's a cross check.


Do you know what these items are for? Some items get flagged due to different file packers, or the language they are written in. If you have any doubts about where they came from, delete them.

C:\oldfilestrobe sorted\LibrarySoftware\Setup_demo.msi
D:\LibrarySoftware\Setup_demo.msi

This next item is suspect. Usually comes from torrent versions (illegal) of Photoshop. I've included it in the deletion script below.




Next....

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:
Code:
@echo off
rem Remove any log left over from a previous run
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Each quoted path below is one file flagged by the ESET scan
for %%g in (

"C:\Documents and Settings\Desk\Application Data\Sun\Java\Deployment\cache\6.0\37\301cb0e5-647e40f2"
"C:\Documents and Settings\Desk\Application Data\Sun\Java\Deployment\cache\6.0\49\6b800f31-38f85806"
"C:\Downloads\FW\loadedtoipod\travelling wilburys - best track ever.mp3"
"C:\Program Files\Adobe\Adobe Photoshop CS4\adobe.photoshop.cs4-nope.exe"

) do (
rem /a deletes regardless of file attributes, /f forces read-only files
del /a/f %%g >nul 2>&1
rem Anything that survives is written to the log so it can be reported back
if exist %%g echo.%%g>>"%temp%\log.txt"
)

rem Show the log if any file could not be deleted, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem The batch file removes itself once it has finished
del %0
Save this as fix.bat. Choose "Save type as - All Files".
It should look like this:
Double-click on fix.bat and allow it to run.

Post back to tell me what it says.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
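The two answers above (scan with removal off and decide per item; a full online scan and a quick scan look in different places) can be checked against Peter's raw ESET log. As an added example, not from the thread or from ESET, the Python below parses that log format, confirms the scan ran report-only (remove_checked=false, cleaned=0) and groups the seven detections by where they sit: System Restore cache, Java deployment cache, unwanted-application flags, and the rest. The grouping rules are my assumptions.

```python
"""Parse an ESET Online Scanner log and group its detections for triage.

Added example, not from the thread or from ESET. The header and detection
line formats and the sample lines come from the log posted above; the
grouping rules (restore point, Java cache, PUA, other) are my assumptions
about what a helper looks at first.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed from the log posted in the thread, trimmed to the relevant lines.
SAMPLE_LOG = r"""# version=7
# end=finished
# remove_checked=false
# archives_checked=true
# scanned=95158
# found=7
# cleaned=0
C:\Documents and Settings\Desk\Application Data\Sun\Java\Deployment\cache\6.0\37\301cb0e5-647e40f2 multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\Desk\Application Data\Sun\Java\Deployment\cache\6.0\49\6b800f31-38f85806 multiple threats 00000000000000000000000000000000 I
C:\Downloads\FW\loadedtoipod\travelling wilburys - best track ever.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\oldfilestrobe sorted\LibrarySoftware\Setup_demo.msi probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Program Files\Adobe\Adobe Photoshop CS4\adobe.photoshop.cs4-nope.exe probably a variant of Win32/HackTool.Patcher.A application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{77CCBE12-F94F-4B5F-9347-0FD8E0051FED}\RP314\A0050098.exe JS/BadJoke.KillFiles.A application 00000000000000000000000000000000 I
D:\LibrarySoftware\Setup_demo.msi probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
"""

HEADER = re.compile(r"^# (?P<key>\w+)=(?P<value>.*)$")
# Paths contain spaces, so the path is matched lazily and the threat text is
# pinned by its shape: optional "[probably ]a variant of", then two words,
# then the 32-hex hash and the status flag at the end of the line.
DETECTION = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:(?:probably )?a variant of )?\S+ \S+) "
    r"(?P<hash>[0-9a-fA-F]{32}) "
    r"(?P<flag>\S+)$"
)


class Detection(NamedTuple):
    path: str
    threat: str
    category: str


def categorize(path: str, threat: str) -> str:
    """Assumed triage buckets, checked in order of precedence."""
    p = path.lower()
    if "\\system volume information\\" in p:
        return "restore-point"  # goes away when System Restore is reset
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"     # cached applet content, safe to clear
    if threat.endswith(" application"):
        return "pua"            # potentially unwanted/unsafe application
    return "trojan"


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    """Return (header dict, detections); raise if found= disagrees with the lines."""
    header: Dict[str, str] = {}
    found: List[Detection] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        h = HEADER.match(line)
        if h:
            header[h["key"]] = h["value"]
            continue
        d = DETECTION.match(line)
        if d:
            found.append(Detection(d["path"], d["threat"], categorize(d["path"], d["threat"])))
    if "found" in header and int(header["found"]) != len(found):
        raise ValueError(f"header says found={header['found']} but parsed {len(found)} lines")
    return header, found


def nothing_removed(header: Dict[str, str]) -> bool:
    """True when the scan ran report-only and removed nothing, as instructed."""
    return header.get("remove_checked") == "false" and header.get("cleaned") == "0"


def summarize(found: List[Detection]) -> Dict[str, List[str]]:
    """Group detection paths by triage category."""
    groups: Dict[str, List[str]] = {}
    for det in found:
        groups.setdefault(det.category, []).append(det.path)
    return groups


if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_LOG)
    print("report-only run:", nothing_removed(hdr))
    for category, paths in summarize(dets).items():
        print(f"{category} ({len(paths)}):")
        for p in paths:
            print("   ", p)
```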
Old 04-05-2010, 08:12 PM   #9
Registered Member
 
Join Date: Feb 2005
Posts: 91
OS: Win 7



Yes, that worked...Deleted Successfully!

Thanks for the above clarifications...

Once we complete this process, I'm going to need your help in gathering tools to avoid this in the future. Up until now, I've only used the free versions of AVG, Adaware and Spybot S&D. I guess it's time to spend some money on protection, huh?

So, what's next?


Thanks

Peter
__________________
PeterL is offline  
Old 04-05-2010, 08:50 PM   #10
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 49,958
OS: XP Pro; XP Home; Win7 x86 & x64



Hi Peter -

The other items Eset found are in System Restore's cache, and will be addressed by uninstalling ComboFix as instructed below.

Other than that... we should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.


Disconnect from the internet and disable your AntiVirus temporarily.

Go to -> Run -> copy/paste in the following single line command & click OK

ComboFix /Uninstall
This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

---------------------------------------------------------------------------------------------

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs. I use these on my machine, but remember, prevention begins at the keyboard. For an antivirus, I use Eset's NOD32 or Kaspersky when I can pay; for free, I prefer Avira, Avast or Microsoft's Security Essentials.
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/vulnerability_scanning/online/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
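tetonbob's HOSTS entry above works because Windows reads %SystemRoot%\System32\drivers\etc\hosts before it asks DNS, so a name mapped to 127.0.0.1 (the loopback address) or 0.0.0.0 never reaches the ad server. Malware uses the same mechanism the other way round, mapping search engines or banks to an attacker's address or sinking the update hosts of Windows and the installed antivirus. The script below is an added example, not from the thread, that parses a HOSTS file and separates harmless blocking entries from redirects and from sinks that hit a watch list of update and AV hosts. The sample HOSTS text and the watch list are constructed for illustration; the Windows path is the real one.

```python
import ipaddress
import os

# Addresses a blocking HOSTS file legitimately points unwanted names at.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Hosts whose hijack or sinking would blind patching or the antivirus.
# Constructed watch list for this example; extend it for the products installed.
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "avg.com",
    "eset.com",
    "malwarebytes.org",
)

# Constructed sample of a Windows HOSTS file mixing legitimate blocking
# entries with two hijacks of the kind malware plants.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.com          # blocking entry, harmless
127.0.0.1       tracker.example.net      # blocking entry, harmless
192.168.0.20    fileserver.example.lan   # LAN shortcut, needs a human to confirm
203.0.113.7     www.google.com           # hijack: searches go to a third party
0.0.0.0         update.microsoft.com     # hijack: updates silently sunk
"""

WINDOWS_HOSTS_PATH = os.path.join(
    os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each active entry.

    Comments (from '#') and blank lines are skipped, and a line whose first
    field is not an IP address is ignored rather than guessed at.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield line_no, str(addr), [h.lower() for h in fields[1:]]


def is_watched(name):
    """True when name is a watched host or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return the entries worth a human look.

    kind == "redirect":        name sent to a real address rather than a sink
    kind == "blocked-watched": an update or AV host sunk to loopback or 0.0.0.0
    Plain blocking entries (sink address, unwatched name) are not reported.
    """
    findings = []
    for line_no, addr, names in parse_hosts(text):
        for name in names:
            if addr not in SINK_ADDRESSES:
                kind = "redirect"
            elif is_watched(name):
                kind = "blocked-watched"
            else:
                continue
            findings.append({"line": line_no, "name": name, "address": addr, "kind": kind})
    return findings


if __name__ == "__main__":
    # Audit the live file when it exists (Windows), else the constructed sample.
    try:
        with open(WINDOWS_HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text, source = fh.read(), WINDOWS_HOSTS_PATH
    except OSError:
        text, source = SAMPLE_HOSTS, "constructed sample"
    print("auditing", source)
    for finding in audit_hosts(text):
        print("line %(line)d: %(kind)-15s %(name)s -> %(address)s" % finding)
```

Every redirect is reported, including LAN shortcuts such as the fileserver line, because the script cannot tell a deliberate entry from a planted one; that judgement stays with the person reading the list. A long HOSTS file like the MVPS one produces no redirect findings at all, since every line in it points at a sink address.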
Old 04-05-2010, 09:36 PM   #11
Registered Member
 
Join Date: Feb 2005
Posts: 91
OS: Win 7



Thanks tetonBob, I appreciate your help a lot... Hopefully I'll avoid this in the future, but if not, I know where to come to get expert help.

Thanks very much

Peter
Old 04-05-2010, 10:08 PM   #12
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 49,958
OS: XP Pro; XP Home; Win7 x86 & x64



Cheers, Peter. I'm glad to have helped. We also hope your visit to this section of the forum is a one time event. Please do enjoy the rest of the forum as much as you like.

Thanks for your support for the forums!

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.

Copyright 2001 - 2014, Tech Support Forum