
Windows Update and google search results not working after virus

#1 - 07-19-2010, 05:59 AM - mvparker79 (Registered Member; OS: Windows XP)

I got a virus about 4 days ago. After I got the virus, it said that my computer was infected and brought up a window and simulated a scan of my computer using the Antivir Antivirus program which I don't use. I use AVG and it is up to date. I closed the program and it kept telling me that it wasn't safe to not scan my computer. After that, any program I tried to open I would get a message saying that the file was corrupted, etc. This is what I've done so far to fix it.

1) I booted into Safe Mode and restored the system to the last restore point. That allowed me to boot normally and download some antivirus/anti-malware programs.

2) I ran AVG and it didn't find anything.

3) I then ran malwarebytes and it found a few items and deleted them.

4) Ran Avast! antivirus and it also found a few infected files and deleted them.

5) I then ran both of those programs again to make sure everything was gone and neither found anything, so I assumed everything was good.

Over the next few days the Antivir program never came up to try to scan, but I'm sure the computer is still infected. Every so often (usually after a reboot) I get the Windows Update icon in the system tray and it tries to download the update, but it only says 0%. Then the icon goes away. Now I'm noticing that after I do a Google search I can click on one of the links, but if I go back and click on another I get the following message: "400 Bad Request" and below that it says "nginx/0.8.35".

It sometimes will allow me to get to the link, but maybe only 1 out of every 10 tries. I usually just launch another browser. The other issue that I'm seeing is that when I click on the Windows Update "program" (really just a URL link) from the programs list in the Start menu, it takes me to a page that says "Internet Explorer cannot display the webpage", and that happens every time.

So the next steps I've taken are:

6) I ran Spybot - Search & Destroy and it found a lot of stuff, then deleted them.

7) I ran SuperAntiSpyware and it also found a lot, then deleted them.

8) Then I ran Dr. Web CureIt! and it found just a few, then deleted them.

I'm still having the same problems with my Google searches and Windows Update. Note that I haven't seen any problems if I click on one of my favorites or type in a URL, and I haven't seen the problem occur when using Internet Explorer, except for the Windows Update issue. I've tried uninstalling and reinstalling Google Chrome now as well, but no luck.

I've now run all of the diagnostic tools required by TSF and here they are:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Matt Parker at 12:47:23.84 on Sun 07/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1196 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Matt Parker\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Documents and Settings\Matt Parker\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Matt Parker\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Matt Parker\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [BackgroundSwitcher] "c:\program files\johnsadventures.com\john's background switcher\BackgroundSwitcher.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "c:\documents and settings\matt parker\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251517388390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mattpa~1\applic~1\mozilla\firefox\profiles\171pigbp.default\
FF - plugin: c:\documents and settings\matt parker\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-14 165456]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-14 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-14 40384]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-5-24 54760]
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2010-4-14 78104]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-14 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-14 40384]
S3 AIDA32Driver;AIDA32Driver;\??\e:\aida32\aida32.sys --> e:\aida32\aida32.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2010-3-15 91830]

=============== Created Last 30 ================

2010-07-17 06:37:33 0 d-----w- c:\documents and settings\matt parker\DoctorWeb
2010-07-17 05:20:07 0 d-----w- c:\docume~1\mattpa~1\applic~1\SUPERAntiSpyware.com
2010-07-17 05:20:07 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-17 05:19:57 0 d-----w- c:\program files\SUPERAntiSpyware
2010-07-17 04:38:12 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-17 04:38:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-16 03:59:05 0 d-----w- c:\docume~1\mattpa~1\applic~1\ElevatedDiagnostics
2010-07-15 02:20:21 38848 ----a-w- c:\windows\avastSS.scr
2010-07-15 02:20:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-14 23:55:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-14 23:55:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-14 23:55:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-14 23:46:17 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-14 04:19:15 0 d-----w- c:\docume~1\mattpa~1\applic~1\Malwarebytes
2010-07-14 04:18:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-14 02:08:24 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-30 01:07:38 0 d-----w- c:\docume~1\mattpa~1\applic~1\DTencryptor-E
2010-06-22 03:05:39 0 d-----w- c:\program files\iPod
2010-06-22 03:05:29 0 d-----w- c:\program files\iTunes
2010-06-22 03:00:44 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-05-18 21:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-15 02:05:08 60464 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 01:47:44 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll

============= FINISH: 12:49:11.17 ===============
Attached Files: Attach.zip (7.5 KB)

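As an added example (not code from this thread, nor from DDS, ComboFix or any tool named here), a small Python triage script that applies the checks a log reviewer makes by eye to lines in the shape of the DDS "Pseudo HJT Report" above and the ComboFix report posted further down: hosts-file overrides, proxy settings, orphaned BHOs, driver entries whose file is missing, a patched system driver, and data folders created under the NetworkService/LocalService profiles. The rule names, severities and the vendor allowlist are my assumptions, and SAMPLE_LOG is constructed to mirror lines from the logs in this thread.

```python
"""Triage helper for DDS "Pseudo HJT Report" / ComboFix style log lines.

Added example written for this thread; it is not part of DDS, ComboFix or
any of the tools mentioned. The rules are the checks a log reviewer applies
by eye. SAMPLE_LOG is constructed from the shape of the lines posted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Order in which findings are reported (assumed severity scale).
SEVERITY_ORDER = {"suspicious": 0, "review": 1, "info": 2}

# Service accounts; per-user style AppData folders under these profiles are
# unusual and often belong to something that ran under a service.
SERVICE_PROFILES = {"networkservice", "localservice"}

# Vendor folders that do legitimately show up under service profiles; these
# are downgraded to "review" rather than "suspicious" (assumed allowlist).
KNOWN_VENDOR_DIRS = {"adobe", "microsoft", "google", "apple computer"}

SERVICE_APPDATA_RE = re.compile(
    r"\\documents and settings\\([^\\]+)\\local settings\\application data\\([^\\]+)$"
)


@dataclass
class Finding:
    severity: str
    rule: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; returns None when nothing stands out."""
    s = line.strip()
    low = s.lower()
    if not s:
        return None
    # A hosts entry pointing a site at 127.0.0.1 blocks updates or help sites;
    # security tools also add block entries, so confirm which tool wrote it.
    if low.startswith("hosts:"):
        return Finding("review", "hosts-override", s)
    # An injected proxy lets a hijacker rewrite traffic (a "400 Bad Request"
    # from an nginx front-end only on search-result clicks fits that pattern).
    if "proxyserver" in low or "proxyenable" in low:
        return Finding("suspicious", "proxy-setting", s)
    if "proxyoverride" in low:
        return Finding("info", "proxy-override", s)
    # BHO / toolbar registrations whose DLL no longer exists on disk.
    if re.match(r"^(bho|tb):", low) and low.endswith("- no file"):
        return Finding("review", "orphaned-bho", s)
    # UAC disabled by policy (meaningful on Vista and later; DDS reports it on XP too).
    if "enablelua = 0" in low:
        return Finding("review", "uac-disabled", s)
    # Service/driver entries whose file could not be located ("[?]").
    if re.match(r"^[rs]\d\s", low) and low.endswith("[?]"):
        return Finding("review", "driver-file-missing", s)
    # ComboFix reporting a patched system driver that it restored.
    if low.startswith("infected copy of") and "disinfected" in low:
        return Finding("suspicious", "patched-system-driver", s)
    # Folder created directly under a service account's Local Settings\Application Data.
    m = SERVICE_APPDATA_RE.search(low)
    if m and m.group(1) in SERVICE_PROFILES:
        sev = "review" if m.group(2) in KNOWN_VENDOR_DIRS else "suspicious"
        return Finding(sev, "service-profile-appdata", s)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every line through triage_line and order the hits by severity."""
    findings = [f for f in map(triage_line, log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample mirroring DDS and ComboFix lines posted in this thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-14 165456]
S3 AIDA32Driver;AIDA32Driver;\??\e:\aida32\aida32.sys --> e:\aida32\aida32.sys [?]
Infected copy of c:\windows\system32\drivers\ohci1394.sys was found and disinfected
2010-07-14 23:41 . 2010-07-15 02:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\kisecqhuo
2010-07-14 02:08 . 2010-07-14 02:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.rule:24} {f.line}")
```

Run it on a saved DDS.txt or ComboFix.txt by passing the file contents to `triage()`; the ordering puts the patched driver and the randomly named NetworkService folder at the top, which are the two items in this thread's logs that most merit a reviewer's attention.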
#2 - 07-20-2010, 01:56 PM - nrug28 (Registered Member; OS: XP SP3)
Hello and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

#3 - 07-20-2010, 04:47 PM - mvparker79 (Registered Member; OS: Windows XP)
Thanks.
#4 - 07-21-2010, 11:22 AM - nrug28 (Registered Member; OS: XP SP3)
Hello mvparker,

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

=========================================================

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

=========================================================

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

To disable Avast:
  • Right Click on the Avast icon in the system tray
  • Click on Program Settings...
  • Click on Troubleshooting
  • Place a tick next to Disable avast! self-defense module
  • Click OK
  • At the prompt that appears, click Yes
  • Right Click on the Avast icon in the system tray and click Stop On-Access protection
  • At the prompt that appears, click Yes

To disable Spybot's TeaTimer:

Download ResetTeaTimer
  • Save it to your Desktop.
  • Double click ResetTeaTimer.exe to run it. This will only take a few seconds.
------------------------------------------------------
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Get help with disabling protection Here

Please include the C:\ComboFix.txt in your next reply for further review.

Be sure to re-enable your anti-virus before posting the ComboFix.txt.
#5 - 07-21-2010, 04:27 PM - mvparker79 (Registered Member; OS: Windows XP)
I'm also running SuperAnti Spyware. Do you want me to disable this as well?
#6 - 07-21-2010, 07:58 PM - mvparker79 (Registered Member; OS: Windows XP)
I didn't know if I should attach the ComboFix log or paste it, so I'm attaching it.

ComboFix 10-07-21.01 - Matt Parker 07/21/2010 21:39:28.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1645 [GMT -5:00]
Running from: c:\documents and settings\Matt Parker\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\MATTPA~1\LOCALS~1\Temp\install_flash_player.exe
c:\program files\iWin Games\iWinGamesHookIE.dll

Infected copy of c:\windows\system32\drivers\ohci1394.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.

2010-07-18 17:07 . 2010-07-18 17:08 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-18 05:05 . 2010-07-18 05:05 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-18 05:05 . 2010-07-18 05:05 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-18 05:05 . 2010-07-18 05:05 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-18 05:04 . 2010-07-18 05:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-07-18 01:53 . 2010-07-18 01:53 -------- d-----w- c:\documents and settings\Matt Parker\Local Settings\Application Data\Deployment
2010-07-17 06:37 . 2010-07-17 17:05 -------- d-----w- c:\documents and settings\Matt Parker\DoctorWeb
2010-07-17 05:20 . 2010-07-17 05:20 63488 ----a-w- c:\documents and settings\Matt Parker\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-17 05:20 . 2010-07-17 05:20 52224 ----a-w- c:\documents and settings\Matt Parker\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-17 05:20 . 2010-07-17 05:20 117760 ----a-w- c:\documents and settings\Matt Parker\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-17 05:20 . 2010-07-17 05:20 -------- d-----w- c:\documents and settings\Matt Parker\Application Data\SUPERAntiSpyware.com
2010-07-17 05:20 . 2010-07-17 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-17 05:19 . 2010-07-21 23:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-17 04:38 . 2010-07-17 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-17 04:38 . 2010-07-17 04:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-16 03:59 . 2010-07-16 03:59 -------- d-----w- c:\documents and settings\Matt Parker\Application Data\ElevatedDiagnostics
2010-07-15 23:39 . 2010-07-15 23:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-15 20:34 . 2010-07-15 20:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-15 02:21 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-15 02:20 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-15 02:20 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-15 02:20 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-15 02:20 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-15 02:20 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-15 02:20 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-15 02:20 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-15 02:20 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-15 02:20 . 2010-07-15 02:20 -------- d-----w- c:\program files\Alwil Software
2010-07-15 02:20 . 2010-07-15 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-14 23:55 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-14 23:55 . 2010-07-14 23:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-14 23:55 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-14 23:46 . 2010-07-14 23:46 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-14 23:41 . 2010-07-15 02:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\kisecqhuo
2010-07-14 19:44 . 2010-07-14 19:44 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-14 04:19 . 2010-07-14 04:19 -------- d-----w- c:\documents and settings\Matt Parker\Application Data\Malwarebytes
2010-07-14 04:18 . 2010-07-14 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-14 02:08 . 2010-07-14 02:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-14 02:08 . 2010-07-14 02:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-13 22:07 . 2010-07-14 23:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2010-07-13 20:35 . 2010-07-13 20:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-10 00:08 . 2010-07-10 00:08 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-10 00:08 . 2010-07-10 00:08 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-07-10 00:04 . 2010-07-10 00:04 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-06-30 01:07 . 2010-06-30 01:22 -------- d-----w- c:\documents and settings\Matt Parker\Application Data\DTencryptor-E
2010-06-30 01:07 . 2009-06-25 15:25 1323008 ----a-w- c:\documents and settings\Matt Parker\Application Data\DTencryptor-E\DTencryptor.exe
2010-06-22 03:05 . 2010-06-22 03:05 -------- d-----w- c:\program files\iPod
2010-06-22 03:05 . 2010-06-22 03:06 -------- d-----w- c:\program files\iTunes
2010-06-22 03:00 . 2010-06-22 03:00 -------- d-----w- c:\program files\Bonjour
2010-06-22 02:59 . 2010-06-22 02:59 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-22 02:54 . 2010-06-22 02:54 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-22 02:47 . 2010-04-19 03:26 -------- d-----w- c:\program files\iWin Games
2010-07-18 00:15 . 2009-10-31 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-07-16 23:47 . 2010-04-05 02:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-10 00:09 . 2010-05-31 02:26 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-10 00:09 . 2010-05-31 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-10 00:08 . 2010-05-31 02:24 -------- d-----w- c:\program files\DivX
2010-07-10 00:03 . 2010-05-31 02:23 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-07-10 00:03 . 2010-05-31 02:26 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-07-10 00:02 . 2010-05-31 02:26 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-06-22 03:05 . 2009-08-30 02:22 -------- d-----w- c:\program files\Common Files\Apple
2010-06-22 02:57 . 2009-09-11 23:47 -------- d-----w- c:\program files\Safari
2010-06-12 20:35 . 2009-10-22 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-05 23:31 . 2010-06-05 23:31 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-05 23:31 . 2010-06-05 23:31 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-05 23:30 . 2010-06-05 23:30 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-06-05 23:30 . 2010-06-05 23:30 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-06-05 23:30 . 2010-06-05 23:30 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-04 22:17 . 2009-09-19 05:50 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-31 19:12 . 2010-05-31 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-31 19:01 . 2010-05-31 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-31 19:01 . 2010-05-31 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-05-31 02:25 . 2010-05-31 02:25 -------- d-----w- c:\documents and settings\Matt Parker\Application Data\DivX
2010-05-31 02:25 . 2010-05-31 02:25 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-31 02:25 . 2010-05-31 02:25 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-31 02:24 . 2010-05-31 02:24 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-31 02:24 . 2010-05-31 02:24 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-31 02:24 . 2010-05-31 02:24 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-05-31 02:24 . 2010-05-31 02:24 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-05-31 02:24 . 2010-05-31 02:24 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-31 02:24 . 2010-05-31 02:24 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-05-31 02:24 . 2010-05-31 02:24 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-05-31 02:24 . 2010-05-31 02:24 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-05-31 02:24 . 2010-05-31 02:24 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-05-28 17:14 . 2010-05-28 17:14 -------- d-----w- c:\documents and settings\Matt Parker\Application Data\johnsadventures.com
2010-05-28 17:06 . 2010-05-28 17:06 -------- d-----w- c:\program files\johnsadventures.com
2010-05-25 01:15 . 2010-05-25 01:15 -------- d-----w- c:\documents and settings\Matt Parker\Application Data\Windows Search
2010-05-25 01:09 . 2010-05-25 01:09 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-05-25 01:08 . 2010-05-25 01:06 -------- d-----w- c:\program files\Windows Live
2010-05-25 01:08 . 2010-05-25 01:08 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-05-25 01:07 . 2010-05-25 01:07 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-05-25 01:06 . 2010-05-25 00:53 -------- d-----w- c:\program files\Microsoft
2010-05-25 01:06 . 2010-05-25 01:06 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-15 02:05 . 2009-09-13 23:39 60464 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-06 10:41 . 2004-08-12 13:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-12 13:33 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 12:44 . 2010-05-25 01:08 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackgroundSwitcher"="c:\program files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe" [2010-05-18 119104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-29 2403568]
"Google Update"="c:\documents and settings\Matt Parker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-07-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-21 761945]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-02-23 106496]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Matt Parker^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Matt Parker\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2006-09-21 12:00 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-06-15 18:37 47408 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-03 00:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
2005-10-27 23:00 299008 ------w- c:\program files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-07-18 01:53 136176 ----atw- c:\documents and settings\Matt Parker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 21:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-09-21 12:00 16010752 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-09-21 12:00 544768 ----a-w- c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-03 03:41 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-04-12 23:41 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/14/2010 9:20 PM 165456]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/14/2010 9:21 PM 17744]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [4/14/2010 9:16 AM 78104]
S3 AIDA32Driver;AIDA32Driver;\??\e:\aida32\aida32.sys --> e:\aida32\aida32.sys [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [3/15/2010 9:50 PM 91830]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder

2010-07-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-12-07 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 2170 series272A572217594EBCF1CEE215E352B92AD073FDE4252206633.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]

2010-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1450960922-725345543-1003Core.job
- c:\documents and settings\Matt Parker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-18 01:53]

2010-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1450960922-725345543-1003UA.job
- c:\documents and settings\Matt Parker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-18 01:53]

2010-07-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1275210071-1450960922-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-07-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1275210071-1450960922-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-07-22 c:\windows\Tasks\User_Feed_Synchronization-{B2F5460A-1507-4E5E-823A-EA9929E59DF7}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Matt Parker\Application Data\Mozilla\Firefox\Profiles\171pigbp.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
AddRemove-ActiveTouchMeetingClient - c:\docume~1\MATTPA~1\LOCALS~1\APPLIC~1\Google\Chrome\APPLIC~1\plugins\atcliun.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-21 21:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-21 21:51:17
ComboFix-quarantined-files.txt 2010-07-22 02:50

Pre-Run: 29,795,115,008 bytes free
Post-Run: 31,315,578,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7D4515BA4575C149F0CD42D012341AFC
Attached file: Combofix.txt (22.2 KB)
mvparker79 is offline  
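The "Reg Loading Points" block, the R1/R2/S3 driver lines and the scheduled tasks in the ComboFix output above are the parts a responder reads first, because that is where persistence lives. The script below is an added example, not ComboFix's own tooling or code from anyone in this thread: it parses those three line shapes out of a ComboFix log and flags entries whose binary sits in a user-writable profile path, drivers whose image file ComboFix could not find (printed as "[?]"), and files dated inside a suspected infection window. The window (14 to 16 July 2010) is an assumption taken from the dates in the thread, the rule names are the example's own, and the sample input is an excerpt of the log posted above. As the output shows, the location rule also catches Google's legitimate per-user updater, so every hit still needs a human look.

```python
"""Triage autostart records from a ComboFix log (added example, not ComboFix's
or the forum's code).  Reads 'Reg Loading Points' values, R1/R2/S3 driver lines
and scheduled-task targets, and raises three leads (names are this example's own):
user_profile_path (binary sits where a limited user can write), image_missing
(driver file ComboFix could not find, shown as '[?]') and in_window (file dated
inside the suspected infection window, assumed here from the thread's dates).
Leads, not verdicts: Google's per-user updater trips the first rule legitimately.
"""
import re
from datetime import datetime

# The three line shapes in the log that carry a file path and a timestamp.
RUN_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2}) \d+\]$')
DATED_FILE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>\S.*)$')
SERVICE_RE = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$')
TASK_TARGET_RE = re.compile(
    r'^- (?P<path>.+?)\s+\[(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\]$')
SECTION_RE = re.compile(r'^\[(?P<section>.+)\]$')
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")

# Excerpt of the log posted in this thread, used as sample input.
SAMPLE_LOG = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-29 2403568]
"Google Update"="c:\documents and settings\Matt Parker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-07-18 136176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-21 761945]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-07-18 01:53 136176 ----atw- c:\documents and settings\Matt Parker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/14/2010 9:20 PM 165456]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [4/14/2010 9:16 AM 78104]
S3 AIDA32Driver;AIDA32Driver;\??\e:\aida32\aida32.sys --> e:\aida32\aida32.sys [?]
2010-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1450960922-725345543-1003Core.job
- c:\documents and settings\Matt Parker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-18 01:53]
"""


def parse_date(text):
    """Accept both styles ComboFix prints: 2010-07-18 and 7/14/2010."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            pass
    return None


INFECTION_WINDOW = (parse_date("2010-07-14"), parse_date("2010-07-16"))  # assumption


def parse_line(line, section):
    """Return (section, name, path, file_date, reasons) for a record line, else None."""
    m = RUN_VALUE_RE.match(line)
    if m:
        return section, m["name"], m["path"], parse_date(m["date"]), []
    m = DATED_FILE_RE.match(line)
    if m:  # startupreg / winlogon-notify entries are named by their key
        return section, (section or "?").rsplit("\\", 1)[-1], m["path"], parse_date(m["date"]), []
    m = SERVICE_RE.match(line)
    if m:
        if m["meta"] == "?":  # ComboFix could not stat the image file
            return "services", m["name"], m["path"], None, ["image_missing"]
        return "services", m["name"], m["path"], parse_date(m["meta"].split()[0]), []
    m = TASK_TARGET_RE.match(line)
    if m:
        return "scheduled tasks", m["path"].rsplit("\\", 1)[-1], m["path"], parse_date(m["date"]), []
    return None


def triage(log_text, window=INFECTION_WINDOW):
    """Return every autostart record that trips at least one rule."""
    findings, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec["section"]
            continue
        rec = parse_line(line, section)
        if rec is None:
            continue
        where, name, path, file_date, reasons = rec
        if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("user_profile_path")
        if file_date and window[0] <= file_date <= window[1]:
            reasons.append("in_window")
        if reasons:
            findings.append({"section": where, "name": name, "path": path,
                             "date": file_date, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{','.join(hit['reasons']):<28} {hit['name']:<14} {hit['path']}")
```

Run against the excerpt it reports five leads: the three Google Update records (location only), aswSP.sys (dated 14 July, inside the window, and in this thread explained by the Avast install that evening) and the orphaned AIDA32Driver on a removable drive. Nothing in the list is malicious, which is the point: the rules narrow a long log to a handful of lines to verify, they do not replace verification.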
Old 07-21-2010, 08:09 PM   #7
Registered Member
 
Join Date: Sep 2009
Posts: 22
OS: Windows XP



After I posted my last reply, the Windows Update shield showed up. It said that updates were ready to be installed, which means that the files actually downloaded. I didn't install them though. I then tried to go to Microsoft's Windows Update page and it came up like it should. I've also tried to recreate the "400 Bad Request" page from doing various Google searches. I can't recreate it. It looks as if everything is fixed now. Was there something in the process that you just gave me that may have fixed the issue?
mvparker79 is offline  
Old 07-22-2010, 10:46 AM   #8
Registered Member
 
Join Date: Aug 2008
Posts: 426
OS: XP SP3



Hello mvparker,

Quote:
I didn't know if I should attach the Combo Fix Log or paste so I'm attaching it.
Please copy/paste the logs that are requested as it is easier to review them.

Quote:
It looks as if everything is fixed now. Was there something in the process that you just gave me that may have fixed the issue?
Even though the symptoms may have gone away, we still have some work to do.

=========================================================

Open notepad and copy/paste the text in the codebox below into it:

Code:
REM List everything under the suspicious folder, including hidden and system files (/a), recursively (/s)
dir /a /s "c:\documents and settings\NetworkService\Local Settings\Application Data\kisecqhuo" > log.txt
notepad log.txt
REM Remove the batch file itself once the listing is open
del peek.bat
Save this as peek.bat and choose "Save as type - All Files".
Double click on peek.bat & allow it to run. A notepad file will open. Copy that information into your next reply.

=========================================================

Since you already have Malwarebytes' Anti-Malware installed, please run a quick scan.
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=========================================================

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
nrug28 is offline  
Old 07-25-2010, 05:58 PM   #9
Registered Member
 
Join Date: Sep 2009
Posts: 22
OS: Windows XP



Here is the peek.bat report:


Volume in drive C has no label.
Volume Serial Number is BCC4-3544

Directory of c:\documents and settings\NetworkService\Local Settings\Application Data\kisecqhuo

07/14/2010 09:04 PM <DIR> .
07/14/2010 09:04 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 30,687,879,168 bytes free



Here is the Malwarebytes report:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4347

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/25/2010 5:31:45 PM
mbam-log-2010-07-25 (17-31-45).txt

Scan type: Quick scan
Objects scanned: 138262
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here is the ESET report:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d4e89ca9fa000b46b7a548da1c2d02e0
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-26 12:45:17
# local_time=2010-07-25 07:45:17 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 27561034 27561034 0 0
# compatibility_mode=768 16777215 100 0 17879 17879 0 0
# compatibility_mode=1024 16777215 100 0 22213031 22213031 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=94389
# found=7
# cleaned=0
# scan_time=5234
C:\Documents and Settings\Matt Parker\Application Data\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-552f3853 Java/TrojanDownloader.Agent.NBK trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Matt Parker\Application Data\Sun\Java\Deployment\cache\6.0\44\690b50ac-5255a210 multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\Matt Parker\Application Data\Sun\Java\Deployment\cache\6.0\44\696d2fac-39735c15 multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\Matt Parker\Application Data\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-757660c7 Java/TrojanDownloader.Agent.NBL trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Matt Parker\Application Data\Sun\Java\Deployment\cache\6.0\53\42441975-6954a112 Java/TrojanDownloader.Agent.NBM trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ohci1394.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3C61178B-F9FF-42D5-BEB9-5F0303225083}\RP319\A0063946.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
mvparker79 is offline  
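The seven detections in the ESET log above are what the next reply sorts into Java cache, ComboFix quarantine and System Restore copies before declaring the system clean. The script below, added here as an example and not code from ESET, ComboFix or anyone in the thread, does that triage mechanically on an ESET Online Scanner log: it reads the "# key=value" header, recovers the path/threat split on lines whose tab separators were flattened when the log was pasted into the forum, cross-checks the parsed detections against "# found=", and buckets each hit by where it sits so that only hits outside those inert stores are reported as live. The category names are the example's own and the sample log is built from the lines posted above. For orientation, Win32/Olmarik is ESET's name for the TDSS/TDL rootkit family, and the hit under C:\Qoobox is a copy of a system driver that ComboFix had already quarantined.

```python
"""Triage an ESET Online Scanner log (added example; not ESET's, ComboFix's or the
forum's code).  The log is '# key=value' header lines followed by one line per
detection: <path> <threat name> <32-hex hash> <flag>.  The real file is
tab-separated; pasted into a forum the tabs collapse to spaces and Windows paths
contain spaces themselves, so this parser anchors on the hash and flag at the end
and treats the first token containing '/' (ESET family names look like
Win32/Olmarik.ZC) or the words 'multiple threats' as the start of the threat.
Category names are this example's own: a hit in the Java deployment cache, in
ComboFix's C:\\Qoobox quarantine or inside a System Restore point is inert and is
cleared by emptying that store; anything else is 'live' on the running system.
"""
import re
from collections import Counter

HASH_FLAG_RE = re.compile(r"\s+([0-9a-fA-F]{32})\s+([A-Z]+)\s*$")

# Sample log built from the detection lines posted in this thread; the header is
# trimmed to the fields the triage uses.
SAMPLE_LOG = r"""# version=7
# remove_checked=false
# scanned=94389
# found=7
# cleaned=0
C:\Documents and Settings\Matt Parker\Application Data\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-552f3853 Java/TrojanDownloader.Agent.NBK trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Matt Parker\Application Data\Sun\Java\Deployment\cache\6.0\44\690b50ac-5255a210 multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\Matt Parker\Application Data\Sun\Java\Deployment\cache\6.0\44\696d2fac-39735c15 multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\Matt Parker\Application Data\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-757660c7 Java/TrojanDownloader.Agent.NBL trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Matt Parker\Application Data\Sun\Java\Deployment\cache\6.0\53\42441975-6954a112 Java/TrojanDownloader.Agent.NBM trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ohci1394.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{3C61178B-F9FF-42D5-BEB9-5F0303225083}\RP319\A0063946.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
"""


def classify(path):
    """Map a detection path to the store it sits in, or 'live' for the file system."""
    p = path.lower()
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix_quarantine"
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    return "live"


def parse_detection(line):
    """Split one detection line into its fields; None if the line is not one."""
    m = HASH_FLAG_RE.search(line)
    if not m:
        return None
    head = line[:m.start()]
    if "\t" in head:                       # pristine log: tab-separated
        path, threat = (part.strip() for part in head.split("\t", 1))
    else:                                  # forum-flattened: recover the split
        tokens = head.split()
        start = next((i for i, tok in enumerate(tokens) if "/" in tok
                      or (tok == "multiple" and tokens[i + 1:i + 2] == ["threats"])), None)
        if not start:
            return None
        path, threat = " ".join(tokens[:start]), " ".join(tokens[start:])
    return {"path": path, "threat": threat, "hash": m.group(1), "flag": m.group(2),
            "category": classify(path)}


def triage(log_text):
    """Parse header and detections, cross-check the count and bucket the hits."""
    header, findings = {}, []
    for line in log_text.splitlines():
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key] = value
        else:
            hit = parse_detection(line)
            if hit:
                findings.append(hit)
    found = int(header.get("found", -1))
    return {"found": found, "cleaned": int(header.get("cleaned", 0)),
            "remove_checked": header.get("remove_checked") == "true",
            "findings": findings,
            "by_category": Counter(f["category"] for f in findings),
            # mismatch => lines were lost in the paste; ask for the file itself
            "count_matches": found == len(findings),
            "live": [f for f in findings if f["category"] == "live"]}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"found={result['found']} parsed={len(result['findings'])} live={len(result['live'])}")
    print(dict(result["by_category"]))
```

On the posted log this yields five Java cache hits, one quarantine hit and one restore-point hit, no live findings and a count that matches "# found=7", which is the same conclusion the helper reaches by eye. The "remove_checked" flag is carried through because the scan was deliberately run without "Remove found threats": a live finding in a log like this is something to act on, not something the scanner already handled.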
Old 07-26-2010, 01:09 PM   #10
Registered Member
 
Join Date: Aug 2008
Posts: 426
OS: XP SP3



Hello mvparker,

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK:

cmd /c rd /s/q "c:\documents and settings\NetworkService\Local Settings\Application Data\kisecqhuo"

=========================================================

Your logs are clean.

The online scan flagged files in your Java cache, ComboFix's quarantine folder, and System Restore, all of which we will address now.

Your Java is out of date.

Java(TM) 6 Update 16 can be updated from the Java control panel

Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Clear Sun Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
  • Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

=========================================================

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

You can also delete any of the tools that we have used and the logs from them.

=========================================================

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.
  • SpywareBlaster helps prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
    • click the button - enable protection for all unprotected items
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.

ANTIVIRUS SOFTWARE
It is very important that you keep your Anti Virus and Anti Malware software updated and scan with them on a regular basis. If you do not get regular updates (at least once a week) then you will be open to attacks by new malware that may have been released.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles:

Please respond to this thread one more time so we can mark this thread as resolved.
nrug28 is offline  
Old 07-26-2010, 04:06 PM   #11
Registered Member
 
Join Date: Sep 2009
Posts: 22
OS: Windows XP



I've finished the last few steps you've given me. Should I run that ESET scan once more just to be sure that everything is gone?
mvparker79 is offline  
Old 07-27-2010, 09:54 AM   #12
Registered Member
 
Join Date: Aug 2008
Posts: 426
OS: XP SP3



Hi mvparker,

No need to run ESET again as we have taken care of everything the scanner found.

If there are no more issues we can mark this thread as resolved.

nrug28 is offline  
 

Copyright 2001 - 2014, Tech Support Forum
