Only Affecting attempts to fix

[Kibure]

My boss brought me his personal computer. Someone had convinced him to download "Antivirus 2009" on it. It has been preventing me from running Malwarebytes (which I read can remove it) or updating any of the scanner/virus programs. I booted in safe mode and ran AVG. My boss thinks I fixed it, for most purposes it runs ok. However when you search for spyware programs, antivirus updates, or try to go to the main webpages to download updates you get redirected to a trash advertisement page. I even went to Download.com and tried to get Hijackthis from there and when the download started it canceled it and redirected the browser to a trash page. Instead I was able to download Hijackthis onto my laptop and transfer it via media key. I ran it and below is the log. I tried running gmer and the other program you ask for logs from, but even transferring from my media key the programs won't run. Thanks for your time.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:32 PM, on 12/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.albany-inn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm399YYUS
O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46...abblecubes.cab
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinner.com/games/v47...m/skillgam.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47...amesLoader.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://www.worldwinner.com/games/v48...t/brickout.cab
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - http://www.worldwinner.com/games/v45...itairerush.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v41...l/freecell.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/def...jolauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v57/cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v49.../dinerdash.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47...familyfeud.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://myspace.oberon-media.com/game...loader_v10.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 6009 bytes

[Angelfire777]

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Note: Please rename combofix.exe to cfix.exe

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

[Kibure]

Cannot get the computer to run combo fix. I think it might be time to wipe and reinstall. At this point I can't seem even get it into Safe Mode. Going to make one last attempt with a boot disk to see if I can make it behave well enough to run the programs.

[Kibure]

After several hours of fussing with it, I was able to get the programs suggested to run.

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.albany-inn.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore

c:\windows\Downloaded Program Files\popcaploader.dll - O16 -: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
hxxp://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--7ef977fe-1f6b-4bbb-8939-8242fed46ce9/online/zuma_new/en/popcaploader_v10.cab
c:\windows\Downloaded Program Files\popcaploader.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 21:12:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-12-11 21:22:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-12 05:20:40

Pre-Run: 26,533,019,648 bytes free
Post-Run: 27,059,105,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

196 --- E O F --- 2008-12-09 23:35:16


DDS (Version 1.0) - NTFSx86 MINIMAL
Run by Administrator at 19:00:51.89 on Thu 12/11/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.151 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe
C:\Documents and Settings\Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mSearch Page =
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\npjpi160_03.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-26 97928]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-26 26824]
S1 NEOFLTR_550_12491;Juniper Networks TDI Filter Driver (NEOFLTR_550_12491);\??\c:\windows\system32\drivers\NEOFLTR_550_12491.SYS [2007-12-25 64144]
S2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-26 875288]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-26 231704]
S2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-26 76040]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-2-11 24652]

=============== Created Last 30 ================

2008-12-10 13:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2008-12-04 22:40 <DIR> --d----- c:\program files\Trend Micro
2008-12-04 22:07 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-04 22:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-04 21:07 <DIR> --d----- c:\program files\Lavasoft
2008-12-04 21:06 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-04 16:41 <DIR> --d----- c:\windows\pss
2008-12-04 14:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-04 14:41 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 14:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-04 14:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 14:30 <DIR> --d----- c:\docume~1\admini~1\applic~1\Juniper Networks
2008-12-04 14:30 <DIR> --d----- c:\documents and settings\Administrator
2008-11-27 08:57 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-11-26 10:52 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-11-26 10:52 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2008-11-26 10:52 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2008-11-26 10:52 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-11-26 10:52 <DIR> --d----- c:\program files\AVG
2008-11-26 10:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-11-25 13:57 26,112 a------- c:\windows\system32\stu2.exe
2008-11-11 19:16 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 19:15 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-12-08 21:21 <DIR> --d----- c:\program files\GameHouse
2008-11-26 12:44 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-11-26 12:44 <DIR> --d----- c:\program files\Symantec
2008-11-26 11:14 <DIR> --d----- c:\program files\Shockwave.com
2008-11-26 11:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-11-26 10:59 <DIR> --d----- c:\program files\MySpace
2008-11-25 13:57 10,752 a------- c:\windows\system32\userinit.exe
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 02:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-08-18 07:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SoftLand Ltd
2008-05-17 13:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PopCap
2008-03-20 16:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MumboJumbo
2007-01-22 09:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2006-12-22 04:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Infospace
2006-12-12 22:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\FunGames
2008-08-10 19:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081020080811\index.dat

============= FINISH: 19:01:42.71 ===============

[Angelfire777]

Can you re-post all the contents of C:\Combofix.txt please.

[Kibure]

Quote:

Originally Posted by Angelfire777

Can you re-post all the contents of C:\Combofix.txt please.

Certainly

ComboFix 08-12-11.04 - Owner 2008-12-11 20:47:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.34 [GMT -8:00]
Command switches used :: c:\documents and settings\Owner\Desktop\Lobby\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\TDSSmqxt.sys
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.

2008-12-10 13:50 . 2008-12-10 13:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
2008-12-09 15:31 . 2008-12-09 15:34 1,374 --a------ c:\windows\imsins.BAK
2008-12-04 22:40 . 2008-12-04 22:40 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 22:07 . 2008-12-04 22:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-04 22:07 . 2008-12-04 22:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-04 21:07 . 2008-12-04 21:07 <DIR> d-------- c:\program files\Lavasoft
2008-12-04 21:07 . 2008-12-04 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-04 21:06 . 2008-12-04 21:06 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-04 14:41 . 2008-12-04 14:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 14:41 . 2008-12-04 14:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 14:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 14:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 14:30 . 2008-12-04 14:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Juniper Networks
2008-12-04 14:30 . 2008-12-04 14:30 <DIR> d-------- c:\documents and settings\Administrator
2008-11-28 01:37 . 2008-11-28 01:37 <DIR> d-------- c:\documents and settings\Albany Inn\Application Data\Juniper Networks
2008-11-28 01:36 . 2008-11-28 01:37 <DIR> d-------- c:\documents and settings\Albany Inn
2008-11-27 08:57 . 2008-12-04 16:20 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-26 10:52 . 2008-11-29 04:43 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-26 10:52 . 2008-11-26 10:52 <DIR> d-------- c:\program files\AVG
2008-11-26 10:52 . 2008-11-29 16:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-26 10:52 . 2008-11-26 10:52 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-26 10:52 . 2008-11-26 10:52 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-26 10:52 . 2008-11-26 10:52 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-25 13:57 . 2008-04-13 16:12 26,112 --a------ c:\windows\system32\stu2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 05:21 --------- d-----w c:\program files\GameHouse
2008-11-26 20:44 --------- d-----w c:\program files\Symantec
2008-11-26 20:44 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-26 19:14 --------- d-----w c:\program files\Shockwave.com
2008-11-26 19:01 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-26 18:59 --------- d-----w c:\program files\MySpace
2008-11-22 17:56 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-17 08:40 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-06-03 14:01 724,984 ----a-w c:\documents and settings\Owner\gotomypc_437.exe
2007-01-13 17:02 32 ----a-r c:\documents and settings\All Users\hash.dat
2006-11-28 23:50 563,712 ----a-w c:\documents and settings\Owner\gotomypc_370.exe
2008-08-11 03:36 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081020080811\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-09-13 4621816]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MS AntiSpyware 2009"="c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" [2008-12-10 1110016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv50"= c:\windows\ir50_32.dll
"vidc.mpg4"= c:\windows\mpg4c32.dll
"vidc.mpg2"= c:\windows\mpg4c32.dll
"vidc.mpg3"= c:\windows\mpg4c32.dll
"vidc.MJPG"= c:\windows\m3jpeg32.dll
"vidc.dmb1"= c:\windows\m3jpeg32.dll
"vidc.GEOX"= c:\windows\system32\GeoCodec.dll
"vidc.GM20"= c:\windows\system32\GXGM20.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-11-27 02:04 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
-ra------ 2005-02-03 18:38 1851392 c:\program files\Support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"spkrmon"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-26 97928]
R1 NEOFLTR_550_12491;Juniper Networks TDI Filter Driver (NEOFLTR_550_12491);\??\c:\windows\system32\Drivers\NEOFLTR_550_12491.SYS [2007-12-25 64144]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-26 76040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1549de56-b82b-11dd-9212-0011115ceff6}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5e13a39-242e-11db-90f7-0011115ceff6}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eade6503-c458-11dc-919b-0011115ceff6}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-InstallProgram - c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4BQ6S1ZM\setup_110065_3_[1].exe
MSConfigStartUp-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.albany-inn.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore

c:\windows\Downloaded Program Files\popcaploader.dll - O16 -: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
hxxp://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--7ef977fe-1f6b-4bbb-8939-8242fed46ce9/online/zuma_new/en/popcaploader_v10.cab
c:\windows\Downloaded Program Files\popcaploader.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 21:12:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-12-11 21:22:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-12 05:20:40

Pre-Run: 26,533,019,648 bytes free
Post-Run: 27,059,105,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

196 --- E O F --- 2008-12-09 23:35:16

[Angelfire777]

Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type check.bat in the File name and save it to your desktop.

Code:

@echo off
@fdsv c:\windows\system32\stu2.exe > check1.txt
notepad check1.txt
del check1.txt
del %0

Locate check.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.

[Kibure]

FileDigitalSignVerify 1.2

Copyright (C) 2007-2008 Smallfrogs

KZTechs.COM - www.KZTechs.com



FileDigitalSignVerify is used to verify digital signatures on specified files.



Status Name of signer File Path

-----------------------------------------------------------

0x00000000 Microsoft Windows Component Publisher c:\windows\system32\stu2.exe

[Angelfire777]

Hi,

Did you intentionally change your startup page to: http://www.albany-inn.com/ ?

*I see you have Viewpoint installed...
Viewpoint related software are considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

• Viewpoint
• Viewpoint Manager
• Viewpoint Media Player

*Open notepad.
Copy and paste the text inside the code box below to notepad

Code:

Folder::
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MS AntiSpyware 2009"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
FCopy::
c:\windows\system32\stu2.exe | C:\windows\system32\userinit.exe
Skipfix::

• Save and Name it as "CFScript"
• Drag and drop CFScript.txt to your copy of combofix.
• You can take a look at the image below if you're unsure on how to do it.
  
• Combofix wil restart your machine then it will produce a log afterwards.
• Please post the contents of that log.

*Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
• Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
• Click the "Download" button to the right.
• For Platform, select "Windows"
• For language, select your language
• Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
• Click Continue
• Click on the link to download Windows Offline Installation and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  - Examples of older versions in Add or Remove Programs:
  • J2SE Runtime Environment 5.0 Update 6
  • J2SE Runtime Environment 5.0 Update 9
  • Java 2 Runtime Environment, SE v1.4.2_03
  • Java(TM) 6 Update 3
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

• On the General tab, under Temporary Internet Files, click the Settings button.
• Next, click on the Delete Files button
• There are two options in the window to clear the cache - Leave BOTH Checked
  • Applications and Applets
    Trace and Log Files
• Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
• Click OK to leave the Temporary Files Window
• Click OK to leave the Java Control Panel.

*Next, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

On your next reply, please include a

• kaspersky scan log
• combofix log

[Kibure]

Edit: About the "Albany Inn" thing, this used to be my boss' business computer, however it has since been retired to his children when he upgraded to a better model. It's an indian family, they don't mess with much but the youngest got the Antivirus 2009 problem on there in the first place. They are different in the way they do things, instead of changing the home page they made a link on the desktop to google and click on that.

Kapersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 13, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 13, 2008 17:57:19
Records in database: 1458326
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 64806
Threat name: 7
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 02:04:21


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe Infected: not-a-virus:FraudTool.Win32.MSAntivirus.cg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSmqxt.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfum.dll.vir Infected: Trojan.Win32.Agent.arvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSofxh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Downloader.Win32.Agent.asqr 1

The selected area was scanned.


Combofix:

ComboFix 08-12-11.04 - Owner 2008-12-13 22:21:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.73 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081210145901203.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081210150336250.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081210165734421.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081210181306953.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081210182849375.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081211181236843.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081211194533078.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081211211436593.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe

.
--------------- FCopy ---------------

c:\windows\system32\stu2.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-13 22:19 . 2008-12-13 22:20 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2008-12-11 19:49 . 2008-12-11 21:23 <DIR> d-------- C:\cfix
2008-12-10 13:50 . 2008-12-13 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
2008-12-09 15:31 . 2008-12-09 15:34 1,374 --a------ c:\windows\imsins.BAK
2008-12-04 22:40 . 2008-12-04 22:40 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 22:07 . 2008-12-04 22:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-04 22:07 . 2008-12-04 22:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-04 21:07 . 2008-12-04 21:07 <DIR> d-------- c:\program files\Lavasoft
2008-12-04 21:07 . 2008-12-04 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-04 21:06 . 2008-12-04 21:06 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-04 14:41 . 2008-12-04 14:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 14:41 . 2008-12-04 14:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 14:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 14:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 14:30 . 2008-12-04 14:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Juniper Networks
2008-12-04 14:30 . 2008-12-04 14:30 <DIR> d-------- c:\documents and settings\Administrator
2008-11-28 01:37 . 2008-11-28 01:37 <DIR> d-------- c:\documents and settings\Albany Inn\Application Data\Juniper Networks
2008-11-28 01:36 . 2008-11-28 01:37 <DIR> d-------- c:\documents and settings\Albany Inn
2008-11-27 08:57 . 2008-12-04 16:20 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-26 10:52 . 2008-11-29 04:43 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-26 10:52 . 2008-11-26 10:52 <DIR> d-------- c:\program files\AVG
2008-11-26 10:52 . 2008-11-29 16:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-26 10:52 . 2008-11-26 10:52 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-26 10:52 . 2008-11-26 10:52 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-26 10:52 . 2008-11-26 10:52 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-25 13:57 . 2008-04-13 16:12 26,112 --------- c:\windows\system32\stu2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 05:21 --------- d-----w c:\program files\GameHouse
2008-11-26 20:44 --------- d-----w c:\program files\Symantec
2008-11-26 20:44 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-26 19:14 --------- d-----w c:\program files\Shockwave.com
2008-11-26 19:01 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-26 18:59 --------- d-----w c:\program files\MySpace
2008-11-22 17:56 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-17 08:40 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-06-03 14:01 724,984 ----a-w c:\documents and settings\Owner\gotomypc_437.exe
2007-01-13 17:02 32 ----a-r c:\documents and settings\All Users\hash.dat
2006-11-28 23:50 563,712 ----a-w c:\documents and settings\Owner\gotomypc_370.exe
2008-08-11 03:36 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081020080811\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-09-13 4621816]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv50"= c:\windows\ir50_32.dll
"vidc.mpg4"= c:\windows\mpg4c32.dll
"vidc.mpg2"= c:\windows\mpg4c32.dll
"vidc.mpg3"= c:\windows\mpg4c32.dll
"vidc.MJPG"= c:\windows\m3jpeg32.dll
"vidc.dmb1"= c:\windows\m3jpeg32.dll
"vidc.GEOX"= c:\windows\system32\GeoCodec.dll
"vidc.GM20"= c:\windows\system32\GXGM20.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-11-27 02:04 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
-ra------ 2005-02-03 18:38 1851392 c:\program files\Support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"spkrmon"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-26 97928]
R1 NEOFLTR_550_12491;Juniper Networks TDI Filter Driver (NEOFLTR_550_12491);\??\c:\windows\system32\Drivers\NEOFLTR_550_12491.SYS [2007-12-25 64144]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-26 76040]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-26 875288]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-26 231704]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-02-11 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1549de56-b82b-11dd-9212-0011115ceff6}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5e13a39-242e-11db-90f7-0011115ceff6}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eade6503-c458-11dc-919b-0011115ceff6}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.albany-inn.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 22:23:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-13 22:27:18
ComboFix-quarantined-files.txt 2008-12-14 06:26:03
ComboFix2.txt 2008-12-12 05:22:13

Pre-Run: 26,922,360,832 bytes free
Post-Run: 26,990,141,440 bytes free

175 --- E O F --- 2008-12-09 23:35:16

[Angelfire777]

Hi,

Did you decide to keep viewpoint?


What kaspersky found were files inside combofix's quarantine so no need to worry about them.

Since you ran the kaspersky scan first, it found one file which combofix deleted when you ran it.


delete this file: c:\windows\system32\stu2.exe

let me know hows your computer running.

[Kibure]

I am doing this in the middle of a ton of other things (bosses seem to think that you can multi-task about 100 things at a time) thank you for the reminder about the viewpoint. The computer seems to be just fine now, the anti-virus and spy ware programs are updating just fine, and the pop ups have disappeared. Thanks so much for all the help!

[Angelfire777]

Quote:

(bosses seem to think that you can multi-task about 100 things at a time)

Tell me about it..

Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

And miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.

[Kibure]

I shall educate his children. Hopefully this is a mess that will not repeat itself. Thank you so much again! Everything is running beautifully.