Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Trojan/Spyware Issue - Need help for removal
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
Page 1 of 2 1 2
 
LinkBack Thread Tools
Old 07-29-2009, 11:21 AM   #1 (permalink)
Registered User
 
Join Date: Apr 2006
Location: New York
Posts: 49
OS: XP Media Center


Trojan/Spyware Issue - Need help for removal
Hello,

Two days ago my computer got infected by a nasty set of viruses/trojans.. they spready fairly quickly and I shut off my internet access very quickly after this happened.

I had numerous popups from AVG alerting me of the issue and though I quarantined the threats they did not go away and always seemed to come back.

The following infections are what AVG caught:

Generic14.LPC
Sheur2.ASYI
Win32/Cryptor
Agent2.ODD
Downloader.Generic8.BEKT
Small.AU
Generic14.DQM
FakeAlert.LJ

Also, from Malwarebytes I kept seeing a recurring instance of Taskman Backdoor.Bot which even after the other infections stopped showing up, that one would not go away.

I will include the nececssary logs now, and any support would be appreciated. Right now after attemps to remove it with my anti-virus and anti-spyware I lessened the threat, but there are still signs of infection.

_______________________________________________________________

DDS (Ver_09-06-26.01) - NTFSx86
Run by Matt at 12:13:06.35 on Wed 07/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.448 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DNA\btdna.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\clclean.0001
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Matt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\matt\startm~1\programs\startup\dropbox.lnk - d:\dropbox\Dropbox.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239573915953
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\6fymqytd.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: XUL Cache: {6CB4F533-289F-4C24-8E28-742C39E06A50} - c:\documents and settings\matt\local settings\application data\{6CB4F533-289F-4C24-8E28-742C39E06A50}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-12 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-12 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-12 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-12 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-28 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-12 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-28 7408]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2009-4-12 18432]
S4 SessionLauncher;SessionLauncher;c:\docume~1\matt\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\matt\locals~1\temp\dx9\SessionLauncher.exe [?]

=============== Created Last 30 ================

2009-07-29 12:06 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-29 11:52 219,648 a------- c:\windows\PEV.exe
2009-07-29 11:52 161,792 a------- c:\windows\SWREG.exe
2009-07-29 11:52 98,816 a------- c:\windows\sed.exe
2009-07-28 17:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-28 17:17 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-28 17:17 <DIR> --d----- c:\docume~1\matt\applic~1\SUPERAntiSpyware.com
2009-07-28 17:17 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-28 13:31 124,957 a------- C:\MGlogs.zip
2009-07-28 13:31 <DIR> --d----- C:\MGtools
2009-07-28 13:26 <DIR> --d----- c:\program files\CCleaner
2009-07-28 13:25 1,343,372 a------- C:\MGtools.exe
2009-07-28 11:28 66,048 ac------ c:\windows\system32\dllcache\s3legacy.dll
2009-07-28 10:34 <DIR> --d----- c:\docume~1\matt\applic~1\Malwarebytes
2009-07-28 10:34 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-28 10:34 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-28 10:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-28 10:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-28 01:46 120 a------- c:\windows\Lsowivul.dat
2009-07-18 14:31 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================

2009-07-18 11:05 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-24 11:47 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-28 00:43 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll

============= FINISH: 12:13:20.84 ===============


Also, one question.. when I have something quarantined or put into a virus vault, is it ever right to delete them from there? Does that delete it or just release it back into my computer?

Thanks for any help, I appreciate it.
Attached Files
File Type: zip Attach.zip (5.9 KB, 1 views)
Sonic_Death is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 08-01-2009, 09:48 AM   #2 (permalink)
Registered User
 
Join Date: Apr 2006
Location: New York
Posts: 49
OS: XP Media Center


Re: Trojan/Spyware Issue - Need help for removal
Bump..

I know its like an hour before 72 hours, I am not sure how strict you are on that.. I won't be home in an hour though, so I figured I would bump now.
Sonic_Death is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 11:44 AM   #3 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan/Spyware Issue - Need help for removal
Hello -

Do you have an open topic at Major Geeks forum? I see you've recently run their MGTools package. If so, and you're not receiving help there yet, please advise them that it will not be needed.

It appears as though you've run ComboFix.

A Reminder....

As seen in Post #2 of our sticky topic 'NEW INSTRUCTIONS Read this Before Posting For Malware Removal Help'
Quote:
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix
Please post the log located at C:\ComboFix.txt


Quote:
but there are still signs of infection.
What symptoms are still present?

Also....

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 12:05 PM   #4 (permalink)
Registered User
 
Join Date: Apr 2006
Location: New York
Posts: 49
OS: XP Media Center


Re: Trojan/Spyware Issue - Need help for removal
By signs of infection I mean that my scans with AVG and Malwarebytes do not come up completely clean. I have ran them several times the past few days, as well in safe mode. They are a lot cleaner than they were originally, but I occasionally get a few things that pop up.

It is definitely a bit better than it was originally though. When this first happened, whenever I would enable my internet access all of a sudden I would get warnings all over the place for 8 different viruses/trojans.


ComboFix 09-07-28.06 - Matt 07/29/2009 11:53.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.512 [GMT -4:00]
Running from: c:\documents and settings\Matt\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Matt\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Administrator\Application Data\bcrypt.html
c:\documents and settings\Matt\Application Data\bcrypt.html
c:\documents and settings\Matt\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\recycler\S-1-5-21-3193046689-1610522344-288601311-1340
c:\recycler\S-1-5-21-3193046689-1610522344-288601311-1340\Desktop.ini
c:\recycler\S-1-5-21-3193046689-1610522344-288601311-1340\msimfo32.exe
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\kb913800.exe
c:\windows\msa.exe
c:\windows\system32\braviax.exe
c:\windows\system32\Cache
c:\windows\system32\cru629.dat
c:\windows\system32\Data

c:\windows\system32\drivers\beep.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.

2009-07-29 15:26 . 2009-07-29 15:26 206460 ----a-w- C:\vattwgqs.exe
2009-07-29 15:26 . 2009-07-29 15:26 51200 ----a-w- C:\gxgrt.exe
2009-07-29 04:56 . 2009-07-29 04:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-28 21:23 . 2009-07-29 16:01 117760 ----a-w- c:\documents and settings\Matt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-28 21:22 . 2009-07-28 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-28 21:17 . 2009-07-28 21:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-28 21:17 . 2009-07-28 21:17 -------- d-----w- c:\documents and settings\Matt\Application Data\SUPERAntiSpyware.com
2009-07-28 21:17 . 2009-07-28 21:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-28 17:31 . 2009-07-28 17:34 124957 ----a-w- C:\MGlogs.zip
2009-07-28 17:31 . 2009-07-28 17:34 -------- d-----w- C:\MGtools
2009-07-28 17:26 . 2009-07-28 17:26 -------- d-----w- c:\program files\CCleaner
2009-07-28 17:25 . 2009-07-28 17:20 1343372 ----a-w- C:\MGtools.exe
2009-07-28 15:28 . 2001-08-17 18:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-07-28 14:34 . 2009-07-28 14:34 -------- d-----w- c:\documents and settings\Matt\Application Data\Malwarebytes
2009-07-28 14:34 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-28 14:34 . 2009-07-28 16:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-28 14:34 . 2009-07-28 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-28 14:34 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 05:46 . 2009-07-28 14:35 120 ----a-w- c:\windows\Lsowivul.dat
2009-07-28 05:33 . 2009-07-28 05:33 -------- d-----w- c:\documents and settings\Matt\Local Settings\Application Data\{6CB4F533-289F-4C24-8E28-742C39E06A50}
2009-07-18 18:31 . 2009-07-18 18:31 -------- d-----w- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-29 16:01 . 2009-06-01 22:42 -------- d-----w- c:\documents and settings\Matt\Application Data\Dropbox
2009-07-29 16:00 . 2009-04-13 04:19 -------- d-----w- c:\program files\DNA
2009-07-29 16:00 . 2009-04-13 04:19 -------- d-----w- c:\documents and settings\Matt\Application Data\DNA
2009-07-29 15:45 . 2009-04-13 04:19 -------- d-----w- c:\program files\BitTorrent
2009-07-29 05:01 . 2009-04-12 07:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-28 05:02 . 2009-04-12 07:20 -------- d-----w- c:\program files\SpywareBlaster
2009-07-27 03:47 . 2009-06-17 15:44 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-27 03:47 . 2009-06-17 15:43 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-27 03:47 . 2009-06-17 15:43 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-07-18 15:05 . 2009-04-12 07:28 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-17 04:56 . 2009-04-18 06:24 -------- d-----w- c:\program files\SpeedFan
2009-07-14 05:32 . 2009-04-13 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-07-14 05:32 . 2009-04-13 19:58 -------- d-----w- c:\documents and settings\Matt\Application Data\ZoomBrowser EX
2009-07-03 17:09 . 2006-03-04 03:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-24 15:47 . 2009-04-12 07:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-24 15:47 . 2009-04-12 07:28 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:36 . 2004-08-10 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 19:05 . 2009-06-14 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-13 16:15 . 2009-04-12 06:55 66936 ----a-w- c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 04:25 . 2009-04-12 21:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-13 04:22 . 2009-06-13 04:22 -------- d-----w- c:\program files\Common Files\Control Panels
2009-06-13 04:19 . 2009-06-13 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2009-06-13 04:07 . 2009-06-13 04:07 -------- d-----w- c:\program files\Bonjour
2009-06-13 03:59 . 2009-06-13 03:59 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-10 15:56 . 2009-04-12 07:14 -------- d-----w- c:\program files\Java
2009-06-10 15:55 . 2009-06-10 15:55 152576 ----a-w- c:\documents and settings\Matt\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 19:09 . 2004-08-10 11:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 02:58 . 2009-05-08 20:23 -------- d-----w- c:\documents and settings\Matt\Application Data\Roxio
2009-06-02 02:54 . 2009-04-12 21:05 -------- d-----w- c:\program files\Winamp
2009-05-28 04:43 . 2009-05-28 04:43 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-28 04:43 . 2009-04-13 04:12 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-21 15:33 . 2009-04-12 07:15 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-07 15:32 . 2004-08-10 11:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-02 05:53 . 2009-04-12 07:29 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-17 05:35 . 2009-04-12 07:15 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2009-07-29 15:26 30208 EDA5656314130CF7D3897CB3D09FA279 c:\windows\system32\dllcache\beep.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- d:\dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- d:\dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- d:\dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-04-13 321344]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-28 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-24 1948440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-02 520024]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-05-14 244208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2006-01-04 1355181]

c:\documents and settings\Matt\Start Menu\Programs\Startup\
Dropbox.lnk - d:\dropbox\Dropbox.exe [2009-4-8 25598505]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-24 15:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/12/2009 3:29 AM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/12/2009 3:28 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/12/2009 3:29 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/28/2009 10:53 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/12/2009 3:27 AM 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 7408]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [5/14/2008 10:32 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [5/14/2008 10:32 AM 166384]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [5/14/2008 10:31 AM 1120752]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [4/12/2009 6:10 PM 18432]
S4 SessionLauncher;SessionLauncher;c:\docume~1\Matt\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Matt\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 05:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\6fymqytd.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: XUL Cache: {6CB4F533-289F-4C24-8E28-742C39E06A50} - c:\documents and settings\Matt\Local Settings\Application Data\{6CB4F533-289F-4C24-8E28-742C39E06A50}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-29 12:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(2716)
c:\windows\system32\WININET.dll
d:\dropbox\DropboxExt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\docume~1\Matt\LOCALS~1\temp\clclean.0001
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-07-29 12:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-29 16:07

Pre-Run: 8,549,244,928 bytes free
Post-Run: 8,476,438,528 bytes free

310 --- E O F --- 2009-07-29 07:04



_______________


GooredFix by jpshortstuff (12.07.09)
Log created at 14:00 on 01/08/2009 (Matt)
Firefox version 3.5.1 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{6CB4F533-289F-4C24-8E28-742C39E06A50} -> Success!
Deleting C:\Documents and Settings\Matt\Local Settings\Application Data\{6CB4F533-289F-4C24-8E28-742C39E06A50} -> Success!

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [07:15 12/04/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [15:56 10/06/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox" [07:27 12/04/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [07:15 12/04/2009]

-=E.O.F=-



___________

There are no symptoms per se right now.. but I wanted to be as sure as I can that the infection is mostly gone. I have another computer that infected as well with the same thing because my brother accidentally used a flash drive on this computer and then plugged it in his. I am not sure if I have to make a separate thread or not for that computer.

Thanks for your help.
Sonic_Death is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 12:10 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan/Spyware Issue - Need help for removal
We can look at the other machine once we're done with this one. If you suspect it's infected, keep it offline as much as possible, and don't run any tools on it. It's easier for me to see raw logs, rather than logs from a machine that's had many attempts at removal before posting for help.

Not sure if these files are still present, if so, we should look at them

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    C:\vattwgqs.exe


  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat for the following files:

    • C:\gxgrt.exe
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 12:17 PM   #6 (permalink)
Registered User
 
Join Date: Apr 2006
Location: New York
Posts: 49
OS: XP Media Center


Re: Trojan/Spyware Issue - Need help for removal
I am sorry but I tried in both IE and Firefox. On the website I see the browse button to upload a file but I do not see a text box.
Sonic_Death is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 12:21 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan/Spyware Issue - Need help for removal
The place to paste the text is right next to the browse button. See the attached image.

In some browser versions, clicking on the Browse button opens an explorer-type window, you can copy/paste the file path into that
Attached Images
File Type: jpg VirusTotal_browse.jpg (29.2 KB, 3 views)
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 12:25 PM   #8 (permalink)
Registered User
 
Join Date: Apr 2006
Location: New York
Posts: 49
OS: XP Media Center


Re: Trojan/Spyware Issue - Need help for removal
When I type in the filepath in the explorer window I cannot hit enter because the file does not exist on my C: drive.

I tried for both of the filepaths you requested.
Sonic_Death is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 12:29 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan/Spyware Issue - Need help for removal
Please delete your existing version of ComboFix, download a new copy from one of the links below, run it according to the instructions, allowing the Windows Recovery console to be installed.

  1. Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 12:42 PM   #10 (permalink)
Registered User
 
Join Date: Apr 2006
Location: New York
Posts: 49
OS: XP Media Center


Re: Trojan/Spyware Issue - Need help for removal
Here is the new combofix log:

ComboFix 09-07-31.04 - Matt 08/01/2009 14:35.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.394 [GMT -4:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Matt\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Matt\Local Settings\temp\clclean.0001.dir.0000\~df394b.tmp

.
((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-07-29 04:56 . 2009-07-29 04:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-28 21:23 . 2009-08-01 17:59 117760 ----a-w- c:\documents and settings\Matt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-28 21:22 . 2009-07-28 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-28 21:17 . 2009-07-28 21:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-28 21:17 . 2009-07-28 21:17 -------- d-----w- c:\documents and settings\Matt\Application Data\SUPERAntiSpyware.com
2009-07-28 21:17 . 2009-07-28 21:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-28 17:31 . 2009-07-28 17:34 124957 ----a-w- C:\MGlogs.zip
2009-07-28 17:31 . 2009-07-28 17:34 -------- d-----w- C:\MGtools
2009-07-28 17:26 . 2009-07-28 17:26 -------- d-----w- c:\program files\CCleaner
2009-07-28 17:25 . 2009-07-28 17:20 1343372 ----a-w- C:\MGtools.exe
2009-07-28 15:28 . 2001-08-17 18:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-07-28 14:34 . 2009-07-28 14:34 -------- d-----w- c:\documents and settings\Matt\Application Data\Malwarebytes
2009-07-28 14:34 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-28 14:34 . 2009-07-28 16:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-28 14:34 . 2009-07-28 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-28 14:34 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 05:46 . 2009-07-28 14:35 120 ----a-w- c:\windows\Lsowivul.dat
2009-07-18 18:31 . 2009-07-18 18:31 -------- d-----w- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-01 17:58 . 2009-06-01 22:42 -------- d-----w- c:\documents and settings\Matt\Application Data\Dropbox
2009-07-29 15:45 . 2009-04-13 04:19 -------- d-----w- c:\program files\BitTorrent
2009-07-29 05:01 . 2009-04-12 07:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-28 05:02 . 2009-04-12 07:20 -------- d-----w- c:\program files\SpywareBlaster
2009-07-27 03:47 . 2009-06-17 15:44 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-27 03:47 . 2009-06-17 15:43 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-27 03:47 . 2009-06-17 15:43 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-07-18 15:05 . 2009-04-12 07:28 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-17 04:56 . 2009-04-18 06:24 -------- d-----w- c:\program files\SpeedFan
2009-07-14 05:32 . 2009-04-13 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-07-14 05:32 . 2009-04-13 19:58 -------- d-----w- c:\documents and settings\Matt\Application Data\ZoomBrowser EX
2009-07-03 17:09 . 2006-03-04 03:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-24 15:47 . 2009-04-12 07:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-24 15:47 . 2009-04-12 07:28 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:36 . 2004-08-10 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 19:05 . 2009-06-14 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-13 16:15 . 2009-04-12 06:55 66936 ----a-w- c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 04:25 . 2009-04-12 21:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-13 04:22 . 2009-06-13 04:22 -------- d-----w- c:\program files\Common Files\Control Panels
2009-06-13 04:19 . 2009-06-13 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2009-06-13 04:07 . 2009-06-13 04:07 -------- d-----w- c:\program files\Bonjour
2009-06-13 03:59 . 2009-06-13 03:59 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-10 15:56 . 2009-04-12 07:14 -------- d-----w- c:\program files\Java
2009-06-10 15:55 . 2009-06-10 15:55 152576 ----a-w- c:\documents and settings\Matt\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 19:09 . 2004-08-10 11:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-28 04:43 . 2009-05-28 04:43 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-28 04:43 . 2009-04-13 04:12 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-21 15:33 . 2009-04-12 07:15 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-07 15:32 . 2004-08-10 11:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-17 05:35 . 2009-04-12 07:15 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-29_16.01.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-01 17:57 . 2009-08-01 17:57 16384 c:\windows\temp\Perflib_Perfdata_58c.dat
+ 2009-04-12 06:51 . 2009-08-01 17:58 214837 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- d:\dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- d:\dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- d:\dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-28 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-24 1948440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-02 520024]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-05-14 244208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2006-01-04 1355181]

c:\documents and settings\Matt\Start Menu\Programs\Startup\
Dropbox.lnk - d:\dropbox\Dropbox.exe [2009-4-8 25598505]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-24 15:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/12/2009 3:29 AM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/12/2009 3:28 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/12/2009 3:29 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/28/2009 10:53 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/12/2009 3:27 AM 298776]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [5/14/2008 10:32 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [5/14/2008 10:32 AM 166384]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [5/14/2008 10:31 AM 1120752]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [4/12/2009 6:10 PM 18432]
S4 SessionLauncher;SessionLauncher;c:\docume~1\Matt\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Matt\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 05:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\6fymqytd.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 14:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2009-08-01 14:40
ComboFix-quarantined-files.txt 2009-08-01 18:40

Pre-Run: 8,590,012,416 bytes free
Post-Run: 8,545,947,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

247 --- E O F --- 2009-07-29 07:04
Sonic_Death is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 12:50 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan/Spyware Issue - Need help for removal
Looks good. Seems as though something already deleted those files I was asking about. Possibly malwarebytes' antimalware.

I'd like a fresh scan with mbam, please.

I see you have Malwarebytes' AntiMalware installed.

Please update it's definitions, and run a new Quick Scan.
  • Launch Malwarebytes' Antimalware
  • On the updates tab, click on Check for Updates
  • If an update is found, it will begin. Once the update is complete..
  • Click on the Scanner tab. Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

Also, please do this:

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l "%systemdrive%\beep.*" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.

Also....do you have a Windows XP installation CD?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 01:10 PM   #12 (permalink)
Registered User
 
Join Date: Apr 2006
Location: New York
Posts: 49
OS: XP Media Center


Re: Trojan/Spyware Issue - Need help for removal
Malwarebytes' Anti-Malware 1.39
Database version: 2541
Windows 5.1.2600 Service Pack 3

8/1/2009 3:07:52 PM
mbam-log-2009-08-01 (15-07-52).txt

Scan type: Quick Scan
Objects scanned: 98940
Time elapsed: 12 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



________________



----a-w- 30,208 2009-07-29 15:26:03 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 30,208 Blocks: 59



________________

I have an XP "Reinstallation DVD" which is all that Dell gave me when I requested the XP Install CD in the past.
Sonic_Death is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 01:22 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan/Spyware Issue - Need help for removal
One of the machine's Windows files was infected and deleted. There should be a copy to replace it with, but the command I had you run doesn't show it. We can replace it from a trusted external source if the backup is not present.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    removed
    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.


    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 01:33 PM   #14 (permalink)
Registered User
 
Join Date: Apr 2006
Location: New York
Posts: 49
OS: XP Media Center


Re: Trojan/Spyware Issue - Need help for removal
ComboFix 09-07-31.04 - Matt 08/01/2009 15:27.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.670 [GMT -4:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Matt\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Matt\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Matt\Local Settings\temp\clclean.0001.dir.0000\~df394b.tmp

.
((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-07-29 04:56 . 2009-07-29 04:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-28 21:22 . 2009-07-28 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-28 21:17 . 2009-08-01 19:23 -------- d-----w- c:\documents and settings\Matt\Application Data\SUPERAntiSpyware.com
2009-07-28 21:17 . 2009-08-01 19:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-28 17:31 . 2009-07-28 17:34 124957 ----a-w- C:\MGlogs.zip
2009-07-28 17:31 . 2009-07-28 17:34 -------- d-----w- C:\MGtools
2009-07-28 17:26 . 2009-07-28 17:26 -------- d-----w- c:\program files\CCleaner
2009-07-28 17:25 . 2009-07-28 17:20 1343372 ----a-w- C:\MGtools.exe
2009-07-28 15:28 . 2001-08-17 18:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-07-28 14:34 . 2009-07-28 14:34 -------- d-----w- c:\documents and settings\Matt\Application Data\Malwarebytes
2009-07-28 14:34 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-28 14:34 . 2009-07-28 16:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-28 14:34 . 2009-07-28 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-28 14:34 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 05:46 . 2009-07-28 14:35 120 ----a-w- c:\windows\Lsowivul.dat
2009-07-18 18:31 . 2009-07-18 18:31 -------- d-----w- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-01 19:22 . 2009-04-12 07:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-01 19:22 . 2009-04-12 07:20 -------- d-----w- c:\program files\SpywareBlaster
2009-08-01 18:45 . 2009-06-01 22:42 -------- d-----w- c:\documents and settings\Matt\Application Data\Dropbox
2009-07-29 15:45 . 2009-04-13 04:19 -------- d-----w- c:\program files\BitTorrent
2009-07-27 03:47 . 2009-06-17 15:44 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-27 03:47 . 2009-06-17 15:43 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-27 03:47 . 2009-06-17 15:43 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-07-18 15:05 . 2009-04-12 07:28 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-17 04:56 . 2009-04-18 06:24 -------- d-----w- c:\program files\SpeedFan
2009-07-14 05:32 . 2009-04-13 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-07-14 05:32 . 2009-04-13 19:58 -------- d-----w- c:\documents and settings\Matt\Application Data\ZoomBrowser EX
2009-07-03 17:09 . 2006-03-04 03:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-24 15:47 . 2009-04-12 07:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-24 15:47 . 2009-04-12 07:28 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:36 . 2004-08-10 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 19:05 . 2009-06-14 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-13 16:15 . 2009-04-12 06:55 66936 ----a-w- c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 04:25 . 2009-04-12 21:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-13 04:22 . 2009-06-13 04:22 -------- d-----w- c:\program files\Common Files\Control Panels
2009-06-13 04:19 . 2009-06-13 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2009-06-13 04:07 . 2009-06-13 04:07 -------- d-----w- c:\program files\Bonjour
2009-06-13 03:59 . 2009-06-13 03:59 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-10 15:56 . 2009-04-12 07:14 -------- d-----w- c:\program files\Java
2009-06-10 15:55 . 2009-06-10 15:55 152576 ----a-w- c:\documents and settings\Matt\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 19:09 . 2004-08-10 11:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-28 04:43 . 2009-05-28 04:43 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-28 04:43 . 2009-04-13 04:12 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-21 15:33 . 2009-04-12 07:15 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-07 15:32 . 2004-08-10 11:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-17 05:35 . 2009-04-12 07:15 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.


((((((((((((((((((((((((((((( SnapShot@2009-07-29_16.01.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-01 18:44 . 2009-08-01 18:44 16384 c:\windows\temp\Perflib_Perfdata_194.dat
+ 2009-04-12 06:51 . 2009-08-01 18:44 214847 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- d:\dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- d:\dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- d:\dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-24 1948440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-02 520024]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-05-14 244208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2006-01-04 1355181]

c:\documents and settings\Matt\Start Menu\Programs\Startup\
Dropbox.lnk - d:\dropbox\Dropbox.exe [2009-4-8 25598505]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-24 15:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/12/2009 3:29 AM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/12/2009 3:28 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/12/2009 3:29 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/12/2009 3:27 AM 298776]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [5/14/2008 10:32 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [5/14/2008 10:32 AM 166384]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [5/14/2008 10:31 AM 1120752]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [4/12/2009 6:10 PM 18432]
S4 SessionLauncher;SessionLauncher;c:\docume~1\Matt\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Matt\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - SASENUM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 05:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\6fymqytd.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 15:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2009-08-01 15:31
ComboFix-quarantined-files.txt 2009-08-01 19:31
ComboFix2.txt 2009-08-01 18:40

Pre-Run: 8,603,103,232 bytes free
Post-Run: 8,559,468,544 bytes free

276 --- E O F --- 2009-07-29 07:04
Sonic_Death is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 01:41 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan/Spyware Issue - Need help for removal
Download and SAVE the attached file, extract it to it's own folder.

Execute the fix.cmd file within by double clicking on it. A command window will open and close quickly, this is expected.

Next, please run this PEV command once again.

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l "%systemdrive%\beep.*" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.
Attached Files
File Type: zip fix.zip (2.2 KB, 3 views)
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 01:44 PM   #16 (permalink)
Registered User
 
Join Date: Apr 2006
Location: New York
Posts: 49
OS: XP Media Center


Re: Trojan/Spyware Issue - Need help for removal
----a-w- 4,224 2003-03-31 12:00:00 C:\Documents and Settings\Matt\Desktop\Fix\beep.sys
----a-w- 30,208 2009-07-29 15:26:03 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir
-c--a-w- 4,224 2003-03-31 12:00:00 C:\WINDOWS\system32\dllcache\beep.sys
----a-w- 4,224 2003-03-31 12:00:00 C:\WINDOWS\system32\drivers\beep.sys

Entries: 4 (4)
Directories: 0 Files: 4
Bytes: 42,880 Blocks: 86
Sonic_Death is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 01:46 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan/Spyware Issue - Need help for removal
Great. You can delete the fix.zip folders now.

I'd like to see a bit more information.

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 01:48 PM   #18 (permalink)
Registered User
 
Join Date: Apr 2006
Location: New York
Posts: 49
OS: XP Media Center


Re: Trojan/Spyware Issue - Need help for removal
Ad-Aware
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe After Effects CS3 Presets
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 9.1.2
Adobe Setup
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
AOL Instant Messenger
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG 8.5
Bluetooth Stack for Windows by Toshiba
Broadcom 440x 10/100 Integrated Controller
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
Choice Guard
Combined Community Codec Pack 2008-09-21 16:18
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen Vision M
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
DirectXInstallService
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
Dropbox
Guitar Pro 5.2
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) PROSet/Wireless Software
Java(TM) 6 Update 14
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
Messenger Plus! Live
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Mozilla Firefox (3.5.1)
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
mWlsSafe
mWMI
mZConfig
PDF Settings
PowerDVD 5.5
PowerISO
Roxio Activation Module
Roxio CinePlayer Decoder Pack
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator Premier
Roxio Creator Premier 10
Roxio Creator Tools
Roxio Express Labeler
Roxio Update Manager
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Segoe UI
SigmaTel Audio
Sonic Encoders
Sound Blaster ADVANCED MB Drivers
Sound Blaster Audigy ADVANCED MB
SpeedFan (remove only)
SpywareBlaster 4.2
Steinberg Cubase LE 4
Synaptics Pointing Device Driver
Syncrosoft License Control
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC80CRTRedist - 8.0.50727.762
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Winamp (remove only)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinRAR archiver
WinZip 12.0
Sonic_Death is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 01:51 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan/Spyware Issue - Need help for removal
Good.

Please run this online scan to help look for remnants. It may take an hour or more.

Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-01-2009, 02:45 PM   #20 (permalink)
Registered User
 
Join Date: Apr 2006
Location: New York
Posts: 49
OS: XP Media Center


Re: Trojan/Spyware Issue - Need help for removal
Ever since I originally ran ComboFix my computer has seemed okay. It is running smoothly and doesn't appear to have any issues. I just really wanted to make sure there was no lingering infection anywhere and that I had removed all the issues I could:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=6fa8316eb0d4c74a88db912435a603d1
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-01 08:41:20
# local_time=2009-08-01 04:41:20 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 37 83 95 12297631718750
# scanned=103432
# found=6
# cleaned=0
# scan_time=2397
C:\MGtools\Process.exe Win32/PrcView application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-3193046689-1610522344-288601311-1340\msimfo32.exe.vir Win32/Peerfrag.DA worm 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir a variant of Win32/Kryptik.AAL trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir a variant of Win32/Kryptik.ABB trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\braviax.exe.vir a variant of Win32/Kryptik.AAL trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir a variant of Win32/UltimateDefender.A trojan 00000000000000000000000000000000 I
Sonic_Death is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 
Page 1 of 2 1 2

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 04:36 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85