hjt log


25 replies to this topic

#1 thomast77

    Member

  • Full Member
  • 19 posts

Posted 08 December 2010 - 02:28 AM

Could someone comment on my log? Thank you :) Edited to update the scan log. I have some suspicious internet traffic on this computer. I am not sure where it is coming from.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:04:11 PM, on 12/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\PROGRA~1\SIMETE~1\SiMeter.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [Si Meter] C:\PROGRA~1\SIMETE~1\SiMeter.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" -automount
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1291107555781
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6964 bytes

Edited by thomast77, 10 December 2010 - 08:06 PM.


#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,533 posts

Posted 10 December 2010 - 02:34 PM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#3 thomast77

    Member

  • Full Member
  • 19 posts

Posted 11 December 2010 - 05:39 PM

Do you still troubleshoot here?? This place used to be the place to go for HJT logs. Anyone here?

EDIT: Our helpers are all volunteers and have lives offline to live... They work as quickly as they can to help as many people as they can, but a wait of 3 days or more is not unusual... Since you posted in the "Not getting help" topic, someone will be around to help you when he/she has time... It does NOT help to bump your topic since our helpers don't rely on the list of recent posts to determine who to help... They typically help the people who have waited the longest and if you keep bumping your post, it will look like you haven't been waiting at all... Please have patience... Thank you...

Edited by Budfred, 11 December 2010 - 11:13 PM.


#4 thomast77

    Member

  • Full Member
  • 19 posts

Posted 12 December 2010 - 01:12 AM

Do you still troubleshoot here?? This place used to be the place to go for HJT logs. Anyone here?

EDIT: Our helpers are all volunteers and have lives offline to live... They work as quickly as they can to help as many people as they can, but a wait of 3 days or more is not unusual... Since you posted in the "Not getting help" topic, someone will be around to help you when he/she has time... It does NOT help to bump your topic since our helpers don't rely on the list of recent posts to determine who to help... They typically help the people who have waited the longest and if you keep bumping your post, it will look like you haven't been waiting at all... Please have patience... Thank you...

OK, thanks for the reply :)
I have made some changes, so I am going to add a new log below.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:10:20 AM, on 12/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\SIMETE~1\SiMeter.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [Si Meter] C:\PROGRA~1\SIMETE~1\SiMeter.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1291107555781
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6469 bytes

#5 duckfeet

    Forum Deity

  • Retired Staff
  • 1,451 posts

Posted 12 December 2010 - 01:35 AM

Hi, thomast77, I'm duckfeet and will be helping you.

I'm not seeing anything suspicious on your HijackThis log, please run the following scans:

------------

Please download Malwarebytes' Anti-Malware from here
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the Update tab and click the "Check for updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • Save this log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Please reboot the computer.

-----------

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information.

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.

Please post the contents of the DDS.txt log in your next reply. We need it to diagnose and fix malware problems - we may ask for Attach.txt later.

----------

Download Security Check by screen317 from here
>>> Please double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt. Please copy and paste its contents into your next reply.

-------

In your next reply, please post
  • MBAM log
  • DDS.txt
  • checkup.txt
...and let me know what problems, if any, remain.

Edited by duckfeet, 12 December 2010 - 01:36 AM.

My help is free. However, Donations in support of this website are always appreciated!
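As an added illustration of how a helper reads the R/O sections of a HijackThis log like the ones posted above, here is a small triage script (example code written for this page; it is not HijackThis's own tooling and not duckfeet's method). It runs over constructed sample lines in the same v2.0.x format; the O1 Hosts line is hypothetical, and the trusted-host list and the flags it raises are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis v2.0.x format: a handful of lines shaped like
# the ones in this thread, plus one hypothetical O1 (Hosts) line so that check runs.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 127.0.0.1 www.spywareinfo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
"""

# Every HJT entry starts with a section code (R0, R1, O2, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# O4 bodies look like "HKLM\..\Run: [Name] command line".
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")

# Assumption: hosts a reviewer accepts for R0/R1 start page / search page values.
TRUSTED_URL_HOSTS = ("microsoft.com", "google.com")


@dataclass
class Entry:
    section: str
    body: str


def parse_hjt(text: str) -> list[Entry]:
    """Keep only lines that carry a section code; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def url_is_trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_URL_HOSTS)


def run_target(cmd: str) -> str:
    """Executable part of an O4 command line: the quoted path, or the whole unquoted string."""
    return cmd.split('"')[1] if cmd.startswith('"') else cmd.strip()


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (section, note) pairs for entries a reviewer would look at twice."""
    findings = []
    for e in entries:
        if "(file missing)" in e.body:
            findings.append((e.section, "target file missing: orphaned entry, harmless but removable"))
        elif e.section in ("R0", "R1"):
            # The value after " = " is a URL for start/search pages; ProxyOverride is not.
            value = e.body.split(" = ", 1)[1] if " = " in e.body else ""
            if value.lower().startswith("http") and not url_is_trusted(value):
                findings.append((e.section, f"browser start/search URL outside trusted hosts: {value}"))
        elif e.section == "O1":
            findings.append((e.section, f"Hosts file override: {e.body.split(': ', 1)[1]}"))
        elif e.section == "O4":
            m = RUN_RE.search(e.body)
            if m and "\\" not in run_target(m["cmd"]):
                # A bare file name is resolved through the PATH search order, so only the
                # on-disk location proves which copy runs (RTHDCPL.EXE is the Realtek audio panel).
                findings.append((e.section, f"autorun '{m['name']}' has no path: {m['cmd']}"))
        elif e.section == "O23" and " - Unknown owner - " in e.body:
            findings.append((e.section, "service binary has no publisher info: check signature and path"))
    return findings


if __name__ == "__main__":
    for section, note in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:4} {note}")
```

Everything it flags still needs a human decision; on this thread's log the only hits would be stale "(file missing)" buttons and a driver service without publisher data, which is consistent with duckfeet's reading.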

#6 thomast77

    Member

  • Full Member
  • 19 posts

Posted 13 December 2010 - 11:45 PM

Hi, thomast77, I'm duckfeet and will be helping you.

In your next reply, please post

  • MBAM log
  • DDS.txt
  • checkup.txt
...and let me know what problems, if any, remain.


At first DDS was not producing a log so I disabled AVG, SuperAntiSpyware and Spybot S&D. A log was then produced after running DDS a second time. Ok here we go:


Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5309

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/13/2010 10:57:53 PM
mbam-log-2010-12-13 (22-57-47).txt

Scan type: Full scan (C:\|)
Objects scanned: 181314
Time elapsed: 11 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
I believe this is because I disabled automatic Windows updates, so I disabled the notify option in the Security Center.
Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




DDS (Ver_10-12-12.02) - NTFSx86
Run by thomast77 at 23:05:58.43 on Mon 12/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1410 [GMT -6:00]

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\PROGRA~1\SIMETE~1\SiMeter.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\thomast77\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Si Meter] c:\progra~1\simete~1\SiMeter.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe" -H
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1291107555781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thomast77\applic~1\mozilla\firefox\profiles\rnw5bwlk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - http://www.google.com/
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: AVG Security Toolbar em:version=6.010.023.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Add to Search Bar: add-to-searchbox@maltekraus.de - %profile%\extensions\add-to-searchbox@maltekraus.de
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: Statusbar Date(): statusbardate@webspirited.com - %profile%\extensions\statusbardate@webspirited.com
FF - Ext: Nightly Tester Tools: {8620c15f-30dc-4dba-a131-7c5d20cf4a29} - %profile%\extensions\{8620c15f-30dc-4dba-a131-7c5d20cf4a29}
FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-11-30 19056]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-11-30 517448]

=============== Created Last 30 ================

2010-12-13 12:58:00 -------- d-----w- c:\program files\IsoBuster
2010-12-12 07:48:38 -------- d-----w- c:\docume~1\thomast77\applic~1\SUPERAntiSpyware.com
2010-12-12 07:48:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-12 07:48:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-11 09:11:25 -------- d-----w- c:\docume~1\thomast77\locals~1\applic~1\Supremus Corporation
2010-12-11 09:11:16 -------- d-----w- c:\program files\Windows Updates Downloader
2010-12-11 05:25:56 -------- d-----w- C:\RegBack
2010-12-11 01:10:14 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{6c6ce863-7003-4304-b4ae-ec4d268b2710}\mpengine.dll
2010-12-10 13:56:45 -------- d-----w- c:\program files\Marxio File Checksum Verifier
2010-12-10 13:52:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Karen's Power Tools
2010-12-10 12:10:46 -------- d-----w- c:\program files\FileZilla-3.3.5.1
2010-12-10 12:08:14 -------- d-sh--w- c:\documents and settings\thomast77\IECompatCache
2010-12-10 11:24:04 -------- d-----w- c:\docume~1\thomast77\locals~1\applic~1\Help
2010-12-10 11:15:20 -------- d-----w- c:\program files\EA Games
2010-12-10 11:08:18 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-12-10 11:06:57 -------- d-----w- c:\docume~1\thomast77\applic~1\DAEMON Tools Lite
2010-12-10 11:06:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2010-12-10 08:07:35 -------- d--h--w- C:\$AVG
2010-12-10 06:15:18 -------- d-----w- c:\program files\MS Virtual CD
2010-12-10 06:12:42 8576 ----a-w- c:\windows\system32\drivers\VCdRom.sys
2010-12-10 05:14:01 -------- d-----w- c:\program files\SlySoft
2010-12-10 04:20:31 436792 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-12-09 10:31:17 -------- d-----w- c:\program files\nLite
2010-12-09 03:34:23 -------- d-----w- c:\program files\gBurner
2010-12-08 20:43:26 12800 ----a-w- c:\program files\mozilla firefox\plugins\npwachk.dll
2010-12-08 10:52:27 -------- d-----w- c:\program files\Stinger
2010-12-08 08:38:31 -------- d-----w- c:\program files\HJT
2010-12-08 06:06:54 -------- d-----w- c:\program files\Rootreveal
2010-12-08 04:41:13 -------- d-----w- c:\docume~1\thomast77\applic~1\DVDFab
2010-12-05 12:30:40 -------- d-----w- c:\documents and settings\thomast77\.thumbnails
2010-12-05 12:28:57 -------- d-----w- c:\documents and settings\thomast77\.gimp-2.2
2010-12-04 01:41:08 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\backup\mpengine.dll
2010-12-04 01:41:06 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-04 00:20:12 -------- d-----w- c:\docume~1\thomast77\locals~1\applic~1\Ahead
2010-12-03 22:50:08 5504 ------w- c:\windows\system32\drivers\imagedrv.sys
2010-12-03 22:50:08 125184 ------w- c:\windows\system32\drivers\imagesrv.sys
2010-12-03 22:49:53 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2010-12-03 22:49:52 476320 ------w- c:\windows\system32\ImagXpr7.dll
2010-12-03 22:49:52 471040 ------w- c:\windows\system32\ImagXRA7.dll
2010-12-03 22:49:52 262144 ------w- c:\windows\system32\ImagXR7.dll
2010-12-03 22:49:52 1568768 ------w- c:\windows\system32\ImagX7.dll
2010-12-03 22:49:52 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2010-12-03 10:57:21 87608 ----a-w- c:\docume~1\thomast77\applic~1\inst.exe
2010-12-03 10:57:21 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-12-03 10:57:21 47360 ----a-w- c:\docume~1\thomast77\applic~1\pcouffin.sys
2010-12-03 10:57:14 -------- d-----w- c:\program files\DVDFab 8
2010-12-03 10:54:51 -------- d-----w- c:\program files\DAMN NFO Viewer
2010-12-03 08:29:18 -------- d-----w- c:\program files\Bakers Calc
2010-12-03 08:24:44 -------- d-----w- c:\program files\Jellyfish 3.5
2010-12-02 06:00:24 -------- d-----w- c:\docume~1\thomast77\applic~1\Malwarebytes
2010-12-02 06:00:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-02 06:00:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-02 06:00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-02 06:00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-02 05:26:13 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-12-02 05:26:12 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-12-02 05:26:09 -------- d-----w- c:\windows\Logs
2010-12-02 05:26:01 -------- d-----w- c:\program files\Winamp Detect
2010-12-02 05:18:47 -------- d-----w- c:\docume~1\thomast77\locals~1\applic~1\Apple
2010-12-02 05:18:25 -------- d-----w- c:\program files\Bonjour
2010-12-02 05:16:58 -------- d-----w- c:\docume~1\thomast77\locals~1\applic~1\Apple Computer
2010-12-02 05:15:33 -------- d-----w- c:\docume~1\thomast77\applic~1\Mp3tag
2010-12-02 05:15:27 -------- d-----w- c:\program files\Mp3tag
2010-12-02 05:11:19 -------- d-----w- c:\program files\Canon
2010-12-02 05:11:17 303104 ----a-w- c:\windows\system32\CNC560L.dll
2010-12-02 05:11:17 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2010-12-02 05:11:17 1310720 ----a-w- c:\windows\system32\CNC560C.dll
2010-12-02 05:11:17 110592 ----a-w- c:\windows\system32\CNC560I.dll
2010-12-02 05:11:17 106496 ----a-w- c:\windows\system32\CNC560U.dll
2010-12-02 05:10:55 353792 ----a-w- c:\windows\system32\CNMNPPM.DLL
2010-12-02 05:10:55 137216 ----a-w- c:\windows\system32\CNMNPUI.DLL
2010-12-02 05:10:55 -------- d-----w- c:\windows\system32\STRING
2010-12-02 05:10:55 -------- d-----w- c:\windows\system32\CHM
2010-12-02 05:10:39 70656 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPPA0.DLL
2010-12-02 05:10:39 27648 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPDA0.DLL
2010-12-02 05:10:38 272384 ----a-w- c:\windows\system32\CNMLMA0.DLL
2010-12-02 05:10:35 178176 ----a-w- c:\windows\system32\CNMIUA0.DLL
2010-12-02 05:09:26 -------- d-----w- c:\program files\Unlocker
2010-12-02 04:47:40 -------- d-----w- c:\program files\uTorrent
2010-12-02 04:47:01 -------- d-----w- c:\docume~1\thomast77\applic~1\uTorrent
2010-12-02 04:43:18 528384 ------w- c:\windows\system32\BladeEnc.dll
2010-12-02 04:43:18 120832 ------w- c:\windows\system32\ShnDll32.dll
2010-12-02 04:43:18 -------- d-----w- c:\program files\Michael K. Weise
2010-12-02 04:42:49 315904 ----a-w- c:\windows\IsUninst.exe
2010-12-02 04:42:48 -------- d-----w- c:\documents and settings\thomast77\WINDOWS
2010-12-02 04:41:57 -------- d-----w- c:\program files\FLAC
2010-12-02 01:42:16 -------- d-----w- c:\program files\GIMPshop
2010-12-01 11:22:04 25840 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2010-12-01 11:22:04 24816 ----a-w- c:\windows\system32\mdimon.dll
2010-12-01 11:21:13 -------- d-----w- c:\windows\SHELLNEW
2010-12-01 11:21:09 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-12-01 11:03:19 -------- d-----w- c:\windows\Downloaded Installations
2010-12-01 11:01:51 266360 ----a-w- c:\windows\system32\TweakUI.exe
2010-12-01 08:18:02 -------- d--h--w- c:\windows\PIF
2010-12-01 06:16:01 -------- d-----w- c:\program files\VideoLAN
2010-12-01 06:03:30 -------- d-----w- c:\program files\CCleaner
2010-12-01 05:49:23 -------- d-----w- c:\docume~1\thomast77\locals~1\applic~1\AVG Security Toolbar
2010-12-01 05:36:06 -------- d-----w- c:\program files\Si Meter
2010-12-01 05:32:23 -------- d-----w- c:\docume~1\thomast77\applic~1\AVG10
2010-12-01 05:27:24 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-01 05:27:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-12-01 05:26:42 -------- d-----w- c:\windows\system32\drivers\AVG
2010-12-01 05:26:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-01 05:26:29 -------- d-----w- c:\program files\AVG
2010-12-01 05:19:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-01 05:13:06 -------- d-----w- c:\program files\PeerBlock
2010-11-30 23:00:11 -------- d-----w- c:\docume~1\thomast77\applic~1\Foxit Software
2010-11-30 22:59:32 -------- d-----w- c:\program files\Foxit Software
2010-11-30 22:55:03 -------- d-----w- c:\program files\Paint.NET
2010-11-30 22:55:00 -------- d-----w- c:\docume~1\thomast77\locals~1\applic~1\Paint.NET
2010-11-30 22:51:57 987904 ----a-r- c:\windows\system32\drivers\HSF_DPV.sys
2010-11-30 22:51:57 731136 ----a-r- c:\windows\system32\drivers\HSF_CNXT.sys
2010-11-30 22:51:57 268032 ----a-r- c:\windows\system32\drivers\HSFHWBS2.sys
2010-11-30 22:51:57 212992 ----a-r- c:\windows\system32\UCI32M19.dll
2010-11-30 22:51:57 -------- d-----w- c:\program files\CONEXANT
2010-11-30 22:49:48 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-11-30 11:42:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-30 11:42:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-11-30 11:25:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-30 11:25:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-30 11:25:19 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-11-30 10:13:19 -------- d-----w- c:\windows\system32\XPSViewer
2010-11-30 10:13:08 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-11-30 10:13:03 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-11-30 10:13:03 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-11-30 10:13:03 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-11-30 10:13:03 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-11-30 10:13:03 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-11-30 10:13:03 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-11-30 10:13:03 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-11-30 10:13:03 117760 ------w- c:\windows\system32\prntvpt.dll
2010-11-30 10:11:53 -------- d-----w- c:\docume~1\thomast77\locals~1\applic~1\Identities
2010-11-30 10:11:51 -------- d-----w- c:\docume~1\thomast77\applic~1\Windows Desktop Search
2010-11-30 10:11:36 -------- d-----w- c:\windows\system32\GroupPolicy
2010-11-30 10:11:36 -------- d-----w- c:\program files\Windows Desktop Search
2010-11-30 10:11:22 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-11-30 10:11:22 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-11-30 10:11:22 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-11-30 09:58:24 -------- d-----w- c:\docume~1\thomast77\locals~1\applic~1\ATI
2010-11-30 09:43:02 -------- d-----w- c:\docume~1\thomast77\locals~1\applic~1\ApplicationHistory
2010-11-30 09:37:45 -------- d-----w- c:\program files\Windows Media Connect 2
2010-11-30 09:37:04 -------- d-----w- c:\windows\system32\LogFiles
2010-11-30 09:36:11 -------- d-----w- c:\windows\system32\URTTemp
2010-11-30 09:21:12 -------- d-sh--w- c:\documents and settings\thomast77\PrivacIE
2010-11-30 09:17:50 -------- d-sh--w- c:\documents and settings\thomast77\IETldCache
2010-11-30 09:12:27 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-11-30 09:12:10 -------- d-----w- c:\windows\ie8updates
2010-11-30 09:12:05 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-11-30 09:12:05 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-11-30 09:12:05 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-11-30 09:12:05 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-11-30 09:12:05 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-11-30 09:12:05 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-11-30 09:12:05 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-11-30 09:11:52 -------- dc-h--w- c:\windows\ie8
2010-11-30 09:08:09 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2010-11-30 09:07:55 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-11-30 09:07:55 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-11-30 09:07:18 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-11-30 09:06:44 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-11-30 09:06:40 357248 -c----w- c:\windows\system32\dllcache\srv.sys
2010-11-30 09:06:25 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-11-30 09:05:39 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-11-30 09:05:05 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-11-30 09:05:05 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-11-30 09:05:01 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-11-30 09:04:07 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-11-30 09:01:56 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-11-30 09:01:54 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-11-30 09:01:34 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-11-30 09:01:32 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-11-30 09:01:07 -------- d-----w- c:\windows\system32\PreInstall

==================== Find3M ====================

2010-11-30 08:45:02 319488 ----a-w- c:\windows\HideWin.exe
2010-11-17 05:41:00 323624 ----a-w- c:\windows\system32\wiaaut.dll
2010-10-07 18:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 18:23:02 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 18:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 18:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-09-18 18:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

============= FINISH: 23:06:23.23 ===============




Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG 2011
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 22
Out of date Java installed!
Adobe Flash Player 10.1.102.64
Mozilla Firefox (3.6.13) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


Thank you for taking a look at this for me. I greatly appreciate it.

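The DDS listing above is the kind of output in which the helper later spots inst.exe sitting in Application Data. As an added example (not a tool used in this thread), the following Python script parses lines in that listing format and flags executables worth submitting to a multi-engine scanner: files written under a user's Application Data or Local Settings, executables with the hidden attribute, and files that duplicate the name and size of something in system32. The sample lines are copied from the log above; the flagging rules, the markers and every function name are this example's own assumptions, not part of DDS or HijackThis.

```python
"""Triage helper for DDS/HijackThis-style "Files Created" listings.

Added example for illustration; not a tool from this thread. The sample lines are
copied from the DDS log posted above; the heuristics are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# One listing line: date, time, size (or "--------" for a directory), an
# 8-character attribute field (d=directory, c=dllcache copy, s=system,
# h=hidden, a=archive, r=read-only, w=writable) and the path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[A-Za-z-]{8}) (?P<path>.+)$"
)

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl", ".ocx"}
# Profile data directories as DDS prints them (8.3 short names) and in long form.
APPDATA_MARKERS = ("\\applic~1\\", "\\application data\\",
                   "\\locals~1\\", "\\local settings\\")
SYSTEM_MARKERS = ("\\windows\\system32\\",)


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_executable(self) -> bool:
        dot = self.name.rfind(".")
        return not self.is_dir and dot != -1 and self.name[dot:] in EXEC_EXT


def parse(lines: Iterable[str]) -> List[Entry]:
    """Parse listing lines; headers, blanks and other non-matching lines are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"].lower()))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, reasons) for every executable that deserves a second look."""
    # Index system32 executables by (file name, size) to spot copies elsewhere.
    system_files: Dict[Tuple[str, Optional[int]], Entry] = {
        (e.name, e.size): e
        for e in entries
        if e.is_executable and any(mk in e.path for mk in SYSTEM_MARKERS)
    }
    flagged = []
    for e in entries:
        if not e.is_executable:
            continue
        reasons = []
        if any(mk in e.path for mk in APPDATA_MARKERS):
            reasons.append("executable written under a user-writable profile data directory")
        if e.hidden:
            reasons.append("hidden attribute set")
        twin = system_files.get((e.name, e.size))
        if twin is not None and twin is not e:
            reasons.append(f"same name and size as {twin.path}")
        if reasons:
            flagged.append((e, reasons))
    return flagged


SAMPLE_LINES = [  # copied from the DDS listing posted above
    r"2010-12-10 12:08:14 -------- d-sh--w- c:\documents and settings\thomast77\IECompatCache",
    r"2010-12-04 01:41:08 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\backup\mpengine.dll",
    r"2010-12-03 10:57:21 87608 ----a-w- c:\docume~1\thomast77\applic~1\inst.exe",
    r"2010-12-03 10:57:21 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys",
    r"2010-12-03 10:57:21 47360 ----a-w- c:\docume~1\thomast77\applic~1\pcouffin.sys",
    r"2010-12-02 06:00:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys",
]

if __name__ == "__main__":
    for entry, reasons in triage(parse(SAMPLE_LINES)):
        print(f"{entry.date} {entry.time} {entry.size:>8} {entry.path}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the sample lines the script lists three candidates: the Defender definition engine (a known false positive of the location rule, which is why the output is a list for a human to hash-check, not a verdict), inst.exe, and the Application Data copy of pcouffin.sys, which additionally matches the name and size of the driver in system32\drivers. Submitting the flagged files to a scanner such as the one duckfeet asked for is the natural next step.
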
#7 duckfeet

duckfeet

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 1,451 posts

Posted 14 December 2010 - 01:09 PM

Hi thomast77 ...

Please download ComboFix.exe. Visit this webpage for download links, and instructions for running the tool:
how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Due to recent changes in AVG antivirus and how it interacts with CF, AVG must be uninstalled to run ComboFix. You will get a message from CF stating such.

If AVG will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. The AVG uninstaller can be downloaded from here: AppRemover.exe. Go to their home page and you will see they have support for removal of other AVs as well as AVG (AVG appremover tool): http://www.appremover.com

Edited by duckfeet, 14 December 2010 - 01:19 PM.

My help is free. However, Donations in support of this website are always appreciated!

#8 thomast77

thomast77

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 14 December 2010 - 04:08 PM

Hi, thank you duckfeet for the reply. Did you find anything in the scans I provided? I looked at the ComboFix page and it looks like I will have to completely remove AVG? And disable some other programs. If so I will do that tonight sometime.
Thanks
Thomas

#9 duckfeet

duckfeet

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 1,451 posts

Posted 14 December 2010 - 08:43 PM


Hi Thomas,
If you haven't already run ComboFix, please submit the file in c:\Documents and settings\thomast77\Application Data\inst.exe to the following link for a scan, then post the results in your next message for me to see.
Jotti's malware scan

If you've already run CF, just submit that log... (sorry about the late edit.)

Edited by duckfeet, 14 December 2010 - 10:28 PM.


#10 thomast77

thomast77

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 14 December 2010 - 11:30 PM

I uninstalled AVG and disabled all security based software and ran ComboFix. It told me there was a rootkit found and said it would need to reboot, click OK to reboot. I clicked OK but the system hung for about 30 minutes before I finally decided it must have locked up. I had to press and hold the power button to get it to shut down. I then started the computer up and ComboFix resumed scanning, so I guess the lockup did not affect anything. It then provided the log file. Out of curiosity I would like to know what I had and how I might have gotten it so that I can avoid it in the future. Or what I could do to block this from happening again. I run a lot of different security software and it still got in somehow. Thank you again for the help; I greatly appreciate it. And here is the log file:

ComboFix 10-12-14.02 - thomast77 12/14/2010 23:01:37.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1637 [GMT -6:00]
Running from: c:\documents and settings\thomast77\Desktop\ComboFix.exe
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\thomast77\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.

2010-12-11 05:25 . 2010-12-11 05:26 -------- d-----w- C:\RegBack
2010-12-10 08:07 . 2010-12-10 08:07 -------- d-----w- C:\$AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 18:23 . 2010-10-07 18:23 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 18:23 . 2010-10-07 18:23 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 18:23 . 2010-10-07 18:23 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 18:23 . 2010-10-07 18:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-09-18 18:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-02 16851456]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Si Meter"="c:\progra~1\SIMETE~1\SiMeter.exe" [2004-01-08 520192]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 206240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/9/2010 10:20 PM 436792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder

2010-12-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\thomast77\Application Data\Mozilla\Firefox\Profiles\rnw5bwlk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - http://www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Add to Search Bar: add-to-searchbox@maltekraus.de - %profile%\extensions\add-to-searchbox@maltekraus.de
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: Statusbar Date(): statusbardate@webspirited.com - %profile%\extensions\statusbardate@webspirited.com
FF - Ext: Nightly Tester Tools: {8620c15f-30dc-4dba-a131-7c5d20cf4a29} - %profile%\extensions\{8620c15f-30dc-4dba-a131-7c5d20cf4a29}
FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-14 23:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-12-14 23:07:02
ComboFix-quarantined-files.txt 2010-12-15 05:07

Pre-Run: 29,457,297,408 bytes free
Post-Run: 29,421,572,096 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30

- - End Of File - - 90E148DC5B83666C25A4CC1C6483F268

#11 thomast77

thomast77

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 15 December 2010 - 12:22 AM

I just noticed you edited your profile. I already ran ComboFix and the file is no longer on my computer. It must have been part of the rootkit?? Does this rootkit have a name so I could do some research online? I am very curious how I got it. Also there are several computers connected on the same wireless router. They are not networked together, but now I am wondering if it could have infected those computers too??
Thank you for your time.

Edited to add: I have noticed that my computer is running faster.

Edited by thomast77, 15 December 2010 - 12:50 AM.


#12 duckfeet

duckfeet

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 1,451 posts

Posted 15 December 2010 - 01:32 AM


Hi Thomas: Yes, I was trying to catch you in time on that edit, and check the file inst.exe first...but as you can see, it was malware, so we would have followed the same procedure, and it removed the file in any case. That rootkit is something else, I believe, and doesn't show being removed on reboot anyway...more to do, to make sure:

--------

Please download Defogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.
Remind me if I forget to tell you.

----------------

Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to Desktop.

Please close any open programs/windows!

Open the program and click on the Rootkit/Malware tab.
http://www.gmer.net/files.php

Make sure all the boxes on the right of the screen are checked, apart from 'Show All'.

Click on Scan (1).

When the scan has run click Copy (2) and paste the results (if any) into this thread.

#13 thomast77

thomast77

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 15 December 2010 - 02:20 AM

Ok here it is

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-15 02:19:31
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.CR10
Running: gmer.exe; Driver: C:\DOCUME~1\BillM\LOCALS~1\Temp\agryqaod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA6F1E6C0]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA010D620]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA6F1E810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA6F1E8B0]

INT 0x01 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) B8EEF541
INT 0x03 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) B8EEF5E7

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 3038 805048D4 4 Bytes CALL CB58EFCA
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8D81000, 0x16DFE2, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[640] SHELL32.dll!SHFileOperationW 7CA708E4 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\WINDOWS\system32\SearchIndexer.exe[724] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\USB_RNDIS \Device\{B82891B3-B85E-4C5C-AB61-1E5869CE15BF} RNDISMP.SYS (Remote NDIS Miniport/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xF6 0xA7 0x71 0x62 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDE 0xB4 0xCD 0x1E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCD 0x59 0xEF 0xFF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD8 0x6D 0x9B 0x67 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xF6 0xA7 0x71 0x62 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDE 0xB4 0xCD 0x1E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCD 0x59 0xEF 0xFF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD8 0x6D 0x9B 0x67 ...

---- EOF - GMER 1.0.15 ----

#14 duckfeet

duckfeet

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 1,451 posts

Posted 15 December 2010 - 02:54 AM

Hi Thomas:

Your logs appear clean. The infection you'd asked about is inst.exe. Hard to say when or how you picked it up. Often P2P file sharing is the culprit, but again, we can't know for certain. In the final post I'll have some suggestions that will help prevent recurrence. On the other computers you had mentioned, I'd just run a MBAM scan on each of them.

-------------


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is checked and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Edited by duckfeet, 15 December 2010 - 02:55 AM.


#15 thomast77

thomast77

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 15 December 2010 - 04:17 AM

Here is the ESET log. Should it be seeing Unlocker as an Adware application??

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=b43b7e74ed1eba42aa566fb6396703fc
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-15 10:12:08
# local_time=2010-12-15 04:12:08 (-0600, Central Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1032 16777189 100 96 0 49135373 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=126440
# found=2
# cleaned=0
# scan_time=3810
D:\(MY FILES)\My Downloads\Drivers\(530s)\Programs\Unlocker1.9.0.exe Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
F:\(MY FILES)\My Downloads\Drivers\(530s)\Programs\Unlocker1.9.0.exe Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
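As an added example (not part of the thread, and not an ESET tool), a small Python parser for the ESET Online Scanner log format posted above: it reads the `# key=value` header, pulls each detection line apart into path, threat name, status, hash and flag, and counts the hits ESET labels as an "application", which is the potentially-unwanted-application category the "Scan unwanted applications" option adds and the one the Unlocker hit falls under. It assumes the forum's tab-to-space flattening and that a Windows path never contains a forward slash.

```python
import re

# Constructed excerpt of the ESET Online Scanner log posted above. The real log
# is tab-separated; the forum flattened tabs to spaces, so whitespace runs are the separator.
SAMPLE_LOG = r"""# version=7
# unwanted_checked=true
# scanned=126440
# found=2
# cleaned=0
D:\(MY FILES)\My Downloads\Drivers\(530s)\Programs\Unlocker1.9.0.exe Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
F:\(MY FILES)\My Downloads\Drivers\(530s)\Programs\Unlocker1.9.0.exe Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
"""

# A detection line ends in "(status) <32 hex digits> <flag>"; anchoring on that
# tail keeps paths that contain spaces and parentheses intact.
DETECTION_RE = re.compile(r"^(?P<body>.+?)\s+\((?P<status>[^()]*)\)\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)\s*$")


def split_path_and_threat(body):
    """Split 'path threat-name' at the first token that looks like an ESET threat name
    ('/' as in Win32/..., or 'a variant of'); assumes the path has no forward slash."""
    tokens = body.split()
    for i, tok in enumerate(tokens):
        if "/" in tok or tokens[i:i + 3] == ["a", "variant", "of"]:
            return " ".join(tokens[:i]), " ".join(tokens[i:])
    return body, ""


def is_potentially_unwanted(detection):
    """ESET labels PUA/adware hits '... application' (not 'trojan'/'worm'); these are
    the hits worth a second look before treating them as an infection."""
    return detection["threat"].endswith(" application")


def parse_eset_log(text):
    """Return {'meta': header key/values, 'detections': [...], 'summary': {...}}."""
    meta, detections = {}, []
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            meta[key] = value            # repeated keys (compatibility_mode) keep the last value
            continue
        m = DETECTION_RE.match(line.rstrip())
        if m:
            path, threat = split_path_and_threat(m.group("body"))
            detections.append({"path": path, "threat": threat,
                               "status": m.group("status"),
                               "hash": m.group("hash"), "flag": m.group("flag")})
    found = int(meta.get("found", 0))
    summary = {
        "scanned": int(meta.get("scanned", 0)),
        "found": found,
        "cleaned": int(meta.get("cleaned", 0)),
        "uncleaned": sum("unable to clean" in d["status"] for d in detections),
        "pua": sum(is_potentially_unwanted(d) for d in detections),
        "consistent": found == len(detections),  # header count matches the detection lines
    }
    return {"meta": meta, "detections": detections, "summary": summary}
```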

#16 duckfeet
Forum Deity, Retired Staff, 1,451 posts

Posted 15 December 2010 - 11:52 AM

> Here is the ESET log. Should it be seeing Unlocker as an Adware application??


Hi Thomas: Those are false positives: your logs appear clean.

---------------

I see you are using the P2P file sharing program utorrent.

Peer to Peer (P2P) file sharing programs are a security risk which can make your computer susceptible to malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks.

The best way to reduce the risk of infection is to not use any P2P applications. My recommendation is you uninstall and do not use P2P file sharing programs, since you asked earlier how this malware might have gotten on your system.

See:

http://www.betanews....Afee/1210193904

----------------

To prevent the automatic running of programs when you insert a USB/flash drive I suggest downloading and installing Panda USB and Autorun Vaccine. The program has two options, to either vaccinate a PC to disable AutoRun completely so that no program from any USB/CD/DVD drive (regardless of whether they have been previously vaccinated or not) can auto-execute, or on individual USB drives to disable its autorun.inf file in order to prevent malware infections from spreading automatically.

To clean any removable drives you may own, download Panda USB vaccine from here.

  • Double-click on USBVaccineSetup.exe to install the program to C:\Program Files\Panda USB Vaccine.
  • Read and accept the license agreement, then click Next.
  • When setup completes, make sure "Launch Panda USB Vaccine" is checked and click Finish to open the program.
  • Click the Vaccinate computer button. It should now show a green checkmark and confirm Computer vaccinated.
  • Hold down the Shift key and insert your USB flash drive.
  • When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
  • Exit the program when done
Note: Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

--------------

This will implement some cleanup procedures as well as reset System Restore points:
To remove Combofix from your computer, please go to Start => Run and type ComboFix /Uninstall in the runbox. Click OK (make sure to leave a space between ComboFix and /Uninstall).

--------------

Your version of Java is out of date and older versions contain vulnerabilities. Here are the steps to follow:
1) Download the latest JRE version from here.
2) Go to Start > Control Panel > double-click on the Software icon and open Add or Remove Programs
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment).
Select each in turn and click Remove.
3) Install the latest version.

ADOBE - Reader and Flash Player vulnerabilities.

Please get the latest updates.

Latest Security Update available for Adobe Reader here

The latest Adobe Reader is available here. Decline installation of McAfee Security Scan (unless you want it).

--------------

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • Defogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running Defogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

------------

Let me know how these updates went, and if any problems remain.

#17 thomast77
Member, Full Member, 19 posts

Posted 15 December 2010 - 06:31 PM

All updates were successful. I like the Panda usb vaccine. I have actually been looking for something like that. Thank You very much for your time.

#18 duckfeet
Forum Deity, Retired Staff, 1,451 posts

Posted 15 December 2010 - 07:29 PM

> All updates were successful. I like the Panda usb vaccine. I have actually been looking for something like that. Thank You very much for your time.


You're welcome! I agree on the Panda: I'd thought of that when you mentioned the laptops. I use it too.

Please remove any other antimalware tools we installed for the purpose of this fix.


Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.


Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewa...nti-spyware.htm

A similar category of programs is now called "scareware". Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

As a minimum, you need at least one antivirus, one firewall and some type of anti-spyware program. AVG includes all three. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time.

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.

Edited by duckfeet, 15 December 2010 - 09:44 PM.


#19 thomast77
Member, Full Member, 19 posts

Posted 16 December 2010 - 04:07 AM

I already use Spybot. I was thinking about adding Spywareblaster that you listed above. Will there be any conflict between Spybot immunize and spywareblaster?

Also, now that you mention not to run more than one resident shield at one time, I am not sure how to proceed. I have always run AVG resident and Spybot resident at the same time. So are you telling me that running them together might make my system less secure? If so, which one do you recommend I shut off? I have no idea which might be the best resident shield.

Edited to add that if I use Spywareguard, should I then disable its resident shield as well? Just use it as a scanner?

Thank You for the help :)

Edited by thomast77, 16 December 2010 - 04:11 AM.


#20 duckfeet
Forum Deity, Retired Staff, 1,451 posts

Posted 16 December 2010 - 03:26 PM

Hi Thomas,

> I already use Spybot. I was thinking about adding Spywareblaster that you listed above. Will there be any conflict between Spybot immunize and spywareblaster?

There is some overlap, so you might need to re-immunize Spybot after installing Spywareblaster. Nowadays, I'd only run one or the other: see:
Spybot and Spywareblaster


> Also, now that you mention not to run more than one resident shield at one time, I am not sure how to proceed. I have always run AVG resident and Spybot resident at the same time. So are you telling me that running them together might make my system less secure? If so, which one do you recommend I shut off? I have no idea which might be the best resident shield.

(I apologize for my hasty edit of the closing suggestions in my prior post, which led to this confusion.) Yes, you only want one resident protection program of each type running at the same time. They can conflict with each other and degrade system performance otherwise. I would recommend running only AVG in resident mode, since this provides non-conflicting antivirus, antispyware, and firewall protection, and then either uninstall or disable Spybot resident protection. In cases where there is debate--and in antimalware protection programs, there is much debate--I go for simple.

> Edited to add that if I use Spywareguard, should I then disable its resident shield as well? Just use it as a scanner?

Yes: Spywareguard is a resident scanner, while Spywareblaster is a preventative program not running in resident mode. So, IMO, Spywareguard should be disabled ... but again, these are arguable: see: What is Real Time Protection

Again: AVG has all 3 in resident: Antivirus, Antispyware, and Firewall. I'd make sure any conflicting programs are disabled or removed...

Edited by duckfeet, 16 December 2010 - 09:18 PM.


#21 thomast77
Member, Full Member, 19 posts

Posted 16 December 2010 - 09:32 PM

Ok, thank you again. You have been very helpful. One last question: I am thinking about installing a software firewall. What would you or anyone here recommend?? By the way, I have the AVG free version. It only has the Anti-virus and Antispyware but no firewall.
Thank You
Thomas

#22 duckfeet
Forum Deity, Retired Staff, 1,451 posts

Posted 16 December 2010 - 10:07 PM

> Ok, thank you again. You have been very helpful. One last question: I am thinking about installing a software firewall. What would you or anyone here recommend?? By the way, I have the AVG free version. It only has the Anti-virus and Antispyware but no firewall.
> Thank You
> Thomas


Thank you!

HIPS (Host Intrusion Prevention Systems). Firewalls are important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.


These firewalls are good and do have free versions available:
A tutorial on understanding and using firewalls may be found here.

#23 thomast77
Member, Full Member, 19 posts

Posted 16 December 2010 - 10:14 PM

If I install a software firewall should I disable windows firewall? And what do you think about zone alarm?

#24 duckfeet
Forum Deity, Retired Staff, 1,451 posts

Posted 16 December 2010 - 10:29 PM

> If I install a software firewall should I disable windows firewall? And what do you think about zone alarm?


Yes. And I'm not familiar with Zone Alarm anymore... you might have to ask in Software about that... I used it years ago, but now I'm not sure...

#25 thomast77
Member, Full Member, 19 posts

Posted 16 December 2010 - 10:38 PM

Thank You very much for all the help :)

#26 duckfeet
Forum Deity, Retired Staff, 1,451 posts

Posted 16 December 2010 - 11:11 PM

> Thank You very much for all the help :)


Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.




Member of UNITE