Full Version: IDS Virus - can't run .exe files, Task Manager
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
durnik56
Help please!!!! Even with up to date Spyware and Anti-virus programs running, I got a nasty virus on my desktop system.

A description:

The virus has hijacked my computer and put up a false desktop "skin" - I can use the toolbar to see the original background behind it. I cannot run any .exe programs and it has disabled Task Manager. It asks me to install IDS virus protection to clear the virus.

My actions:

I was able to download the Malwarebytes installation script on my laptop, put it on my flash drive, and install it on my desktop from the flash drive. Once installed though, it would not allow me to run the Malwarebytes.exe file either from the shortcut or directly from the installed location. Tried renaming it and giving it a .bat extension - no luck.

Ran RootRepeal to see if it identified a hidden .sys file for a rootkit virus - found only 1 .sys file and it was a file last modified in 2004.

Ran HijackThis and got the following output:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:07 PM, on 11/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Cox\Media Store and Share Backup Manager\VaultClientTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\winupdate86.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\msb.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Cox\Media Store and Share Backup Manager\VaultClientSRV.exe
C:\Program Files\Cox\Media Store and Share Backup Manager\VaultClientUpgrade.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\progra~1\common~1\instal~1\update~1\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
C:\WINDOWS\system32\ctfmon.exe
K:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061121
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rhodeisland.cox.net/cci/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061121
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINDOWS\system32\fe849ad7v.dll - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\fe849ad7v.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TrayStartup] C:\Program Files\Cox\Media Store and Share Backup Manager\VaultClientTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MailBlocker] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
O4 - HKCU\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\AVR.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172237870781
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/T26L10NSP...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://secure.ptc.com/dana-cached/setup/JuniperSetup.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: mimadove.dll
O22 - SharedTaskScheduler: jkshf8a3rudbfa873fudfhbdugf87whjdb - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\fe849ad7v.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\GameChannel\Games\26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c965fa76bde79a) (gupdate1c965fa76bde79a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Media Store and Share Backup Manager Service (VaultClientSRV) - COX - C:\Program Files\Cox\Media Store and Share Backup Manager\VaultClientSRV.exe
O23 - Service: Backup Manager Upgrade Service (VaultClientUpgrade) - COX - C:\Program Files\Cox\Media Store and Share Backup Manager\VaultClientUpgrade.exe

--
End of file - 13003 bytes

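A helper reads a log like the one above by hand for a handful of red flags: a Winlogon Shell value that is not exactly Explorer.exe (the F2 line), a non-empty AppInit_DLLs (O20), autoruns or running processes under a user's Temp folder (O4 and the process list), a BHO with no display name, and a SharedTaskScheduler entry with a random-looking name (O2, O22). The Python script below is an added example written for this page; it is not a tool from the original post, from HijackThis or from Malwarebytes. It encodes those checks as heuristics and runs them over a handful of lines copied from the posted log. A hit means the entry deserves a look, not that it is malicious, and the thresholds (for instance, four or more letter/digit runs in a file name counting as "random-looking") are assumptions chosen for this example.

```python
"""Triage rules for HijackThis 2.0.2 log entries.

Added example for this thread; it is not a tool from the original post, from
HijackThis or from Malwarebytes. Each rule is a generic red flag that a log
helper checks by hand; a hit means "inspect this entry", not "this is malware".
The lines in SAMPLE_LOG are copied from the log posted above; the thresholds
are assumptions made for this example.
"""
import re

# A HijackThis entry: section code, " - ", the rest of the line.
ENTRY_RE = re.compile(r"^(R[01]|F[0-3]|O\d{1,2}) - (.*)$")
# A line in the "Running processes" block is a bare path.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
# Per-user Temp folder, in 8.3 or long form.
TEMP_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# File names that follow a backslash, e.g. "...\system32\fe849ad7v.dll".
BASENAME_RE = re.compile(r"\\([^\\\"\s,]+?\.(?:exe|dll|scr|com|pif))", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Heuristic: a name such as fe849ad7v switches between letter runs and
    digit runs several times; vendor names (nvsvc32, hpqtra08) switch once."""
    stem = name.rsplit(".", 1)[0].lower()
    runs = re.findall(r"[a-z]+|[0-9]+", stem)
    return len(runs) >= 4  # threshold is an assumption for this example


def _label(detail: str) -> str:
    """'BHO: (no name) - {GUID} - (no file)' -> '(no name)'."""
    return detail.split(" - ")[0].split(": ", 1)[-1].strip()


def check_entry(line: str) -> list:
    """Return the reasons this log line deserves a second look (empty if none)."""
    line = line.strip()
    reasons = []
    if PROCESS_RE.match(line):
        if TEMP_RE.search(line):
            reasons.append("process running from a Temp folder")
        return reasons
    m = ENTRY_RE.match(line)
    if not m:
        return reasons  # header, blank or unrecognised line
    section, detail = m.groups()
    if section == "F2" and "Shell=" in detail:
        shell = detail.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            reasons.append("Winlogon Shell is not exactly Explorer.exe: " + shell)
    elif section == "O20" and "AppInit_DLLs:" in detail:
        dlls = detail.split("AppInit_DLLs:", 1)[1].strip()
        if dlls:
            reasons.append("AppInit_DLLs is loaded into every process that uses user32: " + dlls)
    elif section == "O2":
        if "(no file)" in detail:
            reasons.append("BHO registered but its DLL is missing (orphan)")
        elif PROCESS_RE.match(_label(detail)):
            reasons.append("BHO has no display name, only a path")
    elif section == "O22" and looks_random(_label(detail)):
        reasons.append("SharedTaskScheduler task name looks random: " + _label(detail))
    elif section == "O4" and TEMP_RE.search(detail):
        reasons.append("autorun points into a Temp folder")
    if section in ("O2", "O4", "O20", "O22"):
        for base in sorted(set(BASENAME_RE.findall(detail))):
            if looks_random(base):
                reasons.append("file name looks random: " + base)
    return reasons


def triage(log_text: str) -> list:
    """Run check_entry over a whole log; returns [(line, reasons), ...] for hits only."""
    hits = []
    for raw in log_text.splitlines():
        reasons = check_entry(raw)
        if reasons:
            hits.append((raw.strip(), reasons))
    return hits


# Constructed sample: a subset of lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINDOWS\system32\fe849ad7v.dll - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\fe849ad7v.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKCU\..\Run: [MailBlocker] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
O20 - AppInit_DLLs: mimadove.dll
O22 - SharedTaskScheduler: jkshf8a3rudbfa873fudfhbdugf87whjdb - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\fe849ad7v.dll
O23 - Service: Google Update Service (gupdate1c965fa76bde79a) (gupdate1c965fa76bde79a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run on the sample, the script reports the Temp-folder process and autorun, the Shell= line, both O2 entries, the AppInit_DLLs line and the O22 task, and stays quiet on the Avira, winupdate86 and Google Update lines; the name heuristic is deliberately loose, so an entry it flags still has to be checked against the vendor, signature and path before anything is removed.
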
IndiGenus
Hello durnik56 and welcome to the forums here at MalwareBytes.

NOTE: I noticed you opened another topic several days ago. Please don't start any more topics and respond back to this one only.

My name is Dave. I would be glad to take a look at your log and help you with solving any malware problems. The logs that we ask for can sometimes take a while to research so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Malware and the removal process can pose a risk of data loss. Also, with some infections we may advise you to reformat and re-install Windows. I recommend you make a backup of any data that you have created, such as documents, pictures, music, etc., before we begin the fix if possible.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.
durnik56
Dave,

Sorry for the double post, I was impatient and should have given you guys more time.

I downloaded the dds.scr file to the desktop - tried to run it, started executing but then it was blocked. Phony error message told me it was an infected file. Tried renaming it and got the same result. Downloaded it to a flash drive and tried running it from there - same result. Tried renaming it - blocked again. So no luck getting you that information.

Downloaded the sucozc.exe file, placed it in the root directory C:, and it ran successfully. Saved the file to results.log. Results are here:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-22 20:38:53
Windows 5.1.2600 Service Pack 2
Running: sucozc20.exe; Driver: C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\pgtoapoc.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9E3DD72]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB9E1E9A6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB9E1EB98]
SSDT AA1630C4 ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB9E3E568]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB9E3E820]
SSDT AA1630E2 ZwLoadKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB9E3CA80]
SSDT AA1630B0 ZwOpenProcess
SSDT AA1630B5 ZwOpenThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB9E3EC8A]
SSDT AA1630EC ZwReplaceKey
SSDT AA1630E7 ZwRestoreKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB9E3E036]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB9E1E656]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C78 805044E4 8 Bytes JMP 6BE8FECA
.text ntkrnlpa.exe!ZwCallbackReturn + 2CC0 8050452C 4 Bytes CALL 01A4FF14
.rsrc C:\WINDOWS\system32\drivers\iaStor.sys entry point in ".rsrc" section [0xB9F20000]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB944E360, 0x21235D, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\SAMLIB.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamA] [00417F30] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamW] [00417F30] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [004185AD] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [00418629] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxA] [00417F3C] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxW] [00417F3C] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxIndirectA] [00417F2A] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxIndirectW] [00417F2A] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [0041875D] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!ShowWindow] [004186A5] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!CreateWindowExW] [00418629] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DialogBoxParamW] [00417F30] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ShowWindow] [004186A5] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetWindowPos] [0041875D] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!MessageBoxW] [00417F3C] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!MessageBoxA] [00417F3C] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!MessageBoxIndirectW] [00417F2A] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!CreateWindowExW] [00418629] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!MessageBoxW] [00417F3C] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!SetWindowPos] [0041875D] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!DialogBoxParamW] [00417F30] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExA] [004185AD] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExW] [00418629] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] [00417F30] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!MessageBoxW] [00417F3C] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!ShowWindow] [004186A5] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!SetWindowPos] [0041875D] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!ShowWindow] [004186A5] C:\WINDOWS\msb.exe
    IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!DialogBoxParamW] [00417F30] C:\WINDOWS\msb.exe
    IAT C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe[2340] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [00416AE8] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
    IAT C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe[2340] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [00416B62] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
    IAT C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe[2340] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [00416C8E] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
    IAT C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe[2340] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!ShowWindow] [00416BDC] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
    IAT C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe[2340] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!CreateWindowExW] [00416B62] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
    IAT C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe[2340] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ShowWindow] [00416BDC] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
    IAT C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe[2340] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetWindowPos] [00416C8E] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
    IAT C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe[2340] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!CreateWindowExW] [00416B62] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
    IAT C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe[2340] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!SetWindowPos] [00416C8E] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
    IAT C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe[2340] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExA] [00416AE8] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
    IAT C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe[2340] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExW] [00416B62] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
    IAT C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe[2340] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!ShowWindow] [00416BDC] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
    IAT C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe[2340] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!SetWindowPos] [00416C8E] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
    IAT C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe[2340] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!ShowWindow] [00416BDC] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\SAMLIB.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
    IAT C:\Program Files\AIM6\aolsoftware.exe[3420] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)

    Device \Driver\iaStor \Device\Ide\iaStor0 [B9EA4146] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [B9EA4146] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [B9EA4146] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-2 [B9EA4146] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

    AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\Mom_&_Dad\Local Settings\Temporary Internet Files\Content.IE5\GXECB3SH\bullet[1] 0 bytes
    File C:\Documents and Settings\Mom_&_Dad\Local Settings\Temporary Internet Files\Content.IE5\GXECB3SH\down[1] 0 bytes
    File C:\Documents and Settings\Mom_&_Dad\Local Settings\Temporary Internet Files\Content.IE5\GXECB3SH\httpErrorPagesScripts[8] 0 bytes
    File C:\Documents and Settings\Mom_&_Dad\Local Settings\Temporary Internet Files\Content.IE5\GXECB3SH\info_48[4] 0 bytes
    File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
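The GMER log above lists dozens of IAT hooks, but most of them (the AOL tbdiag.dll and Yahoo! YbSkin2.dll entries) carry a vendor attribution and belong to known software. The entries that deserve a second look are the hooks whose handler GMER could not attribute to any vendor, here the ones resolving into msb.exe sitting directly in the Windows root and d.exe in the user's Temp folder, plus the SSDT entries that point at bare addresses rather than a named driver. The Python below is an added triage helper, not part of this thread and not GMER's own tooling: it parses the IAT and SSDT line formats shown in the log and flags entries on exactly those criteria. The sample lines are copied from the log posted above; the flagging rules are the editor's heuristics and produce leads for a human to check, not verdicts (an unsigned but legitimate packed program will also hook its own imports without a vendor string).

```python
"""Triage helper for GMER "User IAT/EAT" and "SSDT" log lines.

Added example (not from the forum thread or from GMER). It flags:
  * IAT hooks whose target module has no "(description/vendor)" suffix,
  * IAT hooks whose target lives in a Temp directory or in the Windows root,
  * SSDT entries owned by a bare hex address instead of a named driver.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# IAT <process>[<pid>] @ <module> [<dll>!<import>] [<addr>] <target> (<desc>/<vendor>)
# The trailing "(desc/vendor)" only appears when GMER could attribute the target.
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>.+?)\s+"
    r"\[(?P<import>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<target>.+?)"
    r"(?:\s+\((?P<vendor>[^)]*)\))?\s*$"
)

# SSDT <owner> <Zw function> [<addr>]; <owner> is either "driver.sys (desc/vendor)"
# or a bare hex address that GMER could not map to a loaded driver.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<owner>.+?)\s+(?P<func>Zw\w+)(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)

TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
BARE_HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Finding:
    kind: str                      # "IAT" or "SSDT"
    subject: str                   # hooked process[pid] or hooked syscall
    target: str                    # module or address the hook resolves to
    reasons: List[str] = field(default_factory=list)


def triage_iat(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious IAT line, None for benign or non-IAT lines."""
    m = IAT_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    reasons = []
    if m.group("vendor") is None:
        reasons.append("hook target has no vendor attribution")
    if TEMP_DIR_RE.search(target):
        reasons.append("hook target lives in a Temp directory")
    # ntpath handles Windows paths regardless of the host OS the script runs on.
    if ntpath.dirname(target).lower() == r"c:\windows":
        reasons.append("hook target sits directly in the Windows root")
    if not reasons:
        return None
    return Finding("IAT", f"{m.group('process')}[{m.group('pid')}]", target, reasons)


def triage_ssdt(line: str) -> Optional[Finding]:
    """Return a Finding for an SSDT entry owned by an unattributed address."""
    m = SSDT_RE.match(line.strip())
    if not m:
        return None
    owner = m.group("owner")
    if BARE_HEX_RE.match(owner):
        return Finding("SSDT", m.group("func"), owner,
                       ["SSDT entry points to an unattributed address"])
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run both matchers over a log and collect the flagged entries in order."""
    findings = []
    for line in lines:
        found = triage_iat(line) or triage_ssdt(line)
        if found:
            findings.append(found)
    return findings


# Sample input: lines copied from the GMER log posted in the thread above.
SAMPLE_LINES = [
    r"IAT C:\Program Files\AIM6\aim6.exe[1436] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)",
    r"IAT C:\WINDOWS\msb.exe[2188] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamA] [00417F30] C:\WINDOWS\msb.exe",
    r"IAT C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe[2340] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [00416AE8] C:\DOCUME~1\MOM_&_~1\LOCALS~1\Temp\d.exe",
    r"IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)",
    r"SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9E3DD72]",
    r"SSDT AA1630C4 ZwCreateThread",
    r"SSDT AA1630B0 ZwOpenProcess",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.kind}] {f.subject} -> {f.target}: {'; '.join(f.reasons)}")
```

Run against the full log, the helper reduces roughly 150 IAT and SSDT lines to the handful that matter: every hook into msb.exe and d.exe, and the six SSDT entries (ZwCreateThread, ZwLoadKey, ZwOpenProcess, ZwOpenThread, ZwReplaceKey, ZwRestoreKey) that resolve to unattributed addresses. Those SSDT entries are the kind of thing a kernel-mode rootkit uses to hide processes and registry keys, which matches the symptoms reported earlier in the thread; the parentheses-in-path case (e.g. "Program Files (x86)") would need a stricter vendor pattern on 64-bit logs.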
    IndiGenus
    Yes, some very nasty stuff you have acquired there.

    Let's try to go right after it with combofix. Make sure that you don't skip any steps here. Make sure that the recovery console is installed.

    Please read through the instructions to familiarize yourself with what to expect when the tool runs.

    It is vitally important that combofix is renamed before it is even started to download.


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    • If you are using Firefox, make sure that your download settings are as follows:
      -Tools->Options->Main tab
      -Set to "Always ask me where to Save the files".
    • During the download, rename Combofix to Combo-Fix as follows:






    • It is important you rename Combofix during the download, but not after.
    • Please do not rename Combofix to other names, but only to the one indicated.
    • Close any open browsers.
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
    • Double click on ComboFix.exe & follow the prompts. Close all other windows/browsers first.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not run combofix more than once. If you have problems please post back for further instructions.
    3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please post back with the combofix log.
    durnik56
    First of all thanks for your help. Second, what the heck did I pick up here - can you give me an idea of what this crap is and where it may have come from? Third, will having Malwarebytes keep me from getting this crap?

    OK then, back to business.

    I successfully downloaded and ran Combofix. It downloaded and installed the recovery console. First time through it ran for about 2 minutes, said it detected rootkit activity and prompted to reboot the machine. I did that and on reboot, ComboFix continued to scan - ran through approx 50 stages, deleted several files and a folder. ComboFix then rebooted the machine itself. Log file is here:

    ComboFix 09-11-22.04 - Mom_&_Dad 11/22/2009 21:20.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1534 [GMT -5:00]
    Running from: c:\documents and settings\Mom_&_Dad\Desktop\Combo-Fix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Mom_&_Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
    c:\documents and settings\Mom_&_Dad\Desktop\Advanced Virus Remover.lnk
    c:\documents and settings\Mom_&_Dad\Start Menu\Advanced Virus Remover.lnk
    c:\program files\AdvancedVirusRemover
    c:\program files\AdvancedVirusRemover\AVR.exe
    c:\windows\msa.exe
    c:\windows\msb.exe
    c:\windows\system32\11478.exe
    c:\windows\system32\15724.exe
    c:\windows\system32\18467.exe
    c:\windows\system32\19169.exe
    c:\windows\system32\24464.exe
    c:\windows\system32\26500.exe
    c:\windows\system32\26962.exe
    c:\windows\system32\28145.exe
    c:\windows\system32\29358.exe
    c:\windows\system32\41.exe
    c:\windows\system32\5705.exe
    c:\windows\system32\6334.exe
    c:\windows\system32\6to4v32.dll
    c:\windows\system32\bukesopi.dll
    c:\windows\system32\certstore.dat
    c:\windows\system32\daqdrv.sys
    c:\windows\system32\fe849ad7v.dll
    c:\windows\system32\mimadove.dll
    c:\windows\system32\tajelavo.dll
    c:\windows\system32\winupdate86.exe
    c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
    c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
    C:\xcrashdump.dat

    Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4
    -------\Service_6to4
    -------\Legacy_daqdrv
    -------\Service_daqdrv


    ((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
    .

    2009-11-22 23:38 . 2009-11-22 23:34 292352 ----a-w- C:\sucozc20.exe
    2009-11-18 02:50 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-18 02:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-18 00:57 . 2009-11-18 00:57 -------- d-----w- c:\documents and settings\Mom_&_Dad\Application Data\Malwarebytes
    2009-11-18 00:57 . 2009-11-18 02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-18 00:57 . 2009-11-18 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-11-14 00:14 . 2009-11-23 02:07 794384 ----a-w- c:\windows\system32\AVR10.exe
    2009-11-12 08:00 . 2009-04-17 09:58 1846656 ----a-w- c:\windows\system32\win32k.sys
    2009-11-04 22:47 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2009-11-04 22:47 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2009-11-04 22:47 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2009-11-04 22:47 . 2009-11-04 22:47 -------- d-----w- c:\program files\Avira
    2009-11-04 22:47 . 2009-11-04 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2009-11-01 16:23 . 2009-11-01 16:23 -------- d-----w- c:\program files\Cox
    2009-10-31 19:25 . 2009-10-31 19:25 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-10-31 13:19 . 2009-10-31 13:19 -------- d-----w- c:\documents and settings\Mom_&_Dad\Application Data\Webroot
    2009-10-31 13:19 . 2009-10-31 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
    2009-10-31 13:19 . 2009-10-31 13:19 -------- d-----w- c:\program files\Webroot
    2009-10-31 13:19 . 2009-10-31 13:19 164 ----a-w- c:\windows\install.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-22 23:26 . 2006-12-03 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-11-14 00:10 . 2008-08-28 23:19 -------- d-----w- c:\program files\Spyware Doctor
    2009-11-14 00:10 . 2008-08-28 23:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-11-13 23:40 . 2006-12-26 05:14 279 ---h--w- c:\windows\popcinfo.dat
    2009-11-13 16:16 . 2008-11-09 18:19 797 ---h--w- c:\windows\popcreg.dat
    2009-11-13 16:16 . 2008-11-08 17:50 293 ----a-w- c:\windows\popcinfot.dat
    2009-11-01 16:19 . 2006-11-21 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2009-11-01 16:18 . 2009-10-01 23:49 -------- d-----w- c:\documents and settings\Mom_&_Dad\Application Data\Move Networks
    2009-10-31 19:21 . 2008-03-28 23:03 -------- d-----w- c:\program files\Common Files\Adobe
    2009-10-31 13:21 . 2009-10-10 16:30 -------- d-----w- c:\documents and settings\Mom_&_Dad\Application Data\Skype
    2009-10-31 12:06 . 2009-10-10 16:30 -------- d-----w- c:\documents and settings\Mom_&_Dad\Application Data\skypePM
    2009-10-28 01:03 . 2009-09-08 02:34 1614760 ----a-w- c:\documents and settings\All Users\Application Data\WildTangent\Dell Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
    2009-10-13 21:38 . 2009-08-18 20:27 -------- d-----w- c:\documents and settings\Mom_&_Dad\Application Data\HpUpdate
    2009-10-10 16:30 . 2009-10-10 16:30 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2009-10-10 16:30 . 2009-10-10 16:30 -------- d-----r- c:\program files\Skype
    2009-10-10 16:30 . 2009-10-10 16:30 -------- d-----w- c:\program files\Common Files\Skype
    2009-10-10 16:30 . 2009-10-10 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2009-09-28 03:41 . 2006-12-05 23:40 -------- d-----w- c:\program files\PopCap Games
    2009-09-11 14:03 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-04 20:45 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-01 06:28 . 2009-05-25 02:13 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2009-08-29 07:36 . 2004-08-11 22:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2009-08-29 07:36 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-08-29 07:36 . 2004-08-11 22:00 17408 ------w- c:\windows\system32\corpol.dll
    2009-08-28 21:36 . 2009-08-28 21:36 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
    2009-08-27 06:28 . 2009-01-13 14:44 14561504 ----a-w- c:\documents and settings\All Users\Application Data\WildTangent\Dell Game Console\Downloads\Installers\SetupGamesClient.exe
    2009-08-26 08:16 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
    2007-07-19 21:00 . 2007-07-19 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
    2007-05-09 11:42 . 2006-12-12 12:12 88 --sh--r- c:\windows\system32\81D780132E.sys
    2007-05-09 11:42 . 2006-12-12 12:12 4076 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
    @="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
    [HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
    2008-10-08 21:44 495616 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientMenu.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon2]
    @="{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}"
    [HKEY_CLASSES_ROOT\CLSID\{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}]
    2008-10-08 21:44 491520 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientIcon.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector" [X]
    "OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-12 176201]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-12 68856]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
    "pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-02 198160]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "TrayStartup"="c:\program files\Cox\Media Store and Share Backup Manager\VaultClientTray.exe" [2008-10-08 293328]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-2-10 389120]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Trend Micro\\Internet Security 12\\TmPfw.exe"=
    "c:\\Program Files\\iPod\\bin\\iPodService.exe"=

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/24/2009 9:13 PM 206256]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/4/2009 5:47 PM 108289]
    R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 9:47 AM 205328]
    R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 9:47 AM 290889]
    R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 9:47 AM 585792]
    R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 9:47 AM 36368]
    R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 9:47 AM 262215]
    R2 VaultClientSRV;Media Store and Share Backup Manager Service;c:\program files\Cox\Media Store and Share Backup Manager\VaultClientSRV.exe [10/8/2008 4:45 PM 981456]
    R2 VaultClientUpgrade;Backup Manager Upgrade Service;c:\program files\Cox\Media Store and Share Backup Manager\VaultClientUpgrade.exe [10/8/2008 4:45 PM 55760]
    S2 gupdate1c965fa76bde79a;Google Update Service (gupdate1c965fa76bde79a);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2008 2:04 PM 133104]
    S3 PAC7302;PC VGA Camer@ Plus;c:\windows\system32\drivers\PAC7302.SYS [6/14/2007 6:34 PM 457856]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2009-11-23 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-03 06:44]

    2009-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 04:19]

    2009-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 04:19]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://rhodeisland.cox.net/cci/home
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    FF - ProfilePath - c:\documents and settings\Mom_&_Dad\Application Data\Mozilla\Firefox\Profiles\g294ruis.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - AIM Search
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
    FF - component: c:\documents and settings\Mom_&_Dad\Application Data\Mozilla\Firefox\Profiles\g294ruis.default\extensions\fotofox@mozilla.com\platform\WINNT_x86-msvc\components\mozFotofox.dll
    FF - component: c:\documents and settings\Mom_&_Dad\Application Data\Mozilla\Firefox\Profiles\g294ruis.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - plugin: c:\documents and settings\Mom_&_Dad\Application Data\Mozilla\Firefox\Profiles\g294ruis.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
    FF - plugin: c:\documents and settings\Mom_&_Dad\Application Data\Mozilla\plugins\npcoolirisplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
    FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{faf84218-e366-4e75-b5c9-5ebddc7dc7ff} - tajelavo.dll
    HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
    HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
    HKLM-Run-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    HKLM-Run-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
    HKLM-Run-winupdate86.exe - c:\windows\system32\winupdate86.exe
    HKLM-Run-vatifeniya - bukesopi.dll
    AddRemove-HijackThis - K:\HijackThis.exe
    AddRemove-Word Harmony Deluxe 1.0 - c:\program files\PopCap Games\Word Harmony Deluxe\PopUninstall.exe
    AddRemove-WT034555 - c:\program files\Dell Games\Polar Golfer Pineapple Cup\Uninstall.exe
    AddRemove-WT042149 - c:\program files\Dell Games\Nancy Drew - Curse of Blackmoor Manor\Uninstall.exe
    AddRemove-WT044166 - c:\program files\Dell Games\Penguins' Journey\Uninstall.exe
    AddRemove-WT044182 - c:\program files\Dell Games\Westward 2 - Heroes of the Frontier\Uninstall.exe
    AddRemove-WT044765 - c:\program files\Dell Games\Magic Farm\Uninstall.exe
    AddRemove-WT046798 - c:\program files\Dell Games\Natalie Brooks - Secrets of Treasure House\Uninstall.exe
    AddRemove-WT047045 - c:\program files\Dell Games\Virtual Villagers - The Secret City\Uninstall.exe
    AddRemove-WT055977 - c:\program files\Dell Games\7 Wonders - Treasures of Seven\Uninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-22 21:33
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3760)
    c:\windows\system32\WININET.dll
    c:\program files\Cox\Media Store and Share Backup Manager\VaultClientMenu.dll
    c:\program files\Cox\Media Store and Share Backup Manager\LIBEXPAT.dll
    c:\program files\Cox\Media Store and Share Backup Manager\VaultClientCOM.dll
    c:\program files\Cox\Media Store and Share Backup Manager\VaultClientIcon.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Juniper Networks\Common Files\dsNcService.exe
    c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\nvsvc32.exe
    c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\AIM6\aolsoftware.exe
    .
    **************************************************************************
    .
    Completion time: 2009-11-22 21:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-11-23 02:38

    Pre-Run: 596,637,278,208 bytes free
    Post-Run: 596,692,512,768 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 63AB9000E4A76E67E58E7D1F822C53FE
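A small triage script over the two listing shapes in the log above, added here as an example (it is not part of this thread and not ComboFix's own code). Its heuristics encode what the log shows being removed (numeric-named executables in system32, the eight-letter bukesopi/tajelavo/mimadove DLL names, the AVR10.exe still sitting in system32) and they also flag C:\sucozc20.exe, which the thread later identifies as GMER's own randomly named copy, which is why a flag means "look", not "delete". The function names, the reading of the attribute column's flag positions, and the `.scr` suffix are my assumptions, not anything ComboFix documents.

```python
"""Triage helper for the ComboFix listings posted above: an added example, not part of the
thread and not ComboFix code.  Parses the dated "Files Created"/"Find3M" lines and the
bare "Other Deletions" paths, then lists the reasons an entry deserves a human look."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# created . modified  size (dashes for directories)  8 attribute flags  path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$")
PATH_RE = re.compile(r"^[a-zA-Z]:\\.+$")  # bare path, as in "Other Deletions"
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".scr")

@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]  # None where ComboFix prints dashes (directories)
    is_dir: bool
    system: bool
    hidden: bool
    path: str

def parse_line(line: str) -> Optional[Entry]:
    """Parse one dated listing line; any other line yields None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs, size = m.group("attrs"), m.group("size")
    # Flag positions inferred from this log (d-----w-, --sh--r-, ---ha-w-): 0 = dir, 2 = system, 3 = hidden.
    return Entry(created=datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
                 modified=datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
                 size=None if size.startswith("-") else int(size),
                 is_dir=attrs[0] == "d", system=attrs[2] == "s",
                 hidden=attrs[3] == "h", path=m.group("path"))

def split_path(path: str):
    """(folder, stem, ext) of a Windows path, all lower-cased."""
    folder, _, name = path.lower().replace("/", "\\").rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    return (folder, stem, "." + ext) if dot else (folder, name, "")

def dropped_dll_shape(stem: str) -> bool:
    """Eight letters alternating consonant/vowel (bukesopi, tajelavo, mimadove above); legit names such as setupapi match too."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    return all((c in "aeiou") == (i % 2 == 1) for i, c in enumerate(stem))

def path_reasons(path: str) -> List[str]:
    """Name/location hints that need no timestamps, so they also work on bare paths."""
    folder, stem, ext = split_path(path)
    reasons: List[str] = []
    if ext not in EXEC_SUFFIXES:
        return reasons
    if folder == r"c:\windows\system32" and stem.isdigit():
        reasons.append("numeric-named executable directly in system32")
    if folder == "c:":
        reasons.append("executable in the root of the system drive")
    if folder in (r"c:\windows", r"c:\windows\system32") and dropped_dll_shape(stem):
        reasons.append("eight-letter consonant/vowel name like the deleted DLLs")
    return reasons

def entry_reasons(e: Entry) -> List[str]:
    """Hints for a dated line: name checks plus attribute/timestamp signals."""
    if e.is_dir or split_path(e.path)[2] not in EXEC_SUFFIXES:
        return []
    reasons = path_reasons(e.path)
    if e.hidden and e.system:  # tiny hidden .sys files also come from licensing schemes: look, don't assume
        reasons.append("hidden+system executable")
    # A copied-in binary usually keeps an older mtime; one rewritten here after it appeared gets a glance.
    if e.modified > e.created:
        reasons.append("executable rewritten in place after creation")
    return reasons

def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; lines with nothing notable are dropped."""
    flagged: Dict[str, List[str]] = {}
    for raw in lines:
        line = raw.strip()
        entry = parse_line(line)
        if entry is not None:
            path, reasons = entry.path, entry_reasons(entry)
        elif PATH_RE.match(line):
            path, reasons = line, path_reasons(line)
        else:
            continue
        if reasons:
            flagged[path] = reasons
    return flagged

# Sample lines copied from the ComboFix log posted above (both line shapes).
SAMPLE_LINES = [
    r"c:\windows\system32\11478.exe",
    r"c:\windows\system32\bukesopi.dll",
    r"2009-11-22 23:38 . 2009-11-22 23:34 292352 ----a-w- C:\sucozc20.exe",
    r"2009-11-18 02:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys",
    r"2009-11-14 00:14 . 2009-11-23 02:07 794384 ----a-w- c:\windows\system32\AVR10.exe",
    r"2007-05-09 11:42 . 2006-12-12 12:12 88 --sh--r- c:\windows\system32\81D780132E.sys",
]
```

Running `triage(SAMPLE_LINES)` flags five of the six lines and leaves mbam.sys alone; winupdate86.exe from the same log would not be flagged by any of these rules, which is the usual reminder that name heuristics complement a tool like ComboFix rather than replace it.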
    IndiGenus
    QUOTE
    First of all thanks for your help.

    You're welcome.

    QUOTE
    Second, what the heck did I pick up here - can you give me an idea of what this crap is and where it may have come from?

    A nasty low level rootkit that is accompanied by a host of other Malware. Where, hard to know exactly. Usually this kind of stuff is picked up through file sharing sites such as P2P and Bittorrent sites or cracks and keygens. But it could have just been a poisoned web page that you visited. Did you download any "questionable" files recently?

    QUOTE
    Third, will having Malwarebytes keep me from getting this crap?

    The free version will only do cleaning. The paid version does offer another level of real time protection. But your main point of defense should be a good updated Antivirus and Firewall. I see you have 2 Antivirus programs installed. You only want to run one at a time or you could have issues. After we're done I'll give you some advice on staying clean.

    I need you to check a file.

    Please go to http://www.virustotal.com/en/indexf.html
    click on Browse, and upload the following file for analysis:

    C:\sucozc20.exe

    Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see. Or you can copy the link to the VT results page if that is easier.
    durnik56
    Dave,

    I try my best to stay away from known problem sites and only download files from trusted sites. The last place my wife went was to Lisa Hartman's official web site and clicked on a Youtube link to play a concert video - then all hell broke loose.

    I did as you requested - the results:

    The link is http://www.virustotal.com/analisis/a04653f...c9a8-1258917338

    But if that doesn't work:

    Antivirus Version Last Update Result
    a-squared 4.5.0.41 2009.11.22 -
    AhnLab-V3 5.0.0.2 2009.11.20 -
    AntiVir 7.9.1.72 2009.11.22 -
    Antiy-AVL 2.0.3.7 2009.11.20 -
    Authentium 5.2.0.5 2009.11.22 -
    Avast 4.8.1351.0 2009.11.22 -
    AVG 8.5.0.425 2009.11.22 -
    BitDefender 7.2 2009.11.22 -
    CAT-QuickHeal 10.00 2009.11.21 -
    ClamAV 0.94.1 2009.11.22 -
    Comodo 3000 2009.11.22 -
    DrWeb 5.0.0.12182 2009.11.22 -
    eSafe 7.0.17.0 2009.11.19 -
    eTrust-Vet None 2009.11.20 -
    F-Prot 4.5.1.85 2009.11.22 -
    F-Secure 9.0.15370.0 2009.11.20 -
    Fortinet 3.120.0.0 2009.11.22 -
    GData 19 2009.11.22 -
    Ikarus T3.1.1.74.0 2009.11.22 -
    Jiangmin 11.0.800 2009.11.22 -
    K7AntiVirus 7.10.901 2009.11.20 -
    Kaspersky 7.0.0.125 2009.11.22 -
    McAfee 5810 2009.11.22 -
    McAfee+Artemis 5810 2009.11.22 -
    McAfee-GW-Edition 6.8.5 2009.11.22 -
    Microsoft 1.5302 2009.11.22 -
    NOD32 4627 2009.11.21 -
    Norman 6.03.02 2009.11.21 -
    nProtect 2009.1.8.0 2009.11.22 -
    Panda 10.0.2.2 2009.11.22 -
    PCTools 7.0.3.5 2009.11.22 -
    Prevx 3.0 2009.11.22 -
    Rising 22.22.06.04 2009.11.22 -
    Sophos 4.47.0 2009.11.22 -
    Sunbelt 3.2.1858.2 2009.11.22 -
    Symantec 1.4.4.12 2009.11.22 -
    TheHacker 6.5.0.2.075 2009.11.20 -
    TrendMicro 9.0.0.1003 2009.11.22 -
    VBA32 3.12.12.0 2009.11.22 -
    ViRobot 2009.11.20.2047 2009.11.20 -
    VirusBuster 5.0.21.0 2009.11.22 -
    Additional information
    File size: 292352 bytes
    MD5 : ce4baa2eabae3385bc7b2d000a58afa9
    SHA1 : 96655ef163ee09b7d59d2d5a9f39be74a89dff4a
    SHA256: a04653f2bfaca87f94d7ab709f67d5aa8e24fbdfbf00a143ff2a838f5e1cc9a8
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0xB2BE0
    timedatestamp.....: 0x4B07CC3D (Sat Nov 21 12:17:17 2009)
    machinetype.......: 0x14C (Intel I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    UPX0 0x1000 0x6C000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    UPX1 0x6D000 0x46000 0x45E00 7.93 4bcd84d56f9d623bf7353eb635a63fe4
    .rsrc 0xB3000 0x2000 0x1400 3.39 e2387c4d064e7459c7ca637abd882dd5

    ( 1 imports )

    > kernel32.dll: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess

    ( 0 exports )
    TrID : File type identification
    UPX compressed Win32 Executable (39.5%)
    Win32 EXE Yoda's Crypter (34.3%)
    Win32 Executable Generic (11.0%)
    Win32 Dynamic Link Library (generic) (9.8%)
    Generic Win/DOS Executable (2.5%)
    ssdeep: 6144:zYHJF/CmFRaakGM6iRuKlJ9iQqBk+/KMFyTMZncru6q0:UpUdaDM17iQqBr/KMcTwcy6q
    PEiD : -
    packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch
    packers (F-Prot): UPX
    RDS : NSRL Reference Data Set
    -
    IndiGenus
    Arghh my bad. Forgot we ran GMER and that was the randomly named executable. Obviously nothing wrong with it....

    QUOTE
    The last place my wife went was to Lisa Hartman's official web site and clicked on a Youtube link to play a concert video - then all hell broke loose.

    Ahh the blond vixen strikes again. I always hated Knots Landing.

    Let's continue......

    1. Open Notepad

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    CODE
    File::
    c:\windows\system32\AVR10.exe

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    5. After reboot, (in case it asks to reboot), please post the log into your next reply.

    Also, see if you can run DDS and MalwareBytes again. Should be able to now. Post both of those logs.
    durnik56
    Dave,

    I also notice something else. In my toolbar (bottom right of taskbar) I see what looks like a red shield with an X in it. If I mouse over it, it says Windows Security Alert. If I rmb it, it gives me 2 choices - Open Security Center or Go to Microsoft Security Web Site. I did not install this - is it an artifact of the virus? Do I need to disable this?
    durnik56
    Per your last instructions, here's the ComboFix log. I am also trying the MalwareBytes and DDS - will post from those.

    ComboFix 09-11-22.04 - Mom_&_Dad 11/22/2009 22:50.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1262 [GMT -5:00]
    Running from: c:\documents and settings\Mom_&_Dad\Desktop\Combo-Fix.exe
    Command switches used :: c:\documents and settings\Mom_&_Dad\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

    FILE ::
    "c:\windows\system32\AVR10.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\AVR10.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
    .

    2009-11-23 02:35 . 2009-11-23 02:35 -------- d-----w- c:\windows\LastGood
    2009-11-22 23:38 . 2009-11-22 23:34 292352 ----a-w- C:\sucozc20.exe
    2009-11-18 02:50 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-18 02:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-18 00:57 . 2009-11-18 00:57 -------- d-----w- c:\documents and settings\Mom_&_Dad\Application Data\Malwarebytes
    2009-11-18 00:57 . 2009-11-18 02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-18 00:57 . 2009-11-18 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-11-12 08:00 . 2009-04-17 09:58 1846656 ----a-w- c:\windows\system32\win32k.sys
    2009-11-04 22:47 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2009-11-04 22:47 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2009-11-04 22:47 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2009-11-04 22:47 . 2009-11-04 22:47 -------- d-----w- c:\program files\Avira
    2009-11-04 22:47 . 2009-11-04 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2009-11-01 16:23 . 2009-11-01 16:23 -------- d-----w- c:\program files\Cox
    2009-10-31 19:25 . 2009-10-31 19:25 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-10-31 13:19 . 2009-10-31 13:19 -------- d-----w- c:\documents and settings\Mom_&_Dad\Application Data\Webroot
    2009-10-31 13:19 . 2009-10-31 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
    2009-10-31 13:19 . 2009-10-31 13:19 -------- d-----w- c:\program files\Webroot
    2009-10-31 13:19 . 2009-10-31 13:19 164 ----a-w- c:\windows\install.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-22 23:26 . 2006-12-03 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-11-14 00:10 . 2008-08-28 23:19 -------- d-----w- c:\program files\Spyware Doctor
    2009-11-14 00:10 . 2008-08-28 23:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-11-13 23:40 . 2006-12-26 05:14 279 ---h--w- c:\windows\popcinfo.dat
    2009-11-13 16:16 . 2008-11-09 18:19 797 ---h--w- c:\windows\popcreg.dat
    2009-11-13 16:16 . 2008-11-08 17:50 293 ----a-w- c:\windows\popcinfot.dat
    2009-11-01 16:19 . 2006-11-21 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2009-11-01 16:18 . 2009-10-01 23:49 -------- d-----w- c:\documents and settings\Mom_&_Dad\Application Data\Move Networks
    2009-10-31 19:21 . 2008-03-28 23:03 -------- d-----w- c:\program files\Common Files\Adobe
    2009-10-31 13:21 . 2009-10-10 16:30 -------- d-----w- c:\documents and settings\Mom_&_Dad\Application Data\Skype
    2009-10-31 12:06 . 2009-10-10 16:30 -------- d-----w- c:\documents and settings\Mom_&_Dad\Application Data\skypePM
    2009-10-28 01:03 . 2009-09-08 02:34 1614760 ----a-w- c:\documents and settings\All Users\Application Data\WildTangent\Dell Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
    2009-10-13 21:38 . 2009-08-18 20:27 -------- d-----w- c:\documents and settings\Mom_&_Dad\Application Data\HpUpdate
    2009-10-10 16:30 . 2009-10-10 16:30 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2009-10-10 16:30 . 2009-10-10 16:30 -------- d-----r- c:\program files\Skype
    2009-10-10 16:30 . 2009-10-10 16:30 -------- d-----w- c:\program files\Common Files\Skype
    2009-10-10 16:30 . 2009-10-10 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2009-09-28 03:41 . 2006-12-05 23:40 -------- d-----w- c:\program files\PopCap Games
    2009-09-11 14:03 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-04 20:45 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-01 06:28 . 2009-05-25 02:13 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2009-08-29 07:36 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll
    2009-08-29 07:36 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-08-29 07:36 . 2004-08-11 22:00 17408 ------w- c:\windows\system32\corpol.dll
    2009-08-28 21:36 . 2009-08-28 21:36 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
    2009-08-27 06:28 . 2009-01-13 14:44 14561504 ----a-w- c:\documents and settings\All Users\Application Data\WildTangent\Dell Game Console\Downloads\Installers\SetupGamesClient.exe
    2009-08-26 08:16 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
    2007-07-19 21:00 . 2007-07-19 21:00 774144 ----a-w- c:\program files\RngInterstitial.dll
    2007-05-09 11:42 . 2006-12-12 12:12 88 --sh--r- c:\windows\system32\81D780132E.sys
    2007-05-09 11:42 . 2006-12-12 12:12 4076 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-11-23_02.31.59 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-11-11 13:23 . 2009-08-14 15:25 30208 c:\windows\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\update\w32ksign.dll
    - 2009-11-11 13:23 . 2008-07-08 13:02 26488 c:\windows\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\update\spcustom.dll
    - 2009-11-11 13:23 . 2008-07-08 13:02 17272 c:\windows\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\spmsg.dll
    - 2009-11-11 13:23 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\update\updspapi.dll
    - 2009-11-11 13:23 . 2009-05-26 11:40 755576 c:\windows\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\update\update.exe
    - 2009-11-11 13:23 . 2008-07-08 13:02 231288 c:\windows\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\spuninst.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
    @="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
    [HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
    2008-10-08 21:44 495616 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientMenu.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon2]
    @="{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}"
    [HKEY_CLASSES_ROOT\CLSID\{E30CEB29-7F47-4d0e-B2E1-56A7FC25E97D}]
    2008-10-08 21:44 491520 ----a-w- c:\program files\Cox\Media Store and Share Backup Manager\VaultClientIcon.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector" [X]
    "OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-12 176201]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-12 68856]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
    "pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-02 198160]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "TrayStartup"="c:\program files\Cox\Media Store and Share Backup Manager\VaultClientTray.exe" [2008-10-08 293328]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-2-10 389120]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Trend Micro\\Internet Security 12\\TmPfw.exe"=
    "c:\\Program Files\\iPod\\bin\\iPodService.exe"=

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/24/2009 9:13 PM 206256]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/4/2009 5:47 PM 108289]
    R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 9:47 AM 205328]
    R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 9:47 AM 290889]
    R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 9:47 AM 585792]
    R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 9:47 AM 36368]
    R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 9:47 AM 262215]
    R2 VaultClientSRV;Media Store and Share Backup Manager Service;c:\program files\Cox\Media Store and Share Backup Manager\VaultClientSRV.exe [10/8/2008 4:45 PM 981456]
    R2 VaultClientUpgrade;Backup Manager Upgrade Service;c:\program files\Cox\Media Store and Share Backup Manager\VaultClientUpgrade.exe [10/8/2008 4:45 PM 55760]
    S2 gupdate1c965fa76bde79a;Google Update Service (gupdate1c965fa76bde79a);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2008 2:04 PM 133104]
    S3 PAC7302;PC VGA Camer@ Plus;c:\windows\system32\drivers\PAC7302.SYS [6/14/2007 6:34 PM 457856]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2009-11-23 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-03 06:44]

    2009-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 04:19]

    2009-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 04:19]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://rhodeisland.cox.net/cci/home
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    FF - ProfilePath - c:\documents and settings\Mom_&_Dad\Application Data\Mozilla\Firefox\Profiles\g294ruis.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - AIM Search
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
    FF - component: c:\documents and settings\Mom_&_Dad\Application Data\Mozilla\Firefox\Profiles\g294ruis.default\extensions\fotofox@mozilla.com\platform\WINNT_x86-msvc\components\mozFotofox.dll
    FF - component: c:\documents and settings\Mom_&_Dad\Application Data\Mozilla\Firefox\Profiles\g294ruis.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - plugin: c:\documents and settings\Mom_&_Dad\Application Data\Mozilla\Firefox\Profiles\g294ruis.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
    FF - plugin: c:\documents and settings\Mom_&_Dad\Application Data\Mozilla\plugins\npcoolirisplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
    FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-22 22:54
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-11-22 22:55
    ComboFix-quarantined-files.txt 2009-11-23 03:55
    ComboFix2.txt 2009-11-23 02:38

    Pre-Run: 596,679,450,624 bytes free
    Post-Run: 596,643,794,944 bytes free

    - - End Of File - - 20C9E2D0FC3846C29A5795D4811DE759

    IndiGenus
    QUOTE (durnik56 @ Nov 22 2009, 10:46 PM) *
    Dave,

    I also noticed something else. In my toolbar (bottom right of the taskbar) I see what looks like a red shield with an X in it. If I mouse over it, it says Windows Security Alert. If I rmb it, it gives me 2 choices - Open Security Center or Go to Microsoft Security Web Site. I did not install this - is it an artifact of the virus? Do I need to disable this?

    It's part of Windows. It is alerting you that you have the notifications turned off. That was probably done by the malware, but now that the malware is mainly gone it's showing. MBAM should take care of it.

    You do need to decide on an Antivirus. Either Trend Micro or Avira is fine, but just one. I assume you paid for TM and it includes a firewall, so you probably want to stay with that as long as you can get updated definitions.
    durnik56
    I also had Spyware Doctor but it looks like the malware removed the pctsGui.exe file from the install so it doesn't run. My Trend Micro will be expiring and I have to decide whether this is the one I want. I can get McAfee free from Cox as I am a subscriber. Which would be your choice - McAfee, Trend, Spyware Doctor, or Avira?
    IndiGenus
    QUOTE (durnik56 @ Nov 22 2009, 11:20 PM) *
    I also had Spyware Doctor but it looks like the malware removed the pctsGui.exe file from the install so it doesn't run. My Trend Micro will be expiring and I have to decide whether this is the one I want. I can get McAfee free from Cox as I am a subscriber. Which would be your choice - McAfee, Trend, Spyware Doctor, or Avira?

    Well, it depends....

    First, Spyware Doctor is not really part of the conversation, as it's not an Antivirus. It can be used in addition to the AV and Firewall.

    Second, I prefer the "roll my own" approach to security. That would be Avira (or one of the other free AVs), with an additional free firewall, then a few other free programs to supplement. I'll give you the whole shebang at the end. But if you prefer to have it all in one package (like McAfee or TM) and not have to worry about managing several security apps, then the "suite" approach is the way to go. So, again, it's up to you. There is no one security app that will stop everything. One saying I use: if you ask 10 security experts what the best software is, you'll get 20 different answers.

    A layered approach is the best way to go in my opinion. That's another reason I prefer the "make my own" suite.
    durnik56
    Here's the MalwareBytes log - do I delete the selected items (I assume so)?

    Malwarebytes' Anti-Malware 1.41
    Database version: 3216
    Windows 5.1.2600 Service Pack 2

    11/22/2009 11:53:06 PM
    mbam-log-2009-11-22 (23-52-51).txt

    Scan type: Full Scan (C:\|K:\|)
    Objects scanned: 245239
    Time elapsed: 44 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd4f7a6d-0107-4bdf-b72b-021b717b06ce} (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Qoobox\Quarantine\C\Program Files\AdvancedVirusRemover\AVR.exe.vir (Rogue.Installer) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir (Trojan.Inject) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\AVR10.exe.vir (Rogue.Installer) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\bukesopi.dll.vir (Trojan.Vundo) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\daqdrv.sys.vir (Backdoor.Bot) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\fe849ad7v.dll.vir (Trojan.Downloader) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\mimadove.dll.vir (Trojan.Vundo) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\tajelavo.dll.vir (Trojan.Vundo) -> No action taken.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate86.exe.vir (Trojan.FakeAlert) -> No action taken.
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000025.exe (Rogue.Installer) -> No action taken.

    durnik56
    DDS log


    DDS (Ver_09-11-23.01) - FAT32x86
    Run by Mom_&_Dad at 23:57:58.92 on Sun 11/22/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1289 [GMT -5:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\PixArt\PAC7302\Monitor.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\Program Files\Cox\Media Store and Share Backup Manager\VaultClientUpgrade.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    K:\rtd.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://rhodeisland.cox.net/cci/home
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
    uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector
    uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
    mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
    mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [TrayStartup] c:\program files\cox\media store and share backup manager\VaultClientTray.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172237870781
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://meetings.webex.com/client/T26L10NSP49/webex/ieatgpc.cab
    DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.ptc.com/dana-cached/setup/JuniperSetup.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\mom_&_~1\applic~1\mozilla\firefox\profiles\g294ruis.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - AIM Search
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
    FF - component: c:\documents and settings\mom_&_dad\application data\mozilla\firefox\profiles\g294ruis.default\extensions\fotofox@mozilla.com\platform\winnt_x86-msvc\components\mozFotofox.dll
    FF - component: c:\documents and settings\mom_&_dad\application data\mozilla\firefox\profiles\g294ruis.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - plugin: c:\documents and settings\mom_&_dad\application data\mozilla\firefox\profiles\g294ruis.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
    FF - plugin: c:\documents and settings\mom_&_dad\application data\mozilla\plugins\npcoolirisplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
    FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-24 206256]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-4 108289]
    R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
    R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
    R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
    R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
    R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
    R2 VaultClientUpgrade;Backup Manager Upgrade Service;c:\program files\cox\media store and share backup manager\VaultClientUpgrade.exe [2008-10-8 55760]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-22 38224]
    S2 gupdate1c965fa76bde79a;Google Update Service (gupdate1c965fa76bde79a);c:\program files\google\update\GoogleUpdate.exe [2008-12-24 133104]
    S2 VaultClientSRV;Media Store and Share Backup Manager Service;c:\program files\cox\media store and share backup manager\VaultClientSRV.exe [2008-10-8 981456]
    S3 PAC7302;PC VGA Camer@ Plus;c:\windows\system32\drivers\PAC7302.SYS [2007-6-14 457856]

    =============== Created Last 30 ================

    2009-11-23 04:05:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-23 04:05:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-23 02:15:26 0 d-sha-r- C:\cmdcons
    2009-11-23 02:13:57 98816 ----a-w- c:\windows\sed.exe
    2009-11-23 02:13:57 77312 ----a-w- c:\windows\MBR.exe
    2009-11-23 02:13:57 260608 ----a-w- c:\windows\PEV.exe
    2009-11-23 02:13:57 161792 ----a-w- c:\windows\SWREG.exe
    2009-11-22 23:38:59 292352 ----a-w- C:\sucozc20.exe
    2009-11-18 00:57:49 0 d-----w- c:\docume~1\mom_&_~1\applic~1\Malwarebytes
    2009-11-18 00:57:42 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-18 00:57:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-11-13 23:21:54 3248 ----a-w- c:\windows\system32\wbem\Outlook_01ca64b8166e37c4.mof
    2009-11-12 08:00:45 1846656 ----a-w- c:\windows\system32\win32k.sys
    2009-11-04 22:47:38 0 d-----w- c:\program files\Avira
    2009-11-04 22:47:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2009-11-01 16:23:30 0 d-----w- c:\program files\Cox
    2009-10-31 19:25:36 0 d-----w- c:\windows\system32\wbem\Repository
    2009-10-31 13:19:26 0 d-----w- c:\docume~1\mom_&_~1\applic~1\Webroot
    2009-10-31 13:19:25 0 d-----w- c:\program files\Webroot
    2009-10-31 13:19:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Webroot
    2009-10-31 13:19:19 164 ----a-w- c:\windows\install.dat

    ==================== Find3M ====================

    2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
    2009-09-11 14:03:37 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-11 14:03:37 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
    2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 20:45:26 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
    2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
    2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
    2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
    2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
    2009-08-26 08:16:37 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
    2007-07-19 21:00:22 774144 ----a-w- c:\program files\RngInterstitial.dll
    2007-05-09 11:42:10 88 --sh--r- c:\windows\system32\81D780132E.sys
    2007-05-09 11:42:43 4076 --sha-w- c:\windows\system32\KGyGaAvL.sys

    ============= FINISH: 23:58:27.23 ===============
    IndiGenus
    Yes, you can have MalwareBytes take care of those items. Most are already quarantined by combofix so we could uninstall combofix first, which will remove those, then you can run MBAM again and have it fix everything.

    How's it running?

    Uninstall Combofix
    • Click START then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the /U; it needs to be there.

    The above procedure will:
    • Delete the following: ComboFix and its associated files and folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.


    ~~~~~~~~~~~~~~~~~~~~~

    Let's run an online scan too.

    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Please do a scan with Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    • Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
      * Click on: Save Report As
      * Next, in the Save as prompt, Save in area, select: Desktop
      * In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
      * Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

    (Note for Internet Explorer 7 users: if at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419

    In your next reply post:
    Kaspersky log
    durnik56
    Computer is running well. Uninstalled ComboFix and running Kaspersky. I will let it run and update you later in the morning. It's 1:00 AM here and I have to call it a night to be able to get up for work. Talk to you later.
    durnik56
    Dave,

    I left Kaspersky running last night but when I woke up this morning the computer had gone into hibernate mode and interrupted it (I didn't think to disable my hibernate - duh). When I try to relog into Kaspersky site and run the scan again it fails to finish the database update - it tells me it keeps getting interrupted but I have disabled all antivirus scans. Any ideas?
    IndiGenus
    Rather than spend a lot of time trying to figure out what happened or what is happening we can just run another scanner.

    Eset Online Scanner
    Run with Internet Explorer
    • Place a check mark in the box YES, I accept the Terms Of Use
    • Click the Start button.
    • Now click the Install button, or click the notification bar at the top of the window and choose to install.
    • Click Start. The scanner engine will initialize and update.
    • Do Not place a check mark in the box beside Remove found threats.
    • Click the Scan button. The scan will now run, please be patient.
    • When the scan finishes click the Details tab.
    • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
    durnik56
    Dave,

    Got Kaspersky to run in IE instead of Firefox. What's next?
    Results are:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Monday, November 23, 2009
    Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Monday, November 23, 2009 13:41:52
    Records in database: 3280468
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\

    Scan statistics:
    Objects scanned: 136100
    Threats found: 2
    Infected objects found: 6
    Suspicious objects found: 1
    Scan duration: 01:26:14


    File name / Threat / Threats count
    C:\Documents and Settings\Mom_&_Dad\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\13.tmp Infected: Trojan.HTML.Fraud.b 1
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\15.tmp Infected: Trojan.HTML.Fraud.b 1
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\41.tmp Infected: Trojan.HTML.Fraud.b 1
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\42.tmp Infected: Trojan.HTML.Fraud.b 1
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\8.tmp Infected: Trojan.HTML.Fraud.b 1
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\E.tmp Infected: Trojan.HTML.Fraud.b 1

    Selected area has been scanned.
    durnik56
    Got Kaspersky running this morning on IE. Finished just now. What's next?

    IndiGenus
    I think we're pretty much all set then. You can remove any of the other tools we have used, such as GMER and DDS.

    Download Security Check by screen317 from here or here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    durnik56
    Here's the latest from SecurityCheck:

    Results of screen317's Security Check version 0.99.0
    ECHO is off.
    Error creating install.txt after 3 tries! Trying alternate method...
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Antivirus up to date! (On Access scanning disabled!)
    ``````````````````````````````
    Anti-malware/Other Utilities Check:

    ``````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ``````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    `````````End of Log```````````
    durnik56
    If we've cleaned everything then at this point I'd like to talk about Best Practices for keeping clean going forward. I would love to have your expert advice on how I can keep this machine as clean as possible.
    durnik56
    Dave,

    Just waiting for your final OK on this and your advice on keeping clean.
    IndiGenus
    QUOTE (durnik56 @ Nov 23 2009, 11:31 AM)
    Antivirus up to date! (On Access scanning disabled!)

    Looks like your AV is turned off? Need to get that turned on asap.


    QUOTE
    If we've cleaned everything then at this point I'd like to talk about Best Practices for keeping clean going forward. I would love to have your expert advice on how I can keep this machine as clean as possible.

    That somewhat depends on what your plans are. Are you going to keep TM? Or go with the McAfee suite? Or do you want to go with individual products? I'll give you my whole set-up for a "roll your own" package.

    Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future. Here is a list of some free and evaluation versions to try:
    Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some free and evaluation versions that provide better security than the Windows Firewall.
    For a tutorial on Firewalls and a listing of some other available ones see the link below:
    Understanding and Using Firewalls

    Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

    Install WinPatrol -
    Use WinPatrol to take control of your PC and provide another layer of security.
    Help file and tutorial can be found Here

    Block unwanted parasites with a custom hosts file -
    http://www.mvps.org/winhelp2002/hosts.htm

    Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

    Keep your applications up to date -
    Use Secunia Personal Software Inspector to help stay on top of application updates that could leave your PC vulnerable to attack.

    I'll leave the thread open a few days in case you have questions or issues.

    Regards,
    Dave
    durnik56
    Thanks Dave,

    If I decide to keep TM (has firewall) then dump Avira correct? Also, I assume that in addition I should get Spywareblaster, Winpatrol and the hosts file - correct?

    I have my Windows Update on automatic with a notice to me to install - always had it.

    IndiGenus
    QUOTE (durnik56 @ Nov 24 2009, 12:50 PM)
    Thanks Dave,

    If I decide to keep TM (has firewall) then dump Avira correct? Also, I assume that in addition I should get Spywareblaster, Winpatrol and the hosts file - correct?

    I have my Windows Update on automatic with a notice to me to install - always had it.

    Yes, if you go with TM then no Avira. Make sure the Windows Firewall is off. TM should take care of that but I always like to make sure so you don't have 2 running.

    The other programs I mention are good additions and use very little to no resources. Good for you on Windows updates and check out Secunia for keeping other programs up to date.

    Take care,
    Dave
    Invision Power Board © 2001-2010 Invision Power Services, Inc.