Trojan.Vundo and more?
Answer: Ok. Please try uninstalling AVG using this removal tool.
Download Security Check by screen317 from one of the following links and save it to your desktop. Link 1 Link 2
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

ComboFix 11-05-26.05 - Rebecca Woods 05/27/2011 12:17:04.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1438 [GMT -5:00]
Running from: c:\documents and settings\Rebecca Woods\Desktop\ComboFix.exe
AV: AVG Anti-Virus *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Online Armor Firewall *Enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
[Remainder of the ComboFix report (files created, Find3M report, registry loading points, firewall policy, services, scheduled tasks, supplementary scan, catchme rootkit scan reporting 0 hidden files, DLLs loaded under running processes) not reproduced here.]
Completion time: 2011-05-27 12:27:58

I would still like to see the Security Check log.

SysProt Antirootkit
Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).
http://sites.google.com/site/sysprotantirootkit/
Unzip it into a folder on your desktop.
Results of screen317's Security Check version 0.99.12
Windows XP Service Pack 3
Internet Explorer 8
Antivirus/Firewall Check:
Windows Firewall Disabled!
Online Armor 5.0
Microsoft Security Essentials
Antivirus out of date! (On Access scanning disabled!)
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 25
Adobe Flash Player
Adobe Reader 9.4.2
Out of date Adobe Reader installed!
Process Check: objlist.exe by Laurent
Windows Defender MSMpEng.exe
Tall Emu Online Armor OAhlp.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
End of Log

Thanks. Your Microsoft Security Essentials is out-of-date. Please update it.
Please download the newest version of Adobe Acrobat Reader from Adobe.com. Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable. Go to the Control Panel and enter Add or Remove Programs. Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them. Once old versions are gone, please install the newest version.

As soon as I started to run the SysProt program I got the lovely blue screen that said Windows encountered a problem and was shutting down. Now my computer won't load past the desktop background.
Rebecca

Quote: Now my computer won't load past the desktop background.
Once you get to the desktop, it's loaded. Do you mean you can't open anything? Can you give me a screenshot? How to post screenshots or images

No desktop icons, no start menu. Just the background, nothing on it, with the mouse arrow frozen.
Rebecca

Please see if you can re-boot in Safe Mode. If you can, please try System Restore to a date before you tried SysProt.

It looks like everything is restored. I updated MS Essentials and Adobe Reader.
Rebecca