Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HJT Log help needed

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

HJT Log help needed

Unread postby AndyB » May 27th, 2010, 2:39 am

Hello everyone,

Was wondering if someone could help read this log and make recommendations from a HighJackThis scan. My services.msc is being changed on each reboot and url's are redirecting to spyware ad sites. Any help is much appreciated. Thanks :blackeye:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:16 PM, on 5/26/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

--
End of file - 1756 bytes
AndyB
Active Member
 
Posts: 10
Joined: May 27th, 2010, 2:22 am
Advertisement
Register to Remove

Re: HJT Log help needed

Unread postby km2357 » May 27th, 2010, 2:38 pm

Hello and welcome to Malware Removal.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


Step # 1 Download and run DDS

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Step # 2: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: HJT Log help needed

Unread postby AndyB » May 27th, 2010, 10:21 pm

Hello km2357,

Here is the information as requested. I should also note that gmer utility had only C: checked so I just scanned C drive. But in case it is important, I have the drive partitioned and when I ran a previous malware scanner, before coming here, it found something on the F: drive. Again, I just wanted to bring it up in case it is important. The gmer log below contains only C: scan.

Thanks

Here's the Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/25/2006 9:40:16 PM
System Uptime: 5/27/2010 6:20:25 PM (0 hours ago)

Motherboard: Dell Inc. | | 0X8582
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 119 GiB total, 106.291 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 30 GiB total, 19.149 GiB free.
G: is FIXED (NTFS) - 298 GiB total, 245.665 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) 537EP V9x DF PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&5855BE9&0&28F0
Manufacturer: Intel Corporation
Name: Intel(R) 537EP V9x DF PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&5855BE9&0&28F0
Service: Modem

==== System Restore Points ===================

RP244: 3/4/2010 10:29:02 AM - System Checkpoint
RP245: 3/6/2010 4:12:28 AM - System Checkpoint
RP246: 3/7/2010 7:22:18 AM - System Checkpoint
RP247: 3/14/2010 1:26:14 AM - System Checkpoint
RP248: 3/15/2010 9:51:21 AM - System Checkpoint
RP249: 3/20/2010 11:41:52 AM - System Checkpoint
RP250: 3/26/2010 10:21:52 PM - System Checkpoint
RP251: 3/28/2010 10:11:03 AM - System Checkpoint
RP252: 3/29/2010 10:21:10 AM - System Checkpoint
RP253: 3/31/2010 7:25:38 AM - System Checkpoint
RP254: 4/1/2010 7:36:08 AM - System Checkpoint
RP255: 4/2/2010 9:10:03 AM - System Checkpoint
RP256: 4/3/2010 9:29:09 AM - System Checkpoint
RP257: 4/4/2010 10:46:38 AM - System Checkpoint
RP258: 4/6/2010 7:37:40 AM - System Checkpoint
RP259: 4/7/2010 8:57:11 AM - System Checkpoint
RP260: 4/8/2010 11:58:35 AM - System Checkpoint
RP261: 4/10/2010 8:12:56 AM - System Checkpoint
RP262: 4/11/2010 10:29:18 AM - System Checkpoint
RP263: 4/12/2010 11:02:28 AM - System Checkpoint
RP264: 4/14/2010 8:10:44 AM - System Checkpoint
RP265: 4/15/2010 8:17:14 AM - System Checkpoint
RP266: 4/16/2010 8:23:08 AM - System Checkpoint
RP267: 4/17/2010 8:31:18 AM - System Checkpoint
RP268: 4/18/2010 9:08:28 AM - System Checkpoint
RP269: 4/19/2010 9:21:30 AM - System Checkpoint
RP270: 4/20/2010 9:32:49 AM - System Checkpoint
RP271: 4/21/2010 9:51:09 AM - System Checkpoint
RP272: 4/23/2010 7:11:59 AM - System Checkpoint
RP273: 4/24/2010 7:59:11 AM - System Checkpoint
RP274: 4/25/2010 8:00:29 AM - System Checkpoint
RP275: 4/27/2010 7:59:25 AM - System Checkpoint
RP276: 4/28/2010 10:15:13 AM - System Checkpoint
RP277: 5/1/2010 12:52:01 AM - System Checkpoint
RP278: 5/2/2010 7:56:56 AM - System Checkpoint
RP279: 5/3/2010 10:20:37 AM - System Checkpoint
RP280: 5/5/2010 8:33:43 AM - System Checkpoint
RP281: 5/9/2010 8:04:02 AM - System Checkpoint
RP282: 5/10/2010 8:11:10 AM - System Checkpoint
RP283: 5/12/2010 10:02:23 AM - System Checkpoint
RP284: 5/16/2010 9:11:56 AM - System Checkpoint
RP285: 5/17/2010 10:05:39 AM - System Checkpoint
RP286: 5/19/2010 8:03:07 AM - System Checkpoint
RP287: 5/21/2010 8:25:40 AM - System Checkpoint
RP288: 5/23/2010 6:18:51 AM - System Checkpoint
RP289: 5/24/2010 6:41:55 AM - System Checkpoint
RP290: 5/24/2010 10:47:08 AM - Installed D-Link Wireless N DWA-130
RP291: 5/24/2010 10:47:15 AM - Installed ANIO Service
RP292: 5/24/2010 10:47:28 AM - Installed ANIWZCS2 Service
RP293: 5/25/2010 8:54:05 PM - Restore Operation
RP294: 5/25/2010 9:47:31 PM - Installed D-Link Wireless N DWA-130
RP295: 5/25/2010 9:47:37 PM - Installed ANIO Service
RP296: 5/25/2010 9:47:50 PM - Installed ANIWZCS2 Service
RP297: 5/25/2010 11:00:38 PM - Removed ANIWZCS2 Service
RP298: 5/25/2010 11:00:55 PM - Removed ANIO Service
RP299: 5/25/2010 11:01:06 PM - Removed D-Link Wireless N DWA-130
RP300: 5/25/2010 11:06:00 PM - Installed D-Link Wireless N DWA-130
RP301: 5/25/2010 11:06:09 PM - Installed ANIO Service
RP302: 5/25/2010 11:06:23 PM - Installed ANIWZCS2 Service
RP303: 5/25/2010 11:12:05 PM - Restore Operation
RP304: 5/25/2010 11:41:36 PM - Installed AVG 9.0
RP305: 5/26/2010 7:14:27 PM - Installed D-Link Wireless N DWA-130
RP306: 5/26/2010 7:14:55 PM - Installed ANIWZCS2 Service
RP307: 5/26/2010 7:19:49 PM - Removed AVG 9.0
RP308: 5/26/2010 7:20:50 PM - Installed AVG 9.0
RP309: 5/26/2010 7:27:42 PM - Removed ANIWZCS2 Service
RP310: 5/26/2010 7:28:00 PM - Removed ANIO Service
RP311: 5/26/2010 7:28:12 PM - Removed D-Link Wireless N DWA-130
RP312: 5/26/2010 10:37:27 PM - avast! Free Antivirus Setup

==== Installed Programs ======================

Apple Software Update
ATI Display Driver
avast! Free Antivirus
Comcast High-Speed Internet Install Wizard
D-Link Wireless N DWA-130
Digidesign Pro Tools® LE 6.9
Digidesign Shared Plug-Ins
Eqium Demo
Firium Demo
HijackThis 2.0.2
IK Digidesign Bundle
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Connections Drivers
iZotope Trash 1.06
Live Digidesign Edition 2.1
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.3)
Neodynium Demo
Nero 7 Ultra Edition
PACE System Files
PartitionMagic
PowerQuest PartitionMagic 8.0
QuickTime
Reason 4.0.1
Reason Adapted for Digidesign 2.5
Switch Sound File Converter
Synful Orchestra DXi/VSTi v2.0
Update for Windows XP (KB911164)
Waves Diamond Bundle v5.0
WebFldrs XP

==== Event Viewer Messages From Past Week ========

5/26/2010 7:50:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Wireless Zero Configuration service to connect.
5/26/2010 7:50:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
5/26/2010 7:50:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Task Scheduler service to connect.
5/26/2010 7:50:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Shell Hardware Detection service to connect.
5/26/2010 7:50:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the DHCP Client service to connect.
5/26/2010 7:50:36 PM, error: Service Control Manager [7000] - The Wireless Zero Configuration service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/26/2010 7:50:36 PM, error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/26/2010 7:50:36 PM, error: Service Control Manager [7000] - The Task Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/26/2010 7:50:36 PM, error: Service Control Manager [7000] - The DHCP Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/26/2010 7:49:27 PM, error: ipnathlp [31012] - The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Time service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Management Instrumentation service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the System Restore Service service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Server service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Secondary Logon service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Network Connections service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Logical Disk Manager service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Help and Support service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Fast User Switching Compatibility service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Error Reporting Service service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Distributed Link Tracking Client service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the COM+ Event System service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Automatic Updates service to connect.
5/25/2010 8:53:49 PM, error: Service Control Manager [7001] - The Windows Firewall/Internet Connection Sharing (ICS) service depends on the Network Connections service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7001] - The Security Center service depends on the Windows Management Instrumentation service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Windows Time service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The System Restore Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Server service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Network Connections service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Logical Disk Manager service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Help and Support service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Fast User Switching Compatibility service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Distributed Link Tracking Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The COM+ Event System service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:49 PM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 8:53:31 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/25/2010 8:53:28 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/25/2010 11:02:41 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Workstation service to connect.
5/25/2010 11:02:41 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Audio service to connect.
5/25/2010 11:02:41 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Cryptographic Services service to connect.
5/25/2010 11:02:41 PM, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 11:02:41 PM, error: Service Control Manager [7000] - The Workstation service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 11:02:41 PM, error: Service Control Manager [7000] - The Windows Audio service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/25/2010 11:02:41 PM, error: Service Control Manager [7000] - The Cryptographic Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

Here is the DDS text-


DDS (Ver_10-03-17.01) - NTFSx86
Run by Andy at 18:31:30.76 on Thu 05/27/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.735 [GMT -7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Andy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/sh ... wflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andy\applic~1\mozilla\firefox\profiles\fnsulyyz.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-11-26 15872]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-26 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-26 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-26 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-26 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-26 40384]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2006-11-26 74752]
S3 RTL8192u;Realtek RTL8192U Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192u.sys [2010-5-24 439680]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\drivers\tj2knd5.sys [2006-11-25 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\drivers\tj2kunic.sys [2006-11-25 69680]

=============== Created Last 30 ================

2010-05-27 06:17:42 0 d-----w- c:\program files\Trend Micro
2010-05-27 05:37:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-27 03:36:27 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-27 03:36:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-27 02:14:06 0 d-----w- c:\windows\system32\ReinstallBackups
2010-05-26 06:41:59 0 d-----w- c:\program files\AVG
2010-05-26 06:12:24 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-26 06:06:55 3284 ----a-w- c:\windows\system32\ANIWZCS{39A8FA5B-D7AE-4288-A4F4-CEEB59F9321A}
2010-05-26 06:06:43 143360 ----a-w- c:\windows\system32\ANIWConnService(2)(2).exe
2010-05-26 06:06:37 5 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{39A8FA5B-D7AE-4288-A4F4-CEEB59F9321A}
2010-05-26 04:56:35 0 d-----w- c:\program files\Mozilla Firefox(2)
2010-05-26 04:51:00 0 d-s---w- c:\documents and settings\andy\UserData
2010-05-26 04:49:18 3284 ----a-w- c:\windows\system32\ANIWZCS{553FEE6C-F93B-4BCE-9EA8-B46CDCD824F3}
2010-05-26 04:48:05 5 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{553FEE6C-F93B-4BCE-9EA8-B46CDCD824F3}
2010-05-25 16:26:19 7 ----a-w- c:\windows\system32\ANIWZCSUSERNAME
2010-05-24 17:49:07 3284 ----a-w- c:\windows\system32\ANIWZCS{6D27BB31-2114-4C59-A12F-9F046D965A3D}
2010-05-24 17:47:43 5 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{6D27BB31-2114-4C59-A12F-9F046D965A3D}
2010-05-24 17:47:09 200704 ----a-w- c:\windows\system32\ssleay32.dll
2010-05-24 17:47:09 1089536 ----a-w- c:\windows\system32\libeay32.dll
2010-05-24 17:46:37 439680 ----a-w- c:\windows\system32\drivers\RTL8192u.sys
2010-05-24 17:46:37 0 d-----w- c:\program files\D-Link

==================== Find3M ====================

2010-03-27 06:48:45 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-03-27 06:48:45 233472 ----a-w- c:\windows\system32\REX Shared Library.dll

============= FINISH: 18:31:59.46 ===============

Here is the gmer scan log -

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-27 18:56:27
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Andy\LOCALS~1\Temp\pwlcqpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwClose [0xEF959C7A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwCreateKey [0xEF959B36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDeleteKey [0xEF95A0EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDeleteValueKey [0xEF95A014]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDuplicateObject [0xEF95970C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenKey [0xEF959C10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenProcess [0xEF95964C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenThread [0xEF9596B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwQueryValueKey [0xEF959D30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwRenameKey [0xEF95A1B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwRestoreKey [0xEF959CF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwSetValueKey [0xEF959E70]

Code \SystemRoot\System32\Drivers\aswSP.SYS ZwCreateProcessEx [0xEF966AC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS ZwCreateSection [0xEF9668EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS ZwLoadDriver [0xEF966A24]
Code \SystemRoot\System32\Drivers\aswSP.SYS NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C30 80503830 4 Bytes JMP 54EF95A0
PAGE ntkrnlpa.exe!ZwLoadDriver 80582DFE 7 Bytes JMP EF966A28 \SystemRoot\System32\Drivers\aswSP.SYS
PAGE ntkrnlpa.exe!NtCreateSection 805A9DEE 7 Bytes JMP EF9668EE \SystemRoot\System32\Drivers\aswSP.SYS
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BAEDA 5 Bytes JMP EF962536 \SystemRoot\System32\Drivers\aswSP.SYS
PAGE ntkrnlpa.exe!ObInsertObject 805C1810 5 Bytes JMP EF963EC2 \SystemRoot\System32\Drivers\aswSP.SYS
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CF966 7 Bytes JMP EF966ACA \SystemRoot\System32\Drivers\aswSP.SYS
? System32\Drivers\aswTdi.SYS The system cannot find the path specified. !
? System32\Drivers\aswSP.SYS The system cannot find the path specified. !
? System32\Drivers\Aavmker4.SYS The system cannot find the path specified. !
? System32\Drivers\aswFsBlk.SYS The system cannot find the path specified. !
? System32\Drivers\aswMon2.SYS The system cannot find the path specified. !
? System32\Drivers\aswRdr.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[488] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00A6000A
.text C:\WINDOWS\System32\svchost.exe[488] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00A7000A
.text C:\WINDOWS\System32\svchost.exe[488] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00A5000C
.text C:\WINDOWS\System32\svchost.exe[488] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 01DF000A
.text C:\WINDOWS\System32\svchost.exe[488] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 01AD000A
.text C:\WINDOWS\Explorer.EXE[1504] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00AE000A
.text C:\WINDOWS\Explorer.EXE[1504] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00AF000A
.text C:\WINDOWS\Explorer.EXE[1504] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00A0000C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS
AttachedDevice \FileSystem\Fastfat \Fat DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS

---- EOF - GMER 1.0.15 ----
AndyB
Active Member
 
Posts: 10
Joined: May 27th, 2010, 2:22 am

Re: HJT Log help needed

Unread postby km2357 » May 28th, 2010, 3:00 pm

I have the drive partitioned and when I ran a previous malware scanner, before coming here, it found something on the F: drive.


Do you remember what was found on the F: drive?


Please do the following:
  • Download a diagnostic tool (MGADiag.exe) from >here< and save this to your Desktop.
  • Double-click on MGADiag.exe.
  • When the program has finished, click on the Validation tab and then click on Copy to Clipboard
  • Please post the results in your next reply.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: HJT Log help needed

Unread postby AndyB » May 28th, 2010, 10:36 pm

I don't remember what was found exactly, but if I remember correctly it was located in a restore file. I'm not sure why there was a restore file on the partitioned drive f:


There was no tab that said validation, but below is a copy of what was on the windows tab from MGAdiag.exe

Is this what you needed?


Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-Y7WRH-QJHX7-8HHRW
Windows Product Key Hash: xL9xT6yzhWMVRumaaNfEGU80JWw=
Windows Product ID: 76487-017-9561392-22278
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 5.1.2600.2.00010100.2.0.pro
ID: {3ED581FE-87E5-4101-AB8C-0FFFAB3FF690}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{3ED581FE-87E5-4101-AB8C-0FFFAB3FF690}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-8HHRW</PKey><PID>76487-017-9561392-22278</PID><PIDType>5</PIDType><SID>S-1-5-21-776561741-1960408961-839522115</SID><SYSTEM><Manufacturer>Dell Inc. </Manufacturer><Model>Dimension 9100 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc. </Manufacturer><Version>A01</Version><SMBIOSVersion major="2" minor="3"/><Date>20050525000000.000000+000</Date></BIOS><HWID>778938870184606D</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1ABBD:Dell Inc|1ABBD:Microsoft Corporation
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A
AndyB
Active Member
 
Posts: 10
Joined: May 27th, 2010, 2:22 am

Re: HJT Log help needed

Unread postby km2357 » May 29th, 2010, 1:25 pm

I need to check on something, I'll be back ASAP. :)
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: HJT Log help needed

Unread postby AndyB » May 29th, 2010, 2:21 pm

Ok. I appreciate you looking into this and helping.
AndyB
Active Member
 
Posts: 10
Joined: May 27th, 2010, 2:22 am

Re: HJT Log help needed

Unread postby km2357 » May 30th, 2010, 1:29 pm

Is there any reason why you have not Validated Windows yet?

  • Please visit This website using Internet Explorer.
  • Follow the instructions to Validate Windows, then run MGADiag.exe again and post the new log in your next reply.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: HJT Log help needed

Unread postby AndyB » May 30th, 2010, 11:19 pm

No reason. Just never got around to it. It is a student purchase version of XP. It should be valid now.

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-Y7WRH-QJHX7-8HHRW
Windows Product Key Hash: xL9xT6yzhWMVRumaaNfEGU80JWw=
Windows Product ID: 76487-017-9561392-22278
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 5.1.2600.2.00010100.2.0.pro
ID: {3ED581FE-87E5-4101-AB8C-0FFFAB3FF690}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{3ED581FE-87E5-4101-AB8C-0FFFAB3FF690}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-8HHRW</PKey><PID>76487-017-9561392-22278</PID><PIDType>5</PIDType><SID>S-1-5-21-776561741-1960408961-839522115</SID><SYSTEM><Manufacturer>Dell Inc. </Manufacturer><Model>Dimension 9100 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc. </Manufacturer><Version>A01</Version><SMBIOSVersion major="2" minor="3"/><Date>20050525000000.000000+000</Date></BIOS><HWID>778938870184606D</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1ABBD:Dell Inc|1ABBD:Microsoft Corporation
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A
AndyB
Active Member
 
Posts: 10
Joined: May 27th, 2010, 2:22 am

Re: HJT Log help needed

Unread postby km2357 » May 30th, 2010, 11:42 pm

The MGAdiag log looks good. :)

You're extremly lacking in Windows Updates, plus you're not running the latest version of XP, SP3. Once we're done cleaning your computer, you'll need to update your computer from SP2 to SP3, plus visit Windows Update.

Let's continue. :)


Please disable avast! Antivirus as it may interfere with the fixes. Remember to re-enable it back before posting the logs.

* Right click on avast! Antivirus icon near the clock and select Stop On-Access Protection.
* Right click on this icon again and select Program Settings.
* On the left, click on Troubleshooting.
* Uncheck (untick) this box - Disable avast! self-defense module.
* Click OK to apply the settings

If the above doesn't work, do the following:

Right click on the toolbar icon, then pull down "avast shield control" and click "Disable for 1 hour".


Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: HJT Log help needed

Unread postby AndyB » May 31st, 2010, 5:18 am

km2357,

I actually uninstalled Avast. Sorry if I shouldn't have done that. It found some problems and removed them before I came to the forum, but didn't actually remove the problem. I uninstalled it a few posts back, because it seemed to be getting in the way. I can re-install if needed.

Here's the info from combofix. Thanks again-

ComboFix 10-05-30.05 - Andy 05/31/2010 2:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.846 [GMT -7:00]
Running from: c:\documents and settings\Andy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-31 )))))))))))))))))))))))))))))))
.

2010-05-29 02:24 . 2010-05-29 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-05-27 06:17 . 2010-05-27 06:17 -------- d-----w- c:\program files\Trend Micro
2010-05-27 05:37 . 2010-05-27 05:37 -------- d-----w- c:\program files\Alwil Software
2010-05-27 05:37 . 2010-05-27 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-27 03:36 . 2010-05-27 04:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-27 03:36 . 2010-05-27 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-27 03:27 . 2010-05-27 05:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-27 02:49 . 2006-02-28 12:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-05-26 06:41 . 2010-05-26 06:41 -------- d-----w- c:\program files\AVG
2010-05-26 06:12 . 2010-05-26 06:12 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-26 06:12 . 2010-05-26 06:12 -------- d-----w- c:\documents and settings\Andy\Application Data\InstallShield
2010-05-26 06:06 . 2008-07-09 15:58 143360 ----a-w- c:\windows\system32\ANIWConnService(2)(2).exe
2010-05-26 04:56 . 2010-05-26 04:56 0 ----a-w- c:\windows\nsreg.dat
2010-05-26 04:56 . 2010-05-26 04:56 -------- d-----w- c:\documents and settings\Andy\Local Settings\Application Data\Mozilla
2010-05-26 04:56 . 2010-05-26 06:12 -------- d-----w- c:\program files\Mozilla Firefox(2)
2010-05-26 04:51 . 2010-05-26 06:28 -------- d-s---w- c:\documents and settings\Andy\UserData
2010-05-24 17:47 . 2008-05-16 09:59 200704 ----a-w- c:\windows\system32\ssleay32.dll
2010-05-24 17:47 . 2008-05-16 09:58 1089536 ----a-w- c:\windows\system32\libeay32.dll
2010-05-24 17:46 . 2010-05-24 17:46 -------- d-----w- c:\program files\D-Link
2010-05-24 17:46 . 2008-08-14 22:16 439680 ----a-w- c:\windows\system32\drivers\RTL8192u.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-31 09:04 . 2006-11-26 06:27 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
2010-05-31 09:04 . 2006-11-26 06:27 384 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
2010-05-24 17:47 . 2006-11-26 05:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-04 19:10 . 2006-11-27 01:24 -------- d-----w- c:\documents and settings\Andy\Application Data\Digidesign
2010-03-27 06:48 . 2010-03-27 06:48 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-03-27 06:48 . 2010-03-27 06:48 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2005-04-12 49152]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI1"=diomidi.dll
"wave2"=Digi32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-01 23:57 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ssdiag]
2004-07-14 16:28 57401 ----a-w- c:\windows\ssdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DigiRefresh"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [11/26/2006 6:21 PM 15872]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [11/26/2006 6:14 PM 74752]
S3 RTL8192u;Realtek RTL8192U Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192u.sys [5/24/2010 10:46 AM 439680]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\drivers\tj2knd5.sys [11/25/2006 11:23 PM 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\drivers\tj2kunic.sys [11/25/2006 11:23 PM 69680]
.
Contents of the 'Scheduled Tasks' folder

2010-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 22:21]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\fnsulyyz.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-31 02:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-31 02:08:25
ComboFix-quarantined-files.txt 2010-05-31 09:08

Pre-Run: 114,097,610,752 bytes free
Post-Run: 114,144,886,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - DE18E57D151678103317D89517AE7A2E
AndyB
Active Member
 
Posts: 10
Joined: May 27th, 2010, 2:22 am

Re: HJT Log help needed

Unread postby km2357 » May 31st, 2010, 3:15 pm

I actually uninstalled Avast. Sorry if I shouldn't have done that. It found some problems and removed them before I came to the forum, but didn't actually remove the problem. I uninstalled it a few posts back, because it seemed to be getting in the way. I can re-install if needed.


Yes, you need to reinstall Avast ASAP. You don't want to use your computer/Go out onto the Internet without an AV installed.

If you don't want to use Avast, here' s another free AntiVirus you can use:

1)Antivir PersonalEdition Classic

Choose only one, either Avast or Avira Antivir. Do not install both.


Step # 1: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 2 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


In your next post/reply, I need to see the following:

1. The MalwareBytes' Log
2. A fresh DDS Log
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: HJT Log help needed

Unread postby AndyB » May 31st, 2010, 4:13 pm

km2357,

Seems the services.msc settings have changed since running Combofix last night. I no longer have to go in and restart the DHCP client (each time I reboot) to connect to the internet :cheers: . I ran the ATF cleaner, but please note, the Opera setting was grayed out so I could not empty that setting. Also, Malwarebytes did not find anything to remove.

Here are the results from Malwarebytes and a fresh DDS-

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4159

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

5/31/2010 12:59:30 PM
mbam-log-2010-05-31 (12-59-30).txt

Scan type: Quick scan
Objects scanned: 109224
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS Log-


DDS (Ver_10-03-17.01) - NTFSx86
Run by Andy at 13:02:40.20 on Mon 05/31/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.799 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Andy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andy\applic~1\mozilla\firefox\profiles\fnsulyyz.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2006-11-26 15872]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2006-11-26 74752]
S3 RTL8192u;Realtek RTL8192U Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192u.sys [2010-5-24 439680]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\drivers\tj2knd5.sys [2006-11-25 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\drivers\tj2kunic.sys [2006-11-25 69680]

=============== Created Last 30 ================

2010-05-31 19:55:32 0 d-----w- c:\docume~1\andy\applic~1\Malwarebytes
2010-05-31 19:55:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-31 19:55:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-31 19:55:13 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-31 19:55:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-31 09:03:01 0 d-sha-r- C:\cmdcons
2010-05-31 08:59:55 98816 ----a-w- c:\windows\sed.exe
2010-05-31 08:59:55 77312 ----a-w- c:\windows\MBR.exe
2010-05-31 08:59:55 256512 ----a-w- c:\windows\PEV.exe
2010-05-31 08:59:55 161792 ----a-w- c:\windows\SWREG.exe
2010-05-27 06:17:42 0 d-----w- c:\program files\Trend Micro
2010-05-27 05:37:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-27 03:36:27 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-27 03:36:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-27 02:14:06 0 d-----w- c:\windows\system32\ReinstallBackups
2010-05-26 06:41:59 0 d-----w- c:\program files\AVG
2010-05-26 06:12:24 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-26 06:06:55 3284 ----a-w- c:\windows\system32\ANIWZCS{39A8FA5B-D7AE-4288-A4F4-CEEB59F9321A}
2010-05-26 06:06:43 143360 ----a-w- c:\windows\system32\ANIWConnService(2)(2).exe
2010-05-26 06:06:37 5 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{39A8FA5B-D7AE-4288-A4F4-CEEB59F9321A}
2010-05-26 04:56:35 0 d-----w- c:\program files\Mozilla Firefox(2)
2010-05-26 04:51:00 0 d-s---w- c:\documents and settings\andy\UserData
2010-05-26 04:49:18 3284 ----a-w- c:\windows\system32\ANIWZCS{553FEE6C-F93B-4BCE-9EA8-B46CDCD824F3}
2010-05-26 04:48:05 5 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{553FEE6C-F93B-4BCE-9EA8-B46CDCD824F3}
2010-05-25 16:26:19 7 ----a-w- c:\windows\system32\ANIWZCSUSERNAME
2010-05-24 17:49:07 3284 ----a-w- c:\windows\system32\ANIWZCS{6D27BB31-2114-4C59-A12F-9F046D965A3D}
2010-05-24 17:47:43 5 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{6D27BB31-2114-4C59-A12F-9F046D965A3D}
2010-05-24 17:47:09 200704 ----a-w- c:\windows\system32\ssleay32.dll
2010-05-24 17:47:09 1089536 ----a-w- c:\windows\system32\libeay32.dll
2010-05-24 17:46:37 439680 ----a-w- c:\windows\system32\drivers\RTL8192u.sys
2010-05-24 17:46:37 0 d-----w- c:\program files\D-Link

==================== Find3M ====================

2010-03-27 06:48:45 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-03-27 06:48:45 233472 ----a-w- c:\windows\system32\REX Shared Library.dll

============= FINISH: 13:02:49.43 ===============
AndyB
Active Member
 
Posts: 10
Joined: May 27th, 2010, 2:22 am

Re: HJT Log help needed

Unread postby km2357 » May 31st, 2010, 8:33 pm

I ran the ATF cleaner, but please note, the Opera setting was grayed out so I could not empty that setting.


That's fine, that just means you don't have Opera installed on your computer. :)

I see you haven't either reinstalled Avast or replaced it yet, please do that ASAP.


Step # 1 Download Java

Downloading and Installing Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u20.
  • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • From your desktop double-click on the download to install the newest version.


Step # 2: Run Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. How is your computer doing, any problems?
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: HJT Log help needed

Unread postby AndyB » June 1st, 2010, 3:26 am

km2357,

I ran the java update, re-installed avast. I also ran windows updates, because the message kept popping up for me to update. Hope that is ok.

I am running Kaspersky scan now, but it is taking a while. It has found 1 threat so far, but only at (25%). It is late, so I am going to let it run and re-post tomorrow evening with the results.

All in all the machine is running much better. The task bar looks normal on reboot, and I don't have to go into services.msc to restart the DHCP client and other services. So seems to be coming along well.

Appreciate your help with this, and I will re-post tomorrow evening.
AndyB
Active Member
 
Posts: 10
Joined: May 27th, 2010, 2:22 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 280 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware