
Author Topic: Malware  (Read 25722 times)


earmic (Topic Starter, Beginner)

    Malware
    « on: January 22, 2012, 06:05:02 AM »
    Picked up this nasty little piece of malware yesterday. Something to do with "Microsoft Security Center 2012". I see a few other posts here also. Anyway, it's blocking my AVG from running. I did run MBAM; it found 800 objects but could not fix any of them. I thought the MBAM might have been corrupted so I removed it, and now I can't download it again. All I have is my HijackThis, which has the "O1 - Hosts: ::1 localhost" redirection, which has been blocked from fixing except through the Start, Run, etc. command, which I tried but can't seem to get to work. I did manage to get a new AVG to run once and it found no viruses, but now it's blocked from running. Please help.

    Allan (Moderator, Mastermind)

    Re: Malware
    « Reply #1 on: January 22, 2012, 06:06:39 AM »
    Please follow the instructions in the following link and post your logs:
    http://www.computerhope.com/forum/index.php/topic,46313.0.html

    You can download everything on another system and transfer them to the system in question.

    earmic (Topic Starter, Beginner)

      Re: Malware
      « Reply #2 on: January 22, 2012, 12:17:11 PM »
      Now it looks like I've only got one thing left. In HijackThis, under hosts file redirections, there is the "O1 - Hosts: ::1 localhost" line I need to delete, but when I try it, it says that HijackThis has been denied access to the hosts file for some reason. When I use the directions about Start, Run, and then it tells me to edit the file myself, I can't get it to work. What am I missing?
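      The "O1 - Hosts:" line being asked about is a hosts-file entry. The script below is an added example for this thread, not code from HijackThis or any tool mentioned here: it reads hosts-file text (or the O1 lines of a HijackThis log) and separates the expected loopback mappings (`::1 localhost`, `127.0.0.1 localhost`) from entries that send a real domain to loopback, to 0.0.0.0, or to another host, which is the pattern that stops antivirus updates and downloads from working. The sample hosts content and the domain names in it are constructed; the helper names (`audit_hosts`, `classify`, `audit_hijackthis_o1`) are this example's own.

```python
"""Audit Windows hosts-file entries (or HijackThis O1 lines) from a
malware-removal point of view.

Added example for this thread, not code from HijackThis or any tool
mentioned in it. The sample hosts content and the domain names in it
are constructed; only the "::1 localhost" line comes from the thread.
"""
import ipaddress
import re

# Names that legitimately map to a loopback address on a clean machine.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Shape of a HijackThis O1 entry, e.g. "O1 - Hosts: ::1 localhost".
O1_RE = re.compile(r"^O1\s*-\s*Hosts:\s*(.+)$")


def parse_hosts(text):
    """Return [(address, [names...])] for every effective hosts line.

    Anything after '#' is a comment; blank lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name maps nothing
        entries.append((fields[0], fields[1:]))
    return entries


def classify(address, names):
    """Verdict for one entry:
    expected  - loopback address mapped only to local names (::1 localhost)
    blackhole - a real name sent to loopback or 0.0.0.0: the pattern that
                keeps antivirus update and download sites from resolving
    redirect  - a real name sent to some other host
    malformed - address does not parse
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    local_only = all(n.lower() in LOOPBACK_NAMES for n in names)
    if ip.is_loopback and local_only:
        return "expected"
    if ip.is_loopback or ip.is_unspecified:
        return "blackhole"
    return "redirect"


def audit_hosts(text):
    """Classify every entry in hosts-file text, in file order."""
    return [
        {"address": addr, "names": names, "verdict": classify(addr, names)}
        for addr, names in parse_hosts(text)
    ]


def audit_hijackthis_o1(log_text):
    """Pull the hosts entries out of HijackThis O1 lines and classify them."""
    hosts_lines = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            hosts_lines.append(m.group(1))
    return audit_hosts("\n".join(hosts_lines))


def suspicious_entries(text):
    """Only the entries a helper would ask about."""
    return [f for f in audit_hosts(text) if f["verdict"] != "expected"]


# Constructed sample: the first three lines are what a clean hosts file
# looks like; the last three are the kind of entries a remover looks for.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.test      # constructed: blocks AV updates
127.0.0.1       download.example-av.test    # constructed: blocks a download site
198.51.100.7    www.example-search.test     # constructed: search site sent elsewhere
"""


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        names = " ".join(finding["names"])
        print(f"{finding['verdict']:9} {finding['address']:15} {names}")
    # The one O1 line from the thread's own HijackThis log:
    print(audit_hijackthis_o1("O1 - Hosts: ::1 localhost"))
```

      On Windows XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts; passing its contents to audit_hosts() checks a real machine instead of the constructed sample.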

      SuperDave (Malware Removal Specialist, Moderator, Genius)

      Re: Malware
      « Reply #3 on: January 22, 2012, 03:09:07 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer, you will have to download any programs on the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the Shift key down for about 10 seconds while inserting it. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back online.
      *************************************************************************
      SUPERAntiSpyware

      If you already have SUPERAntiSpyware be sure to check for updates before scanning!

      Download SuperAntispyware Free Edition (SAS)
      • Double-click the icon on your desktop to run the installer.
      • When asked to Update the program definitions, click Yes.
      • If you encounter any problems while downloading the updates, manually download and unzip them from here.
      • Next click the Preferences button.
      • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts.
      • Click the Scanning Control tab.
      • Under Scanner Options make sure only the following are checked:
          • Close browsers before scanning
          • Scan for tracking cookies
          • Terminate memory threats before quarantining
        Please leave the others unchecked.
      • Click the Close button to leave the control center screen.
      • On the main screen click Scan your computer.
      • On the left check the box for the drive you are scanning.
      • On the right choose Perform Complete Scan.
      • Click Next to start the scan. Please be patient while it scans your computer.
      • After the scan is complete a summary box will appear. Click OK.
      • Make sure everything in the white box has a check next to it, then click Next.
      • It will quarantine what it found and if it asks if you want to reboot, click Yes.

      To retrieve the removal information please do the following:
      • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
      • Click Preferences. Click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • It will open in your default text editor (preferably Notepad).
      • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
      • Save the log somewhere you can easily find it (normally the desktop).
      • Click Close and Close again to exit the program.
      • Copy and paste the log in your post.
      ******************************************
      Please download Malwarebytes Anti-Malware from here.
      Double Click mbam-setup.exe to install the application.
      • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
      • If an update is found, it will download and install the latest version.
      • Once the program has loaded, select "Perform Full Scan", then click Scan.
      • The scan may take some time to finish, so please be patient.
      • When the scan is complete, click OK, then Show Results to view the results.
      • Make sure that everything is checked, and click Remove Selected.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
      • Please save the log to a location you will remember.
      • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the entire report in your next reply.
      Extra Note:

      If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
      **********************************************
      Download DDS from HERE or HERE and save it to your desktop.

      • Vista users: right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it).
      • XP users: double click on dds to run it.
      • If your antivirus or firewall try to block DDS then please allow it to run.
      • When finished DDS will open two (2) logs:
        1) DDS.txt
        2) Attach.txt
      • Save both reports to your desktop.
      • The instructions here ask you to attach the Attach.txt. Instead of attaching, please copy/paste both logs into your thread.

      Note: DDS will instruct you to post the Attach.txt log as an attachment.
      Please just post it as you would any other log by copying and pasting it into the reply.

      • Close the program window, and delete the program from your desktop.

      Please note: You may have to disable any script protection running if the scan fails to run.
      After downloading the tool, disconnect from the internet and disable all antivirus protection.
      Run the scan, enable your A/V and reconnect to the internet.
      Information on A/V control HERE. Then post your DDS logs (DDS.txt and Attach.txt).

        earmic (Topic Starter, Beginner)

        Re: Malware
        « Reply #4 on: January 23, 2012, 05:01:02 AM »
        Here are the logs requested. The hosts redirection is still there.
        Logfile of Trend Micro HijackThis v2.0.4
        Scan saved at 6:21:01 AM, on 1/23/2012
        Platform: Windows XP SP3 (WinNT 5.01.2600)
        MSIE: Internet Explorer v8.00 (8.00.6001.18702)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
        C:\Program Files\AVG\AVG2012\avgcsrvx.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Online Armor\OAcat.exe
        C:\Program Files\Online Armor\oasrv.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\LEXBCES.EXE
        C:\WINDOWS\system32\LEXPPS.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
        C:\Program Files\AVG\AVG2012\avgwdsvc.exe
        C:\Program Files\Java\jre6\bin\jqs.exe
        C:\Program Files\Common Files\LightScribe\LSSrvc.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
        C:\Program Files\Dell Support Center\bin\sprtsvc.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
        C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe
        C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe
        C:\Program Files\AVG\AVG2012\avgnsx.exe
        C:\Program Files\AVG\AVG2012\avgemcx.exe
        C:\WINDOWS\system32\wuauclt.exe
        C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
        C:\Program Files\Western Digital\WD SmartWare\WDFME.exe
        C:\Program Files\Dell\Media Experience\DMXLauncher.exe
        C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\AVG\AVG2012\avgtray.exe
        C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
        C:\Program Files\Online Armor\OAui.exe
        C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
        C:\Program Files\Online Armor\OAhlp.exe
        C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        O1 - Hosts: ::1 localhost
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
        O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
        O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
        O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
        O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
        O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
        O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Online Armor\OAui.exe"
        O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
        O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
        O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
        O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
        O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
        O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
        O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
        O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
        O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
        O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
        O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
        O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
        O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Online Armor\OAcat.exe
        O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
        O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Online Armor\oasrv.exe
        O23 - Service: vToolbarUpdater - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
        O23 - Service: WDDMService - WDC - C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe
        O23 - Service: WDFMEService - Western Digital  - C:\Program Files\Western Digital\WD SmartWare\WDFME.exe
        O23 - Service: WDRulesService - Western Digital  - C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe

        --
        End of file - 5436 bytes

        Earl :: D7SXQY91 [administrator]

        1/22/2012 2:36:16 PM
        mbam-log-2012-01-22 (14-36-16).txt

        Scan type: Full scan
        Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
        Scan options disabled: P2P
        Objects scanned: 244936
        Time elapsed: 31 minute(s), 17 second(s)

        Memory Processes Detected: 0
        (No malicious items detected)

        Memory Modules Detected: 0
        (No malicious items detected)

        Registry Keys Detected: 0
        (No malicious items detected)

        Registry Values Detected: 0
        (No malicious items detected)

        Registry Data Items Detected: 0
        (No malicious items detected)

        Folders Detected: 0
        (No malicious items detected)

        Files Detected: 0
        (No malicious items detected)

        (end)

        SUPERAntiSpyware Scan Log
        http://www.superantispyware.com

        Generated 01/22/2012 at 10:09 PM

        Application Version : 5.0.1142

        Core Rules Database Version : 8154
        Trace Rules Database Version: 5966

        Scan type       : Complete Scan
        Total Scan Time : 00:32:33

        Operating System Information
        Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
        Administrator

        Memory items scanned      : 422
        Memory threats detected   : 0
        Registry items scanned    : 23375
        Registry threats detected : 56
        File items scanned        : 84051
        File threats detected     : 1

        Adware.MyWebSearch/FunWebProducts

        Browser Hijacker.Internet Explorer Settings Hijack
           HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
           HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
           HKU\S-1-5-19_Classes\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
           HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
           HKU\S-1-5-20_Classes\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]
           HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes#URL [ http://findgala.com/?&uid=8039&q={searchTerms} ]

        Adware.Tracking Cookie
           C:\DOCUMENTS AND SETTINGS\EARL\Cookies\[email protected][2].txt [ Cookie:[email protected]

        DDS (Ver_2011-08-26.01) - NTFSx86
        Internet Explorer: 8.0.6001.18702
        Run by Earl at 6:48:28 on 2012-01-23
        Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3318.2710 [GMT -5:00]
        .
        AV: Malware Protection Center *Enabled/Updated* {0A22CD38-123B-4E0A-85D3-4F3C45DF26AB}
        AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
        FW: Online Armor Firewall *Enabled*
        FW: Malware Protection Center *Enabled*
        FW:  *Disabled*
        .
        ============== Running Processes ===============
        .
        C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
        C:\Program Files\AVG\AVG2012\avgcsrvx.exe
        C:\WINDOWS\system32\svchost -k DcomLaunch
        svchost.exe
        C:\WINDOWS\System32\svchost.exe -k netsvcs
        svchost.exe
        svchost.exe
        C:\Program Files\Online Armor\OAcat.exe
        C:\Program Files\Online Armor\oasrv.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\LEXBCES.EXE
        C:\WINDOWS\system32\LEXPPS.EXE
        C:\WINDOWS\system32\spoolsv.exe
        svchost.exe
        C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
        C:\Program Files\AVG\AVG2012\avgwdsvc.exe
        C:\Program Files\Common Files\LightScribe\LSSrvc.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
        C:\Program Files\Dell Support Center\bin\sprtsvc.exe
        C:\WINDOWS\system32\svchost.exe -k imgsvc
        C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
        C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe
        C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe
        C:\Program Files\AVG\AVG2012\avgnsx.exe
        C:\Program Files\AVG\AVG2012\avgemcx.exe
        C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
        C:\Program Files\Western Digital\WD SmartWare\WDFME.exe
        C:\Program Files\Dell\Media Experience\DMXLauncher.exe
        C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
        C:\WINDOWS\System32\svchost.exe -k HTTPFilter
        C:\Program Files\AVG\AVG2012\avgtray.exe
        C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
        C:\Program Files\Online Armor\OAui.exe
        C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
        C:\Program Files\Online Armor\OAhlp.exe
        C:\Program Files\Java\jre6\bin\jqs.exe
        C:\WINDOWS\system32\taskmgr.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        .
        ============== Pseudo HJT Report ===============
        .
        uStart Page = hxxp://www.google.com/
        mURLSearchHooks: H - No File
        BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
        BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
        TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
        TB: {37153479-1976-43C3-A1EE-557513977B64} - No File
        {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
        EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
        uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
        mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
        mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
        mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
        mRun: [<NO NAME>]
        mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
        mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
        mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
        mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
        mRun: [@OnlineArmor GUI] "c:\program files\online armor\OAui.exe"
        mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
        uPolicies-explorer: DisallowRun = 1 (0x1)
        IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
        IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
        DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
        DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
        DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
        DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
        DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
        TCP: DhcpNameServer = 10.0.0.1
        TCP: Interfaces\{B1CEA017-F4BD-4A2E-B0E7-3A9471493943} : DhcpNameServer = 10.0.0.1
        Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
        Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
        Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
        Notify: igfxcui - igfxdev.dll
        SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online~2\oaevent.dll
        SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
        mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
        IFEO: image file execution options - svchost.exe
        .
        ============= SERVICES / DRIVERS ===============
        .
        R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
        R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
        R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
        R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
        R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
        R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2012-1-22 205864]
        R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2012-1-22 40296]
        R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2012-1-22 25192]
        R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2012-1-22 29464]
        R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
        R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
        R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
        R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
        R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
        R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2012-1-22 207936]
        R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2012-1-22 4363040]
        R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\10.0.6\ToolbarUpdater.exe [2012-1-19 909152]
        R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\WDDMService.exe [2011-6-29 263056]
        R2 WDFMEService;WDFMEService;c:\program files\western digital\wd smartware\WDFME.exe [2011-6-29 1592208]
        R2 WDRulesService;WDRulesService;c:\program files\western digital\wd smartware\WDRulesEngine.exe [2011-6-29 1091984]
        R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
        R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
        R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
        S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
        S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys --> c:\windows\system32\drivers\ivusb.sys [?]
        S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-8-7 11520]
        S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
        .
        =============== Created Last 30 ================
        .
        2012-01-23 02:34:48   --------   d-----w-   c:\documents and settings\earl\application data\SUPERAntiSpyware.com
        2012-01-23 02:33:53   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2012-01-23 02:33:53   --------   d-----w-   c:\documents and settings\all users\application data\SUPERAntiSpyware.com
        2012-01-22 19:26:38   --------   d-----w-   c:\documents and settings\earl\application data\OnlineArmor
        2012-01-22 19:26:38   --------   d-----w-   c:\documents and settings\all users\application data\OnlineArmor
        2012-01-22 19:26:14   40296   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
        2012-01-22 19:26:14   29464   ----a-w-   c:\windows\system32\drivers\OAnet.sys
        2012-01-22 19:26:14   25192   ----a-w-   c:\windows\system32\drivers\OAmon.sys
        2012-01-22 19:26:14   205864   ----a-w-   c:\windows\system32\drivers\OADriver.sys
        2012-01-22 19:26:10   --------   d-----w-   c:\program files\Online Armor
        2012-01-22 13:08:55   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2012-01-22 09:04:52   --------   d-----w-   c:\documents and settings\earl\application data\AVG2012
        2012-01-22 08:09:21   --------   d-----w-   c:\documents and settings\all users\application data\AVG Secure Search
        2012-01-21 17:57:21   --------   d-sh--w-   c:\documents and settings\earl\application data\Malware Protection Center
        2012-01-21 17:57:20   --------   d-sh--w-   c:\documents and settings\all users\application data\MPDPJDIC
        2012-01-21 17:56:25   --------   d-sh--w-   c:\documents and settings\all users\application data\29c85f
        .
        ==================== Find3M  ====================
        .
        2011-12-28 22:27:35   2620   --sha-w-   c:\windows\system32\KGyGaAvL.sys
        2011-11-25 21:57:19   293376   ----a-w-   c:\windows\system32\winsrv.dll
        2011-11-23 13:25:32   1859584   ----a-w-   c:\windows\system32\win32k.sys
        2011-11-18 12:35:08   60416   ----a-w-   c:\windows\system32\packager.exe
        2011-11-16 22:49:12   2256   ----a-w-   c:\windows\current_settings.bin
        2011-11-10 10:54:13   472808   ----a-w-   c:\windows\system32\deployJava1.dll
        2011-11-10 08:27:10   73728   ----a-w-   c:\windows\system32\javacpl.cpl
        2011-11-09 03:37:12   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
        2011-11-04 19:20:51   916992   ----a-w-   c:\windows\system32\wininet.dll
        2011-11-04 19:20:51   43520   ------w-   c:\windows\system32\licmgr10.dll
        2011-11-04 19:20:51   1469440   ------w-   c:\windows\system32\inetcpl.cpl
        2011-11-04 11:23:59   385024   ------w-   c:\windows\system32\html.iec
        2011-11-03 15:28:36   386048   ----a-w-   c:\windows\system32\qdvd.dll
        2011-11-03 15:28:36   1292288   ----a-w-   c:\windows\system32\quartz.dll
        2011-11-01 16:07:10   1288704   ----a-w-   c:\windows\system32\ole32.dll
        2011-10-28 05:31:48   33280   ----a-w-   c:\windows\system32\csrsrv.dll
        2011-10-25 13:37:08   2148864   ----a-w-   c:\windows\system32\ntoskrnl.exe
        2011-10-25 12:52:02   2027008   ----a-w-   c:\windows\system32\ntkrnlpa.exe
        .
        ============= FINISH:  6:52:21.45 ===============

        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Malware
        « Reply #5 on: January 23, 2012, 04:24:50 PM »
Download ComboFix from any of the links below, and save it to your desktop.

        Link 1
        Link 2
        Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
        • Close any open windows and double click ComboFix.exe to run it.

          You will see the following image:


        Click I Agree to start the program.

        ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

        If you did not have it installed, you will see the prompt below. Choose YES.



        Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

        Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



        Click on Yes, to continue scanning for malware.

        When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

        Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
        Windows 8 and Windows 10 dual boot with two SSD's

        earmic

          Topic Starter


          Beginner

          Re: Malware
          « Reply #6 on: January 23, 2012, 06:16:23 PM »
I disabled my AVG, downloaded the ComboFix and it ran for about 3/4 of the way through the 'green screen' and then it suddenly stops running and disappears.  I tried it several times, same thing.

          earmic


            Re: Malware
            « Reply #7 on: January 23, 2012, 06:23:57 PM »
I closed IE and it continued to run, except it stops and warns me about the 'Malware protection center' scanner that's running, and to disable it.  Is it talking about MBAM, or something else?  I can't find any 'malware protection center'.

            SuperDave

            Re: Malware
            « Reply #8 on: January 23, 2012, 07:05:57 PM »
            Ok. Let's try this. Delete ComboFix from your desktop and download a new version.

Download ComboFix from any of the links below, and save it to your desktop.

            Link 1
            Link 2
            Link 3

            When saving ComboFix rename it to PCHelpForum.exe to prevent it from being blocked by malware.

            Refer to this image:

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
            • Close any open windows and double click PCHelpForum.exe to run it.

              You will see the following image:


            Click I Agree to start the program.

            ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

            If you did not have it installed, you will see the prompt below. Choose YES.



            Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

            Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



            Click on Yes, to continue scanning for malware.

            When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

            Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

            earmic


              Re: Malware
              « Reply #9 on: January 23, 2012, 07:35:21 PM »
              Okay tried that, also disabled AVG like before, and closed IE, same thing happens.

              SuperDave

              Re: Malware
              « Reply #10 on: January 24, 2012, 04:26:07 PM »
              Please try running ComboFix in Safe mode.

              earmic


                Re: Malware
                « Reply #11 on: January 24, 2012, 06:13:43 PM »
Was able to run it in safe mode, and it made it a little farther into the scan, then the same thing happened: the security center warning popped up.  Where is this thing hiding?  I can't find it anywhere.

                earmic


                  Re: Malware
                  « Reply #12 on: January 24, 2012, 06:46:30 PM »
Well, somehow I was able to get ComboFix to run. Here is the log report:
                  ComboFix 12-01-23.02 - Earl 01/24/2012  20:26:03.1.2 - x86
                  Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3318.2802 [GMT -5:00]
                  Running from: c:\documents and settings\Earl\Desktop\ComboFix.exe
                  AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                  AV: Malware Protection Center *Enabled/Updated* {0A22CD38-123B-4E0A-85D3-4F3C45DF26AB}
                  FW:  *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
                  FW: Malware Protection Center *Enabled* {4EA14CFC-3409-44BF-BC95-3D4160821E44}
                  FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  c:\documents and settings\All Users\Application Data\29c85f
                  c:\documents and settings\All Users\Application Data\29c85f\71.mof
                  c:\documents and settings\All Users\Application Data\29c85f\MPC.ico
                  c:\documents and settings\All Users\Application Data\TEMP
                  c:\documents and settings\All Users\Application Data\TEMP\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe
                  c:\documents and settings\All Users\Application Data\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
                  c:\documents and settings\All Users\Application Data\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
                  c:\documents and settings\All Users\Application Data\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
                  c:\documents and settings\All Users\Application Data\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe
                  c:\documents and settings\Earl\WINDOWS
                  c:\windows\system32\Cache
                  c:\windows\system32\Cache\272512937d9e61a4.fb
                  c:\windows\system32\Cache\287204568329e189.fb
                  c:\windows\system32\Cache\28bc8f716fd76a47.fb
                  c:\windows\system32\Cache\2c53092c95605355.fb
                  c:\windows\system32\Cache\3917078cb68ec657.fb
                  c:\windows\system32\Cache\590ba23ce359fd0c.fb
                  c:\windows\system32\Cache\610289e025a3ee9a.fb
                  c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
                  c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
                  c:\windows\system32\Cache\a155ed85f72d3a41.fb
                  c:\windows\system32\Cache\a8556537add6dfc5.fb
                  c:\windows\system32\Cache\ad10a52aff5e038d.fb
                  c:\windows\system32\Cache\c4d28dca2e7648be.fb
                  c:\windows\system32\Cache\c7df7a3556de1eb9.fb
                  c:\windows\system32\Cache\d201ef9910cd39de.fb
                  c:\windows\system32\Cache\d2e94710a5708128.fb
                  c:\windows\system32\Cache\d79b9dfe81484ec4.fb
                  c:\windows\system32\Cache\e0de16f883bea794.fb
                  c:\windows\system32\drivers\1028_DELL_XPS_Dell DM051                   .MRK
                  c:\windows\system32\drivers\DELL_XPS_Dell DM051                   .MRK
                  .
                  .
                  (((((((((((((((((((((((((   Files Created from 2011-12-25 to 2012-01-25  )))))))))))))))))))))))))))))))
                  .
                  .
                  2012-01-25 00:54 . 2012-01-25 00:56   --------   d-----w-   c:\documents and settings\Administrator
                  2012-01-23 11:32 . 2012-01-23 11:32   --------   d-----w-   c:\program files\Common Files\Java
                  2012-01-23 02:34 . 2012-01-23 02:34   --------   d-----w-   c:\documents and settings\Earl\Application Data\SUPERAntiSpyware.com
                  2012-01-23 02:33 . 2012-01-23 02:34   --------   d-----w-   c:\program files\SUPERAntiSpyware
                  2012-01-23 02:33 . 2012-01-23 02:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                  2012-01-22 19:26 . 2012-01-23 02:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
                  2012-01-22 19:26 . 2012-01-22 19:27   --------   d-----w-   c:\documents and settings\Earl\Application Data\OnlineArmor
                  2012-01-22 19:26 . 2011-11-01 16:34   40296   ----a-w-   c:\windows\system32\drivers\oahlp32.sys
                  2012-01-22 19:26 . 2011-11-01 16:34   29464   ----a-w-   c:\windows\system32\drivers\OAnet.sys
                  2012-01-22 19:26 . 2011-11-01 16:34   25192   ----a-w-   c:\windows\system32\drivers\OAmon.sys
                  2012-01-22 19:26 . 2011-11-01 16:34   205864   ----a-w-   c:\windows\system32\drivers\OADriver.sys
                  2012-01-22 19:26 . 2012-01-24 01:01   --------   d-----w-   c:\program files\Online Armor
                  2012-01-22 13:08 . 2011-12-10 20:24   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
                  2012-01-22 09:04 . 2012-01-22 09:04   --------   d-----w-   c:\documents and settings\Earl\Application Data\AVG2012
                  2012-01-22 08:09 . 2012-01-22 08:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Secure Search
                  2012-01-21 17:57 . 2012-01-21 17:59   --------   d-sh--w-   c:\documents and settings\Earl\Application Data\Malware Protection Center
                  2012-01-21 17:57 . 2012-01-21 17:57   --------   d-sh--w-   c:\documents and settings\All Users\Application Data\MPDPJDIC
                  .
                  .
                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2011-11-25 21:57 . 2004-08-10 16:51   293376   ----a-w-   c:\windows\system32\winsrv.dll
                  2011-11-23 13:25 . 2004-08-10 16:51   1859584   ----a-w-   c:\windows\system32\win32k.sys
                  2011-11-18 12:35 . 2004-08-10 16:51   60416   ----a-w-   c:\windows\system32\packager.exe
                  2011-11-10 10:54 . 2011-06-20 12:05   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                  2011-11-10 08:27 . 2011-07-02 00:37   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                  2011-11-09 03:37 . 2011-05-23 23:39   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
                  2011-11-04 19:20 . 2004-08-10 16:51   916992   ----a-w-   c:\windows\system32\wininet.dll
                  2011-11-04 19:20 . 2004-08-10 16:51   43520   ------w-   c:\windows\system32\licmgr10.dll
                  2011-11-04 19:20 . 2004-08-10 16:51   1469440   ------w-   c:\windows\system32\inetcpl.cpl
                  2011-11-04 11:23 . 2004-08-10 16:51   385024   ------w-   c:\windows\system32\html.iec
                  2011-11-03 15:28 . 2004-08-10 16:51   386048   ----a-w-   c:\windows\system32\qdvd.dll
                  2011-11-03 15:28 . 2004-08-10 16:51   1292288   ----a-w-   c:\windows\system32\quartz.dll
                  2011-11-01 16:07 . 2004-08-10 16:51   1288704   ----a-w-   c:\windows\system32\ole32.dll
                  2011-10-28 05:31 . 2004-08-10 16:50   33280   ----a-w-   c:\windows\system32\csrsrv.dll
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4
                  .
                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]
                  .
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
                  "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
                  "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
                  "Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
                  "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-05 98304]
                  "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
                  "@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2011-11-01 2531104]
                  "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
                  .
                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                  "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2011-11-01 358840]
                  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                  2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                  .
                  [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
                  BootExecute   REG_MULTI_SZ      autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
                  .
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
                  @=""
                  .
                  [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
                  path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
                  backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
                  .
                  [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Quick View.lnk]
                  path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WD Quick View.lnk
                  backup=c:\windows\pss\WD Quick View.lnkCommon Startup
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
                  2006-02-09 22:34   106496   ----a-w-   c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
                  2006-03-24 00:13   77824   ----a-w-   c:\windows\system32\hkcmd.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
                  2006-03-24 00:17   118784   ----a-w-   c:\windows\system32\igfxpers.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
                  2006-03-24 00:17   94208   ----a-w-   c:\windows\system32\igfxtray.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
                  2010-08-16 17:45   2736128   ----a-w-   c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
                  2008-04-14 00:12   1695232   ----a-w-   c:\program files\Messenger\msmsgs.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
                  2006-05-05 18:02   98304   ----a-w-   c:\program files\QuickTime\qttask.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
                  2011-06-09 18:06   254696   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
                  "DisableMonitoring"=dword:00000001
                  .
                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\system32\\sessmgr.exe"=
                  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                  "c:\\WINDOWS\\system32\\mmc.exe"=
                  "c:\\WINDOWS\\system32\\dpvsetup.exe"=
                  "c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
                  "c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
                  "c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
                  "c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
                  .
                  R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
                  R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
                  R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
                  R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
                  R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [1/22/2012 2:26 PM 205864]
                  R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [1/22/2012 2:26 PM 40296]
                  R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [1/22/2012 2:26 PM 25192]
                  R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [1/22/2012 2:26 PM 29464]
                  R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
                  R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
                  R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
                  R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
                  R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [1/22/2012 2:26 PM 207936]
                  R2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [1/22/2012 2:26 PM 4363040]
                  R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe [1/19/2012 5:27 PM 909152]
                  R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WDDMService.exe [6/29/2011 7:01 AM 263056]
                  R2 WDFMEService;WDFMEService;c:\program files\Western Digital\WD SmartWare\WDFME.exe [6/29/2011 7:01 AM 1592208]
                  R2 WDRulesService;WDRulesService;c:\program files\Western Digital\WD SmartWare\WDRulesEngine.exe [6/29/2011 7:01 AM 1091984]
                  R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
                  R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
                  R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
                  S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
                  S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
                  S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]
                  S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [8/7/2011 6:51 AM 11520]
                  S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
                  2010-08-16 17:43   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
                  .
                  .
                  ------- Supplementary Scan -------
                  .
                  uStart Page = hxxp://www.google.com/
                  IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
                  TCP: DhcpNameServer = 10.0.0.1
                  DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
                  .
                  - - - - ORPHANS REMOVED - - - -
                  .
                  WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
                  WebBrowser-{37153479-1976-43C3-A1EE-557513977B64} - (no file)
                  WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
                  AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
                  .
                  .
                  .
                  **************************************************************************
                  .
                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2012-01-24 20:37
                  Windows 5.1.2600 Service Pack 3 NTFS
                  .
                  scanning hidden processes ... 
                  .
                  scanning hidden autostart entries ...
                  .
                  scanning hidden files ... 
                  .
                  scan completed successfully
                  hidden files: 0
                  .
                  **************************************************************************
                  .
                  --------------------- DLLs Loaded Under Running Processes ---------------------
                  .
                  - - - - - - - > 'winlogon.exe'(788)
                  c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                  c:\windows\system32\WININET.dll
                  .
                  Completion time: 2012-01-24  20:42:36
                  ComboFix-quarantined-files.txt  2012-01-25 01:42
                  .
                  Pre-Run: 55,385,833,472 bytes free
                  Post-Run: 56,277,286,912 bytes free
                  .
                  WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
                  [boot loader]
                  timeout=2
                  default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
                  [operating systems]
                  c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                  UnsupportedDebug="do not select this" /debug
                  multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
                  .
                  - - End Of File - - 86C8BC36E13C0EB1C10E378114C5C68D
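The DDS log in reply #4 and the ComboFix log just above both print a "Files Created" listing in the same shape (timestamp, size or dashes, an 8-character attribute string, path), and in both the rogue "Malware Protection Center" footprint stands out as directories created under Application Data with the hidden and system bits set (`d-sh--w-`). The following is an added example, not code from ComboFix, DDS or anyone in this thread: a small Python triage script that parses that listing format and surfaces such entries. The attribute-letter meanings it assumes (d = directory, r = read-only, s = system, h = hidden, a = archive, w = writable) and the "hidden+system directory under a profile data folder" heuristic are the example's own assumptions; the sample lines are excerpted from the two logs posted in this thread and used as constructed test input.

```python
"""Triage a ComboFix / DDS "Files Created" listing for hidden+system profile directories.

Added example, not code from ComboFix, DDS or this forum. Attribute letters are
interpreted as d = directory, r = read-only, s = system, h = hidden, a = archive,
w = writable (an assumption about the format; letters are matched by presence,
not by column). The flagging heuristic is likewise the example's own.
"""
import re
from datetime import datetime
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    created: datetime
    attrs: str
    size: Optional[int]  # None when the tool prints "--------" (directories)
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


# ComboFix prints "created . modified"; DDS prints one timestamp with seconds.
_LINE = re.compile(
    r"^\s*(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?:\s+\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r"\s+(?P<size>-+|\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*?)\s*$"
)

# Profile data folders where a rogue AV typically drops its hidden payload dirs.
_PROFILE_DATA = re.compile(r"\\application data\\", re.IGNORECASE)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; return None for separators, headers and blanks."""
    m = _LINE.match(line)
    if not m:
        return None
    stamp = m.group("created")
    fmt = "%Y-%m-%d %H:%M:%S" if stamp.count(":") == 2 else "%Y-%m-%d %H:%M"
    size_txt = m.group("size")
    return Entry(
        created=datetime.strptime(stamp, fmt),
        attrs=m.group("attrs"),
        size=None if size_txt.startswith("-") else int(size_txt),
        path=m.group("path"),
    )


def parse_listing(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def flag_suspicious(entries: List[Entry]) -> List[str]:
    """Paths of directories created hidden+system under an Application Data folder.

    Legitimate installers almost never create their profile folders with both
    the hidden and system bits set, so such entries deserve a closer look.
    """
    return [
        e.path
        for e in entries
        if e.is_dir and e.hidden and e.system and _PROFILE_DATA.search(e.path)
    ]


# Excerpt of the DDS log posted in reply #4 (constructed test input, one timestamp).
SAMPLE_DDS = r"""
2012-01-22 13:08:55   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-01-22 09:04:52   --------   d-----w-   c:\documents and settings\earl\application data\AVG2012
2012-01-21 17:57:21   --------   d-sh--w-   c:\documents and settings\earl\application data\Malware Protection Center
2012-01-21 17:57:20   --------   d-sh--w-   c:\documents and settings\all users\application data\MPDPJDIC
2012-01-21 17:56:25   --------   d-sh--w-   c:\documents and settings\all users\application data\29c85f
2011-12-28 22:27:35   2620   --sha-w-   c:\windows\system32\KGyGaAvL.sys
"""

# Excerpt of the ComboFix log posted in reply #12 (constructed test input, two timestamps).
SAMPLE_COMBOFIX = r"""
2012-01-22 09:04 . 2012-01-22 09:04   --------   d-----w-   c:\documents and settings\Earl\Application Data\AVG2012
2012-01-21 17:57 . 2012-01-21 17:59   --------   d-sh--w-   c:\documents and settings\Earl\Application Data\Malware Protection Center
2012-01-21 17:57 . 2012-01-21 17:57   --------   d-sh--w-   c:\documents and settings\All Users\Application Data\MPDPJDIC
"""


if __name__ == "__main__":
    for name, text in (("DDS", SAMPLE_DDS), ("ComboFix", SAMPLE_COMBOFIX)):
        entries = parse_listing(text)
        print(f"{name}: {len(entries)} entries parsed")
        for path in flag_suspicious(entries):
            print("  hidden+system profile dir:", path)
```

The script does not decide what is malware; it only pulls out the entries a helper would look at first, which here are exactly the "Malware Protection Center", MPDPJDIC and 29c85f directories that ComboFix later deleted. Files with the same bits set under system32 (the `--sha-w-` line) are deliberately left out of the flag, since that pattern is common for legitimate licensing and driver files.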


                  SuperDave

                  Re: Malware
                  « Reply #13 on: January 25, 2012, 12:28:17 PM »
                  SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

                  http://sites.google.com/site/sysprotantirootkit/

                  Unzip it into a folder on your desktop.
                  • Double click Sysprot.exe to start the program.
                  • Click on the Log tab.
                  • In the Write to log box select the following items.
                    • Process << Selected
                    • Kernel Modules << Selected
                    • SSDT << Selected
                    • Kernel Hooks << Selected
                    • IRP Hooks << NOT Selected
                    • Ports << NOT Selected
                    • Hidden Files << Selected
                  • At the bottom of the page
                    • Hidden Objects Only << Selected
                  • Click on the Create Log button on the bottom right.
                  • After a few seconds a new window should appear.
                  • Select Scan Root Drive. Click on the Start button.
                  • When it is complete a new window will appear to indicate that the scan is finished.
                  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

                  earmic


                    Re: Malware
                    « Reply #14 on: January 25, 2012, 03:18:05 PM »
                    Here is the antirootkit log:
                    SysProt AntiRootkit v1.0.1.0
                    by swatkat

                    ******************************************************************************************
                    ******************************************************************************************

                    No Hidden Processes found

                    ******************************************************************************************
                    ******************************************************************************************
                    Kernel Modules:
                    Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
                    Service Name: ---
                    Module Base: A89AE000
                    Module End: A89C6000
                    Hidden: Yes

                    Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
                    Service Name: ---
                    Module Base: BA5B2000
                    Module End: BA5B4000
                    Hidden: Yes

                    ******************************************************************************************
                    ******************************************************************************************
                    SSDT:
                    Function Name: ZwAllocateVirtualMemory
                    Address: A8C4042C
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwAssignProcessToJobObject
                    Address: A8C3F928
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwConnectPort
                    Address: A8C3E64C
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwCreateFile
                    Address: A8C45316
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwCreateKey
                    Address: A8C47242
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwCreatePort
                    Address: A8C3E46A
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwCreateProcess
                    Address: A8C3FEE8
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwCreateProcessEx
                    Address: A8C3C978
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwCreateSection
                    Address: A8C3C4F2
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwCreateThread
                    Address: A8C3D634
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwDebugActiveProcess
                    Address: A8C3DD22
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwDuplicateObject
                    Address: A8C3E32C
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwLoadDriver
                    Address: A8C3F350
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwOpenFile
                    Address: A8C45694
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwOpenProcess
                    Address: A8165F3C
                    Driver Base: A8165000
                    Driver End: A8168000
                    Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

                    Function Name: ZwOpenSection
                    Address: A8C3C7B4
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwOpenThread
                    Address: A8C3D8B0
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwProtectVirtualMemory
                    Address: A8C3F6DA
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwQueueApcThread
                    Address: A8C3FA44
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwRequestPort
                    Address: A8C3ECB0
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwRequestWaitReplyPort
                    Address: A8C3F018
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwRestoreKey
                    Address: A8C4510E
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwResumeThread
                    Address: A8C3E0CE
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwSecureConnectPort
                    Address: A8C3E86E
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwSetContextThread
                    Address: A8C3DBCC
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwSetSystemInformation
                    Address: A8C400E0
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwShutdownSystem
                    Address: A8C3F28A
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwSuspendProcess
                    Address: A8C3E1FE
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwSuspendThread
                    Address: A8C3DF7A
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwSystemDebugControl
                    Address: A8C3DE40
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwTerminateProcess
                    Address: A8CA2640
                    Driver Base: A8C98000
                    Driver End: A8CBA000
                    Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

                    Function Name: ZwTerminateThread
                    Address: A8166080
                    Driver Base: A8165000
                    Driver End: A8168000
                    Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

                    Function Name: ZwUnloadDriver
                    Address: A8C3F518
                    Driver Base: A8C3C000
                    Driver End: A8C6D000
                    Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

                    Function Name: ZwWriteVirtualMemory
                    Address: A816611C
                    Driver Base: A8165000
                    Driver End: A8168000
                    Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

                    ******************************************************************************************
                    ******************************************************************************************
                    No Kernel Hooks found

                    ******************************************************************************************
                    ******************************************************************************************
                    No hidden files/folders found