
Hi Guys,

For the past couple of days Explorer keeps opening the wrong page; it only shows adverts when I want to open a new page. I don't know anything about computers. SOMEONE HELP ME. I've run a Malwarebytes scan and Windows Defender and they found 3 trojan files; I deleted them but the problem is still there. I don't know what else to do. I read about checking hosting files and running HJT????? No idea what those are. Can someone give me guidance please.


Hi, thanks for the response. I've spent all day scanning. Two things: after scanning, removing and re-booting I got this message:-

C:\DOCUME~1\NAEEM_~1\LOCALS~1\Temp\WER4423.dir00\Mini012011-01.dmp
C:\DOCUME~1\NAEEM_~1\LOCALS~1\Temp\WER4423.dir00\sysdata.xml

Error signature

BCCode : 40000080 BCP1 : 871D1AD0 BCP2 : 8699F378 BCP3 : F78BAF2C
BCP4 : 00000001 OSVer : 5_1_2600 SP : 3_0 Product : 768_1

Also I keep getting the grey error box for Explorer:- "Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience." But Explorer opens and works. Before all the scans Microsoft Security Essentials kept finding and removing:- trojan:win32/fakesysdef. If it's been removed why does it keep appearing??

Anyway, here are the logs you requested:- What do they mean in English, please?????

Gmer 1:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-01-20 14:56:31
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 WDC_WD2500JD-22HBC0 rev.08.02D08
Running: uwpvcmqx.exe; Driver: C:\DOCUME~1\NAEEM_~1\LOCALS~1\Temp\agldaaow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xEDC5D82E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xEDC5D652]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xEDC5D78C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device aswSP.SYS (avast! self protection module/AVAST Software)
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Threads - GMER 1.0.15 ----

Thread System [4:120] 8730B53C
Thread System [4:124] 8730D52D

---- EOF - GMER 1.0.15 ----

Gmer 2

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-20 15:01:14
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 WDC_WD2500JD-22HBC0 rev.08.02D08
Running: uwpvcmqx.exe; Driver: C:\DOCUME~1\NAEEM_~1\LOCALS~1\Temp\agldaaow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xEDC49728]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xEDD1DFA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xEDC507EA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xEDD1EA38]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xEDC506A2]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus_22705.sys (RapportCerberus/Trusteer Ltd.) ZwCreateThread [0xEF07E422]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus_22705.sys (RapportCerberus/Trusteer Ltd.) ZwDeleteFile [0xEF07D8F8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xEDC50CA8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xEDC50BBE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xEDC50276]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xEDC497D8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwLoadKey [0xEDD22340]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xEDD1EB0E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xEDC5077E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xEDC501B2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xEDC50218]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xEDC49870]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xEDC508C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xEDC50D76]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xEDD22252]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xEDC50880]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xEDD1DF48]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus_22705.sys (RapportCerberus/Trusteer Ltd.) ZwSetInformationFile [0xEF07D96C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xEDC50A04]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xEDD1DEE4]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus_22705.sys (RapportCerberus/Trusteer Ltd.) ZwTerminateProcess [0xEF07D87E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xEDD1DE80]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xEDC5D82E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xEDC5D652]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xEDC5D78C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device aswSP.SYS (avast! self protection module/AVAST Software)
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Threads - GMER 1.0.15 ----

Thread System [4:120] 8730B53C
Thread System [4:124] 8730D52D

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5011B86C-7743-018B-900E-25D254391AE6}

---- EOF - GMER 1.0.15 ----

Mbam:-

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5542

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/01/2011 16:09:25
mbam-log-2011-01-20 (16-09-17).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 223673
Time elapsed: 1 hour(s), 6 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\windows live\messenger\riched20.dll (PUP.FunWebProducts) -> No action taken.
c:\system volume information\_restore{986d4782-3cc4-4b8b-813a-c6b025e1ed46}\RP397\A0058699.exe (Adware.Hotbar) -> No action taken.
c:\system volume information\_restore{986d4782-3cc4-4b8b-813a-c6b025e1ed46}\RP420\A0064637.DLL (PUP.FunWebProducts) -> No action taken.
c:\system volume information\_restore{986d4782-3cc4-4b8b-813a-c6b025e1ed46}\RP430\A0070061.scr (PUP.FunWebProducts) -> No action taken.

Mbam 2:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5542

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/01/2011 16:10:09
mbam-log-2011-01-20 (16-10-09).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 223673
Time elapsed: 1 hour(s), 6 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\windows live\messenger\riched20.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{986d4782-3cc4-4b8b-813a-c6b025e1ed46}\RP397\A0058699.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\system volume information\_restore{986d4782-3cc4-4b8b-813a-c6b025e1ed46}\RP420\A0064637.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{986d4782-3cc4-4b8b-813a-c6b025e1ed46}\RP430\A0070061.scr (PUP.FunWebProducts) -> Quarantined and deleted successfully.

DDS.txt

DDS (Ver_10-12-12.02) - NTFSx86
Run by Naeem_Asiya at 16:25:25.28 on 20/01/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.359 [GMT 0:00]

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\PC Internet Access\NPCIA.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Documents and Settings\Naeem_Asiya\Desktop\Security\dds.com
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [NokiaPCInternetAccess] "c:\program files\nokia\pc internet access\NPCIA.exe" /b
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 6\PCSuite.exe" -onlytray
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Calendar] c:\program files\desksware\desktop ical\Calendar.exe
uRun: [FEXeTWLLHYgf.exe] c:\documents and settings\all users\application data\FEXeTWLLHYgf.exe
uRun: [iVV8cvvMWNUBz] c:\documents and settings\all users\application data\iVV8cvvMWNUBz.exe
uRun: [aliim] c:\program files\trademanager\aliim.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [DSLSTATEXE] c:\program files\bt voyager 105 adsl modem\dslstat.exe icon
mRun: [DSLAGENTEXE] c:\program files\bt voyager 105 adsl modem\dslagent.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [SiteAdvisor] c:\program files\siteadvisor\6172\SiteAdv.exe
mRun: [McENUI] ¸????A??9]????\McENUI.exe /hide
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &Search
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: motive.com\pbttbc.bt
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {24849366-2BE3-4EC3-8BF7-60BBC9448B49} - hxxp://www.gestation.net/pregnancy_dating/GC.CAB
DPF: {2C31D267-894F-467D-93B2-D6D417A436AF} - hxxp://www.gestation.net/efw/efw2007.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.startriteshoes.com/ImageUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207831435359
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207858342156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FC93A9C7-F48C-400E-8641-AAF042FF2594} - hxxp://www.gestation.net/birthweight_centiles/centile5.12.1.CAB
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-1-12 53816]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-17 294608]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 RapportCerberus_22705;RapportCerberus_22705;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus_22705.sys [2011-1-12 47928]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-1-12 63160]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-1-12 156344]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-1-17 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-17 40384]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-1-12 821048]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 auxipnzh;auxipnzh;\??\c:\windows\system32\drivers\auxipnzh.sys --> c:\windows\system32\drivers\auxipnzh.sys [?]
S1 edvfrcqi;edvfrcqi;\??\c:\windows\system32\drivers\edvfrcqi.sys --> c:\windows\system32\drivers\edvfrcqi.sys [?]
S1 plejjdlu;plejjdlu;\??\c:\windows\system32\drivers\plejjdlu.sys --> c:\windows\system32\drivers\plejjdlu.sys [?]
S2 0046261294343633mcinstcleanup;McAfee Application Installer Cleanup (0046261294343633);c:\docume~1\naeem_~1\locals~1\temp\004626~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\naeem_~1\locals~1\temp\004626~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

=============== Created Last 30 ================

2011-01-20 11:49:14 -------- d-----w- C:\bc764c9ec93ea446988c7a0063
2011-01-19 14:17:52 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{4b3706fb-2428-4521-aed2-bf4e344ef0e6}\mpengine.dll
2011-01-19 13:45:01 -------- d-----w- c:\program files\Prevx
2011-01-18 17:58:06 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{6a1aa794-9460-4423-abc3-a428d51b71cf}\mpengine.dll
2011-01-17 19:18:24 38848 ----a-w- c:\windows\avastSS.scr
2011-01-17 11:47:20 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-01-16 12:30:06 -------- d-----w- c:\windows\pss
2011-01-16 12:22:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2011-01-16 10:03:40 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-16 09:50:24 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-01-16 09:50:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-12 23:30:22 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-01-07 01:37:27 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2011-01-07 01:33:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2011-01-07 01:32:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\Comodo
2011-01-07 01:32:36 -------- d-----w- c:\program files\COMODO
2011-01-07 01:32:34 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-01-06 19:09:31 -------- d-----w- c:\docume~1\naeem_~1\applic~1\SiteAdvisor
2011-01-05 22:08:08 53248 ----a-w- c:\windows\system32\drivers\sst1F4.sys
2011-01-05 22:08:08 0 ----a-w- c:\windows\system32\drivers\sst1F4.tmp
2011-01-02 02:17:19 -------- d-----w- c:\windows\system32\aliedit
2011-01-02 02:17:06 -------- d-----w- c:\program files\trademanager
2010-12-31 20:39:19 -------- d-----w- c:\program files\DigitalFossils
2010-12-27 19:01:22 15256 ----a-w- c:\docume~1\naeem_~1\applic~1\microsoft\identitycrl\production\ppcrlconfig.dll
2010-12-26 13:48:13 -------- d-----w- c:\documents and settings\naeem_asiya\Tracing
2010-12-26 13:44:36 -------- d-----w- c:\program files\Microsoft
2010-12-26 13:44:19 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-12-26 13:42:34 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc164.tmp
2010-12-26 13:41:55 -------- d-----w- c:\program files\common files\Windows Live
2010-12-26 13:39:18 -------- d-----w- c:\documents and settings\naeem_asiya\Contacts

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 16:32:37.70 ===============


I'm still getting the Internet Explorer message; when I open it, it states:-
AppName: iexplore.exe AppVer: 8.0.6001.18702 ModName: unknown
ModVer: 0.0.0.0 Offset: 01582663


I'm still getting the Internet Explorer message; when I open it, it states:-
AppName: iexplore.exe AppVer: 8.0.6001.18702 ModName: unknown
ModVer: 0.0.0.0 Offset: 01582663

It looks like you've got some hidden baddies. Let's have a crack at them.

-- Also, it looks like you are using the tandem of Avast! and MSE. I have seen where that has been recommended - Normally I don't care for the idea of multiple AV apps, but I'm wondering how that works for you with regard to machine speed? (We already know it didn't catch this malware... ;) )

Anyhoo, please follow the instructions in the linky below to download Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Try to refrain from using the infested machine until we can remove all this mess.
Will check back as time permits.

PP:)


PP, I don't think this shell extension is approved, actually...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5011B86C-7743-018B-900E-25D254391AE6}
Dunno why these escape MBAM...
uRun: [FEXeTWLLHYgf.exe] c:\documents and settings\all users\application data\FEXeTWLLHYgf.exe
uRun: [iVV8cvvMWNUBz] c:\documents and settings\all users\application data\iVV8cvvMWNUBz.exe
Some weirdness on the McENUI key...
mRun: [McENUI] ¸????A??9]????\McENUI.exe /hide
And these:
S1 auxipnzh;auxipnzh;\??\c:\windows\system32\drivers\auxipnzh.sys --> c:\windows\system32\drivers\auxipnzh.sys [?]
S1 edvfrcqi;edvfrcqi;\??\c:\windows\system32\drivers\edvfrcqi.sys --> c:\windows\system32\drivers\edvfrcqi.sys [?]
S1 plejjdlu;plejjdlu;\??\c:\windows\system32\drivers\plejjdlu.sys --> c:\windows\system32\drivers\plejjdlu.sys [?]
2011-01-05 22:08:08 53248 ----a-w- c:\windows\system32\drivers\sst1F4.sys
2011-01-05 22:08:08 0 ----a-w- c:\windows\system32\drivers\sst1F4.tmp



PP, I don't think this shell extension is approved, actually...

Indeed!

To be perfectly honest, I did not see any of those (other than the drivers) because I did not bother to look :)

The first thing I do any more - due to my time restraints - is look for suspicious drivers in the logs. If I see them, I request a run of Combofix and go from there.
If not, then I look at the rest of the logs....

-- Hey Gerbil: What do you think of running Avast! (or any other AV) with MSE? This isn't the first time I've seen this in a log....

PP:)
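The triage gerbil and PP describe above (look for suspicious drivers first, then odd Run entries) boils down to a few cheap checks on the DDS lines: random-looking names, executables dropped straight into Application Data or Temp, garbled paths, and drivers whose file is missing on disk ("[?]"). Here is that triage as a small Python script; it is an added example, not part of the thread or of DDS, and the regexes and thresholds are my own assumptions. The sample lines are constructed from the log entries quoted above, and the output is a list of leads for a human to verify, not verdicts: it also catches the McAfee cleanup service, which legitimately runs from Temp.

```python
import re

# Constructed sample lines in DDS "Pseudo HJT Report" and "SERVICES / DRIVERS"
# format. They reproduce entries from the log posted in this thread so the
# heuristics can be checked against what the helpers actually flagged.
SAMPLE_LINES = [
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"uRun: [FEXeTWLLHYgf.exe] c:\documents and settings\all users\application data\FEXeTWLLHYgf.exe",
    r"uRun: [iVV8cvvMWNUBz] c:\documents and settings\all users\application data\iVV8cvvMWNUBz.exe",
    r'mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui',
    r"mRun: [McENUI] ¸????A??9]????\McENUI.exe /hide",
    r"R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-17 294608]",
    r"S1 auxipnzh;auxipnzh;\??\c:\windows\system32\drivers\auxipnzh.sys --> c:\windows\system32\drivers\auxipnzh.sys [?]",
    r"S2 0046261294343633mcinstcleanup;McAfee Application Installer Cleanup (0046261294343633);c:\docume~1\naeem_~1\locals~1\temp\004626~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\naeem_~1\locals~1\temp\004626~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]",
]

# Line shapes DDS uses: "uRun: [name] command" and "R1 name;display;image [date size]".
RUN_RE = re.compile(r"^[umd]Run: \[([^\]]+)\] (.*)$")
SVC_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.*)$")
# Assumed heuristics (my own thresholds, not anything DDS or the helpers publish).
APPDATA_EXE_RE = re.compile(r"application data\\[^\\]+\.(?:exe|dll|scr)\b", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)
NONPRINT_RE = re.compile(r"[^\x20-\x7e]")


def looks_random(name):
    """Crude 'random filename' test: long names with almost no vowels, or names
    that flip letter case every few characters (FEXeTWLLHYgf, iVV8cvvMWNUBz).
    Short all-lowercase names such as auxipnzh pass; those rely on the [?] check."""
    stem = name.rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return (len(letters) >= 8 and vowels / len(letters) < 0.2) or flips >= 4


def triage_line(line):
    """Return (name, reasons) for a Run or service line, or None if it is neither.
    reasons is empty when nothing about the entry stands out."""
    reasons = []
    m = RUN_RE.match(line)
    if m:
        name, target = m.groups()
    else:
        m = SVC_RE.match(line)
        if not m:
            return None
        name, target = m.groups()
        if target.rstrip().endswith("[?]"):
            reasons.append("file not found on disk ([?])")
    if looks_random(name):
        reasons.append("random-looking name")
    if APPDATA_EXE_RE.search(target):
        reasons.append("executable directly under Application Data")
    if TEMP_RE.search(target):
        reasons.append("runs from a Temp directory")
    if NONPRINT_RE.search(target):
        reasons.append("non-printable characters in path")
    return name, reasons


def triage(lines):
    """Map the name of every flagged entry to its reasons; clean entries are omitted."""
    flagged = {}
    for line in lines:
        hit = triage_line(line.rstrip("\r\n"))
        if hit and hit[1]:
            flagged[hit[0]] = hit[1]
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LINES).items():
        print(f"{name}: {', '.join(reasons)}")
```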


As you say, either one is good, both may be less than.
I think Combofix will sort him out. I try to avoid it cos I don't like the system resets it does; those services could be removed manually and I bet that would expose other files to scans. You wanna do the work?


those services could be removed manually and I bet that would expose other files to scans. You wanna do the work?

Maybe.
Maybe not..... I'd rather go with combofix first and see what remains and then have a whack at manual removal.

PP:)


Thanks for all the help guys, sorry I haven't replied sooner. I only downloaded Avast to do a virus scan after the computer started going crazy, but my hubby's friend took the PC and he's fixed it. If I have any more problems, which I hope I don't, I will let you know.


My hubby's friend took the PC and he's fixed it. If I have any more problems, which I hope I don't, I will let you know.

Glad to hear it!

Thanks for letting us know you got it sorted out.

Cheers :)
PP
