AVG Resident Shield Alert & Web Shield Alert

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Page 1 of 1

You cannot start a new topic
This topic is locked

AVG Resident Shield Alert & Web Shield Alert Do not know how to remove it

#1 uronerose

Member

Group: Members
Posts: 17
Joined: 04-June 09

Posted 04 June 2009 - 05:11 AM

DDS (Ver_09-05-14.01) - NTFSx86
Run by Compaq_Owner at 2:48:23.73 on 06/04/2009 Thu
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.949.82.1033.18.702.138 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\e.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\ld08.exe
C:\windows\pp10.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\e.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Internet Speed Monitor: {1b2588f5-45ce-4322-b755-d79944ad1b17} - c:\program files\ism\BndDrive6.dll
EB: Internet Speed Monitor: {1ed6a320-8af3-4f06-868a-9ba95585712e} - c:\program files\ism\BndDrive7.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [QdrModule9] "c:\program files\qdrmodule\QdrModule9.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [AHNSD] "c:\program files\ahnlab\smart update utility\AhnSD.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimageworkstation\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimageworkstation\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [pp] c:\windows\pp10.exe
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: doginhispen.com
Trusted Zone: whataboutadog.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\2zgixuf6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll

============= SERVICES / DRIVERS ===============

R?2 AcrSch2Svc Task Scheduler;Acronis Scheduler2 Service AcrSch2Svc Task Scheduler;c:\windows\system32\e.exe run --> c:\windows\system32\e.exe run [?]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-24 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-24 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-24 108552]
R2 AhnLab Task Scheduler;AhnLab Task Scheduler;c:\program files\ahnlab\smart update utility\AhnSDsv.exe [2008-4-28 174792]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-16 38496]
S3 st324kj;st324kj;c:\windows\system32\drivers\st324kj.sys --> c:\windows\system32\drivers\st324kj.sys [?]

=============== Created Last 30 ================

2009-06-04 02:23 17,408 a------- c:\windows\run_1244116590.exe
2009-06-04 02:23 15,872 a------- c:\windows\run_1244127169.exe
2009-06-04 01:21 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-06-04 01:21 14,336 ----h--- c:\windows\pp10.exe
2009-06-04 01:21 2 ----h--- c:\windows\ro122730.dat
2009-06-04 01:19 14,848 ----h--- c:\windows\ld08.exe
2009-06-04 01:19 <DIR> --d----- c:\program files\Microsoft Common
2009-06-02 03:50 <DIR> --dsh--- c:\windows\system32\lowsec
2009-06-02 03:50 24,576 a---h--- c:\windows\system32\e.exe
2009-05-31 12:50 <DIR> --d----- c:\program files\The Creative Assembly
2009-05-26 00:11 <DIR> --d-h--- C:\$AVG8.VAULT$

==================== Find3M ====================

2009-05-01 14:44 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-01 14:44 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-01 14:44 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-29 21:03 36,095 a------- c:\windows\DIIUnin.dat
2009-03-29 21:02 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-03-29 21:02 17,212 a------t c:\windows\system32\SIntf32.dll
2009-03-29 21:02 12,067 a------t c:\windows\system32\SIntf16.dll
2009-03-29 03:13 94,208 a------- c:\windows\DIIUnin.exe
2009-03-29 03:13 2,829 a------- c:\windows\DIIUnin.pif
2009-03-21 07:18 986,112 a------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 07:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-06 07:44 283,648 a------- c:\windows\system32\dllcache\pdh.dll
2006-03-30 20:52 1 ac------ c:\documents and settings\compaq_owner\SI.bin
2005-01-14 05:34 0 ac------ c:\docume~1\compaq~1\applic~1\wklnhst.dat
2003-04-03 00:21 23,938 ac---r-- c:\windows\inf\SMC2208.SYS

============= FINISH: 2:50:29.20 ===============

Attached File(s)

Attach.txt (12.77K)
Number of downloads: 0

#2 miekiemoes

Malware Killer Dog

Group: Malware Response Team
Posts: 19,287
Joined: 18-February 05
Gender:Female
Location:Belgium

Posted 04 June 2009 - 07:07 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 uronerose

Member

Group: Members
Posts: 17
Joined: 04-June 09

Posted 05 June 2009 - 12:17 AM

Hello,

My computer actually started going nuts to where I couldn't even get online or load any applications so I had to do a PC recovery. After this, I used Malwarebytes and there were about 25 objects found! I removed them and did another DDS. I'm also going to post trend micro hijackthis log that i ran also.

Malwarebytes' Anti-Malware 1.37
Database version: 2232
Windows 5.1.2600 Service Pack 2

6/4/2009 10:03:13 PM
mbam-log-2009-06-04 (22-03-13).txt

Scan type: Quick Scan
Objects scanned: 99353
Time elapsed: 6 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\MicPhone (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\hgjokgc.exe (Trojan.Winwebsec) -> Quarantined and deleted successfully.
c:\lquq.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\rdl11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\naweuhrgybrnvnbwgokimolddb44.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\UACb8fa.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\_A00F3D8CD.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\temporary internet files\Content.IE5\Q1W945I3\ms[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\program files\microsoft common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\MicPhone\antit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\MicPhone\antit.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msmark2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\dhcp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\mstre19.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\pp10.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122715.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122730.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122739.dat (Worm.KoobFace) -> Quarantined and deleted successfully.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Compaq_Owner at 22:09:13.37 on Thu 06/04/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.702.417 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\hp\bin\cloaker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\hp\bin\cloaker.exe
c:\windows\i386\winnt32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
mRun: [PCDrProfiler] "c:\program files\pc-doctor 5 for windows\RunProfiler.exe" -r
mRun: [SSC_UserPrompt] c:\program files\common files\symantec shared\security center\UsrPrmpt.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IS CfgWiz] c:\program files\norton internet security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-3-4 185968]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-3-4 239216]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-3-4 161392]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2005-3-24 127088]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-2-4 53896]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20050620.007\NAVENG.Sys [2005-8-26 73760]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20050620.007\NavEx15.Sys [2005-8-26 632000]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-2-4 324232]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-3-4 83568]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-2-17 198368]

=============== Created Last 30 ================

2009-06-04 22:09 450,794 a------- C:\txtsetup.sif
2009-06-04 22:09 260,272 a------- C:\$LDR$
2009-06-04 22:08 <DIR> --d----- C:\$WIN_NT$.~BT
2009-06-04 22:08 <DIR> --d----- c:\windows\setupupd
2009-06-04 21:53 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Malwarebytes
2009-06-04 21:53 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-04 21:53 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-04 21:47 221,184 a------- c:\windows\system32\wmpns.dll
2009-06-04 21:46 1,839 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_ED865AA-ABA SR1610NX NA540_YC_0Pres_QMXK535_E54NAheRED3_48_IAMETHYST-M_SMSI_V1.0_B3.33_T050817_WXH2_L409_M703_J80_7AMD_8Sempron_91.79_#050922_N10EC8139_Z11C1048C_G10025954_OTSSTcorp CDW DVD TS-H492C.MRK
2009-06-04 21:44 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Symantec
2009-06-04 21:44 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Intuit
2009-06-04 21:44 <DIR> --d----- c:\documents and settings\compaq_owner\WINDOWS
2009-06-04 21:44 <DIR> --d----- c:\documents and settings\Compaq_Owner
2009-06-04 21:33 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-06-04 20:50 202 a------- C:\2.reg
2009-06-04 20:36 <DIR> --d----- c:\windows\dhcp
2009-06-04 20:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\12910464
2009-06-04 20:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\92920456
2009-06-04 20:33 20,480 a------- C:\naiyvquh.exe
2009-06-04 20:33 2 a------- C:\407489284
2009-05-31 12:50 <DIR> --d----- c:\program files\The Creative Assembly
2009-05-26 00:11 <DIR> --d-h--- C:\$AVG8.VAULT$

==================== Find3M ====================

2009-06-04 20:42 579 a------- C:\xcrashdump.dat
2009-03-29 21:03 36,095 a------- c:\windows\DIIUnin.dat
2009-03-29 03:13 94,208 a------- c:\windows\DIIUnin.exe
2009-03-29 03:13 2,829 a------- c:\windows\DIIUnin.pif
2006-03-30 20:52 1 ac------ c:\documents and settings\compaq_owner\SI.bin
2003-04-03 00:21 23,938 ac---r-- c:\windows\inf\SMC2208.SYS

============= FINISH: 22:10:07.28 ===============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:10 PM, on 6/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\hp\bin\cloaker.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\hp\bin\cloaker.exe
c:\windows\i386\winnt32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCDrProfiler] "C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe" -r
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8514 bytes

Attached File(s)

Attach2.txt (4.7K)
Number of downloads: 0

#4 uronerose

Member

Group: Members
Posts: 17
Joined: 04-June 09

Posted 05 June 2009 - 12:19 AM

My computer started going nuts and the only thing that was popping out was 'System Security' which even changed my wallpaper to some warning message. My computer also started to restart unexpectedly. Right now, it seems fine but I'm surprised that there were so many objects found in the malwarebytes scan.

#5 miekiemoes

Malware Killer Dog

Group: Malware Response Team
Posts: 19,287
Joined: 18-February 05
Gender:Female
Location:Belgium

Posted 05 June 2009 - 02:28 AM

Quote

Right now, it seems fine but I'm surprised that there were so many objects found in the malwarebytes scan.

Why are you suprised?
Your computer was severly infected and maybe still is.

That's why...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

By the way, I see you had AVG before, uninstalled and installed NIS instead. Did you purchase NIS?

#6 uronerose

Member

Group: Members
Posts: 17
Joined: 04-June 09

Posted 10 June 2009 - 12:58 AM

Hello,

Were you talking about norton? if so, i uninstalled it because i did not have a key or anything to do with it. I'm guessing it was preinstalled on the computer when i first got it but the subscription is expired now anyway. I should only have AVG now. Here's the combofix log. Also, sorry if I was surprised, I'm not exactly much of an expert with computers. I just thought if i did the recovery that it would erase everything back to its factory installed state so i thought there wouldn't be anything wrong now. =P

ComboFix 09-06-09.06 - Compaq_Owner 06/09/2009 22:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.702.391 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\as.txt
c:\documents and settings\All Users\Application Data\12910464
c:\documents and settings\All Users\Application Data\12910464\12910464.exe
c:\documents and settings\All Users\Application Data\12910464\12910464.glu
c:\documents and settings\All Users\Application Data\12910464\pc12910464cnf
c:\documents and settings\All Users\Application Data\12910464\pc12910464ins
c:\documents and settings\All Users\Application Data\92920456
c:\documents and settings\All Users\Application Data\92920456\92920456.exe
c:\progra~1\COMMON~1\{1849C~1
c:\progra~1\COMMON~1\{3849C~1
c:\temp\17o7
c:\temp\17o7\tmpTF.log
c:\temp\tn3
c:\windows\IE4 Error Log.txt
c:\windows\Install.txt
c:\windows\KBPK090604.log
c:\windows\search_res.txt
C:\xcrashdump.dat
D:\Autorun.inf
D:\Desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-05 06:02 . 2009-06-10 04:51 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-05 06:02 . 2009-06-05 06:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-05 06:02 . 2009-06-05 06:02 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-05 06:02 . 2009-06-05 06:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-05 06:02 . 2009-06-05 06:02 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-05 04:54 . 2009-06-05 04:54 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-05 04:53 . 2009-06-05 04:53 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-06-05 04:53 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-05 04:53 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-05 04:48 . 2009-06-05 04:48 7406 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{BE9FEFBA-F2F8-468B-A108-4356F73A3E9C}\_63cb6bfc.exe
2009-06-05 04:48 . 2009-06-05 04:48 1078 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{BE9FEFBA-F2F8-468B-A108-4356F73A3E9C}\_6e5d1ad4.exe
2009-06-05 04:47 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-06-05 04:42 . 2005-08-27 05:12 -------- d-----w- c:\windows\system32\config\systemprofile\WINDOWS
2009-06-05 03:50 . 2009-06-05 03:50 202 ----a-w- C:\2.reg
2009-06-05 03:36 . 2009-06-05 05:03 -------- d-----w- c:\windows\dhcp
2009-06-05 03:33 . 2009-06-05 03:33 20480 ----a-w- C:\naiyvquh.exe
2009-05-31 19:50 . 2009-05-31 19:50 -------- d-----w- c:\program files\The Creative Assembly
2009-05-26 07:11 . 2009-06-04 23:20 -------- d--h--w- C:\$AVG8.VAULT$
2009-05-26 05:25 . 2009-05-26 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-16 01:07 . 2009-05-16 01:05 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-16 01:07 . 2009-05-16 01:05 3401496 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 05:27 . 2005-01-14 12:34 33128 -c--a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-10 05:05 . 2005-08-27 05:31 -------- d-----w- c:\program files\Symantec
2009-06-10 05:02 . 2005-08-27 05:31 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-05 13:45 . 2005-08-27 05:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-05 05:52 . 2009-03-25 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-05 04:54 . 2009-04-16 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-05 04:46 . 2009-06-05 04:46 1839 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_ED865AA-ABA SR1610NX NA540_YC_0Pres_QMXK535_E54NAheRED3_48_IAMETHYST-M_SMSI_V1.0_B3.33_T050817_WXH2_L409_M703_J80_7AMD_8Sempron_91.79_#050922_N10EC8139_Z11C1048C_G10025954_OTSSTcorp CDW DVD TS-H492C.MRK
2009-06-05 04:46 . 2005-08-27 05:24 -------- d-----w- c:\program files\Easy Internet signup
2009-06-02 05:17 . 2009-03-29 10:05 -------- d-----w- c:\program files\Diablo II
2009-04-28 21:37 . 2009-04-28 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-28 21:37 . 2009-04-28 21:34 -------- d-----w- c:\program files\Common Files\Apple
2009-04-28 21:36 . 2009-04-28 21:36 -------- d-----w- c:\program files\Bonjour
2009-04-28 21:34 . 2009-04-28 21:34 -------- d-----w- c:\program files\Apple Software Update
2009-04-28 21:34 . 2009-04-28 21:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-04-26 04:31 . 2009-04-26 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-26 04:30 . 2009-04-26 04:28 -------- d-----w- c:\program files\Yahoo!
2009-04-16 23:11 . 2009-04-16 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-02 23:29 . 2009-04-02 23:29 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-30 04:03 . 2009-03-29 10:13 36095 ----a-w- c:\windows\DIIUnin.dat
2009-03-29 10:13 . 2009-03-29 10:13 94208 ----a-w- c:\windows\DIIUnin.exe
2009-03-29 10:13 . 2009-03-29 10:13 2829 ----a-w- c:\windows\DIIUnin.pif
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 00:55 . 2009-04-26 04:28 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-08-27 05:03 . 2005-05-11 00:50 253952 c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe
2005-08-27 05:03 . 2005-05-11 00:50 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

2005-11-22 05:59 . 2005-10-29 05:05 344064 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
2005-08-27 04:48 . 2005-06-08 11:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

2005-08-27 04:56 . 2005-08-27 04:56 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
2005-08-27 04:56 . 2005-08-27 04:56 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

2005-03-04 16:40 . 2005-03-04 16:40 48752 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2004-11-03 06:59 . 2004-11-03 06:59 218240 c:\program files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe

2007-02-21 04:06 . 2007-02-21 04:06 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

2006-03-15 03:14 . 2006-11-19 08:32 406016 c:\program files\Grisoft\AVG Free\bak\avgcc.exe

2005-02-26 05:34 . 2005-02-26 05:34 245760 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
2005-02-26 05:34 . 2005-02-26 05:34 245760 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

2005-02-17 13:11 . 2005-02-17 13:11 49152 c:\program files\HP\HP Software Update\bak\HPwuSchd2.exe
2005-02-17 13:11 . 2005-02-17 13:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2005-08-27 05:11 . 2005-08-27 05:11 98304 c:\program files\QuickTime\bak\qttask.exe
2005-08-27 05:11 . 2005-08-27 05:11 98304 c:\program files\QuickTime\qttask.exe

2006-10-10 23:32 . 2004-08-04 12:00 208952 c:\windows\ime\imjp8_1\bak\IMJPMIG.EXE
2006-10-10 23:32 . 2004-08-04 12:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

2006-10-10 23:33 . 2004-08-04 12:00 44032 c:\windows\ime\imkr6_1\bak\IMEKRMIG.EXE
2006-10-10 23:33 . 2004-08-04 12:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-27 180269]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1947928]
"PCDrProfiler"="" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-05 06:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/4/2009 11:02 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/4/2009 11:02 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/24/2009 8:10 PM 298776]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-06-05 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-05-24 23:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-09 22:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-10 22:39
ComboFix-quarantined-files.txt 2009-06-10 05:39

Pre-Run: 52,640,096,256 bytes free
Post-Run: 52,670,525,440 bytes free

171

#7 miekiemoes

Malware Killer Dog

Group: Malware Response Team
Posts: 19,287
Joined: 18-February 05
Gender:Female
Location:Belgium

Posted 10 June 2009 - 02:23 AM

Hi,

This looks like this isn't the first time you got infected. You really have to be more careful. I'll post some tips afterwards how to do this :thumbup2:

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Quote

File::
C:\naiyvquh.exe
AWF::
c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
c:\program files\Grisoft\AVG Free\bak\avgcc.exe
Folder::
c:\windows\dhcp
c:\program files\Hewlett-Packard\HP Boot Optimizer\bak
c:\program files\HP\HP Software Update\bak
c:\program files\QuickTime\bak
c:\windows\ime\imjp8_1\bak
c:\windows\ime\imkr6_1\bak
c:\program files\Common Files\Symantec Shared\Security Center\bak
c:\program files\Common Files\Symantec Shared\bak
c:\hp\drivers\hplsbwatcher\bak
c:\program files\ATI Technologies\ATI Control Panel\bak
c:\program files\Common Files\Real\Update_OB\bak

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#8 uronerose

Member

Group: Members
Posts: 17
Joined: 04-June 09

Posted 10 June 2009 - 05:03 PM

ComboFix 09-06-09.06 - Compaq_Owner 06/10/2009 14:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.702.391 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"C:\naiyvquh.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\hp\drivers\hplsbwatcher\bak
c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe
C:\naiyvquh.exe
c:\program files\ATI Technologies\ATI Control Panel\bak
c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
c:\program files\Common Files\Real\Update_OB\bak
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\Common Files\Symantec Shared\bak
c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
c:\program files\Common Files\Symantec Shared\Security Center\bak
c:\program files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
c:\program files\Hewlett-Packard\HP Boot Optimizer\bak
c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
c:\program files\HP\HP Software Update\bak
c:\program files\HP\HP Software Update\bak\HPwuSchd2.exe
c:\program files\QuickTime\bak
c:\program files\QuickTime\bak\qttask.exe
c:\windows\dhcp
c:\windows\ime\imjp8_1\bak
c:\windows\ime\imjp8_1\bak\IMJPMIG.EXE
c:\windows\ime\imkr6_1\bak
c:\windows\ime\imkr6_1\bak\IMEKRMIG.EXE

.
((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-05 06:02 . 2009-06-10 21:30 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-05 06:02 . 2009-06-05 06:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-05 06:02 . 2009-06-05 06:02 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-05 06:02 . 2009-06-05 06:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-05 06:02 . 2009-06-05 06:02 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-05 04:54 . 2009-06-05 04:54 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-05 04:53 . 2009-06-05 04:53 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-06-05 04:53 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-05 04:53 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-05 04:48 . 2009-06-05 04:48 7406 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{BE9FEFBA-F2F8-468B-A108-4356F73A3E9C}\_63cb6bfc.exe
2009-06-05 04:48 . 2009-06-05 04:48 1078 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{BE9FEFBA-F2F8-468B-A108-4356F73A3E9C}\_6e5d1ad4.exe
2009-06-05 04:47 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-06-05 04:42 . 2005-08-27 05:12 -------- d-----w- c:\windows\system32\config\systemprofile\WINDOWS
2009-06-05 03:50 . 2009-06-05 03:50 202 ----a-w- C:\2.reg
2009-05-31 19:50 . 2009-05-31 19:50 -------- d-----w- c:\program files\The Creative Assembly
2009-05-26 07:11 . 2009-06-04 23:20 -------- d--h--w- C:\$AVG8.VAULT$
2009-05-26 05:25 . 2009-05-26 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-16 01:07 . 2009-05-16 01:05 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-16 01:07 . 2009-05-16 01:05 3401496 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 21:36 . 2005-08-27 05:10 -------- d-----w- c:\program files\QuickTime
2009-06-10 21:36 . 2005-08-27 05:31 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-10 05:27 . 2005-01-14 12:34 33128 -c--a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-10 05:05 . 2005-08-27 05:31 -------- d-----w- c:\program files\Symantec
2009-06-05 13:45 . 2005-08-27 05:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-05 05:52 . 2009-03-25 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-05 04:54 . 2009-04-16 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-05 04:46 . 2009-06-05 04:46 1839 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_ED865AA-ABA SR1610NX NA540_YC_0Pres_QMXK535_E54NAheRED3_48_IAMETHYST-M_SMSI_V1.0_B3.33_T050817_WXH2_L409_M703_J80_7AMD_8Sempron_91.79_#050922_N10EC8139_Z11C1048C_G10025954_OTSSTcorp CDW DVD TS-H492C.MRK
2009-06-05 04:46 . 2005-08-27 05:24 -------- d-----w- c:\program files\Easy Internet signup
2009-06-02 05:17 . 2009-03-29 10:05 -------- d-----w- c:\program files\Diablo II
2009-04-28 21:37 . 2009-04-28 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-28 21:37 . 2009-04-28 21:34 -------- d-----w- c:\program files\Common Files\Apple
2009-04-28 21:36 . 2009-04-28 21:36 -------- d-----w- c:\program files\Bonjour
2009-04-28 21:34 . 2009-04-28 21:34 -------- d-----w- c:\program files\Apple Software Update
2009-04-28 21:34 . 2009-04-28 21:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-04-26 04:31 . 2009-04-26 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-26 04:30 . 2009-04-26 04:28 -------- d-----w- c:\program files\Yahoo!
2009-04-16 23:11 . 2009-04-16 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-02 23:29 . 2009-04-02 23:29 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-30 04:03 . 2009-03-29 10:13 36095 ----a-w- c:\windows\DIIUnin.dat
2009-03-29 10:13 . 2009-03-29 10:13 94208 ----a-w- c:\windows\DIIUnin.exe
2009-03-29 10:13 . 2009-03-29 10:13 2829 ----a-w- c:\windows\DIIUnin.pif
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 00:55 . 2009-04-26 04:28 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-10_05.37.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-08-27 04:46 . 2005-06-28 17:21 22752 c:\windows\system32\spupdsvc.exe
- 2005-08-27 04:46 . 2005-02-25 03:35 22752 c:\windows\system32\spupdsvc.exe
+ 2005-08-27 04:44 . 2005-06-28 17:20 13536 c:\windows\system32\spmsg.dll
+ 2004-08-04 12:00 . 2007-04-30 15:20 5537792 c:\windows\system32\wmp.dll
+ 2004-08-04 12:00 . 2007-04-30 15:20 5537792 c:\windows\system32\dllcache\wmp.dll
+ 2007-08-15 09:28 . 2004-08-11 15:45 5550080 c:\windows\$NtUninstallKB936782_WMP10$\wmp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-27 180269]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1947928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-05 06:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/4/2009 11:02 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/4/2009 11:02 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/24/2009 8:10 PM 298776]
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-06-05 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-05-24 23:46]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 14:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-10 14:43
ComboFix-quarantined-files.txt 2009-06-10 21:43
ComboFix2.txt 2009-06-10 05:39

Pre-Run: 52,636,839,936 bytes free
Post-Run: 52,623,949,824 bytes free

161 --- E O F --- 2009-06-10 06:01

#9 miekiemoes

Malware Killer Dog

Group: Malware Response Team
Posts: 19,287
Joined: 18-February 05
Gender:Female
Location:Belgium

Posted 10 June 2009 - 06:01 PM

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

#10 uronerose

Member

Group: Members
Posts: 17
Joined: 04-June 09

Posted 10 June 2009 - 06:09 PM

"This looks like this isn't the first time you got infected. You really have to be more careful. I'll post some tips afterwards how to do this"

Everything seems fine so far. Any tips for future? Thanks a bunch!

#11 miekiemoes

Malware Killer Dog

Group: Malware Response Team
Posts: 19,287
Joined: 18-February 05
Gender:Female
Location:Belgium

Posted 10 June 2009 - 06:12 PM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#12 miekiemoes

Malware Killer Dog

Group: Malware Response Team
Posts: 19,287
Joined: 18-February 05
Gender:Female
Location:Belgium

Posted 15 June 2009 - 10:52 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.