Post #1
New Member. Group: Members. Posts: 7. Joined: 11-January 10. Member No.: 433,020
For a while now my Google search results have been hijacked. Results look normal, but when you click you go somewhere else, usually with a couple of redirects, ending up literally anywhere, usually a snide site but sometimes a respectable site like eBay. The problem happens most of the time, but about one in five results works normally. Even if you keep clicking on the same result, eventually it works. If I clear cookies it seems to fix it briefly, but after a while it comes back. If I disable cookies it seems to fix it for longer, but eventually it comes back. Every spyware tool (Spybot, Ad-Aware, SUPERAntiSpyware) I use seems to find stuff on every scan; I remove them, reboot, rescan and still get some results. So I tried safe mode and get a blue screen every time. At this stage FF had no problems. I uninstalled Chrome, thinking that scans might be more successful with it uninstalled and then I could reinstall it. Within an hour results were hijacked in FF. Below I paste the pseudo HJT log; I will attach the "attach.txt" file and the two files from RootRepeal (one opened up in a file at the end of the scan, the one with the long file name; the other is what was in the application window when it said "save scan results"). I hope I have done this right. Let me know if I need to give you any more details. THANK YOU!
Attached File(s):
- Attach.txt (22.29k)
- RootRepeal_report_01_11_10__20_17_49_.txt (4.83k)
- rootrepeal.txt (4.83k)
Post #2
I know the drill! Group: Malware Response Team. Posts: 13,623. Joined: 24-July 08. From: London. Member No.: 224,929
Hi,
Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
Once I receive a reply then I will return with your first instructions. Thanks

--------------------
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)
m0le can be found at Bleeping Computer, Geeks To Go, and SpywareHammer
If I have helped you fix your PC then please donate to the anti-malware cause. Thanks
Post #3
New Member. Group: Members. Posts: 7. Joined: 11-January 10. Member No.: 433,020
Hello m0le,
Yes I am here, subscribed and very grateful to receive your help. I will refrain from installs (since I posted this log I have installed Microsoft Visual C# Express and XNA Game Studio 3.1). Thanks, Lee.
Post #4
New Member. Group: Members. Posts: 7. Joined: 11-January 10. Member No.: 433,020
XNA Game Studio 3.1 is a Microsoft product, an add on for Visual C# Express.
Post #5
I know the drill! Group: Malware Response Team. Posts: 13,623. Joined: 24-July 08. From: London. Member No.: 224,929
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case eMule). These programmes allow files to be shared between users, as the name(s) suggest. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.
It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with great care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology." It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves. Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

-----------------------------------------------------------------------------

There's a trojan showing in the log but also evidence of a rootkit attack. Please download ComboFix from one of these locations:*

IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message. Click on Yes to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Thanks
Post #6
New Member. Group: Members. Posts: 7. Joined: 11-January 10. Member No.: 433,020
Thanks m0le,
here's the file, I will paste it too.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked] @="{C5994563-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}] 2008-01-16 17:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly] @="{C5994564-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}] 2008-01-16 17:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted] @="{C5994565-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}] 2008-01-16 17:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded] @="{C5994566-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}] 2008-01-16 17:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored] @="{C5994567-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}] 2008-01-16 17:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned] @="{C5994568-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}] 2008-01-16 17:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032] "instanteyedropper"="c:\program files\InstantEyedropper\InstantEyedropper.exe" [2007-10-17 352256] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-07 2002160] "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-11-27 270128] "eMuleAutoStart"="c:\program files\eMule\emule.exe" [2009-02-22 5668864] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 141848] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162328] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 137752] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712] "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-21 2043160] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848] "nwiz"="nwiz.exe" [2006-08-11 1519616] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016] "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152] "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" 
[2008-09-06 413696] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\All Users\Start Menu\Programs\Startup\ BetTrader Evolution Auto-start.lnk - c:\windows\Installer\{27DBD206-CC3E-493E-AC86-BA9DA5778CDA}\_8EDBC3CB4B5F699E6F6D5C.exe [2009-11-20 3262] [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source= c:\documents and settings\Lee Holden\My Documents\Downloads\DG_ss10_foto_B_1600x1200.jpg FriendlyName= [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-27 10:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"= "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe"= "c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"= "c:\\WINDOWS\\system32\\ftp.exe"= "c:\\Program Files\\eMule\\emule.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program 
Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Common Files\\Microsoft Shared\\DevServer\\9.0\\WebDev.WebServer.EXE"= "c:\\ruby\\bin\\ruby.exe"= "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\BetTraderEvolution\\bettrader.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "60317:TCP"= 60317:TCP:mu "60900:TCP"= 60900:TCP:utorrent R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [01/09/2009 12:48 64160] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [01/07/2008 14:50 335240] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01/07/2008 14:50 108552] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480] R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [03/07/2008 10:52 908056] R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [03/07/2008 10:52 297752] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 14:49 1028432] R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [03/03/2007 22:12 202096] R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.4\Reporting Services\ReportServer\bin\ReportingServicesService.exe [03/03/2007 22:09 17264] R3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\drivers\BDA_Capture_225.sys [20/08/2009 19:54 14592] R3 
SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408] S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\system32\drivers\BDA_Loader_225.sys [20/08/2009 19:54 18944] S3 NMRKUSBA;Numark USB2 WDM;c:\windows\system32\drivers\nmrkusba.sys [09/09/2009 19:03 31744] S3 NMRKUSBU;Numark USB2 driver;c:\windows\system32\drivers\nmrkusbu.sys [09/09/2009 19:03 351232] S3 RDID1008;Roland PC-300;c:\windows\system32\drivers\Rdwm1008.sys [09/09/2009 19:38 79361] S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys --> c:\windows\system32\DRIVERS\UltraMonMirror.sys [?] S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 00:28 47128] S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 01:49 242712] S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [11/07/2008 00:28 369688] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}] 2009-03-04 15:32 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe . Contents of the 'Scheduled Tasks' folder 2010-01-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 12:48] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.google.co.uk/ uInternet Settings,ProxyOverride = *.local IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll DPF: {C6A03519-BA6F-438E-AF3A-878F11521CA5} - hxxp://blah1.servebbs.org/jpgview.cab FF - ProfilePath - c:\documents and settings\Lee Holden\Application Data\Mozilla\Firefox\Profiles\27246k10.default\ FF - prefs.js: browser.startup.homepage - hxxp://localhost/ FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p= FF - component: c:\documents and settings\Lee Holden\Application Data\Mozilla\Firefox\Profiles\27246k10.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll FF - component: c:\documents and settings\Lee Holden\Application Data\Mozilla\Firefox\Profiles\27246k10.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll FF - 
component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll FF - plugin: c:\program files\Opera\program\plugins\npmusicn.dll FF - plugin: c:\program files\Opera\program\plugins\NPSibelius.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - ORPHANS REMOVED - - - - HKCU-Run-webmasterstoolkit - c:\program files\WebmastersToolkit\WebmastersToolkit.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-01-18 15:56 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\msftesql] "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:MSSQLSERVER" [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL] "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL" . 
--------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(712) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\WININET.dll - - - - - - - > 'explorer.exe'(4688) c:\windows\system32\WININET.dll c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll c:\program files\TortoiseSVN\bin\TortoiseStub.dll c:\program files\TortoiseSVN\bin\TortoiseSVN.dll c:\program files\TortoiseSVN\bin\intl3_tsvn.dll c:\windows\system32\msi.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\program files\Roxio\Drag-to-Disc\Shellex.dll c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL c:\program files\Roxio\Drag-to-Disc\ShellRes.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Bonjour\mDNSResponder.exe c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe c:\windows\system32\inetsrv\inetinfo.exe c:\program files\Java\jre6\bin\jqs.exe c:\progra~1\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe c:\program files\BetTraderEvolution\bettrader.exe c:\program files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe c:\windows\system32\nvsvc32.exe c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\windows\system32\wbem\unsecapp.exe c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe c:\program files\Lavasoft\Ad-Aware\AAWTray.exe . 
************************************************************************** . Completion time: 2010-01-18 16:00:43 - machine was rebooted ComboFix-quarantined-files.txt 2010-01-18 16:00 Pre-Run: 76,061,589,504 bytes free Post-Run: 76,159,242,240 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4 - - End Of File - - 4A4962DEC8E4123C8B1E328FC859FC93
Attached File(s)

Post #7
I know the drill! Group: Malware Response Team Posts: 13,623 Joined: 24-July 08 From: London Member No.: 224,929
That's removed the TDL3 rootkit and that should stop the redirections.
Just run the ESET online scan to mop up anything else you may have picked up. I'd like us to scan your machine with ESET OnlineScan.

--------------------
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)
m0le can be found at Bleeping Computer, Geeks To Go, and SpywareHammer
If I have helped you fix your PC then please donate to the anti-malware cause. Thanks
Post #8
New Member Group: Members Posts: 7 Joined: 11-January 10 Member No.: 433,020
Here are the results of that scan:

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir Win32/Olmarik.RF virus deleted - quarantined
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\13\5754a58d-1dbd14e8 multiple threats deleted - quarantined

Thanks, Lee.
Post #9
I know the drill! Group: Malware Response Team Posts: 13,623 Joined: 24-July 08 From: London Member No.: 224,929
How is the PC running now? It should be running as well as, or better than, before the infection.
Post #10
New Member Group: Members Posts: 7 Joined: 11-January 10 Member No.: 433,020
Yes, thank you so much; it seems to be perfect since we ran ComboFix.

Thank you very much for your help. If I or someone I know has problems, is it safe to follow these steps, or do you need to see the original two logs before recommending ComboFix?
Post #11
I know the drill! Group: Malware Response Team Posts: 13,623 Joined: 24-July 08 From: London Member No.: 224,929
It's an individual fix, so it should not be copied. It is an incredibly bad idea to run ComboFix without support anyway, as it can leave your PC unbootable.

I just have to post the final instructions. These are important: they remove things and reset certain important functions.

You're clean. Good stuff! Let's do some clearing up.

Uninstall ComboFix
Remove ComboFix now that we're done with it.

Download and Run OTC
We will now remove the tools we used during this fix using OTC.

Here's some advice on how you can keep your PC clean

Update your AntiVirus Software
It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install an AntiSpyware Program
A highly recommended antispyware program is SUPERAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period. Installing this or another recommended program will provide spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with an antispyware program on a regular basis, just as you would with antivirus software.

Finally, here's a treasure trove of antivirus, antimalware and antispyware resources.

That's it kettlecup, happy surfing!

Cheers.

m0le
Post #12
New Member Group: Members Posts: 7 Joined: 11-January 10 Member No.: 433,020
I have followed those instructions and will heed the warning not to run ComboFix without supervision!

Thanks again for such a brilliant service.

Lee.
Post #13
I know the drill! Group: Malware Response Team Posts: 13,623 Joined: 24-July 08 From: London Member No.: 224,929
Thanks kettlecup.
--------------------------------------------------

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread. Everyone else please begin a New Topic.