
Internet Explorer Redirect/Malware Exploits


11 replies to this topic

#1 Lemmi

  • Members

Posted 18 February 2009 - 02:27 AM

Hello,
This started on Feb. 17, 2009.

Autorun Eater was used at first just so I could open programs and get to my C and E drives.
I could watch videos and look at pictures that are on my desktop, but I couldn't open any programs or open my C or E
drive. It was giving me a "cannot find window recycler/s" error box after removing 2 auto.ini files. I was able to use my scanning programs.

Now this is where I'm at.


When I open my Internet Explorer (homepage Google) I get "page cannot be displayed". When I look at my
PeerGuardian I see it's blocking "Malware Exploits" with destinations of 85.255.112.81.53 + 85.255.155.20.53.

If I let PeerGuardian block these I can't use the internet; all pages come up "page cannot be displayed". But if I
unblock them for a period of time I can use the internet.

So here is where the other problem comes in: some websites redirect me to

hxxp://banners.adultfriendfinder.com/go/page/115385_06?pid=g775836&no_click=1&popunder_off=1&spcpromo_creative=July-Spc&models=0

and this one:
hxxp://banners.adultfriendfinder.com/go/page/iframe_cm_17868?pid=g775836

I also can't open new windows; when I right click on a link it usually crashes IE.
I also can't directly click any links to download pages; it will either do nothing or crash IE. I couldn't even open the link on this site to "Read this topic before posting a log." I had to click Properties and copy and paste the link directly into the browser. I am able to click on the normal thread links here.
I can't use System Restore either.


At first I used AVG for viruses; it found 4:
c:\recycler\S-1-0-63-100025697-100000929-100026379-5986.com - deleted
c:\recycler\S-3-7-42-100007529-100027851-100003040-4034.com - deleted
c:\WINDOWS\Temp\134687.tmp - deleted
c:\WINDOWS\Temp\221187.tmp - deleted

Also in this scan is something called "Boot sector of disk C:" whose result/status says "change".


Then I used Ad-Aware to scan for spyware and removed these 3 items:
C:\WINDOWS\system32\divx.dll
C:\WINDOWS\system32\divxdec.ax
C:\WINDOWS\system32\mp4fil32.dll

I hope you can help, thanks.

Here is the DDS log and attachment.



DDS (Ver_09-02-01.01) - NTFSx86
Run by Scott at 2:11:21.32 on Wed 02/18/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.550 [GMT -5:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Scott\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AVG7_CC] c:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
mRun: [POINTER] point32.exe
mRun: [VTTimer] VTTimer.exe
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InstallShield Update Services] c:\windows\system32:msnmsgr.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\scott\startm~1\programs\startup\remindme.lnk - c:\documents and settings\scott\desktop\remind me\remindme\RemindMe.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: turbotax.com
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/V6/V5Controls/en/x86/client/wuweb_site.cab?1220556517125
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39695.512337963
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-17 64160]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-3-21 11264]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-3-22 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-3-22 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-3-22 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-3-22 10760]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2007-3-21 13696]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-7-23 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-3-22 394952]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2007-3-22 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2007-3-22 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe [2007-3-22 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-3-22 4960]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 921936]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 DCamUSBSony3;Sony Visual Communication Camera PCGA-UVC10;c:\windows\system32\drivers\snyucam3.sys [2008-8-7 419022]

=============== Created Last 30 ================

2009-02-17 23:17 <DIR> --d----- c:\program files\Trend Micro
2009-02-17 19:29 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-17 19:18 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-17 19:17 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-17 19:17 <DIR> --d----- c:\program files\Lavasoft
2009-02-17 18:42 <DIR> --d----- c:\program files\Autorun Eater
2009-02-14 16:34 <DIR> --d----- c:\program files\common files\HP
2009-02-14 16:34 43,488 a------- c:\windows\system32\drivers\AFS2K.SYS
2009-02-14 16:22 <DIR> --d----- c:\program files\HP
2009-02-14 16:22 28,922 a------- c:\windows\hpoins03.dat
2009-02-14 16:22 34,468 -------- c:\windows\hpomdl03.dat
2009-02-12 23:35 <DIR> --d----- c:\program files\Boilsoft Video Splitter
2009-02-10 22:33 608,448 a------- c:\windows\system32\comctl32.ocx
2009-02-10 00:59 <DIR> --d----- c:\program files\Real Alternative
2009-01-31 00:32 <DIR> --d----- c:\program files\Yahoo!

==================== Find3M ====================

2009-02-17 18:03 149,839,904 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-02-17 18:03 1,758,056 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-14 02:23 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 2:11:58.07 ===============


#2 PropagandaPanda

  • Malware Response Team

Posted 28 February 2009 - 02:38 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 Lemmi

  • Topic Starter
  • Members

Posted 28 February 2009 - 03:34 PM

Hello PropagandaPanda,
Thanks for your help.

The only change I made to my system since 2-17-09 was that I installed a freeware program called PDF Creator yesterday; I uninstalled it about an hour later after remembering that I wasn't supposed to make any changes.


Here are my logs:

ComboFix 09-02-28.01 - Scott 2009-02-28 15:10:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.601 [GMT -5:00]
Running from: c:\documents and settings\Scott\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
.
ADS - system32: deleted 997 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Scott\Start Menu\Programs\freshplay
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\gaopdxnoukygvq.sys
c:\windows\system32\drivers\gaopdxrjesiutf.sys
c:\windows\system32\drivers\gaopdxwkbaitet.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxvsdodubd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-28 to 2009-02-28 )))))))))))))))))))))))))))))))
.

2009-02-27 15:15 . 2001-10-28 17:42 116,224 --a------ c:\windows\system32\pdfcmnnt.dll
2009-02-17 23:17 . 2009-02-17 23:17 <DIR> d-------- c:\program files\Trend Micro
2009-02-17 19:29 . 2009-01-18 16:35 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-17 19:18 . 2009-01-18 16:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-17 19:17 . 2009-02-17 19:17 <DIR> d-------- c:\program files\Lavasoft
2009-02-17 19:17 . 2009-02-17 19:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-17 19:17 . 2009-02-17 19:17 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-17 18:42 . 2009-02-18 00:56 <DIR> d-------- c:\program files\Autorun Eater
2009-02-15 13:55 . 2009-02-15 13:55 <DIR> d-------- c:\documents and settings\Scott\Application Data\Snapfish
2009-02-14 16:34 . 2009-02-14 16:34 <DIR> d-------- c:\program files\Common Files\HP
2009-02-14 16:34 . 2009-02-14 16:34 43,488 --a------ c:\windows\system32\drivers\AFS2K.SYS
2009-02-14 16:22 . 2009-02-14 16:38 <DIR> d-------- c:\program files\HP
2009-02-14 16:22 . 2003-08-11 03:07 34,468 --------- c:\windows\hpomdl03.dat
2009-02-14 16:22 . 2009-02-14 16:42 28,922 --a------ c:\windows\hpoins03.dat
2009-02-12 23:35 . 2009-02-12 23:35 <DIR> d-------- c:\program files\Boilsoft Video Splitter
2009-02-10 22:33 . 2000-05-22 22:58 608,448 --a------ c:\windows\system32\comctl32.ocx
2009-02-10 00:59 . 2009-02-10 00:59 <DIR> d-------- c:\program files\Real Alternative
2009-01-31 00:32 . 2009-01-31 00:32 <DIR> d-------- c:\program files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-28 20:14 149,903,392 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-02-28 20:00 --------- d-----w c:\program files\PeerGuardian2
2009-02-28 17:41 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-02-28 17:40 14,077,815 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-02-28 17:37 --------- d-----w c:\documents and settings\Scott\Application Data\uTorrent
2009-02-27 18:10 --------- d-----w c:\documents and settings\Scott\Application Data\MailWasherPro
2009-02-26 03:37 --------- d-----w c:\program files\Google
2009-02-25 00:03 --------- d-----w c:\program files\uTorrent
2009-02-22 21:37 --------- d-----w c:\program files\SpeedFan
2009-02-18 06:12 --------- d-----w c:\documents and settings\Scott\Application Data\AVG7
2009-02-18 03:53 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-18 03:53 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-17 23:03 1,758,056 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-02-11 03:35 --------- d-----w c:\program files\Total Video Converter
2008-12-14 07:23 410,984 ----a-w c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 212992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-10-22 590848]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-06-26 212992]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 c:\windows\soundman.exe]
"VTTimer"="VTTimer.exe" [2005-03-08 c:\windows\system32\VTTimer.exe]

c:\documents and settings\Scott\Start Menu\Programs\Startup\
RemindMe.lnk - c:\documents and settings\Scott\Desktop\remind me\remindme\RemindMe.exe [2009-02-04 228334]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= c:\progra~1\ffdshow\ffdshow.ax
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-17 64160]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-03-21 11264]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2007-03-21 13696]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
S3 DCamUSBSony3;Sony Visual Communication Camera PCGA-UVC10;c:\windows\system32\drivers\snyucam3.sys [2008-08-07 419022]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c842c908-6e35-11dd-96f6-806d6172696f}]
\shell\play\Command - "c:\program files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Windows Live Update]
c:\windows\system32:msnmsgr.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 16:34]

2009-02-24 c:\windows\Tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1174743517.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-06-26 18:50]

2009-02-14 c:\windows\Tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1234647648.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-06-26 18:50]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKLM-Run-InstallShield Update Services - c:\windows\system32:msnmsgr.exe
HKLM-Run-POINTER - point32.exe
HKLM-Run-DXDllRegExe - dxdllreg.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-28 15:14:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
InstallShield Update Services = c:\windows\system32:msnmsgr.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-28 15:16:55
ComboFix-quarantined-files.txt 2009-02-28 20:16:48

Pre-Run: 7,193,669,632 bytes free
Post-Run: 17,224,982,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

157



============================================================================


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-28 15:27:10
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

---- EOF - GMER 1.0.14 ----
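The ComboFix log above reports "ADS - system32: deleted 997 bytes in 1 streams" and removes the orphaned Run entry c:\windows\system32:msnmsgr.exe, a program hidden in an NTFS alternate data stream attached to the system32 folder itself, which the DDS "Pseudo HJT Report" in the first post had already listed. As an added example, not code from this thread or from the DDS/ComboFix tools, the Python checker below parses DDS-style uRun/mRun lines and flags any launch path that points into an alternate data stream; the sample lines are constructed from the first DDS log in the thread.

```python
"""Flag autorun entries whose launch target is an NTFS alternate data stream.

Added example (not part of the thread or of DDS/ComboFix). A Win32 path may
legitimately contain one colon, directly after the drive letter; any other
colon separates a file or folder name from a stream name, which is how the
entry c:\\windows\\system32:msnmsgr.exe hides an executable "inside" system32.
"""
import re
from typing import List, Tuple

# DDS writes user/machine Run keys as "<kind>: [<value name>] <command line>".
RUN_LINE = re.compile(r"^(?P<kind>[um]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Constructed sample, copied from the shape of the first DDS log in the thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [InstallShield Update Services] c:\windows\system32:msnmsgr.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
"""


def executable_path(cmd: str) -> str:
    """Return the launch target of a Run command line, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted form: DDS shows switches as " /S", " /STARTUP" etc. after the path.
    return re.split(r"\s+/", cmd, maxsplit=1)[0]


def is_ads_path(path: str) -> bool:
    """True if the path names an alternate data stream (a colon not at index 1)."""
    colons = [i for i, ch in enumerate(path) if ch == ":"]
    if not colons:
        return False
    has_drive_colon = len(path) > 1 and path[0].isalpha() and path[1] == ":"
    # With a drive prefix, only the colon at index 1 is legitimate;
    # without one (e.g. a bare file name or UNC path), any colon is a stream.
    return any(i != 1 or not has_drive_colon for i in colons)


def find_ads_autoruns(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, value name, path) for every Run entry launching from an ADS."""
    hits = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        path = executable_path(m.group("cmd"))
        if is_ads_path(path):
            hits.append((m.group("kind"), m.group("name"), path))
    return hits


if __name__ == "__main__":
    for kind, name, path in find_ads_autoruns(SAMPLE_LOG):
        print(f"{kind} [{name}] launches from an alternate data stream: {path}")
```

Against the sample only the "InstallShield Update Services" entry is reported; the same test applies to any other log line that carries a path (the ComboFix "active setup" and ORPHANS REMOVED lines above show the identical stream).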

#4 PropagandaPanda

  • Malware Response Team

Posted 28 February 2009 - 04:30 PM

Hello.

ComboFix removed a nasty infection.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding the prevention of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Please take a new DDS.txt log after.

With Regards,
The Panda

#5 Lemmi

  • Topic Starter
  • Members

Posted 28 February 2009 - 07:36 PM

Hello,

I don't use my computer for much of anything other than videos, MP3s, and visiting various websites,
so if they want my account on video game websites I'm not worried about that; I just want the random redirects from Google and one other site to go away.

I will be changing the hard drive sometime in March or April, so I will have a fresh install, but until then I would like this cleaned up as best as possible for now.

I updated Windows fully except for IE7 (I tried that once before and didn't like it).

Here are the logs, and thanks for your help.



DDS (Ver_09-02-01.01) - NTFSx86
Run by Scott at 19:23:51.92 on Sat 02/28/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.531 [GMT -5:00]

AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Scott\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AVG7_CC] c:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
mRun: [VTTimer] VTTimer.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\scott\startm~1\programs\startup\remindme.lnk - c:\documents and settings\scott\desktop\remind me\remindme\RemindMe.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: turbotax.com
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235857477859
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235857468703
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39695.512337963
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-17 64160]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-3-21 11264]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-3-22 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-3-22 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-3-22 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-3-22 10760]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2007-3-21 13696]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-7-23 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-3-22 394952]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2007-3-22 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2007-3-22 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe [2007-3-22 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-3-22 4960]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 921936]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 DCamUSBSony3;Sony Visual Communication Camera PCGA-UVC10;c:\windows\system32\drivers\snyucam3.sys [2008-8-7 419022]

=============== Created Last 30 ================

2009-02-28 19:16 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-02-28 18:56 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-28 18:55 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-02-28 18:55 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-28 18:55 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-28 18:55 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-28 18:55 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-02-28 18:55 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-28 18:55 117,760 -------- c:\windows\system32\prntvpt.dll
2009-02-28 18:55 <DIR> --d----- C:\e5ee6cb58adfb883cd3ada715d5e
2009-02-28 18:25 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-02-28 18:24 666,112 -c------ c:\windows\system32\dllcache\wininet.dll
2009-02-28 18:24 619,520 -c------ c:\windows\system32\dllcache\urlmon.dll
2009-02-28 18:24 1,499,136 -c------ c:\windows\system32\dllcache\shdocvw.dll
2009-02-28 18:24 3,067,904 -c------ c:\windows\system32\dllcache\mshtml.dll
2009-02-28 18:23 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-02-28 18:23 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-02-28 18:23 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-02-28 18:23 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-28 18:23 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-28 18:23 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-28 18:23 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-28 18:23 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2009-02-28 18:22 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-02-28 18:22 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-02-28 18:21 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-02-28 18:21 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-02-28 17:37 <DIR> --d----- c:\windows\system32\scripting
2009-02-28 17:37 <DIR> --d----- c:\windows\l2schemas
2009-02-28 17:37 <DIR> --d----- c:\windows\system32\en
2009-02-28 17:37 <DIR> --d----- c:\windows\system32\bits
2009-02-28 17:25 <DIR> --d----- c:\windows\network diagnostic
2009-02-28 17:08 176,640 -------- c:\windows\system32\napstat.exe
2009-02-28 17:07 144,384 -------- c:\windows\system32\drivers\hdaudbus.sys
2009-02-28 16:45 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-02-28 15:25 250 a------- c:\windows\gmer.ini
2009-02-28 15:05 <DIR> a-dshr-- C:\cmdcons
2009-02-28 15:04 161,792 a------- c:\windows\SWREG.exe
2009-02-28 15:04 98,816 a------- c:\windows\sed.exe
2009-02-27 15:15 116,224 a------- c:\windows\system32\pdfcmnnt.dll
2009-02-17 23:17 <DIR> --d----- c:\program files\Trend Micro
2009-02-17 19:29 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-17 19:18 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-17 19:17 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-17 19:17 <DIR> --d----- c:\program files\Lavasoft
2009-02-17 18:42 <DIR> --d----- c:\program files\Autorun Eater
2009-02-14 16:34 <DIR> --d----- c:\program files\common files\HP
2009-02-14 16:34 35,840 a------- c:\windows\system32\drivers\AFS2K.SYS
2009-02-14 16:22 <DIR> --d----- c:\program files\HP
2009-02-14 16:22 28,922 a------- c:\windows\hpoins03.dat
2009-02-14 16:22 34,468 -------- c:\windows\hpomdl03.dat
2009-02-12 23:35 <DIR> --d----- c:\program files\Boilsoft Video Splitter
2009-02-10 22:33 608,448 a------- c:\windows\system32\comctl32.ocx
2009-02-10 00:59 <DIR> --d----- c:\program files\Real Alternative
2009-01-31 00:32 <DIR> --d----- c:\program files\Yahoo!

==================== Find3M ====================

2009-02-28 19:22 150,906,912 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-02-28 19:09 1,770,200 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-14 02:23 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 19:24:34.35 ===============

Edited by Lemmi, 28 February 2009 - 11:58 PM.


#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 01 March 2009 - 10:15 AM

Hello.

AVG7 is outdated, and has been replaced by AVG8. Please uninstall it using Add/Remove Programs. Then, install a new antivirus. After installing, update the database, run a full system scan and remove any items found.

Please take a new DDS.txt log afterwards.

Any issues at the moment?

With Regards,
The Panda

#7 Lemmi
  • Topic Starter
  • Members
  • 49 posts

Posted 01 March 2009 - 02:03 PM

Hello,

Wow, what a pain. AVG8 and Ad-Aware were fighting, and it took me a while to figure out why.
I had to uninstall Ad-Aware first, then install AVG, then put Ad-Aware back on.

I ran AVG8 and it found many more tracking cookies and 4 other things not found by AVG7:
codecsetup1357.exe and codecsetup6819.exe, with \$JJ\matrix34620.exe after both
(my AVG7 morning scan removed stuff from Qoobox\quarantine and system volume info/restore).


I just checked the places giving me problems and all seems OK. I have adultfriendfinder ads and cookies blocked now,
and I'm not getting the malware blocks in PeerGuardian anymore. I don't know about System Restore working yet because I haven't tried it; I will test it out later when I install my Microsoft pointer software that ComboFix removed.

Here is the DDS log only this time, and thanks for your help.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Scott at 13:42:00.35 on Sun 03/01/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.564 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Documents and Settings\Scott\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\scott\startm~1\programs\startup\remindme.lnk - c:\documents and settings\scott\desktop\remind me\remindme\RemindMe.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: turbotax.com
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235857477859
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235857468703
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39695.512337963
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-17 64160]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-3-21 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-1 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-1 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-1 107272]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2007-3-21 13696]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-7-23 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-3-22 394952]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-1 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-1 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 DCamUSBSony3;Sony Visual Communication Camera PCGA-UVC10;c:\windows\system32\drivers\snyucam3.sys [2008-8-7 419022]

=============== Created Last 30 ================

2009-03-01 13:33 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-01 12:04 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-01 11:51 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-01 11:51 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-01 11:51 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-01 11:51 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-01 11:50 <DIR> --d----- c:\program files\AVG
2009-03-01 11:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-28 19:16 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-02-28 18:56 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-28 18:55 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-02-28 18:55 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-28 18:55 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-28 18:55 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-28 18:55 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-02-28 18:55 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-28 18:55 117,760 -------- c:\windows\system32\prntvpt.dll
2009-02-28 18:55 <DIR> --d----- C:\e5ee6cb58adfb883cd3ada715d5e
2009-02-28 18:25 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-02-28 18:24 666,112 -c------ c:\windows\system32\dllcache\wininet.dll
2009-02-28 18:24 619,520 -c------ c:\windows\system32\dllcache\urlmon.dll
2009-02-28 18:24 1,499,136 -c------ c:\windows\system32\dllcache\shdocvw.dll
2009-02-28 18:24 3,067,904 -c------ c:\windows\system32\dllcache\mshtml.dll
2009-02-28 18:23 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-02-28 18:23 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-02-28 18:23 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-02-28 18:23 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-28 18:23 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-28 18:23 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-28 18:23 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-28 18:23 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2009-02-28 18:22 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-02-28 18:22 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-02-28 18:21 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-02-28 18:21 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-02-28 17:37 <DIR> --d----- c:\windows\system32\scripting
2009-02-28 17:37 <DIR> --d----- c:\windows\l2schemas
2009-02-28 17:37 <DIR> --d----- c:\windows\system32\en
2009-02-28 17:37 <DIR> --d----- c:\windows\system32\bits
2009-02-28 17:25 <DIR> --d----- c:\windows\network diagnostic
2009-02-28 17:08 176,640 -------- c:\windows\system32\napstat.exe
2009-02-28 17:07 144,384 -------- c:\windows\system32\drivers\hdaudbus.sys
2009-02-28 16:45 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-02-28 15:25 250 a------- c:\windows\gmer.ini
2009-02-28 15:05 <DIR> a-dshr-- C:\cmdcons
2009-02-28 15:04 161,792 a------- c:\windows\SWREG.exe
2009-02-28 15:04 98,816 a------- c:\windows\sed.exe
2009-02-27 15:15 116,224 a------- c:\windows\system32\pdfcmnnt.dll
2009-02-17 23:17 <DIR> --d----- c:\program files\Trend Micro
2009-02-17 19:18 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-17 19:17 <DIR> --d----- c:\program files\Lavasoft
2009-02-17 18:42 <DIR> --d----- c:\program files\Autorun Eater
2009-02-14 16:34 <DIR> --d----- c:\program files\common files\HP
2009-02-14 16:34 35,840 a------- c:\windows\system32\drivers\AFS2K.SYS
2009-02-14 16:22 <DIR> --d----- c:\program files\HP
2009-02-14 16:22 28,922 a------- c:\windows\hpoins03.dat
2009-02-14 16:22 34,468 -------- c:\windows\hpomdl03.dat
2009-02-12 23:35 <DIR> --d----- c:\program files\Boilsoft Video Splitter
2009-02-10 22:33 608,448 a------- c:\windows\system32\comctl32.ocx
2009-02-10 00:59 <DIR> --d----- c:\program files\Real Alternative
2009-01-31 00:32 <DIR> --d----- c:\program files\Yahoo!

==================== Find3M ====================

2009-03-01 13:42 152,055,840 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-01 13:36 1,783,856 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-14 02:23 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 13:42:56.54 ===============
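
A DDS log like the one above is normally read by eye, but the three sections that matter most in a redirect/ActiveX case (Pseudo HJT Report, SERVICES / DRIVERS and Created Last 30) have a regular enough shape to parse. The Python below is an added example, not part of this thread and not DDS's own tooling: it splits those sections apart and flags the entries a responder would check first (registry entries that point at a file that is gone, DPF ActiveX downloads from a host outside a small allowlist, service entries DDS could not stat, and drivers or hex-named root directories written around the incident date). The sample lines are copied from the log above except the `cab.example.net` DPF line, which is constructed so the host check has something to flag; the trusted-host list, the incident date of 17 February 2009 and the three-day window are assumptions to tune per case.

```python
import re
from datetime import date, datetime

# Sample DDS lines. All are copied from the log above except the DPF entry for
# cab.example.net, which is constructed so the host check has something to flag.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {00000000-0000-0000-0000-000000000000} - hxxp://cab.example.net/codec/update.cab

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-17 64160]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2007-3-21 13696]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-02-28 18:55 <DIR> --d----- C:\e5ee6cb58adfb883cd3ada715d5e
2009-02-17 19:18 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-31 00:32 <DIR> --d----- c:\program files\Yahoo!
"""

INCIDENT = date(2009, 2, 17)  # assumption: the day the redirects started, per the thread
WINDOW_DAYS = 3               # assumption: how close to that date counts as "around the incident"
# Assumption: hosts this machine is expected to pull ActiveX CABs from (tune per environment).
TRUSTED_CAB_HOSTS = ("microsoft.com", "macromedia.com", "adobe.com", "hp.com")

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# "BHO: Name: {CLSID} - path", "EB: {CLSID} - No File", "DPF: {CLSID} - hxxp://host/file.cab"
HJT_RE = re.compile(r"^(?P<kind>[A-Za-z]+): (?:(?P<name>[^{]*?): )?"
                    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<target>.*)$")
# "R1 svc;Display Name;path [yyyy-m-d size]"; DDS writes "[?]" when it cannot stat the image
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);"
                    r"(?P<path>.*) \[(?P<meta>[^\]]*)\]$")
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} "
                        r"(?P<size><DIR>|[\d,]+) (?P<attr>[a-z-]{8}) (?P<path>.*)$")
ROOT_HEX_DIR_RE = re.compile(r"^[a-z]:\\[0-9a-f]{16,}$", re.I)


def host_of(url):
    # DDS defangs the scheme as hxxp, so accept any scheme
    m = re.match(r"^[a-z]+://([^/]+)", url, re.I)
    return m.group(1).lower() if m else ""


def trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_CAB_HOSTS)


def near_incident(d, incident, window=WINDOW_DAYS):
    return abs((d - incident).days) <= window


def triage(text, incident=INCIDENT):
    # Returns (kind, identifier, reason) tuples for entries worth a second look.
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "Pseudo HJT Report":
            m = HJT_RE.match(line)
            if not m:
                continue
            kind, clsid, target = m.group("kind"), m.group("clsid"), m.group("target")
            if target == "No File":
                findings.append((kind, clsid, "registry entry points at a file that no longer exists"))
            elif kind == "DPF" and not trusted_host(host_of(target)):
                findings.append((kind, clsid, "ActiveX CAB from untrusted host " + host_of(target)))
        elif section == "SERVICES / DRIVERS":
            m = SVC_RE.match(line)
            if not m:
                continue
            meta = m.group("meta")
            if meta == "?":
                findings.append(("SVC", m.group("svc"), "DDS could not stat the image; check the real path"))
            elif near_incident(datetime.strptime(meta.split()[0], "%Y-%m-%d").date(), incident):
                findings.append(("SVC", m.group("svc"), "image file dated within the incident window"))
        elif section == "Created Last 30":
            m = CREATED_RE.match(line)
            if not m:
                continue
            path, created = m.group("path"), date.fromisoformat(m.group("date"))
            if ROOT_HEX_DIR_RE.match(path):
                findings.append(("FILE", path, "hex-named directory in a drive root; confirm what created it"))
            if "\\drivers\\" in path.lower() and near_incident(created, incident):
                findings.append(("FILE", path, "driver written within the incident window"))
    return findings


def run_sample():
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, ident, reason in run_sample():
        print(f"{kind:<5} {ident:<50} {reason}")
```

Flagged does not mean malicious; it means "verify". On the sample, Lbd.sys is flagged twice, but it was written in the same minute the Lavasoft folder appeared, so it is Ad-Aware's own driver installed on the day the trouble started; the hex-named folder in C:\ was created in the same minute as the XPSViewer and dllcache files above it, which points to a Windows update unpacking itself. The orphaned EB entry and the [?] on vsmon are cosmetic. What the script is really for is the fifth kind of line: a DPF CAB from a host you do not recognise, which is exactly how a drive-by ActiveX install shows up in this log format.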

#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 01 March 2009 - 03:06 PM

Hello.

From your last DDS log, it appears that System Restore is working fine.

Let's run an online scanner to check for anything left.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

With Regards,
The Panda

#9 Lemmi
  • Topic Starter
  • Members
  • 49 posts

Posted 01 March 2009 - 05:32 PM

Hello,

I ran the scan and got this:

Sunday, March 1, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 01, 2009 20:40:03
Records in database: 1860269


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\

Scan statistics
Files scanned 70237
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 01:13:14

File name Threat name Threats count
C:\Documents and Settings\Scott\Local Settings\Temporary Internet Files\Content.IE5\4PA70DY7\form43810aas[1].htm Infected: Trojan.JS.Agent.ja 1

The selected area was scanned.
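
What decides the next step after a scan like this is where the hit was found, not what it was named: a file under Temporary Internet Files is cached page content that clearing temporary files removes, whereas the same detection under system32 would mean a live infection. The Python below is an added example (not the scanner's output specification and not from the thread) that parses the report's statistics and detection lines and sorts each hit by location into the action that follows. The report text is copied from the post above; the location rules are an assumption covering only the folders this thread mentions (the IE cache, System Restore, ComboFix's Qoobox quarantine and AVG's vault), and the quarantine, restore-point and system32 paths used to exercise them are constructed.

```python
import re
from collections import namedtuple

Detection = namedtuple("Detection", "path status threat count")

# Report text copied from the Kaspersky Online Scanner output above.
SAMPLE_REPORT = r"""
Scan statistics
Files scanned 70237
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 01:13:14

File name Threat name Threats count
C:\Documents and Settings\Scott\Local Settings\Temporary Internet Files\Content.IE5\4PA70DY7\form43810aas[1].htm Infected: Trojan.JS.Agent.ja 1

The selected area was scanned.
"""

# "Files scanned 70237" / "Duration of the scan 01:13:14"
STAT_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s+(?P<val>\d+(?::\d{2}:\d{2})?)$")
# "<path> Infected: <threat> <count>"
DETECT_RE = re.compile(r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

# Where a hit sits decides what it means. Assumption: these rules cover only the folders
# this thread mentions (IE cache, System Restore, ComboFix's Qoobox, AVG's vault).
LOCATION_RULES = (
    ("browser-cache", re.compile(r"\\temporary internet files\\|\\content\.ie5\\")),
    ("system-restore", re.compile(r"\\system volume information\\")),
    ("av-quarantine", re.compile(r"\\qoobox\\quarantine\\|\\\$avg8\.vault\$\\")),
)
ACTIONS = {
    "browser-cache": "cached page content: clear temporary files and rescan",
    "system-restore": "inside an old restore point: purge restore points, then create a clean one",
    "av-quarantine": "already quarantined by another tool: empty that quarantine when the case is closed",
    "live": "active location: treat as a live infection and find what loads it",
}


def parse_report(text):
    """Split a report into (stats dict, list of Detection)."""
    stats, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = DETECT_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["status"], m["threat"], int(m["count"])))
            continue
        m = STAT_RE.match(line)
        if m:
            val = m["val"]
            stats[m["key"]] = int(val) if val.isdigit() else val
    return stats, detections


def classify(path):
    """Label a detection by the kind of location it was found in."""
    lowered = path.lower()
    for label, rule in LOCATION_RULES:
        if rule.search(lowered):
            return label
    return "live"


def triage_report(text):
    """(path, threat, location, recommended action) for every detection in the report."""
    return [(d.path, d.threat, classify(d.path), ACTIONS[classify(d.path)])
            for d in parse_report(text)[1]]


if __name__ == "__main__":
    stats, _ = parse_report(SAMPLE_REPORT)
    print(f"{stats['Files scanned']} files scanned, {stats['Infected objects']} infected")
    for path, threat, where, action in triage_report(SAMPLE_REPORT):
        print(f"[{where}] {threat}\n  {path}\n  -> {action}")
```

The one detection above classifies as browser-cache: the malicious script was served and cached by IE, which is consistent with the redirect symptom, but a cached .htm is not a persistence mechanism, so the follow-up is to empty the cache and rescan rather than to hunt for a loader. A "live" result would invert that conclusion, which is why the location, not the threat name, is the field worth parsing.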

#10 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 01 March 2009 - 05:49 PM

Hello.

Looks good. Kaspersky found a temporary file.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Unless there are any issues at the moment, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
  • When shown the disclaimer, Select "2"
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#11 Lemmi
  • Topic Starter
  • Members
  • 49 posts

Posted 01 March 2009 - 06:42 PM

Everything seems to be running fine now :thumbup2:
Thank you for your help.

When I uninstalled ComboFix I didn't get a disclaimer or a select "2" thing,
but it removed the ComboFix icons, removed System Restore points and made a new one, and hid my file extensions.

Thanks again, and I hope I won't need help for at least another 3 years :)

#12 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 01 March 2009 - 07:38 PM

Welcome :thumbup2: .

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



