
Not Sure what virus I have


25 replies to this topic

#1 infamy707


Posted 16 April 2009 - 02:34 PM

When clicking on links after I perform a search in Google I get redirected to different and completely not related sites.




DDS (Ver_09-03-16.01) - NTFSx86
Run by AnthonyT at 15:25:37.25 on Thu 04/16/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1269 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\AnthonyT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\AnthonyT\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1061223
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [CPM1bb8a8cf] Rundll32.exe "c:\windows\system32\pijegewe.dll",a
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/67/install/gtdownls.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: mcalks.dll c:\windows\system32\pijegewe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pijegewe.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\pijegewe.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anthonyt\applic~1\mozilla\firefox\profiles\6jyywm3d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\anthonyt\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-20 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-9 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-9 27656]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-17 298264]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2007-12-9 33792]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
S3 emuumidi;E-MU USB-MIDI Driver;c:\windows\system32\drivers\emuumidi.sys [2005-4-26 36736]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-9-12 33808]

=============== Created Last 30 ================

2009-04-16 12:33 1,411,370 ---sh--- c:\windows\system32\eyekibas.ini
2009-04-14 15:09 <DIR> --d----- C:\Random Folders
2009-04-02 01:20 <DIR> --d----- c:\docume~1\anthonyt\applic~1\DAEMON Tools Pro
2009-04-02 01:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-04-02 01:09 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-04-02 01:08 <DIR> --d----- c:\docume~1\anthonyt\applic~1\DAEMON Tools Lite
2009-03-22 23:40 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-20 17:35 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-20 17:34 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

==================== Find3M ====================

2009-04-16 12:33 109,056 a--sh--- c:\windows\system32\pijegewe.dll
2009-04-16 12:33 102,400 a--sh--- c:\windows\system32\sabikeye.dll
2009-04-15 09:54 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-15 09:54 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 06:19 1,846,272 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-14 16:53 47,360 a------- c:\docume~1\anthonyt\applic~1\pcouffin.sys

============= FINISH: 15:27:00.32 ===============


#2 KoanYorel


Posted 01 May 2009 - 10:06 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 infamy707


Posted 03 May 2009 - 02:59 PM

Still having a problem with what I believe is Trojan.Vundo. I have been trying to get rid of it using Malwarebytes but it is not being successful in deleting it. Also, now I can no longer use Firefox to connect to the internet. It is saying "Proxy Server Refused Connection".



DDS (Ver_09-03-16.01) - NTFSx86
Run by AnthonyT at 15:56:54.23 on Sun 05/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1418 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM6\aim6.exe
C:\DOCUME~1\AnthonyT\LOCALS~1\Temp\b79mlw.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\DOCUME~1\AnthonyT\LOCALS~1\Temp\b79mlw.exe
C:\Documents and Settings\AnthonyT\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\AnthonyT\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\AnthonyT\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1061223
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: 796525 Class: {e7f15ac4-e0a9-43f0-921b-70dfea621220} - c:\windows\system32\796525\796525.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Windows Resurections] c:\docume~1\anthonyt\locals~1\temp\b79mlw.exe
uRun: [<NO NAME>] c:\docume~1\anthonyt\locals~1\temp\b79mlw.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/67/install/gtdownls.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: mcalks.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anthonyt\applic~1\mozilla\firefox\profiles\6jyywm3d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\anthonyt\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-20 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-9 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-9 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-17 298776]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2007-12-9 33792]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
S3 emuumidi;E-MU USB-MIDI Driver;c:\windows\system32\drivers\emuumidi.sys [2005-4-26 36736]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2008-9-12 33808]

=============== Created Last 30 ================

2009-05-03 15:37 33,792 ----h--- c:\windows\freddy42.exe
2009-05-02 14:06 1 ----h--- c:\windows\msmark2.dat
2009-05-02 14:05 27,136 ----h--- c:\windows\mstre18.exe
2009-05-02 14:05 2 ----h--- c:\windows\t55ft2695f44.dat
2009-05-02 14:05 34,304 ----h--- c:\windows\freddy41.exe
2009-05-02 14:05 2 ----h--- c:\windows\t55ft2667f44.dat
2009-05-02 14:05 1 ----h--- c:\windows\f23567.dat
2009-05-02 12:09 182,912 a------- c:\windows\system32\dllcache\ndis.sys
2009-05-02 12:06 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-05-02 12:06 10,752 ----h--- c:\windows\pp06.exe
2009-05-02 12:05 14,848 a------- c:\windows\system32\DL32.exe
2009-05-02 12:05 2 ----h--- c:\windows\t55ft2692f44.dat
2009-05-02 12:05 <DIR> --d----- c:\windows\system32\796525
2009-05-02 12:05 0 a------- c:\windows\mqcd.dbt
2009-05-02 12:04 101,888 a------- C:\ohkbrkoo.exe
2009-05-02 12:04 577,536 a------- c:\windows\system32\itpfar
2009-05-02 12:04 113,664 a------- C:\xipr.exe
2009-05-02 12:04 93,564 a------- c:\windows\system32\drivers\9f6b26a5.sys
2009-05-02 12:04 28,672 a------- c:\windows\system32\inqby.sr
2009-05-02 12:04 32,768 a------- c:\windows\system32\ferryl.cbv
2009-05-02 12:04 32,768 a------- c:\windows\system32\fairy.an
2009-05-02 12:04 28,672 a------- c:\windows\system32\dolman.zt
2009-05-02 12:04 14,336 ----h--- c:\windows\ld08.exe
2009-05-02 12:04 79,360 a------- c:\windows\system32\ashl.nq
2009-05-02 12:03 101,888 a------- C:\wwmeoblk.exe
2009-05-02 12:03 2 a------- C:\411802620
2009-05-02 12:03 113,664 a------- c:\windows\system32\azton.mt
2009-05-02 12:03 113,664 a------- C:\kggi.exe
2009-04-25 12:01 2,713 ---sh--- c:\windows\system32\bimijipe.dll
2009-04-25 12:00 2,713 ---sh--- c:\windows\system32\webawewi.exe
2009-04-25 12:00 2,713 ---sh--- c:\windows\system32\mowuhomo.dll
2009-04-23 17:14 <DIR> --d----- c:\program files\Accessdiver
2009-04-22 21:58 <DIR> --d----- C:\VundoFix Backups
2009-04-19 05:04 61,440 a------- c:\windows\system32\drivers\bpuey.sys
2009-04-16 12:33 1,411,370 ---sh--- c:\windows\system32\eyekibas.ini
2009-04-14 15:09 <DIR> --d----- C:\Random Folders

==================== Find3M ====================

2009-05-03 00:03 47,104 a--sh--- c:\windows\system32\gebipize.exe
2009-05-02 12:09 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-05-02 12:03 577,536 a------- c:\windows\system32\user32.DLL
2009-05-02 12:03 577,536 a------- c:\windows\system32\dllcache\user32.dll
2009-05-02 12:03 47,104 a--sh--- c:\windows\system32\vijatawu.exe
2009-05-02 08:37 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 08:37 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-01 00:02 47,104 a--sh--- c:\windows\system32\hiwojalo.exe
2009-04-30 12:02 47,104 a--sh--- c:\windows\system32\mehoguju.exe
2009-04-30 00:03 88,576 a--sh--- c:\windows\system32\sejekemo.dll
2009-04-30 00:03 46,592 a--sh--- c:\windows\system32\viluzije.exe
2009-04-29 12:01 89,088 a--sh--- c:\windows\system32\fibotuvu.dll
2009-04-29 00:01 88,576 a--sh--- c:\windows\system32\judigotu.dll
2009-04-28 12:01 89,088 a--sh--- c:\windows\system32\fofiwiki.dll
2009-04-28 00:01 88,064 a--sh--- c:\windows\system32\bilemusa.dll
2009-04-27 12:01 88,064 a--sh--- c:\windows\system32\terulabo.dll
2009-04-27 12:01 46,592 a--sh--- c:\windows\system32\rofefema.exe
2009-04-27 00:00 89,088 a--sh--- c:\windows\system32\huyowivu.dll
2009-04-27 00:00 46,592 a--sh--- c:\windows\system32\yekugebe.exe
2009-04-26 12:00 46,592 a--sh--- c:\windows\system32\sehutota.exe
2009-04-26 00:00 88,576 a--sh--- c:\windows\system32\fijuhima.dll
2009-04-26 00:00 46,592 a--sh--- c:\windows\system32\fateguda.exe
2009-04-24 23:59 88,576 a--sh--- c:\windows\system32\bohogumo.dll
2009-04-24 23:59 47,616 a--sh--- c:\windows\system32\nusakila.exe
2009-04-24 17:35 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-24 11:59 89,600 a--sh--- c:\windows\system32\senudoge.dll
2009-04-24 11:59 46,592 a--sh--- c:\windows\system32\vodiyevu.exe
2009-04-23 23:59 89,600 a--sh--- c:\windows\system32\gohezabi.dll
2009-04-23 23:59 46,080 a--sh--- c:\windows\system32\jipolone.exe
2009-04-23 11:58 89,088 a--sh--- c:\windows\system32\dijejota.dll
2009-04-23 11:58 47,616 a--sh--- c:\windows\system32\fahuhuli.exe
2009-04-22 23:58 89,088 a--sh--- c:\windows\system32\mifijuhu.dll
2009-04-22 11:58 46,592 a--sh--- c:\windows\system32\natefijo.exe
2009-04-21 23:58 50,688 a--sh--- c:\windows\system32\kuwokilo.dll
2009-04-21 23:58 88,576 a--sh--- c:\windows\system32\gizehure.dll
2009-04-21 23:58 47,616 a--sh--- c:\windows\system32\wakepule.exe
2009-04-19 05:04 172 a------- c:\program files\vgastex.txt
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-09 15:06 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 06:19 1,846,272 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-14 16:53 47,360 a------- c:\docume~1\anthonyt\applic~1\pcouffin.sys

============= FINISH: 15:57:02.84 ===============

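The two DDS logs posted in this thread show the indicator types a responder would check first: the IE and Firefox proxy forced to localhost:7171 (consistent with Firefox's "Proxy Server Refused Connection" once nothing is listening there), autorun entries launching from the user's Temp folder, Explorer and registry policy lockdowns, a non-empty AppInit_DLLs value, SSODL/STS shell hooks loading a DLL with a random-looking eight-letter name, and hidden system32 files of the same shape in the Find3M section. The script below is an added example, not part of DDS, HijackThis or any post in the thread: it reads log text in the shape DDS prints and flags those indicator types. The sample lines inside it are a constructed subset modelled on the posted logs, and the rule names are my own labels.

```python
"""Triage rules for DDS-style log text (added example, not part of DDS)."""
import re
from collections import Counter

# Constructed subset of lines shaped like the logs posted in the thread (not
# the full log). avgrsstx.dll (an eight-letter AVG file without the hidden
# attribute) and dllcache\ndis.sys are legitimate controls the rules must not flag.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Windows Resurections] c:\docume~1\anthonyt\locals~1\temp\b79mlw.exe
uRun: [<NO NAME>] c:\docume~1\anthonyt\locals~1\temp\b79mlw.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: mcalks.dll c:\windows\system32\pijegewe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pijegewe.dll
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.type - 1
2009-04-16 12:33 109,056 a--sh--- c:\windows\system32\pijegewe.dll
2009-04-15 09:54 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-05-02 12:09 182,912 a------- c:\windows\system32\dllcache\ndis.sys
"""

LOOPBACK = re.compile(r"\b(localhost|127\.0\.0\.1)\b")
AUTORUN = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
POLICY = re.compile(r"^[um]Policies-\w+: (NoFolderOptions|DisableRegistryTools|DisableTaskMgr) = 1\b")
# "<date> <time> <size> <8 attribute flags> <path>" as printed in Created Last 30 / Find3M
FILE_ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} +[\d,]+ +(?P<attrs>[a-z-]{8}) +(?P<path>.+)$")
# Eight lowercase letters directly under system32: the shape of the rotating
# names in the Find3M sections above. Always matched against a lowercased string.
RANDOM_SYS32 = re.compile(r"\\system32\\[a-z]{8}\.(?:dll|exe)\b")


def _proxy_loopback(line):
    """IE ProxyServer or Firefox network.proxy.http pointing at the local machine."""
    low = line.lower()
    return ("proxyserver" in low or "network.proxy.http -" in low) and bool(LOOPBACK.search(low))


def _autorun_from_temp(line):
    """Run-key entry whose command lives under a Temp directory."""
    m = AUTORUN.match(line)
    return bool(m) and "\\temp\\" in m.group("cmd").lower()


def _policy_lockdown(line):
    """Explorer/system policies that hide folder options or block regedit."""
    return bool(POLICY.match(line))


def _appinit_dll(line):
    """Any DLL listed in AppInit_DLLs is loaded into every GUI process."""
    head, _, value = line.partition(":")
    return head.lower() == "appinit_dlls" and value.strip() != ""


def _shell_hook_random_dll(line):
    """SSODL or STS shell hook resolving to a random-named system32 DLL."""
    low = line.lower()
    return low.startswith(("ssodl:", "sts:")) and bool(RANDOM_SYS32.search(low))


def _hidden_random_sys32_file(line):
    """Hidden-attribute file in system32 with a random eight-letter name."""
    m = FILE_ENTRY.match(line)
    return bool(m) and "h" in m.group("attrs") and bool(RANDOM_SYS32.search(m.group("path").lower()))


RULES = [
    ("proxy_loopback", _proxy_loopback),
    ("autorun_from_temp", _autorun_from_temp),
    ("policy_lockdown", _policy_lockdown),
    ("appinit_dlls", _appinit_dll),
    ("shell_hook_random_dll", _shell_hook_random_dll),
    ("hidden_random_sys32_file", _hidden_random_sys32_file),
]


def triage(log_text):
    """Return (rule_name, line) pairs for every rule each non-empty line trips."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, rule in RULES:
            if rule(line):
                findings.append((name, line))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    return Counter(name for name, _ in findings)


if __name__ == "__main__":
    for name, line in triage(SAMPLE_LOG):
        print(f"{name:26} {line}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

To run it over a real DDS output, pass the file's text to `triage()` (for example `triage(open("dds.txt").read())`). The hidden-attribute check is what keeps the eight-letter rule from flagging legitimate files such as avgrsstx.dll; a name pattern alone is not a reliable indicator.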

#4 Hoov


Posted 03 May 2009 - 08:16 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Fix Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

-- If you receive this error:
"Run-time error '339': Component 'comdlg32.ocx' or one its dependencies not correctly registered: a file is missing or invalid", please download Comdlg32.ocx, place it in your C:\Windows\system32 folder and try running VundoFix again.


And then update Malwarebytes' Anti-Malware and run a full scan. If you can't scan with Malwarebytes' Anti-Malware, reboot to safe mode and run the scan. Then post the log here.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#5 infamy707


Posted 04 May 2009 - 04:02 PM

Hi, I ran VundoFix and it said that there were no infected files, which is impossible. Here is a HijackThis file.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:12 PM, on 5/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM6\aim6.exe
C:\DOCUME~1\AnthonyT\LOCALS~1\Temp\b79mlw.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\DOCUME~1\AnthonyT\LOCALS~1\Temp\b79mlw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\AnthonyT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\AnthonyT\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\AnthonyT\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\AnthonyT\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\AnthonyT\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\AnthonyT\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\AnthonyT\My Documents\Downloads\VundoFix.exe
C:\Documents and Settings\AnthonyT\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1061223
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: (no name) - {b2ba40a2-74f0-42bd-f434-12345a2c8953} - (no file)
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: 796525 helper - {e7f15ac4-e0a9-43f0-921b-70dfea621220} - C:\WINDOWS\system32\796525\796525.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Windows Resurections] C:\DOCUME~1\AnthonyT\LOCALS~1\Temp\b79mlw.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\AnthonyT\LOCALS~1\Temp\b79mlw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: mcalks.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8433 bytes
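
A HijackThis log like the one above is read by eye for a handful of telltale entries: a ProxyServer pointing at localhost, Run entries launching from a Temp directory (with an empty value name), a BHO with no backing file or living in a numeric-named system32 subfolder, DisableRegedit=1, and a non-empty AppInit_DLLs. The following is an added example written for this page (not a tool from the thread) that applies exactly those checks to log lines; the sample log is constructed to mirror the entries posted above.

```python
"""Triage a HijackThis-style log for the indicator patterns seen above.

Added example for this page, not a tool from the thread. The sample lines are
constructed to mirror the R1/O2/O4/O7/O20 entries in the log posted above.
"""
import re
from typing import Dict, List

# Constructed sample, modelled on the entries in the log above.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: (no name) - {b2ba40a2-74f0-42bd-f434-12345a2c8953} - (no file)
O2 - BHO: 796525 helper - {e7f15ac4-e0a9-43f0-921b-70dfea621220} - C:\WINDOWS\system32\796525\796525.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Windows Resurections] C:\DOCUME~1\AnthonyT\LOCALS~1\Temp\b79mlw.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\AnthonyT\LOCALS~1\Temp\b79mlw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: mcalks.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Every HijackThis line is "<section> - <body>"; the section code tells us how
# to interpret the body.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<proxy>\S+)")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9a-fA-F-]+)\} - (?P<path>.*)$")
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# e.g. C:\WINDOWS\system32\796525\796525.dll: a folder and DLL named by digits.
NUMERIC_SUBDIR_RE = re.compile(r"\\system32\\(\d+)\\\1\.dll$", re.IGNORECASE)


def check_line(line: str) -> List[str]:
    """Return the reasons one log line looks suspicious (empty list if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons: List[str] = []
    if section in ("R0", "R1"):
        # A proxy on the loopback interface means something on the machine is
        # sitting between the browser and the network.
        p = PROXY_RE.search(body)
        if p and re.search(r"\b(localhost|127\.0\.0\.1)\b", p.group("proxy")):
            reasons.append("browser traffic routed via a local proxy: " + p.group("proxy"))
    elif section == "O2":
        b = BHO_RE.match(body)
        if b and b.group("path") == "(no file)":
            reasons.append("BHO registered with no backing file")
        if b and NUMERIC_SUBDIR_RE.search(b.group("path")):
            reasons.append("BHO loaded from a numeric-named system32 subfolder")
    elif section == "O4":
        r = RUN_RE.match(body)
        if r and TEMP_DIR_RE.search(r.group("path")):
            reasons.append("autorun launched from a Temp directory")
        if r and r.group("name") == "":
            reasons.append("autorun entry with an empty value name")
    elif section == "O7":
        if "DisableRegedit=1" in body:
            reasons.append("Registry Editor disabled by policy")
    elif section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].strip()
        if dlls:
            reasons.append("AppInit_DLLs entry loads into every process: " + dlls)
    return reasons


def triage_hijackthis(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons, preserving log order."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        reasons = check_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_hijackthis(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    -", reason)
```

The checks are deliberately narrow: an entry that is not flagged is not thereby clean, and a flagged entry still needs the file and registry key looked at before anything is removed.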

#6 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:10:54 AM

Posted 04 May 2009 - 04:22 PM

VundoFix is looking for a very specific kind of file. You may have already gotten rid of that. Did you run a Malwarebytes' Anti-Malware scan? Can you post the log?


The next step is to run combofix.

* Anyone other than the originator of this thread, you would be best advised to not run combofix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#7 infamy707

infamy707
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:54 AM

Posted 04 May 2009 - 07:49 PM

ComboFix 09-05-03.6 - AnthonyT 05/04/2009 20:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1440 [GMT -4:00]
Running from: c:\documents and settings\AnthonyT\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\f23567.dat
c:\windows\freddy42.exe
c:\windows\ld08.exe
c:\windows\mqcd.dbt
c:\windows\msmark2.dat
c:\windows\mstre18.exe
c:\windows\pp06.exe
c:\windows\system32\796525
c:\windows\system32\796525\796525.dll
c:\windows\system32\ashl.nq
c:\windows\system32\azton.mt
c:\windows\system32\bilemusa.dll
c:\windows\system32\bimijipe.dll
c:\windows\system32\bohogumo.dll
c:\windows\system32\dijejota.dll
c:\windows\system32\dl32.exe
c:\windows\system32\dolman.zt
c:\windows\system32\eyekibas.ini
c:\windows\system32\fairy.an
c:\windows\system32\ferryl.cbv
c:\windows\system32\fibotuvu.dll
c:\windows\system32\fijuhima.dll
c:\windows\system32\fofiwiki.dll
c:\windows\system32\gizehure.dll
c:\windows\system32\gohezabi.dll
c:\windows\system32\huyowivu.dll
c:\windows\system32\inqby.sr
c:\windows\system32\judigotu.dll
c:\windows\system32\kuwokilo.dll
c:\windows\system32\mifijuhu.dll
c:\windows\system32\mowuhomo.dll
c:\windows\system32\sejekemo.dll
c:\windows\system32\senudoge.dll
c:\windows\system32\terulabo.dll
c:\windows\system32\webawewi.exe

----- BITS: Possible infected sites -----

hxxp://83.149.105.228
.
((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-03 19:49 . 2009-05-03 19:49 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2009-05-02 18:05 . 2009-05-02 18:05 2 ---h--w c:\windows\t55ft2695f44.dat
2009-05-02 18:05 . 2009-05-02 18:05 34304 ---h--w c:\windows\freddy41.exe
2009-05-02 18:05 . 2009-05-02 18:05 2 ---h--w c:\windows\t55ft2667f44.dat
2009-05-02 16:09 . 2009-05-02 16:09 212480 ----a-w c:\windows\system32\dllcache\ndis.sys
2009-05-02 16:05 . 2009-05-02 16:05 2 ---h--w c:\windows\t55ft2692f44.dat
2009-05-02 16:04 . 2009-05-02 16:04 101888 ----a-w C:\ohkbrkoo.exe
2009-05-02 16:04 . 2009-05-02 16:04 113664 ----a-w C:\xipr.exe
2009-05-02 16:04 . 2009-05-05 00:44 93564 ----a-w c:\windows\system32\drivers\9f6b26a5.sys
2009-05-02 16:03 . 2009-05-02 16:04 101888 ----a-w C:\wwmeoblk.exe
2009-05-02 16:03 . 2009-05-02 16:03 113664 ----a-w C:\kggi.exe
2009-04-23 21:14 . 2009-04-26 21:10 -------- d-----w c:\program files\Accessdiver
2009-04-23 01:58 . 2009-04-23 01:58 -------- d-----w C:\VundoFix Backups
2009-04-19 09:04 . 2009-04-19 09:04 61440 ----a-w c:\windows\system32\drivers\bpuey.sys
2009-04-14 19:09 . 2009-04-14 19:10 -------- d-----w C:\Random Folders

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 00:42 . 2005-08-16 09:18 577536 ----a-w c:\windows\system32\user32.dll
2009-05-03 19:53 . 2006-12-23 22:34 -------- d-----w c:\program files\Google
2009-05-03 19:35 . 2008-11-19 23:10 -------- d-----w c:\program files\DNA
2009-05-03 04:03 . 2009-02-03 04:03 47104 --sha-w c:\windows\system32\gebipize.exe
2009-05-02 16:09 . 2005-08-16 09:18 212480 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-02 16:03 . 2009-02-02 16:03 47104 --sha-w c:\windows\system32\vijatawu.exe
2009-05-02 12:37 . 2009-02-17 14:19 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-02 12:37 . 2008-12-09 19:22 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-01 04:02 . 2009-02-01 04:02 47104 --sha-w c:\windows\system32\hiwojalo.exe
2009-04-30 16:02 . 2009-01-30 16:02 47104 --sha-w c:\windows\system32\mehoguju.exe
2009-04-30 04:03 . 2009-01-30 04:03 46592 --sha-w c:\windows\system32\viluzije.exe
2009-04-27 16:01 . 2009-01-27 16:01 46592 --sha-w c:\windows\system32\rofefema.exe
2009-04-27 04:00 . 2009-01-27 04:00 46592 --sha-w c:\windows\system32\yekugebe.exe
2009-04-26 16:00 . 2009-01-26 16:00 46592 --sha-w c:\windows\system32\sehutota.exe
2009-04-26 04:00 . 2009-01-26 04:00 46592 --sha-w c:\windows\system32\fateguda.exe
2009-04-25 03:59 . 2009-01-25 03:59 47616 --sha-w c:\windows\system32\nusakila.exe
2009-04-24 21:35 . 2009-03-20 21:35 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-24 15:59 . 2009-01-24 15:59 46592 --sha-w c:\windows\system32\vodiyevu.exe
2009-04-24 03:59 . 2009-01-24 03:59 46080 --sha-w c:\windows\system32\jipolone.exe
2009-04-23 15:58 . 2009-01-23 15:58 47616 --sha-w c:\windows\system32\fahuhuli.exe
2009-04-22 15:58 . 2009-01-22 15:58 46592 --sha-w c:\windows\system32\natefijo.exe
2009-04-22 03:58 . 2009-01-22 03:58 47616 --sha-w c:\windows\system32\wakepule.exe
2009-04-19 18:00 . 2007-09-17 22:24 -------- d-----w c:\program files\Dl_cats
2009-04-19 09:04 . 2009-04-19 09:04 172 ----a-w c:\program files\vgastex.txt
2009-04-15 01:42 . 2007-01-15 20:47 -------- d-----w c:\program files\Full Tilt Poker
2009-04-13 17:14 . 2008-12-10 01:06 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2008-12-10 01:06 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-12-10 01:06 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 05:09 . 2009-04-02 05:09 -------- d-----w c:\program files\DAEMON Tools Lite
2009-03-20 21:34 . 2007-09-27 20:54 -------- d-----w c:\program files\Lavasoft
2009-03-15 07:13 . 2008-09-12 18:22 310208 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-03-10 03:55 . 2006-12-23 22:29 -------- d-----w c:\program files\Viewpoint
2009-03-09 19:06 . 2009-03-23 03:40 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-02-14 20:48 . 2009-02-14 20:48 107272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-09 10:19 . 2005-08-16 09:18 1846272 ----a-w c:\windows\system32\win32k.sys
2009-01-22 02:21 . 2009-01-22 02:21 49664 --sha-w c:\windows\system32\genajiwe.dll.tmp
2009-01-22 02:21 . 2009-01-22 02:21 49664 --sha-w c:\windows\system32\zirinuva.dll.tmp
2009-01-22 02:21 . 2009-01-22 02:21 49664 --sha-w c:\windows\system32\zivoliwo.dll.tmp
.
Infected c:\windows\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-29 185896]
"DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 12:37 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^AnthonyT^Start Menu^Programs^Startup^iPhoneRingToneMaker.lnk]
path=c:\documents and settings\AnthonyT\Start Menu\Programs\Startup\iPhoneRingToneMaker.lnk
backup=c:\windows\pss\iPhoneRingToneMaker.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^AnthonyT^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=c:\documents and settings\AnthonyT\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iWinGamesInstaller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\1174019496\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iPhoneRingToneMaker\\iPhoneRingToneMaker.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-24 953168]
R3 emuumidi;E-MU USB-MIDI Driver;c:\windows\system32\drivers\emuumidi.sys [2005-04-27 36736]
R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\Drivers\nx6000.sys [2008-08-04 33808]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-24 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-02 325896]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-02 298776]
S3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2005-05-10 33792]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - gusvc

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80630d1a-aea1-11dc-ae96-00038a000015}]
\Shell\AutoRun\command - G:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 21:35]

2009-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2009-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4049520560-1358814952-1140669730-1006.job
- c:\documents and settings\AnthonyT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 02:09]
.
- - - - ORPHANS REMOVED - - - -

BHO-{e7f15ac4-e0a9-43f0-921b-70dfea621220} - c:\windows\system32\796525\796525.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1061223
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\AnthonyT\Application Data\Mozilla\Firefox\Profiles\6jyywm3d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\AnthonyT\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 20:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\9f6b26a5]
"ImagePath"="\SystemRoot\System32\drivers\9f6b26a5.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-4049520560-1358814952-1140669730-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D921DD09-8098-41FB-C8EC-66EBD5050340}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaicmcocjfnapjdhalpebgpalhjkka"=hex:64,61,69,69,6a,6d,6b,62,00,90
"oambkojcipljaimpeoepnamfkfblnb"=hex:6a,61,69,69,6e,6a,68,64,67,6a,6b,69,6f,6f,
67,6c,6c,6a,70,65,00,fd
"nagbggkokjgndjnhljlpopimabpe"=hex:6a,61,69,69,6e,6a,68,64,67,6a,6b,69,6f,6f,
67,6c,6c,6a,70,65,00,fd

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
Completion time: 2009-05-05 20:47
ComboFix-quarantined-files.txt 2009-05-05 00:46

Pre-Run: 111,591,501,824 bytes free
Post-Run: 112,839,577,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

279 --- E O F --- 2009-03-22 07:00

#8 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:10:54 AM

Posted 04 May 2009 - 09:24 PM

That should have helped some. Any changes to the problem? Does Firefox work now?

#9 infamy707

infamy707
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:54 AM

Posted 04 May 2009 - 10:27 PM

Hi. Nope, Firefox still does not work. Also, I just noticed that iexplore.exe keeps running and taking a lot of CPU usage, and I am not opening it.

#10 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:10:54 AM

Posted 04 May 2009 - 10:30 PM

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

1. In Internet Explorer 7, click the Tools menu, and then click Internet Options.
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box, click Reset.
4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

The Reset Internet Explorer Settings feature restores the following items to their default settings:

* Home pages
* Search scopes
* Browsing history
* Form data
* Passwords
* Appearance settings
* Toolbars
* ActiveX controls

Additionally, the Reset Internet Explorer Settings feature disables all add-ins. However, it does not remove the add-ins.


1. Close down Firefox completely: At the top of the Firefox window, click the File menu, and select the Exit menu item.

2. In Windows, click Start, open the All Programs list, and navigate to the Mozilla Firefox folder. In the Mozilla Firefox folder, select Mozilla Firefox (Safe Mode).

3. Firefox should start up with a Firefox Safe Mode dialog.

4. Click Continue In Safe Mode. This starts Firefox in its Safe Mode. While you are in Safe Mode, your extensions and themes will be disabled, and any toolbar customizations will be reverted back to their defaults. These changes are not permanent - when you leave Safe Mode and start Firefox up normally, your extensions, themes, and settings will return to the state they were in before you entered Safe Mode.

Check both IE and FireFox and see if they are able to connect to the net, and not use an abnormal amount of cycles.

If they cannot connect reliably to the internet then

Download WinSockFix from here or here.

Backing up the Registry

1. Double click on WinsockXPFix.exe to open.
2. On the Winsock and TCP Repair Utility screen, click "ReG-Backup"
3. On the ERDNT Welcome screen, click "OK".
4. On the Backup to: screen, click "OK".
5. On the Folder does not exist question screen click "Yes".
6. You will see a status screen as your registry is being backed up.
7. On the Registry backup is complete! screen, click "OK" and you will go back to the main window.

Resetting the Winsock Stack

1. On the Winsock and TCP Repair Utility screen, click "Fix".
2. On the Apply the VB_Winsock fix? screen click "Yes".
3. The screen will display a status message "repair completed please reboot."
4. On the Repair Completed screen click "OK" to reboot your computer.
5. If your computer was not using DHCP, you will need to reconfigure TCP/IP.
6. You should have connectivity restored.

Tutorial with graphics


Let me know how it goes.

#11 infamy707

infamy707
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:54 AM

Posted 04 May 2009 - 11:21 PM

Did everything you said and Firefox still says "Proxy Server Refused Connection" but IE and Chrome work fine.

#12 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:10:54 AM

Posted 04 May 2009 - 11:40 PM

Click start-->run
Type cmd in the Run box.
In the command prompt that opens, type or copy and paste the following:
netstat -b 5 > activity.txt

Press Enter. Wait 2 minutes then press Ctrl+C.
Type activity.txt on the command line to open the log file in notepad.

During those two minutes, try using Firefox to connect to something. Post the log.

#13 infamy707 (Topic Starter, Members, 23 posts)

Posted 05 May 2009 - 12:29 AM

When I click OK, after I have pasted "netstat -b 5 > activity.txt", the command prompt only pops up for a split second and then disappears.

#14 Hoov (Malware Response Team, 3,519 posts, Location: Mikado Michigan)

Posted 05 May 2009 - 10:25 AM

Type cmd in the Run box. This starts the command prompt. Are you doing that?

#15 infamy707 (Topic Starter, Members, 23 posts)

Posted 05 May 2009 - 06:31 PM

Active Connections

Proto Local Address Foreign Address State PID
TCP Anthony:1142 hosted-by.leaseweb.com:4723 ESTABLISHED 2300
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:2540 www.10.07.facebook.com:http ESTABLISHED 208
[chrome.exe]

TCP Anthony:2603 qw-in-f113.google.com:http ESTABLISHED 208
[chrome.exe]

TCP Anthony:2616 channel10.01.05.sf2p.facebook.com:http ESTABLISHED 208
[chrome.exe]

TCP Anthony:3250 216.195.62.101:2547 ESTABLISHED 1660
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:4431 hosted-by.leaseweb.com:4723 ESTABLISHED 3000
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:4272 od-in-f104.google.com:http CLOSE_WAIT 864
[GoogleToolbarNotifier.exe]

TCP Anthony:4273 qy-in-f100.google.com:http CLOSE_WAIT 864
[GoogleToolbarNotifier.exe]


Active Connections

Proto Local Address Foreign Address State PID
TCP Anthony:1142 hosted-by.leaseweb.com:4723 ESTABLISHED 2300
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:2617 channel10.01.05.sf2p.facebook.com:http ESTABLISHED 208
[chrome.exe]

TCP Anthony:3250 216.195.62.101:2547 ESTABLISHED 1660
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:4431 hosted-by.leaseweb.com:4723 ESTABLISHED 3000
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:4272 od-in-f104.google.com:http CLOSE_WAIT 864
[GoogleToolbarNotifier.exe]

TCP Anthony:4273 qy-in-f100.google.com:http CLOSE_WAIT 864
[GoogleToolbarNotifier.exe]


Active Connections

Proto Local Address Foreign Address State PID
TCP Anthony:1142 hosted-by.leaseweb.com:4723 ESTABLISHED 2300
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:2617 channel10.01.05.sf2p.facebook.com:http ESTABLISHED 208
[chrome.exe]

TCP Anthony:3250 216.195.62.101:2547 ESTABLISHED 1660
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:4431 hosted-by.leaseweb.com:4723 ESTABLISHED 3000
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:4272 od-in-f104.google.com:http CLOSE_WAIT 864
[GoogleToolbarNotifier.exe]

TCP Anthony:4273 qy-in-f100.google.com:http CLOSE_WAIT 864
[GoogleToolbarNotifier.exe]


Active Connections

Proto Local Address Foreign Address State PID
TCP Anthony:1142 hosted-by.leaseweb.com:4723 ESTABLISHED 2300
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:2618 channel10.01.05.sf2p.facebook.com:http ESTABLISHED 208
[chrome.exe]

TCP Anthony:3250 216.195.62.101:2547 ESTABLISHED 1660
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:4431 hosted-by.leaseweb.com:4723 ESTABLISHED 3000
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:4272 od-in-f104.google.com:http CLOSE_WAIT 864
[GoogleToolbarNotifier.exe]

TCP Anthony:4273 qy-in-f100.google.com:http CLOSE_WAIT 864
[GoogleToolbarNotifier.exe]


Active Connections

Proto Local Address Foreign Address State PID
TCP Anthony:1142 hosted-by.leaseweb.com:4723 ESTABLISHED 2300
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:2618 channel10.01.05.sf2p.facebook.com:http ESTABLISHED 208
[chrome.exe]

TCP Anthony:3250 216.195.62.101:2547 ESTABLISHED 1660
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:4431 hosted-by.leaseweb.com:4723 ESTABLISHED 3000
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:4272 od-in-f104.google.com:http CLOSE_WAIT 864
[GoogleToolbarNotifier.exe]

TCP Anthony:4273 qy-in-f100.google.com:http CLOSE_WAIT 864
[GoogleToolbarNotifier.exe]


Active Connections

Proto Local Address Foreign Address State PID
TCP Anthony:1142 hosted-by.leaseweb.com:4723 ESTABLISHED 2300
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP Anthony:2618 channel10.01.05.sf2p.facebook.com:http ESTABLISHED 208
[chrome.exe]

TCP Anthony:2619 www.10.07.facebook.com:http ESTABLISHED 208
[chrome.exe]

TCP Anthony:3250 216.195.62.101:2547 ESTABLISHED 1660
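The two svchost.exe sessions that recur in every snapshot above (to hosted-by.leaseweb.com:4723 and to 216.195.62.101:2547) are exactly the kind of entry the `netstat -b 5` capture requested in #12 is meant to surface: a core Windows process holding an ESTABLISHED TCP session to a high port on a hosting provider, while the browsers sit on ordinary http connections. As an added example, not part of this thread or of any tool named in it, the Python script below parses `netstat -b` output in the layout Windows XP prints (connection line, then the module chain, then the `[owner]` line) and flags ESTABLISHED sessions owned by a system process to a remote port outside a small allowlist, counting how many 5-second snapshots each one persists across. The sample log is constructed from the entries posted above (two snapshots, abbreviated); the set of system processes and the port allowlist are assumptions of mine for illustration, not an authoritative list.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the log posted above: two 5-second snapshots,
# in the form `netstat -b 5` emits on Windows XP (module chain, then [owner]).
SAMPLE_LOG = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    Anthony:1142           hosted-by.leaseweb.com:4723  ESTABLISHED     2300
  C:\WINDOWS\system32\mswsock.dll
  C:\WINDOWS\System32\WS2_32.dll
  C:\WINDOWS\System32\svchost.exe
  [svchost.exe]

  TCP    Anthony:2540           www.10.07.facebook.com:http  ESTABLISHED     208
  [chrome.exe]

  TCP    Anthony:3250           216.195.62.101:2547    ESTABLISHED     1660
  C:\WINDOWS\system32\mswsock.dll
  C:\WINDOWS\System32\WS2_32.dll
  C:\WINDOWS\System32\svchost.exe
  [svchost.exe]

  TCP    Anthony:4272           od-in-f104.google.com:http  CLOSE_WAIT      864
  [GoogleToolbarNotifier.exe]

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    Anthony:1142           hosted-by.leaseweb.com:4723  ESTABLISHED     2300
  C:\WINDOWS\system32\mswsock.dll
  C:\WINDOWS\System32\WS2_32.dll
  C:\WINDOWS\System32\svchost.exe
  [svchost.exe]

  TCP    Anthony:2617           channel10.01.05.sf2p.facebook.com:http  ESTABLISHED     208
  [chrome.exe]
"""

# One connection line: proto, local, remote, optional state (UDP has none), PID.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)$"
)

# Assumed lists for illustration: processes that should not hold arbitrary
# outbound sessions, and the remote ports they legitimately use (Windows
# Update over http/https, DNS, NTP, RPC/SMB/NetBIOS to other Windows hosts).
SYSTEM_PROCESSES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe",
                    "csrss.exe", "explorer.exe", "spoolsv.exe"}
EXPECTED_PORTS = {"http", "https", "domain", "ntp", "epmap", "microsoft-ds",
                  "netbios-ssn", "80", "443", "53", "123", "135", "445", "139"}


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: Optional[str]
    pid: int
    modules: List[str] = field(default_factory=list)  # DLL/EXE chain netstat -b lists
    owner: Optional[str] = None                        # the [process] line

    @property
    def remote_port(self) -> str:
        return self.remote.rsplit(":", 1)[-1]


def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -b` output. Every snapshot's entries are kept, so a
    connection that persists appears once per snapshot."""
    conns: List[Conn] = []
    cur: Optional[Conn] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Active Connections", "Proto")):
            cur = None  # blank line or header closes the current block
            continue
        m = CONN_RE.match(line)
        if m:
            cur = Conn(m["proto"], m["local"], m["remote"], m["state"], int(m["pid"]))
            conns.append(cur)
        elif cur is not None and line.startswith("[") and line.endswith("]"):
            cur.owner = line[1:-1]
        elif cur is not None:
            cur.modules.append(line)
    return conns


def flag_suspicious(conns: List[Conn]) -> List[Tuple[Conn, int]]:
    """Return (connection, snapshots_seen) for ESTABLISHED sessions owned by a
    system process to a remote port outside EXPECTED_PORTS. A long-lived TCP
    session from svchost.exe to a high port on a rented server is the shape
    of a bot's command channel hiding inside a legitimate process name."""
    seen: Dict[Tuple[int, str, str], Tuple[Conn, int]] = {}
    for c in conns:
        if c.state != "ESTABLISHED" or (c.owner or "").lower() not in SYSTEM_PROCESSES:
            continue
        if c.remote_port.lower() in EXPECTED_PORTS:
            continue
        key = (c.pid, c.local, c.remote)
        prev = seen.get(key)
        seen[key] = (c, prev[1] + 1) if prev else (c, 1)
    return list(seen.values())


if __name__ == "__main__":
    for conn, hits in flag_suspicious(parse_netstat(SAMPLE_LOG)):
        print(f"PID {conn.pid} {conn.owner}: {conn.local} -> {conn.remote} "
              f"({conn.state}, seen in {hits} snapshot(s))")
```

Run it against a real `activity.txt` by replacing `SAMPLE_LOG` with the file's contents; on the log above it reports the two svchost.exe sessions and nothing else, because Chrome and the Google toolbar are neither system processes nor on unusual ports. The PID is the lead for the next step: on XP, `tasklist /svc /fi "PID eq 2300"` shows which service group that svchost.exe instance is hosting, which is what separates a hijacked or injected instance from a normal one.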



