AVG detected Adware.videoegg - still concerned about spyware


  • This topic is locked
17 replies to this topic

#1 Cyanide263

  • Members
  • 23 posts

Posted 22 June 2009 - 08:54 PM

Hi. I'm concerned that I may still be infected with spyware - I'm running up to date AVG Antivirus 8.5 paid version, Comodo Firewall, Lavasoft Ad-Aware and as an extra Malwarebytes free version. Also using GhostSurf proxy. Also have latest OS updates. My last scan with AVG detected Adware.videoegg. I believe it has been removed, however I am still concerned that it might have left traces. I was also running tor but I can't seem to permanently delete the files, it caused my browsing to be too slow. I ran a HijackThis scan, here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:03:34, on 23/06/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Windows\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - c:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - c:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: EODD - Unknown owner - C:\Users\Calum\AppData\Local\Temp\EODD.exe (file missing)
O23 - Service: Google Update Service (gupdate1c98d425b5afb13) (gupdate1c98d425b5afb13) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MBQNDZR - Unknown owner - C:\Users\Calum\AppData\Local\Temp\MBQNDZR.exe (file missing)

--
End of file - 7011 bytes


#2 Guest_superbird_*

  • Guests

Posted 27 June 2009 - 10:25 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 Cyanide263
  • Topic Starter

  • Members
  • 23 posts

Posted 02 July 2009 - 02:52 PM

Hi. I ran the DDS scan, the logfile is posted below.
I have also uploaded the Attach.txt file.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Calum at 21:13:46.47 on 02/07/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3070.1713 [GMT 1:00]

SP: COMODO Defense+ *enabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgcfgex.exe
C:\Users\Calum\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = <local>
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [GhostSurfDelSatellite] c:\program files\ghostsurf 2005\DeleteSatellite.exe
StartupFolder: c:\users\calum\appdata\roaming\micros~1\windows\startm~1\programs\startup\schedu~1.lnk - c:\program files\ghostsurf 2005\Scheduler daemon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ghosts~1.lnk - c:\program files\ghostsurf 2005\Proxy.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: secuload.dll,avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\calum\appdata\roaming\mozilla\firefox\profiles\z4ba9j3n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 7212
FF - prefs.js: network.proxy.gopher - 127.0.0.1
FF - prefs.js: network.proxy.gopher_port - 7212
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 7212
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 7212
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 7212
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-7-18 12552]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-9 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-18 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-23 108552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-5-27 130080]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-5-27 28704]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-5-31 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-5-31 41424]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-8 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 298776]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-5-29 79888]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-5-29 87760]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
S2 gupdate1c98d425b5afb13;Google Update Service (gupdate1c98d425b5afb13);c:\program files\google\update\GoogleUpdate.exe [2009-2-12 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 EODD;EODD;c:\users\calum\appdata\local\temp\eodd.exe --> c:\users\calum\appdata\local\temp\EODD.exe [?]
S3 MBQNDZR;MBQNDZR;c:\users\calum\appdata\local\temp\mbqndzr.exe --> c:\users\calum\appdata\local\temp\MBQNDZR.exe [?]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2009-5-29 31952]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-11 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2009-07-02 15:25 <DIR> --d----- c:\users\calum\appdata\roaming\.clamwin
2009-07-02 15:25 <DIR> --d----- c:\program files\ClamWin
2009-07-01 17:14 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-07-01 17:14 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-07-01 17:13 <DIR> --d----- c:\users\calum\appdata\roaming\SUPERAntiSpyware.com
2009-07-01 17:13 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-01 17:04 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-28 17:53 <DIR> --d----- c:\program files\Audacity
2009-06-28 15:40 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-06-28 15:38 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-06-26 17:37 <DIR> --d----- c:\windows\system32\SpycatcherAgentSetupTemp
2009-06-24 23:11 <DIR> --d----- c:\program files\GhostSurf 2005
2009-06-23 01:57 <DIR> --d----- c:\program files\Trend Micro
2009-06-21 14:33 <DIR> --d----- c:\users\calum\appdata\roaming\Malwarebytes
2009-06-21 14:32 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-21 14:32 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-21 14:32 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-21 14:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-21 14:32 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-20 15:51 79,896 a------- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2009-06-20 15:50 <DIR> --d----- c:\windows\system32\RsFx
2009-06-20 15:48 <DIR> --d----- c:\windows\system32\1033
2009-06-20 15:34 <DIR> --d----- c:\program files\common files\Merge Modules
2009-06-17 18:54 <DIR> --d----- c:\users\calum\appdata\roaming\Tenebril
2009-06-17 18:53 <DIR> --d----- c:\windows\system32\tenarchlib
2009-06-10 12:53 <DIR> --dsh--- c:\windows\system32\%APPDATA%
2009-06-10 12:49 623,616 a------- c:\windows\system32\localspl.dll
2009-06-10 12:49 2,034,688 a------- c:\windows\system32\win32k.sys
2009-06-10 12:49 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-09 12:38 <DIR> --d----- c:\programdata\AVG Security Toolbar
2009-06-09 12:38 <DIR> --d----- c:\progra~2\AVG Security Toolbar
2009-06-09 01:07 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-09 00:49 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-09 00:49 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-09 00:49 <DIR> --d----- c:\programdata\Lavasoft
2009-06-09 00:49 <DIR> --d----- c:\program files\Lavasoft
2009-06-07 19:58 <DIR> --d----- c:\program files\uTorrent
2009-06-07 19:57 <DIR> --d----- c:\users\calum\appdata\roaming\uTorrent
2009-06-07 19:26 <DIR> --d----- c:\users\calum\Cool Stuff
2009-06-07 18:36 <DIR> --d----- c:\windows\system32\wbem\repository
2009-06-07 18:36 <DIR> --d----- c:\windows\Registration
2009-06-06 15:23 <DIR> --d----- c:\users\calum\appdata\roaming\DNA(32)
2009-06-05 00:04 <DIR> --d----- c:\users\calum\appdata\roaming\tor
2009-06-02 23:18 <DIR> --d----- c:\program files\iPod
2009-06-02 23:18 <DIR> --d----- c:\program files\iTunes

==================== Find3M ====================

2009-07-01 15:10 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-27 15:54 86,016 a------- c:\windows\inf\infpub.dat
2009-06-20 17:38 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-20 17:38 143,360 a------- c:\windows\inf\infstor.dat
2009-05-29 20:13 79,888 a------- c:\windows\system32\drivers\VBoxNetAdp.sys
2009-05-29 20:13 41,424 a------- c:\windows\system32\drivers\VBoxUSBMon.sys
2009-05-29 20:13 31,952 a------- c:\windows\system32\drivers\VBoxUSB.sys
2009-05-29 20:13 100,944 a------- c:\windows\system32\drivers\VBoxDrv.sys
2009-05-29 20:12 133,648 a------- c:\windows\system32\VBoxNetFltNotify.dll
2009-05-29 20:12 87,760 a------- c:\windows\system32\drivers\VBoxNetFlt.sys
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-27 23:41 665,600 a------- c:\windows\inf\drvindex.dat
2009-05-27 16:03 168,208 a------- c:\windows\system32\guard32.dll
2009-05-27 16:03 130,080 a------- c:\windows\system32\drivers\cmdguard.sys
2009-05-27 16:03 28,704 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-05-09 06:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 06:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-04-26 13:21 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-11 07:33 986,600 a------- c:\windows\system32\winload.exe
2009-04-11 07:33 926,184 a------- c:\windows\system32\winresume.exe
2009-04-11 07:33 614,376 a------- c:\windows\system32\ci.dll
2009-04-11 07:32 50,664 a------- c:\windows\system32\PSHED.DLL
2009-04-11 07:32 3,601,896 a------- c:\windows\system32\ntkrnlpa.exe
2009-04-11 07:32 3,549,672 a------- c:\windows\system32\ntoskrnl.exe
2009-04-11 07:32 438,744 a------- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-04-11 07:32 245,736 a------- c:\windows\system32\clfs.sys
2009-04-11 07:32 177,128 a------- c:\windows\system32\halmacpi.dll
2009-04-11 07:32 140,776 a------- c:\windows\system32\halacpi.dll
2009-04-11 07:32 17,896 a------- c:\windows\system32\kd1394.dll
2009-04-11 07:32 19,944 a------- c:\windows\system32\kdusb.dll
2009-04-11 07:32 17,384 a------- c:\windows\system32\kdcom.dll
2009-04-11 07:27 627,200 a------- c:\windows\system32\sethc.exe
2009-04-11 07:22 7,168 a------- c:\windows\system32\f3ahvoas.dll
2009-04-11 07:21 37,376 a------- c:\windows\system32\cdd.dll
2009-04-11 06:03 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-04-11 06:03 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-04-11 05:57 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-04-11 05:54 2,048 a------- c:\windows\system32\mferror.dll
2009-04-11 05:39 16,384 a------- c:\windows\system32\iscsilog.dll
2009-04-11 05:27 2,560 a------- c:\windows\system32\msimsg.dll
2009-04-11 05:23 289,792 a------- c:\windows\system32\atmfd.dll
2009-04-11 05:12 617,984 a------- c:\windows\system32\adtschema.dll
2009-04-11 02:59 107,612 a------- c:\windows\system32\StructuredQuerySchema.bin
2008-07-19 17:51 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 21:15:08.54 ===============

Edited by Cyanide263, 02 July 2009 - 03:29 PM.


#4 Cyanide263
  • Topic Starter

  • Members
  • 23 posts

Posted 02 July 2009 - 03:03 PM

The attachment dds.zip doesn't appear to be uploading. I browsed for the file, clicked on upload, it says "uploading" but no attachments appear in the section :thumbup2:

#5 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 July 2009 - 06:55 AM

Hi cyanide263,

There seems to be traces left.

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Services
    EODD
    MBQNDZR
    
    :Files
    c:\users\calum\appdata\local\temp\mbqndzr.exe
    c:\users\calum\appdata\local\temp\EODD.exe
    
    :Commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.

Next

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop, please rename it as gamer.exe.
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Please also run MBAM on full scan and post the log that it produces.

Thanks :thumbup2:
m0le is a proud member of UNITE
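The triage m0le does by eye above, spotting two services registered under "Unknown owner" whose binaries in the user's Temp folder no longer exist (visible both in the HijackThis O23 lines and in the DDS S3 lines), and then writing an OTM script with :Services and :Files blocks for them, can be automated for the log-reading step. The following is an added example written for this page; it is not code from BleepingComputer, HijackThis, DDS or OTM. The regexes are fitted to the line shapes visible in the logs above, the sample lines are constructed from those shapes, and reading DDS's "[?]" (in place of the usual "[date size]") as a missing-file marker is an inference from this thread's logs, not documented DDS behaviour.

```python
"""Triage HijackThis (O23) and DDS service lines for orphaned services and
emit an OTM-style removal script for a helper to review before use.

Added example for this thread; not code from BleepingComputer, HijackThis,
DDS or OTM. Regexes are written against the line shapes seen in the thread."""
import re
from dataclasses import dataclass, field

# Constructed sample log: the two orphaned services as both tools print them,
# plus a legitimate service (AVG8 WatchDog) for contrast.
SAMPLE_LOG = r"""
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EODD - Unknown owner - C:\Users\Calum\AppData\Local\Temp\EODD.exe (file missing)
O23 - Service: MBQNDZR - Unknown owner - C:\Users\Calum\AppData\Local\Temp\MBQNDZR.exe (file missing)
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 298776]
S3 EODD;EODD;c:\users\calum\appdata\local\temp\eodd.exe --> c:\users\calum\appdata\local\temp\EODD.exe [?]
S3 MBQNDZR;MBQNDZR;c:\users\calum\appdata\local\temp\mbqndzr.exe --> c:\users\calum\appdata\local\temp\MBQNDZR.exe [?]
"""

# HijackThis: "O23 - Service: <display> (<key>) - <owner> - <path> (file missing)"
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<key>[^()]+)\))? - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# DDS: "<state> <key>;<display>;<path>[ --> <resolved>] [<date size> | ?]"
DDS_SVC = re.compile(
    r"^(?P<state>[RS]\d) (?P<key>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    source: str          # "hjt" or "dds"
    key: str             # registry service name, what OTM's :Services block takes
    display: str
    path: str
    file_missing: bool
    owner: str = ""      # only HijackThis records a publisher


def parse_service_lines(text: str) -> list[ServiceEntry]:
    """Pull service entries out of mixed HijackThis/DDS log text."""
    entries: list[ServiceEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HJT_O23.match(line):
            entries.append(ServiceEntry("hjt", m["key"] or m["name"], m["name"],
                                        m["path"], m["missing"] is not None, m["owner"]))
        elif m := DDS_SVC.match(line):
            # Inference from the thread's log: DDS prints "[?]" where it could
            # not read the binary, and "a --> b" when it had to resolve the path.
            entries.append(ServiceEntry("dds", m["key"], m["display"] or m["key"],
                                        m["resolved"] or m["path"], m["info"].strip() == "?"))
    return entries


def assess(entry: ServiceEntry) -> list[str]:
    """Reasons an entry deserves a look; an empty list means nothing notable."""
    reasons = []
    if entry.file_missing:
        reasons.append("orphaned: service key present but binary missing")
    if TEMP_PATH.search(entry.path):
        reasons.append("binary lives in a Temp folder")
    # A missing publisher alone is common for legitimate software, so it only
    # strengthens an entry that is already flagged for one of the reasons above.
    if reasons and entry.owner.lower() == "unknown owner":
        reasons.append("no publisher recorded")
    return reasons


@dataclass
class Finding:
    key: str
    path: str
    reasons: list[str] = field(default_factory=list)


def triage(entries: list[ServiceEntry]) -> list[Finding]:
    """Merge the HJT and DDS views of each service and keep only flagged ones."""
    by_key: dict[str, Finding] = {}
    for e in entries:
        reasons = assess(e)
        if not reasons:
            continue
        f = by_key.setdefault(e.key.lower(), Finding(key=e.key, path=e.path))
        for r in reasons:
            if r not in f.reasons:
                f.reasons.append(r)
    return list(by_key.values())


def build_otm_script(findings: list[Finding], empty_temp: bool = True) -> str:
    """Render the :Services / :Files / :Commands layout used in the thread."""
    lines = [":Services", *[f.key for f in findings], "", ":Files", *[f.path for f in findings]]
    if empty_temp:
        lines += ["", ":Commands", "[EmptyTemp]"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(parse_service_lines(SAMPLE_LOG))
    for f in found:
        print(f"{f.key}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
    print()
    print(build_otm_script(found))
```

The script is meant to be read by the helper before it is pasted into OTM, not run blindly: the service key comes from HijackThis's parenthesised short name where one exists (avg8wd rather than "AVG8 WatchDog"), which is the name the :Services block needs, and a legitimate service with no publisher string is only flagged when its binary is also missing or sitting in a Temp folder.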

#6 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 July 2009 - 01:49 PM

Hi Cyanide263,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open.

If you like you can PM me.

Thanks,


m0le

#7 Cyanide263

Cyanide263
  • Topic Starter
  • Members
  • 23 posts

Posted 08 July 2009 - 11:24 AM

Hi. Thanks again for your reply. Unfortunately, there seems to be a hardware issue with my desktop PC at the moment. I will try to sort it out as quickly as possible. If this information is useful, I will be away for about 3 weeks on holiday starting from the 13th July. I don't know whether or not I will have access to the internet so hopefully I can get this issue sorted out ASAP. I have a question about this - is this anything dangerous? Do I need to be concerned about any passwords/personal info I have entered on the machine? I use it for online shopping, E-Mail and social networking. I have run scans with a few extra security programs I have added, they have detected nothing however. I will get back to you ASAP. Thanks.

#8 Cyanide263

Cyanide263
  • Topic Starter
  • Members
  • 23 posts

Posted 08 July 2009 - 01:21 PM

I have solved the hardware issue and am able to use the machine. Here is the OTM log you requested. I will also post my most recent MBAM log.

========== SERVICES/DRIVERS ==========
Service\Driver EODD not found.
Unable to delete service\driver keyEODD.
Service\Driver MBQNDZR not found.
Unable to delete service\driver keyMBQNDZR.
========== FILES ==========
File/Folder c:\users\calum\appdata\local\temp\mbqndzr.exe not found.
File/Folder c:\users\calum\appdata\local\temp\EODD.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Calum
->Temp folder emptied: 101503018 bytes
File delete failed. C:\Users\Calum\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 8813353 bytes
->Java cache emptied: 47985942 bytes
->FireFox cache emptied: 39403642 bytes
->Google Chrome cache emptied: 986726 bytes
->Apple Safari cache emptied: 14732587 bytes
->Opera cache emptied: 633005 bytes

User: Default
->Temp folder emptied: 0 bytes
File delete failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OBLNQL12\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AIURRLZC\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7XHFUOT1\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ZL88ZKX\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
File delete failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OBLNQL12\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AIURRLZC\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7XHFUOT1\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ZL88ZKX\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini scheduled to be deleted on reboot.
File delete failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Users\Default User\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: Guest

User: Public

%systemdrive% .tmp files removed: 0 bytes
Folder delete failed. C:\Windows\msdownld.tmp scheduled to be deleted on reboot.
%systemroot% .tmp files removed: 112 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 4526575 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 208.52 mb


OTM by OldTimer - Version 3.0.0.4 log created on 07082009_190421

Edited by Cyanide263, 08 July 2009 - 01:50 PM.


#9 m0le

m0le
  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 11 July 2009 - 07:18 AM

Hi Cyanide263,

I am still waiting for the MBAM log. :thumbup2:

#10 Cyanide263

Cyanide263
  • Topic Starter
  • Members
  • 23 posts

Posted 11 July 2009 - 10:07 AM

Am running full MBAM scan now. I hope the computer doesn't start making that whirring noise; it almost seems like it's overheating and I have to turn it off. Something is also using a very large percentage of the CPU - 90 and sometimes 100%, eek.

#11 Cyanide263

Cyanide263
  • Topic Starter
  • Members
  • 23 posts

Posted 11 July 2009 - 12:49 PM

Here is the full scan MBAM log. It detected nothing. As of tomorrow lunchtime, I won't have access to the machine as I will be going on holiday. I had trouble running the gmer rootkit scan, I couldn't save the log because the program crashed, but I will see what I can do.

Malwarebytes' Anti-Malware 1.38
Database version: 2407
Windows 6.0.6002 Service Pack 2

11/07/2009 18:47:41
mbam-log-2009-07-11 (18-47-41).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 265257
Time elapsed: 2 hour(s), 46 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Cyanide263, 11 July 2009 - 12:51 PM.


#12 Cyanide263

Cyanide263
  • Topic Starter
  • Members
  • 23 posts

Posted 11 July 2009 - 12:57 PM

Here is also the gmer log that I received from the scan.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-11 18:56:33
Windows 6.0.6002 Service Pack 2


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 861211F8
Device \FileSystem\fastfat \Fat 889471F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

#13 m0le

m0le
  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 11 July 2009 - 02:03 PM

Both logs are good news. No rootkit on Gmer and MBAM hasn't found videoegg and it does target that adware.

Let's try an online scan and see if that picks up any remnants of the infections.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Please also post a new DDS log.

Thanks :thumbup2:

#14 Cyanide263

Cyanide263
  • Topic Starter
  • Members
  • 23 posts

Posted 11 July 2009 - 04:37 PM

Here is the bitdefender scan log. Everything seems normal from the results.


#15 m0le

m0le
  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 11 July 2009 - 04:49 PM

Hi Cyanide263,

Your log is clean!

Good stuff! :thumbup2:

Let's firstly do some housekeeping

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Here's some advice on how you can keep your PC clean

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I cannot stress how important it is that you use a Firewall on your computer. Without a firewall, your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it Cyanide263. Good job and happy surfing!

Cheers,


m0le