
Google redirect to overclick.cn


  • This topic is locked
17 replies to this topic

#1 eriatarka1

  • Members
  • 11 posts

Posted 29 June 2009 - 10:40 AM

Basically, most of the time when I try to open a link from Google, I end up with a redirect to a totally different website, via the "overclick.cn" domain. It happens in (at the very least) Firefox and Chrome, and I also have (although rarely use) Internet Explorer, though I haven't checked that one.

No idea what to do - it also seems to be affecting other aspects - when I started up this time my computer reverted to the classic theme on XP, which I never use. I've also had problems connecting to the internet.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Robert at 16:29:26.28 on 29/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.295 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\Robert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FlashMute\FlashMute.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Documents and Settings\Robert\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2080110
uSearch Page = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2080110
uSearch Bar = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=l68bHwr4d9KW-IldsFa3NBuG0Yo
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: &Google Web Accelerator Helper: {69a87b7d-de56-4136-9655-716ba50c19c7} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Google Web Accelerator: {db87bfa2-a2e3-451e-8e5a-c89982d87cbf} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [Google Update] "c:\documents and settings\robert\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [EPSON Stylus DX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticde.exe /fu "c:\windows\temp\E_SEE.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [FlashMute] c:\program files\flashmute\FlashMute.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-explorer: NoSMHelp = 01000000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll,avgrsstx.dll c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert\applic~1\mozilla\firefox\profiles\sl3gk2tm.default\
FF - prefs.js: browser.search.selectedEngine - Dictionary.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig | www.bbc.co.uk
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - prefs.js: network.proxy.http - http://wwwcache.nottingham.ac.uk/proxyall.pac
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\robert\application data\mozilla\firefox\profiles\sl3gk2tm.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\robert\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\robert\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-11 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-1-18 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-11 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 298776]
R3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\ProtoWall.sys [2006-1-2 23296]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-1-10 29744]

=============== Created Last 30 ================

2009-06-29 14:47 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-06-29 14:46 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-06-29 14:46 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-06-29 14:46 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-06-29 14:46 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-06-29 14:46 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-06-29 14:46 28,288 a------- c:\windows\system32\dllcache\xjis.nls
2009-06-29 14:46 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-06-29 14:46 19,455 a------- c:\windows\system32\dllcache\wvchntxx.sys
2009-06-29 14:46 12,063 a------- c:\windows\system32\dllcache\wsiintxx.sys
2009-06-29 14:44 19,016 a------- c:\windows\system32\dllcache\w926nd.sys
2009-06-29 14:43 794,399 a------- c:\windows\system32\dllcache\usr1806v.sys
2009-06-29 14:42 14,336 a------- c:\windows\system32\dllcache\tsprof.exe
2009-06-29 14:41 138,528 a------- c:\windows\system32\dllcache\tgiulnt5.sys
2009-06-29 14:40 155,648 a------- c:\windows\system32\dllcache\stlnprop.dll
2009-06-29 14:39 7,168 a------- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2009-06-29 14:38 157,696 a------- c:\windows\system32\dllcache\sisv256.dll
2009-06-29 14:38 50,432 a------- c:\windows\system32\dllcache\sisv.sys
2009-06-29 14:38 32,768 a------- c:\windows\system32\dllcache\sisnic.sys
2009-06-29 14:38 238,592 a------- c:\windows\system32\dllcache\sisgrv.dll
2009-06-29 14:38 104,064 a------- c:\windows\system32\dllcache\sisgrp.sys
2009-06-29 14:38 150,144 a------- c:\windows\system32\dllcache\sis6306v.dll
2009-06-29 14:38 68,608 a------- c:\windows\system32\dllcache\sis6306p.sys
2009-06-29 14:38 252,032 a------- c:\windows\system32\dllcache\sis300iv.dll
2009-06-29 14:38 101,760 a------- c:\windows\system32\dllcache\sis300ip.sys
2009-06-29 14:38 18,944 a------- c:\windows\system32\dllcache\simptcp.dll
2009-06-29 14:38 161,568 a------- c:\windows\system32\dllcache\sgsmusb.sys
2009-06-29 14:38 18,400 a------- c:\windows\system32\dllcache\sgsmld.sys
2009-06-29 14:38 98,080 a------- c:\windows\system32\dllcache\sgiulnt5.sys
2009-06-29 14:36 77,824 a------- c:\windows\system32\dllcache\s3sav4m.sys
2009-06-29 14:35 79,104 a------- c:\windows\system32\dllcache\rocket.sys
2009-06-29 14:34 16,128 a------- c:\windows\system32\dllcache\pscr.sys
2009-06-29 14:33 30,282 a------- c:\windows\system32\dllcache\pcntn5hl.sys
2009-06-29 14:32 43,689 a------- c:\windows\system32\dllcache\otceth5.sys
2009-06-29 14:31 91,488 a------- c:\windows\system32\dllcache\n9i3disp.dll
2009-06-29 14:30 2,944 a------- c:\windows\system32\dllcache\msmpu401.sys
2009-06-29 14:29 58,880 a------- c:\windows\system32\dllcache\m3092dc.dll
2009-06-29 14:28 8,704 a------- c:\windows\system32\dllcache\kbdjpn.dll
2009-06-29 14:27 372,824 a------- c:\windows\system32\dllcache\iconf32.dll
2009-06-29 14:26 50,751 a------- c:\windows\system32\dllcache\hsf_tone.sys
2009-06-29 14:25 93,696 a------- c:\windows\system32\dllcache\hpgt42.dll
2009-06-29 14:24 455,680 a------- c:\windows\system32\dllcache\fus2base.sys
2009-06-29 14:23 595,647 a------- c:\windows\system32\dllcache\es56cvmp.sys
2009-06-29 14:22 44,103 a------- c:\windows\system32\dllcache\el515.sys
2009-06-29 14:21 110,592 a------- c:\windows\system32\dllcache\dc260usd.dll
2009-06-29 14:20 21,530 a------- c:\windows\system32\dllcache\ce2n5.sys
2009-06-29 14:19 89,952 a------- c:\windows\system32\dllcache\b1cbase.sys
2009-06-29 14:18 19,968 a------- c:\windows\system32\dllcache\inetsloc.dll
2009-06-29 14:18 169,984 a------- c:\windows\system32\dllcache\iisui.dll
2009-06-29 14:18 7,680 a------- c:\windows\system32\dllcache\inetmgr.exe
2009-06-29 14:18 14,336 a------- c:\windows\system32\dllcache\iisreset.exe
2009-06-29 14:18 5,632 a------- c:\windows\system32\dllcache\iisrstap.dll
2009-06-29 14:18 6,144 a------- c:\windows\system32\dllcache\ftpsapi2.dll
2009-06-29 14:18 94,720 a------- c:\windows\system32\dllcache\certmap.ocx
2009-06-28 23:59 <DIR> --d----- c:\docume~1\robert\applic~1\Malwarebytes
2009-06-28 23:59 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-28 23:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-28 23:59 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-28 23:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 18:33 <DIR> --d----- c:\program files\GameSpy Arcade
2009-06-10 10:06 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 10:06 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-05 15:20 <DIR> --d----- c:\documents and settings\robert\.idlerc
2009-06-05 15:16 <DIR> --d----- C:\Python30
2009-06-04 00:32 <DIR> --d----- c:\program files\iPod

==================== Find3M ====================

2009-06-24 10:35 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-24 10:35 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-19 12:23 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-13 06:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 06:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 22:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 22:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 22:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 22:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 22:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 12:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 15:51 585,216 a------- c:\windows\system32\dllcache\rpcrt4.dll
2008-09-20 10:14 548,047 a------- c:\program files\lame3.98-final.zip
2008-09-12 19:49 24 a------- c:\documents and settings\robert\jagex_runescape_preferences.dat
2008-08-17 16:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081720080818\index.dat

============= FINISH: 16:32:31.15 ===============


#2 Net_Surfer

  • Banned
  • 2,154 posts

Posted 02 July 2009 - 01:17 PM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)
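The reply above asks for a DDS log so a reviewer can look at what is running on the machine. The script below is an added example, not part of this thread and not DDS's own code, of the first triage pass a reviewer makes over such a log: it splits the report into its `====` sections, flags any process in "Running Processes" that runs from a temp directory, and flags entries in "SERVICES / DRIVERS" whose status carries a `?` or whose image ends in `[?]`. The sample text is constructed here and modelled on the shape of the second log in this thread; the temp-path and unverified-image heuristics are the example's own rules of thumb, not DDS's documented semantics.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of DDS output (two sections, a few lines each).
# The TEMP executable and the R?2 service line are modelled on this thread's second log.
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\TEMP\pfppagnpqr.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE

============= SERVICES / DRIVERS ===============

R?2 AdobeAlerter;Adobe LM Service AdobeAlerter;c:\windows\temp\pfppagnpqr.exe service --> c:\windows\temp\pfppagnpqr.exe service [?]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-11 327688]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-1-10 29744]

=============== Created Last 30 ================
"""

# A DDS section header is a run of '=' signs, the section name, another run of '='.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Heuristic (ours, not DDS's): a path component named temp or tmp.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# Service line: "<status> <name>;<display name>;<image path and file info>"
SERVICE_RE = re.compile(r"^(?P<status>\S+)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines of a DDS report under the header that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "PREAMBLE"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line.strip():
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def temp_processes(sections: Dict[str, List[str]]) -> List[str]:
    """Processes whose image lives in a temp directory: legitimate software rarely runs from there."""
    return [p for p in sections.get("Running Processes", []) if TEMP_DIR_RE.search(p)]


def triage_services(sections: Dict[str, List[str]]) -> List[Tuple[str, List[str]]]:
    """Service entries worth a second look, with the reason(s) each one was flagged."""
    findings: List[Tuple[str, List[str]]] = []
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        status, name, image = m.group("status"), m.group("name"), m.group("image")
        reasons: List[str] = []
        # '?' in the status column or a trailing '[?]' instead of date/size: treated here
        # as "image could not be verified" (our reading of the log, not a DDS guarantee).
        if "?" in status or image.rstrip().endswith("[?]"):
            reasons.append("unverified image")
        if TEMP_DIR_RE.search(image):
            reasons.append("image in temp directory")
        if reasons:
            findings.append((name, reasons))
    return findings


def triage(text: str) -> Dict[str, object]:
    """Run both checks over a whole DDS report and return the flagged entries."""
    sections = split_sections(text)
    return {
        "temp_processes": temp_processes(sections),
        "services": triage_services(sections),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DDS)
    for proc in result["temp_processes"]:
        print(f"process from temp dir: {proc}")
    for name, reasons in result["services"]:
        print(f"service {name}: {', '.join(reasons)}")
```

Run on the constructed sample it reports one process and one service, both pointing at the same executable in the Windows TEMP folder; on a real log the next step for a reviewer is to correlate the flagged path against the "Created Last 30" section, which this example leaves to the reader.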

#3 eriatarka1

  • Topic Starter
  • Members
  • 11 posts

Posted 02 July 2009 - 04:34 PM

No worries. A bit of further information on what I've done: scanned using Spybot, AVG, MalwareBytes. I found some cookies and a few trojans, but nothing else; I did get rid of it all.

I have also encountered IRQL_NOT_LESS_OR_EQUAL errors (twice, once since the original post) on shutting down, and also the /?_V@YAXPAX@Z error on opening Firefox.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Robert at 22:21:24.46 on 02/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.504 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\TEMP\pfppagnpqr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\TEMP\pfppagnpqr.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\FlashMute\FlashMute.exe
C:\Documents and Settings\Robert\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Robert\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2080110
uSearch Page = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2080110
uSearch Bar = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=l68bHwr4d9KW-IldsFa3NBuG0Yo
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: &Google Web Accelerator Helper: {69a87b7d-de56-4136-9655-716ba50c19c7} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Google Web Accelerator: {db87bfa2-a2e3-451e-8e5a-c89982d87cbf} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [Google Update] "c:\documents and settings\robert\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [EPSON Stylus DX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticde.exe /fu "c:\windows\temp\E_SEE.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [FlashMute] c:\program files\flashmute\FlashMute.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-explorer: NoSMHelp = 01000000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll,avgrsstx.dll c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert\applic~1\mozilla\firefox\profiles\sl3gk2tm.default\
FF - prefs.js: browser.search.selectedEngine - Dictionary.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig | www.bbc.co.uk
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - prefs.js: network.proxy.http - http://wwwcache.nottingham.ac.uk/proxyall.pac
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\robert\application data\mozilla\firefox\profiles\sl3gk2tm.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\robert\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\robert\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R?2 AdobeAlerter;Adobe LM Service AdobeAlerter;c:\windows\temp\pfppagnpqr.exe service --> c:\windows\temp\pfppagnpqr.exe service [?]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-11 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-1-18 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-11 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 298776]
R3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\ProtoWall.sys [2006-1-2 23296]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-1-10 29744]

=============== Created Last 30 ================

2009-06-29 14:47 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-06-29 14:46 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-06-29 14:46 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-06-29 14:46 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-06-29 14:46 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-06-29 14:46 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-06-29 14:46 28,288 a------- c:\windows\system32\dllcache\xjis.nls
2009-06-29 14:46 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-06-29 14:46 19,455 a------- c:\windows\system32\dllcache\wvchntxx.sys
2009-06-29 14:46 12,063 a------- c:\windows\system32\dllcache\wsiintxx.sys
2009-06-29 14:44 19,016 a------- c:\windows\system32\dllcache\w926nd.sys
2009-06-29 14:43 794,399 a------- c:\windows\system32\dllcache\usr1806v.sys
2009-06-29 14:42 14,336 a------- c:\windows\system32\dllcache\tsprof.exe
2009-06-29 14:41 138,528 a------- c:\windows\system32\dllcache\tgiulnt5.sys
2009-06-29 14:40 155,648 a------- c:\windows\system32\dllcache\stlnprop.dll
2009-06-29 14:39 7,168 a------- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2009-06-29 14:38 157,696 a------- c:\windows\system32\dllcache\sisv256.dll
2009-06-29 14:38 50,432 a------- c:\windows\system32\dllcache\sisv.sys
2009-06-29 14:38 32,768 a------- c:\windows\system32\dllcache\sisnic.sys
2009-06-29 14:38 238,592 a------- c:\windows\system32\dllcache\sisgrv.dll
2009-06-29 14:38 104,064 a------- c:\windows\system32\dllcache\sisgrp.sys
2009-06-29 14:38 150,144 a------- c:\windows\system32\dllcache\sis6306v.dll
2009-06-29 14:38 68,608 a------- c:\windows\system32\dllcache\sis6306p.sys
2009-06-29 14:38 252,032 a------- c:\windows\system32\dllcache\sis300iv.dll
2009-06-29 14:38 101,760 a------- c:\windows\system32\dllcache\sis300ip.sys
2009-06-29 14:38 18,944 a------- c:\windows\system32\dllcache\simptcp.dll
2009-06-29 14:38 161,568 a------- c:\windows\system32\dllcache\sgsmusb.sys
2009-06-29 14:38 18,400 a------- c:\windows\system32\dllcache\sgsmld.sys
2009-06-29 14:38 98,080 a------- c:\windows\system32\dllcache\sgiulnt5.sys
2009-06-29 14:36 77,824 a------- c:\windows\system32\dllcache\s3sav4m.sys
2009-06-29 14:35 79,104 a------- c:\windows\system32\dllcache\rocket.sys
2009-06-29 14:34 16,128 a------- c:\windows\system32\dllcache\pscr.sys
2009-06-29 14:33 30,282 a------- c:\windows\system32\dllcache\pcntn5hl.sys
2009-06-29 14:32 43,689 a------- c:\windows\system32\dllcache\otceth5.sys
2009-06-29 14:31 91,488 a------- c:\windows\system32\dllcache\n9i3disp.dll
2009-06-29 14:30 2,944 a------- c:\windows\system32\dllcache\msmpu401.sys
2009-06-29 14:29 58,880 a------- c:\windows\system32\dllcache\m3092dc.dll
2009-06-29 14:28 8,704 a------- c:\windows\system32\dllcache\kbdjpn.dll
2009-06-29 14:27 372,824 a------- c:\windows\system32\dllcache\iconf32.dll
2009-06-29 14:26 50,751 a------- c:\windows\system32\dllcache\hsf_tone.sys
2009-06-29 14:25 93,696 a------- c:\windows\system32\dllcache\hpgt42.dll
2009-06-29 14:24 455,680 a------- c:\windows\system32\dllcache\fus2base.sys
2009-06-29 14:23 595,647 a------- c:\windows\system32\dllcache\es56cvmp.sys
2009-06-29 14:22 44,103 a------- c:\windows\system32\dllcache\el515.sys
2009-06-29 14:21 110,592 a------- c:\windows\system32\dllcache\dc260usd.dll
2009-06-29 14:20 21,530 a------- c:\windows\system32\dllcache\ce2n5.sys
2009-06-29 14:19 89,952 a------- c:\windows\system32\dllcache\b1cbase.sys
2009-06-29 14:18 19,968 a------- c:\windows\system32\dllcache\inetsloc.dll
2009-06-29 14:18 169,984 a------- c:\windows\system32\dllcache\iisui.dll
2009-06-29 14:18 7,680 a------- c:\windows\system32\dllcache\inetmgr.exe
2009-06-29 14:18 14,336 a------- c:\windows\system32\dllcache\iisreset.exe
2009-06-29 14:18 5,632 a------- c:\windows\system32\dllcache\iisrstap.dll
2009-06-29 14:18 6,144 a------- c:\windows\system32\dllcache\ftpsapi2.dll
2009-06-29 14:18 94,720 a------- c:\windows\system32\dllcache\certmap.ocx
2009-06-28 23:59 <DIR> --d----- c:\docume~1\robert\applic~1\Malwarebytes
2009-06-28 23:59 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-28 23:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-28 23:59 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-28 23:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 18:33 <DIR> --d----- c:\program files\GameSpy Arcade
2009-06-10 10:06 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 10:06 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-05 15:20 <DIR> --d----- c:\documents and settings\robert\.idlerc
2009-06-05 15:16 <DIR> --d----- C:\Python30
2009-06-04 00:32 <DIR> --d----- c:\program files\iPod

==================== Find3M ====================

2009-06-24 10:35 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-24 10:35 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-19 12:23 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-13 06:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 06:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 22:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 22:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 22:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 22:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 22:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 12:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 15:51 585,216 a------- c:\windows\system32\dllcache\rpcrt4.dll
2008-09-20 10:14 548,047 a------- c:\program files\lame3.98-final.zip
2008-09-12 19:49 24 a------- c:\documents and settings\robert\jagex_runescape_preferences.dat
2008-08-17 16:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081720080818\index.dat

============= FINISH: 22:24:13.46 ===============

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:14 PM

Posted 04 July 2009 - 07:12 PM

Hi eriatarka1,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

-------------------------------------------------------------------

Do you still have the last MBAM log? If so please post it.

Then

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop, please rename it as gamer.exe.
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Finally

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Thanks :thumbup2:
m0le is a proud member of UNITE

#5 eriatarka1

eriatarka1
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 06 July 2009 - 03:17 AM

OK...here goes. Interestingly I seem to have had a new E:\ created recently, which is a virtual one, and nothing to do with me... (although the H:\ is my own virtual drive).

MBAM log:

Malwarebytes' Anti-Malware 1.38
Database version: 2347
Windows 5.1.2600 Service Pack 3

29/06/2009 00:14:48
mbam-log-2009-06-29 (00-14-48).txt

Scan type: Quick Scan
Objects scanned: 103382
Time elapsed: 11 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.

GMER log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-05 12:38:03
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x62 ? 86FDABF8
INT 0x82 ? 86FDABF8
INT 0x84 ? 86D81BF8
INT 0x94 ? 86D81BF8
INT 0xA4 ? 86D81BF8

Code 86C7DC98 ZwEnumerateKey
Code 86C225C8 ZwFlushInstructionCache
Code 86BED10E IofCallDriver
Code 86C1B256 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 86BED113
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 86C1B25B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC4 5 Bytes JMP 86C225CC
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB70 5 Bytes JMP 86C7DC9C
? spjl.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F63A68AC 5 Bytes JMP 86D811D8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[224] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003E000A
.text C:\WINDOWS\system32\igfxpers.exe[232] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003B000A
.text C:\WINDOWS\system32\RunDLL32.exe[276] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009D000A
.text C:\Program Files\Dell\MediaDirect\PCMService.exe[288] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BA000A
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[292] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text ...
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[3596] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 05052422 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[3596] USER32.dll!MessageBoxA 7E4507EA 5 Bytes JMP 050523CC C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[3596] USER32.dll!MessageBoxW 7E466534 5 Bytes JMP 050523F7 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\WINDOWS\Explorer.EXE[3828] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C6000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7381040] spjl.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F738113C] spjl.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73810BE] spjl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73817FC] spjl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73816D2] spjl.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7390D92] spjl.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86FD91F8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 86D801F8
Device \Driver\usbuhci \Device\USBPDO-1 86D801F8
Device \Driver\sptd \Device\1722078792 spjl.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86F6E1F8
Device \Driver\dmio \Device\DmControl\DmConfig 86F6E1F8
Device \Driver\dmio \Device\DmControl\DmPnP 86F6E1F8
Device \Driver\dmio \Device\DmControl\DmInfo 86F6E1F8
Device \Driver\usbuhci \Device\USBPDO-2 86D801F8
Device \Driver\usbuhci \Device\USBPDO-3 86D801F8
Device \Driver\usbehci \Device\USBPDO-4 86D531F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 86FDB1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86FDB1F8

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4C84B536-4209-4436-A643-EC638268B33D}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4C84B536-4209-4436-A643-EC638268B33D}@oafmaafppinhgdhkiojdmcdpdlemda 0x64 0x61 0x66 0x6B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4C84B536-4209-4436-A643-EC638268B33D}@oajlpfbfcdoibngegilpiabdimgdhe 0x6B 0x61 0x63 0x69 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4C84B536-4209-4436-A643-EC638268B33D}@naplbajfcdpnfdljnngoojkkopii 0x69 0x61 0x68 0x6B ...

---- EOF - GMER 1.0.15 ----

DrWeb (which seems on the short side...)

RegUBP2b-Robert.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
hjgruikkltopxj.dll;C:\WINDOWS\system32;BackDoor.Tdss.265;Deleted.;

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:14 PM

Posted 06 July 2009 - 02:31 PM

There's some nasty stuff in those logs but they have all been removed. :)

How is the PC behaving now?

Let's run an online scan to check for other stray files.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Then please post a new DDS log.

Thanks :thumbup2:
m0le is a proud member of UNITE

#7 eriatarka1

eriatarka1
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 06 July 2009 - 06:07 PM

It is still redirecting me, even after that BitDefender scan. I haven't tried to revert the theme, so it hasn't become obvious if it is affecting me in any other way.

Also, how safe will this computer be (when fully cleaned) for activities such as internet banking? And will other computers on the same network be affected by it?


BitDefender Online Scanner

Scan report generated at: Mon, Jul 06, 2009 - 23:28:01

Scan path: C:\;D:\;E:\;F:\;H:\;

Statistics
Time: 02:19:24
Files: 751649
Folders: 22920
Boot Sectors: 0
Archives: 51628
Packed Files: 28051

Results
Identified Viruses: 3
Infected Files: 4
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 4

Engines Info
Virus Definitions: 3654461
Engine build: AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
Scan plugins: 17
Archive plugins: 45
Unpack plugins: 7
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-71e1b1ac=>vmain.class - Infected with: Exploit.Java.Gimsh.B
C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-71e1b1ac=>vmain.class - Deleted
C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-71e1b1ac - Updated
C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-2b11a4c2.zip=>vmain.class - Infected with: Exploit.Java.Gimsh.B
C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-2b11a4c2.zip=>vmain.class - Deleted
C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-2b11a4c2.zip - Updated
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP166\A0015972.exe - Infected with: Trojan.Generic.1701291
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP166\A0015972.exe - Deleted
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP166\A0015978.exe - Infected with: Trojan.Generic.1643543
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP166\A0015978.exe - Deleted

DDS results:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Robert at 23:40:22.78 on 06/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.223 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\TEMP\pfppagnpqr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FlashMute\FlashMute.exe
C:\Documents and Settings\Robert\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\TEMP\pfppagnpqr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Robert\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2080110
uSearch Page = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2080110
uSearch Bar = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=l68bHwr4d9KW-IldsFa3NBuG0Yo
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: &Google Web Accelerator Helper: {69a87b7d-de56-4136-9655-716ba50c19c7} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Google Web Accelerator: {db87bfa2-a2e3-451e-8e5a-c89982d87cbf} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [Google Update] "c:\documents and settings\robert\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [EPSON Stylus DX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticde.exe /fu "c:\windows\temp\E_SEE.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [FlashMute] c:\program files\flashmute\FlashMute.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-explorer: NoSMHelp = 01000000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll,avgrsstx.dll c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert\applic~1\mozilla\firefox\profiles\sl3gk2tm.default\
FF - prefs.js: browser.search.selectedEngine - Dictionary.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig | www.bbc.co.uk
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - prefs.js: network.proxy.http - http://wwwcache.nottingham.ac.uk/proxyall.pac
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\robert\application data\mozilla\firefox\profiles\sl3gk2tm.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\robert\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\robert\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R?2 AdobeAlerter;Adobe LM Service AdobeAlerter;c:\windows\temp\pfppagnpqr.exe service --> c:\windows\temp\pfppagnpqr.exe service [?]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-11 327688]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-1-18 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-11 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 298776]
R3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\ProtoWall.sys [2006-1-2 23296]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-1-10 29744]

=============== Created Last 30 ================

2009-07-05 19:55 <DIR> --d----- c:\documents and settings\robert\DoctorWeb
2009-06-29 14:47 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-06-29 14:46 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-06-29 14:46 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-06-29 14:46 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-06-29 14:46 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-06-29 14:46 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-06-29 14:46 28,288 a------- c:\windows\system32\dllcache\xjis.nls
2009-06-29 14:46 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-06-29 14:46 19,455 a------- c:\windows\system32\dllcache\wvchntxx.sys
2009-06-29 14:46 12,063 a------- c:\windows\system32\dllcache\wsiintxx.sys
2009-06-29 14:44 19,016 a------- c:\windows\system32\dllcache\w926nd.sys
2009-06-29 14:43 794,399 a------- c:\windows\system32\dllcache\usr1806v.sys
2009-06-29 14:42 14,336 a------- c:\windows\system32\dllcache\tsprof.exe
2009-06-29 14:41 138,528 a------- c:\windows\system32\dllcache\tgiulnt5.sys
2009-06-29 14:40 155,648 a------- c:\windows\system32\dllcache\stlnprop.dll
2009-06-29 14:39 7,168 a------- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2009-06-29 14:38 157,696 a------- c:\windows\system32\dllcache\sisv256.dll
2009-06-29 14:38 50,432 a------- c:\windows\system32\dllcache\sisv.sys
2009-06-29 14:38 32,768 a------- c:\windows\system32\dllcache\sisnic.sys
2009-06-29 14:38 238,592 a------- c:\windows\system32\dllcache\sisgrv.dll
2009-06-29 14:38 104,064 a------- c:\windows\system32\dllcache\sisgrp.sys
2009-06-29 14:38 150,144 a------- c:\windows\system32\dllcache\sis6306v.dll
2009-06-29 14:38 68,608 a------- c:\windows\system32\dllcache\sis6306p.sys
2009-06-29 14:38 252,032 a------- c:\windows\system32\dllcache\sis300iv.dll
2009-06-29 14:38 101,760 a------- c:\windows\system32\dllcache\sis300ip.sys
2009-06-29 14:38 18,944 a------- c:\windows\system32\dllcache\simptcp.dll
2009-06-29 14:38 161,568 a------- c:\windows\system32\dllcache\sgsmusb.sys
2009-06-29 14:38 18,400 a------- c:\windows\system32\dllcache\sgsmld.sys
2009-06-29 14:38 98,080 a------- c:\windows\system32\dllcache\sgiulnt5.sys
2009-06-29 14:36 77,824 a------- c:\windows\system32\dllcache\s3sav4m.sys
2009-06-29 14:35 79,104 a------- c:\windows\system32\dllcache\rocket.sys
2009-06-29 14:34 16,128 a------- c:\windows\system32\dllcache\pscr.sys
2009-06-29 14:33 30,282 a------- c:\windows\system32\dllcache\pcntn5hl.sys
2009-06-29 14:32 43,689 a------- c:\windows\system32\dllcache\otceth5.sys
2009-06-29 14:31 91,488 a------- c:\windows\system32\dllcache\n9i3disp.dll
2009-06-29 14:30 2,944 a------- c:\windows\system32\dllcache\msmpu401.sys
2009-06-29 14:29 58,880 a------- c:\windows\system32\dllcache\m3092dc.dll
2009-06-29 14:28 8,704 a------- c:\windows\system32\dllcache\kbdjpn.dll
2009-06-29 14:27 372,824 a------- c:\windows\system32\dllcache\iconf32.dll
2009-06-29 14:26 50,751 a------- c:\windows\system32\dllcache\hsf_tone.sys
2009-06-29 14:25 93,696 a------- c:\windows\system32\dllcache\hpgt42.dll
2009-06-29 14:24 455,680 a------- c:\windows\system32\dllcache\fus2base.sys
2009-06-29 14:23 595,647 a------- c:\windows\system32\dllcache\es56cvmp.sys
2009-06-29 14:22 44,103 a------- c:\windows\system32\dllcache\el515.sys
2009-06-29 14:21 110,592 a------- c:\windows\system32\dllcache\dc260usd.dll
2009-06-29 14:20 21,530 a------- c:\windows\system32\dllcache\ce2n5.sys
2009-06-29 14:19 89,952 a------- c:\windows\system32\dllcache\b1cbase.sys
2009-06-29 14:18 19,968 a------- c:\windows\system32\dllcache\inetsloc.dll
2009-06-29 14:18 169,984 a------- c:\windows\system32\dllcache\iisui.dll
2009-06-29 14:18 7,680 a------- c:\windows\system32\dllcache\inetmgr.exe
2009-06-29 14:18 14,336 a------- c:\windows\system32\dllcache\iisreset.exe
2009-06-29 14:18 5,632 a------- c:\windows\system32\dllcache\iisrstap.dll
2009-06-29 14:18 6,144 a------- c:\windows\system32\dllcache\ftpsapi2.dll
2009-06-29 14:18 94,720 a------- c:\windows\system32\dllcache\certmap.ocx
2009-06-28 23:59 <DIR> --d----- c:\docume~1\robert\applic~1\Malwarebytes
2009-06-28 23:59 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-28 23:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-28 23:59 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-28 23:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 18:33 <DIR> --d----- c:\program files\GameSpy Arcade
2009-06-10 10:06 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 10:06 12,800 -------- c:\windows\system32\dllcache\xpshims.dll

==================== Find3M ====================

2009-06-24 10:35 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-24 10:35 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-19 12:23 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-13 06:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 06:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 22:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 22:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 22:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 22:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 22:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 12:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 15:51 585,216 a------- c:\windows\system32\dllcache\rpcrt4.dll
2008-09-20 10:14 548,047 a------- c:\program files\lame3.98-final.zip
2008-09-12 19:49 24 a------- c:\documents and settings\robert\jagex_runescape_preferences.dat
2008-08-17 16:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081720080818\index.dat

============= FINISH: 23:43:41.39 ===============

Edited by eriatarka1, 06 July 2009 - 06:17 PM.
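The DDS "SERVICES / DRIVERS" section above is where the first lead in this thread sits: a service calling itself an Adobe component whose binary lives in c:\windows\temp under a random-looking name, with "[?]" where DDS normally prints a date and size. The script below is an added example (editor's code, not part of this thread, of DDS or of ComboFix) that automates that read: it scores each service line on the three signals a responder checks by eye (temp-directory binary, file DDS could not verify, machine-generated name) and, as a second use of the same name heuristic, groups random-looking file names that share a fixed prefix, which is the shape of the hjgrui* set ComboFix removes later in the thread. The sample lines are copied from the logs on this page plus benign controls; the reading of DDS's "-->" and "[?]" notation is an assumption stated in the comments.

```python
"""Added example (not from the thread, DDS or ComboFix): triage DDS service
lines and group random-looking file names that share a prefix."""
import re
from collections import defaultdict

# Constructed sample in the format DDS prints under "SERVICES / DRIVERS".
# The first three lines are copied from the log above; the Google Desktop
# line is a benign control so the scorer has something to leave alone.
DDS_SERVICES = r"""
R?2 AdobeAlerter;Adobe LM Service AdobeAlerter;c:\windows\temp\pfppagnpqr.exe service --> c:\windows\temp\pfppagnpqr.exe service [?]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-11 327688]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 298776]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-1-10 29744]
"""

# Paths from ComboFix's "Other Deletions" list further down the thread, plus
# two legitimate files so the family detector has negatives to ignore.
DELETED_FILES = [
    r"c:\windows\system32\drivers\hjgruiltitbdpq.sys",
    r"c:\windows\system32\hjgruiappynmdd.dat",
    r"c:\windows\system32\hjgruikkltopxj.dll",
    r"c:\windows\system32\hjgruiqmjdubxo.dat",
    r"c:\windows\system32\hjgruiqoyxtwfh.dll",
    r"c:\windows\system32\drivers\avgldx86.sys",
    r"c:\windows\system32\wininet.dll",
]

TEMP_DIRS = ("\\temp\\", "\\tmp\\")   # no legitimate service should run from here
SERVICE_RE = re.compile(r"^(?P<state>[RS]\??\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
BINARY_RE = re.compile(r"(?i)(.*?\.(?:exe|sys|dll))")   # path up to the first binary extension


def file_stem(path: str) -> str:
    """'c:\\dir\\name.ext' -> 'name' (lower-case)."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def looks_random(stem: str) -> bool:
    """Heuristic for generated names like 'pfppagnpqr': 8+ letters with few
    vowels or a long consonant run. Vendor abbreviations (avgwdsvc) can trip
    it, so callers treat it as a weak signal, never as a verdict on its own."""
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in "aeiouy" for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", letters)), default=0)
    return vowel_ratio < 0.3 or longest_run >= 5


def triage_services(dds_text: str, threshold: int = 3) -> list:
    """Score each DDS service/driver line; return those at or above threshold."""
    findings = []
    for line in dds_text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest, info = m["rest"], ""
        tail = re.search(r"\[([^\]]*)\]\s*$", rest)   # trailing "[date size]" or "[?]"
        if tail:
            info, rest = tail.group(1).strip(), rest[: tail.start()].rstrip()
        # Assumption about DDS notation: "a --> b" shows the registry ImagePath
        # and the path DDS resolved it to; the resolved one is what actually runs.
        path = rest.split(" --> ")[-1]
        bm = BINARY_RE.match(path)
        exe = bm.group(1) if bm else path      # drop arguments such as "service"
        score, reasons = 0, []
        if any(d in exe.lower() for d in TEMP_DIRS):
            score += 3; reasons.append("binary runs from a temp directory")
        if info == "?" or "?" in m["state"]:
            # Assumption: '?' is how DDS marks a binary it could not verify on disk.
            score += 2; reasons.append("DDS could not verify the file")
        if looks_random(file_stem(exe)):
            score += 1; reasons.append("random-looking file name")
        if score >= threshold:
            findings.append({"service": m["name"], "path": exe, "score": score, "reasons": reasons})
    return findings


def random_name_families(paths, prefix_len: int = 6, min_members: int = 3) -> dict:
    """Group random-looking file names by a shared leading prefix. Droppers that
    name files <fixed prefix><random suffix> show up as one family (hjgrui*);
    an isolated odd name does not reach min_members and is ignored."""
    groups = defaultdict(list)
    for p in paths:
        stem = file_stem(p)
        if looks_random(stem):
            groups[stem[:prefix_len]].append(p)
    return {k: v for k, v in groups.items() if len(v) >= min_members}


if __name__ == "__main__":
    for f in triage_services(DDS_SERVICES):
        print(f"{f['service']}: {f['path']} score={f['score']} ({'; '.join(f['reasons'])})")
    for prefix, members in random_name_families(DELETED_FILES).items():
        print(f"family {prefix}*: {len(members)} files")
```

Run against the sample, only AdobeAlerter crosses the threshold (temp directory, unverifiable file and random name all fire), while the AVG entries, whose abbreviated names alone would trip the name heuristic, stay below it; the deletion list collapses into a single hjgrui* family of five files. The weighting is deliberately simple so a responder can see why a line was flagged rather than trusting a score.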


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:14 PM

Posted 06 July 2009 - 07:13 PM

Let's remove this bad driver and see if that stops the redirects.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code into the Paste Instructions for Items to be Moved box. Do not include the word "Code".
    ;File
    C:\WINDOWS\TEMP\pfppagnpqr.exe
    :Services
    AdobeAlerter
    :Commands
    [EmptyTemp]
  • Push the large MoveIt! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.

Then

Please run MBAM on Full Scan to see what's left.

Thanks :thumbup2:
m0le is a proud member of UNITE

#9 eriatarka1

eriatarka1
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 07 July 2009 - 09:33 AM

I'm not entirely sure that the OTM one worked properly...it seemed to stop partway through after the reboot...

The MBAM came back clean though, so quite what that means I am unsure.

Also - is this safe for ecommerce once cleaned fully? I'd quite like to know.

All processes killed
Error: Unable to interpret <;File> in the current context!
Error: Unable to interpret <C:\WINDOWS\TEMP\pfppagnpqr.exe> in the current context!
========== SERVICES/DRIVERS ==========

Service\Driver AdobeAlerter deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 49152 bytes
->Temporary Internet Files folder emptied: 70726 bytes
->FireFox cache emptied: 2961741 bytes

User: All Users

User: Default User
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 143243 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 31131703 bytes

User: Robert
->Temp folder emptied: 288734338 bytes
->Temporary Internet Files folder emptied: 339347841 bytes
->Java cache emptied: 38459052 bytes
->FireFox cache emptied: 109359393 bytes
->Google Chrome cache emptied: 57695039 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
File delete failed. C:\WINDOWS\temp\pfppagnpqr.exe scheduled to be deleted on reboot.
Windows Temp folder emptied: 32638942 bytes
RecycleBin emptied: 7127673295 bytes

Total Files Cleaned = -535.50 mb


OTM by OldTimer - Version 3.0.0.4 log created on 07072009_141038

Files moved on Reboot...
C:\WINDOWS\temp\pfppagnpqr.exe moved successfully.

Registry entries deleted on Reboot...


MBAM log:

Malwarebytes' Anti-Malware 1.38
Database version: 2347
Windows 5.1.2600 Service Pack 3

07/07/2009 15:27:32
mbam-log-2009-07-07 (15-27-32).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|H:\|)
Objects scanned: 281867
Time elapsed: 51 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:14 PM

Posted 07 July 2009 - 11:49 AM

I think that's because of a typo. Please run it again using this code.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code into the Paste Instructions for Items to be Moved box. Do not include the word "Code".
    :File
    C:\WINDOWS\TEMP\pfppagnpqr.exe
  • Push the large MoveIt! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log as before.

Thanks :thumbup2:
m0le is a proud member of UNITE

#11 eriatarka1

eriatarka1
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 07 July 2009 - 11:59 AM

I just got this back:

Error: Unable to interpret <:File> in the current context!
Error: Unable to interpret <C:\WINDOWS\TEMP\pfppagnpqr.exe> in the current context!

OTM by OldTimer - Version 3.0.0.4 log created on 07072009_175840

So it doesn't seem like anything's done.

And it is still redirecting

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:14 PM

Posted 07 July 2009 - 12:01 PM

Okay eriatarka1,

Please download ComboFix from one of these locations:
IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :thumbup2:
m0le is a proud member of UNITE

#13 eriatarka1

eriatarka1
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 07 July 2009 - 12:41 PM

Here it is:

ComboFix 09-07-06.A0 - Robert 07/07/2009 18:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.608 [GMT 1:00]
Running from: c:\documents and settings\Robert\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\1483e8a.msi
c:\windows\system32\drivers\hjgruiltitbdpq.sys
c:\windows\system32\hjgruiappynmdd.dat
c:\windows\system32\hjgruikkltopxj.dll
c:\windows\system32\hjgruiqmjdubxo.dat
c:\windows\system32\hjgruiqoyxtwfh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiruuhrmql


((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.

2009-07-07 13:10 . 2009-07-07 13:10 -------- d-----w- C:\_OTM
2009-07-07 13:09 . 2009-07-07 13:09 -------- d-----w- c:\program files\ERUNT
2009-07-06 20:06 . 2009-07-06 22:28 -------- d-----w- c:\windows\BDOSCAN8
2009-07-05 18:55 . 2009-07-05 18:55 -------- d-----w- c:\documents and settings\Robert\DoctorWeb
2009-07-02 10:17 . 2009-07-02 10:17 -------- d-----w- c:\documents and settings\Robert\Local Settings\Application Data\Temp
2009-06-29 13:47 . 2008-04-14 00:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-06-29 13:46 . 2001-08-17 21:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-06-29 13:46 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-06-29 13:46 . 2001-08-17 21:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-06-29 13:46 . 2001-08-17 21:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-06-29 13:46 . 2001-08-17 21:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2009-06-29 13:46 . 2001-08-17 11:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2009-06-29 13:46 . 2004-08-03 21:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2009-06-29 13:46 . 2004-08-03 21:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2009-06-29 13:44 . 2001-08-17 11:13 19016 ----a-w- c:\windows\system32\dllcache\w926nd.sys
2009-06-29 13:43 . 2001-08-17 12:28 794399 ----a-w- c:\windows\system32\dllcache\usr1806v.sys
2009-06-29 13:42 . 2004-08-04 05:00 14336 ----a-w- c:\windows\system32\dllcache\tsprof.exe
2009-06-29 13:41 . 2001-08-17 11:51 138528 ----a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2009-06-29 13:40 . 2001-08-17 21:36 155648 ----a-w- c:\windows\system32\dllcache\stlnprop.dll
2009-06-29 13:39 . 2001-08-17 21:36 7168 ----a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2009-06-29 13:38 . 2001-08-17 13:56 157696 ----a-w- c:\windows\system32\dllcache\sisv256.dll
2009-06-29 13:38 . 2001-08-17 11:50 50432 ----a-w- c:\windows\system32\dllcache\sisv.sys
2009-06-29 13:38 . 2004-08-03 21:31 32768 ----a-w- c:\windows\system32\dllcache\sisnic.sys
2009-06-29 13:38 . 2001-08-17 21:36 238592 ----a-w- c:\windows\system32\dllcache\sisgrv.dll
2009-06-29 13:38 . 2001-08-17 11:50 104064 ----a-w- c:\windows\system32\dllcache\sisgrp.sys
2009-06-29 13:38 . 2001-08-17 13:56 150144 ----a-w- c:\windows\system32\dllcache\sis6306v.dll
2009-06-29 13:38 . 2001-08-17 11:50 68608 ----a-w- c:\windows\system32\dllcache\sis6306p.sys
2009-06-29 13:38 . 2001-08-17 13:56 252032 ----a-w- c:\windows\system32\dllcache\sis300iv.dll
2009-06-29 13:38 . 2004-08-04 05:00 18944 ----a-w- c:\windows\system32\dllcache\simptcp.dll
2009-06-29 13:38 . 2001-08-17 11:50 101760 ----a-w- c:\windows\system32\dllcache\sis300ip.sys
2009-06-29 13:38 . 2001-07-21 13:29 161568 ----a-w- c:\windows\system32\dllcache\sgsmusb.sys
2009-06-29 13:38 . 2001-07-21 13:29 18400 ----a-w- c:\windows\system32\dllcache\sgsmld.sys
2009-06-29 13:38 . 2001-08-17 11:51 98080 ----a-w- c:\windows\system32\dllcache\sgiulnt5.sys
2009-06-29 13:36 . 2001-08-17 11:50 77824 ----a-w- c:\windows\system32\dllcache\s3sav4m.sys
2009-06-29 13:35 . 2008-04-13 18:40 79104 ----a-w- c:\windows\system32\dllcache\rocket.sys
2009-06-29 13:34 . 2001-08-17 12:51 16128 ----a-w- c:\windows\system32\dllcache\pscr.sys
2009-06-29 13:33 . 2001-08-17 11:11 30282 ----a-w- c:\windows\system32\dllcache\pcntn5hl.sys
2009-06-29 13:32 . 2001-08-17 11:12 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys
2009-06-29 13:31 . 2001-08-17 13:56 91488 ----a-w- c:\windows\system32\dllcache\n9i3disp.dll
2009-06-29 13:30 . 2001-08-17 13:00 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2009-06-29 13:29 . 2001-08-17 21:36 58880 ----a-w- c:\windows\system32\dllcache\m3092dc.dll
2009-06-29 13:28 . 2001-08-17 21:36 8704 ----a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-06-29 13:27 . 2001-08-17 21:36 372824 ----a-w- c:\windows\system32\dllcache\iconf32.dll
2009-06-29 13:26 . 2001-08-17 12:28 50751 ----a-w- c:\windows\system32\dllcache\hsf_tone.sys
2009-06-29 13:25 . 2001-08-17 21:36 93696 ----a-w- c:\windows\system32\dllcache\hpgt42.dll
2009-06-29 13:24 . 2001-08-17 11:15 455680 ----a-w- c:\windows\system32\dllcache\fus2base.sys
2009-06-29 13:23 . 2001-08-17 12:28 595647 ----a-w- c:\windows\system32\dllcache\es56cvmp.sys
2009-06-29 13:22 . 2001-08-17 11:10 44103 ----a-w- c:\windows\system32\dllcache\el515.sys
2009-06-29 13:21 . 2001-08-17 21:36 110592 ----a-w- c:\windows\system32\dllcache\dc260usd.dll
2009-06-29 13:20 . 2001-08-17 11:13 21530 ----a-w- c:\windows\system32\dllcache\ce2n5.sys
2009-06-29 13:19 . 2001-08-17 11:19 36992 ----a-w- c:\windows\system32\dllcache\aztw2320.sys
2009-06-29 13:18 . 2004-08-04 05:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-06-29 13:18 . 2004-08-04 05:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-06-29 13:18 . 2004-08-04 05:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2009-06-29 13:18 . 2004-08-04 05:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2009-06-29 13:18 . 2004-08-04 05:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2009-06-29 13:18 . 2004-08-04 05:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2009-06-29 13:08 . 2009-06-29 13:08 390664 ----a-w- c:\documents and settings\Robert\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-29 08:12 . 2009-06-29 08:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-29 08:12 . 2009-06-29 08:12 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-06-29 07:07 . 2009-06-29 07:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-29 07:07 . 2009-06-29 07:07 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-28 22:59 . 2009-06-28 22:59 -------- d-----w- c:\documents and settings\Robert\Application Data\Malwarebytes
2009-06-28 22:59 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-28 22:59 . 2009-06-28 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-28 22:59 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-28 22:59 . 2009-06-28 22:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-28 15:02 . 2009-06-28 15:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-27 17:33 . 2009-06-27 17:33 -------- d-----w- c:\program files\GameSpy Arcade
2009-06-22 14:23 . 2009-06-22 14:23 239088 ----a-w- c:\documents and settings\Robert\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-06-18 23:26 . 2009-06-18 23:26 152576 ----a-w- c:\documents and settings\Robert\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-11 13:45 . 2009-06-11 13:45 -------- d-----w- c:\documents and settings\Robert\Application Data\Creative
2009-06-10 09:06 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 09:06 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 17:33 . 2008-04-25 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-07-02 15:26 . 2008-11-16 17:04 -------- d-----w- c:\program files\Steam
2009-07-02 11:31 . 2009-01-03 23:17 1 ----a-w- c:\documents and settings\Robert\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-29 15:20 . 2008-08-31 18:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-28 22:45 . 2008-07-22 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-27 23:21 . 2008-01-21 18:22 -------- d-----w- c:\documents and settings\Robert\Application Data\uTorrent
2009-06-27 21:27 . 2009-01-10 18:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-27 21:23 . 2009-01-10 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-27 17:55 . 2008-02-18 17:37 -------- d-----w- c:\program files\Guitar Pro 5
2009-06-27 17:35 . 2008-01-09 23:27 55920 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-27 17:33 . 2008-01-09 23:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 16:44 . 2008-11-15 19:33 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-24 09:35 . 2008-07-04 20:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-24 09:35 . 2008-05-11 18:08 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-24 09:35 . 2008-01-18 14:43 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-19 23:27 . 2008-01-24 19:40 -------- d-----w- c:\documents and settings\Robert\Application Data\dvdcss
2009-06-19 00:58 . 2008-01-09 23:07 -------- d-----w- c:\program files\Java
2009-06-18 18:43 . 2009-05-09 12:13 -------- d-----w- c:\program files\ApexDC++
2009-06-17 23:41 . 2008-07-04 19:56 -------- d-----w- c:\documents and settings\Robert\Application Data\Skype
2009-06-17 23:04 . 2008-07-04 19:59 -------- d-----w- c:\documents and settings\Robert\Application Data\skypePM
2009-06-17 15:20 . 2008-10-26 14:55 -------- d-----w- c:\documents and settings\Robert\Application Data\vlc
2009-06-03 23:33 . 2008-10-24 16:41 -------- d-----w- c:\program files\iTunes
2009-06-03 23:32 . 2009-06-03 23:32 -------- d-----w- c:\program files\iPod
2009-06-03 23:32 . 2008-01-18 22:05 -------- d-----w- c:\program files\Common Files\Apple
2009-06-03 23:25 . 2009-06-03 23:23 -------- d-----w- c:\program files\QuickTime
2009-06-03 23:02 . 2009-06-03 23:02 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-29 12:36 . 2009-03-13 17:39 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-29 12:36 . 2008-01-18 22:06 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-29 10:32 . 2008-02-12 19:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-27 20:31 . 2009-05-27 20:26 -------- d-----w- c:\program files\SMPlayer
2009-05-27 07:30 . 2009-05-27 07:30 -------- d-----w- c:\program files\BBC iPlayer Desktop
2009-05-19 11:23 . 2008-05-11 18:08 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-13 14:20 . 2009-05-13 14:19 -------- d-----w- c:\documents and settings\Robert\Application Data\Prism
2009-05-13 14:20 . 2009-05-13 14:20 -------- d-----w- c:\documents and settings\Robert\Application Data\WebApps
2009-05-13 05:15 . 2004-08-11 17:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 16:16 . 2009-05-11 16:16 -------- d-----w- c:\documents and settings\Robert\Application Data\eMusic
2009-05-11 16:16 . 2009-05-11 16:15 -------- d-----w- c:\program files\eMusic Download Manager
2009-05-07 15:32 . 2004-08-11 17:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 16:57 . 2009-04-22 09:00 38208 ----a-w- c:\documents and settings\Robert\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-04-17 12:26 . 2004-08-11 17:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-11 17:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-09-20 09:14 . 2008-09-20 09:14 548047 ----a-w- c:\program files\lame3.98-final.zip
2008-11-15 15:32 . 2008-11-15 15:32 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-13 133104]
"FlashMute"="c:\program files\FlashMute\FlashMute.exe" [2006-03-11 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2006-10-03 221184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-30 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-30 162584]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-15 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-31 1392640]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-24 1948440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-27 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"PD0620 STISvc"="P0620Pin.dll" - c:\windows\system32\P0620Pin.dll [2005-05-10 36864]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Robert\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-24 09:35 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Tango Patcher 2600 Reloader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Tango Patcher 2600 Reloader.lnk
backup=c:\windows\pss\Tango Patcher 2600 Reloader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"LBTServ"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Team17\\Worms2\\frontend.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\Robert\\Local Settings\\Application Data\\Google\\Google Talk, Labs Edition\\GoogleTalkLabsEdition.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Robert\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Robert\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4 Demo\\Civilization4.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\eMusic Download Manager\\xulrunner\\xulrunner.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\football manager 2009\\fm.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51018:TCP"= 51018:TCP:uTorrent
"6881:TCP"= 6881:TCP:BitTorrent
"6882:TCP"= 6882:TCP:BitTorrent 2
"6883:TCP"= 6883:TCP:BT3
"6884:TCP"= 6884:TCP:BT4
"6885:TCP"= 6885:TCP:BT4
"6886:TCP"= 6886:TCP:bt5
"6887:TCP"= 6887:TCP:bt
"6888:TCP"= 6888:TCP:bt
"6889:TCP"= 6889:TCP:bt
"43594:TCP"= 43594:TCP:rs2
"43595:TCP"= 43595:TCP:rs3
"41220:TCP"= 41220:TCP:uTorrent2

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/05/2008 19:08 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/05/2008 19:08 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [04/07/2008 21:29 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/07/2008 21:29 298776]
R3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\ProtoWall.sys [02/01/2006 05:20 23296]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/01/2008 00:19 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-07-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3699005805-2918242947-1475377695-1005Core.job
- c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-08-10 11:48]

2009-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3699005805-2918242947-1475377695-1005UA.job
- c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-08-10 11:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2080110
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=l68bHwr4d9KW-IldsFa3NBuG0Yo
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\sl3gk2tm.default\
FF - prefs.js: browser.search.selectedEngine - Dictionary.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig | www.bbc.co.uk
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - prefs.js: network.proxy.http - http://wwwcache.nottingham.ac.uk/proxyall.pac
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\sl3gk2tm.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Robert\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 18:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3699005805-2918242947-1475377695-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4C84B536-4209-4436-A643-EC638268B33D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oafmaafppinhgdhkiojdmcdpdlemda"=hex:64,61,66,6b,67,67,6b,62,00,80
"oajlpfbfcdoibngegilpiabdimgdhe"=hex:6b,61,63,69,70,64,6e,67,66,6c,6b,67,6f,64,
62,64,63,61,70,70,6f,6c,00,00
"naplbajfcdpnfdljnngoojkkopii"=hex:69,61,68,6b,67,66,69,70,65,6b,66,6c,70,65,
67,68,67,66,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,f9,e9,10,46,da,
ff,2f,18,2e,e8,e1,00,eb,16,2b,de,9b,22,2e,8a,be,42,bb,a4,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,8f,60,5c,82,56,
90,c7,8c,46,47,15,b0,92,4b,c7,ef,42,35,c4,55,7e,6d,c8,e6,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,a2,f8,ff,1f,1c,
23,bc,76,7a,45,05,fd,91,e8,6f,31,e1,e7,76,6b,3f,80,b0,4c,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,04,37,a9,6c,63,
0b,32,3c,6b,65,49,6a,7e,99,74,f7,72,ae,16,ab,70,59,a9,b1,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,e2,91,b6,cf,8b,
db,de,64,e9,02,6c,fa,fb,1d,47,57,59,a2,2d,ec,ab,6d,16,5c,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,be,0d,fb,e5,8c,
d8,97,63,50,93,e5,ab,ec,6a,4e,ab,1f,37,62,7e,c1,00,00,14,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,0d,be,64,b7,96,
10,c0,77,97,20,4e,9a,c7,f1,35,ee,80,d2,cf,30,72,76,05,81,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,2f,16,af,59,ea,
9c,50,83,aa,52,c6,00,84,3c,26,64,e5,78,e8,19,3b,3b,5f,d7,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,6a,10,35,a9,fc,
7a,2e,15,b2,46,9a,e2,1b,fe,1b,94,59,62,aa,49,06,84,ec,c2,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,c4,92,86,80,15,
82,b0,db,37,a4,aa,c3,a6,15,56,0a,2f,85,6d,51,58,8f,17,23,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,8b,24,de,da,97,
b1,9d,fd,f8,31,0f,a9,5f,a0,ec,fb,46,6a,59,02,ac,26,f9,35,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,b0,c4,14,21,dc,
10,b7,f2,05,73,21,dd,54,d8,4a,c5,20,48,7e,c0,a0,08,94,ef,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1160)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\FlashMute\mutelib.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Kontiki\KService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\system32\rundll32.exe
c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2009-07-07 18:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-07 17:38

Pre-Run: 41,861,386,240 bytes free
Post-Run: 41,743,147,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

407 --- E O F --- 2009-06-10 10:50

#14 m0le
  • Malware Response Team
  • Location:London, UK

Posted 07 July 2009 - 03:48 PM

Oh, rootkit! That run may have stopped the redirecting. How is the PC now?

With the rootkit gone we can see what it has been hiding.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Thanks :thumbup2:
m0le is a proud member of UNITE

#15 eriatarka1
  • Topic Starter
  • Members

Posted 08 July 2009 - 03:14 PM

Looks like the redirecting has stopped as of yesterday, and also so far today. Thank you! Sorry about the long delay, got caught up with a few other things.

Anyway, DrWeb looks like it found something, so I'll chuck up the log.

Here it is:

RegUBP2b-Robert.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
hjgruikkltopxj.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.Tdss.265;Deleted.;
A0025606.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP240;BackDoor.Tdss.265;Deleted.;
A0025743.reg;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP240;Trojan.StartPage.1505;Deleted.;
pfppagnpqr.exe;C:\_OTM\MovedFiles\07072009_141038\WINDOWS\temp;BackDoor.Agent.17;Deleted.;
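The Dr.Web CureIt report above is one record per line in the layout `name;directory;detection;action;`. What a responder wants from such a log is not the detection names alone but where each hit lives: every one of the five entries above sits in a container that is no longer on the live system (ComboFix's Qoobox quarantine, OTMoveIt's _OTM\MovedFiles folder, two System Restore points, and a Spybot registry snapshot), which is why the redirects stopping is consistent with the log. The script below is an added example, not code from the thread or from Dr.Web; it parses that layout and buckets each hit by container. The folder-name rules are assumptions based on the paths in this post, and the final `sample.dll` record in the embedded sample is hypothetical, included only to exercise the "live" branch.

```python
"""Triage Dr.Web CureIt report lines by where each detection was found."""
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample. The first five records are the ones quoted in the post
# above; the last one is hypothetical and exists only so that the "live"
# branch of classify() is exercised.
SAMPLE_REPORT = (
    "RegUBP2b-Robert.reg;C:\\Documents and Settings\\All Users\\Application Data"
    "\\Spybot - Search & Destroy\\Snapshots2;Trojan.StartPage.1505;Deleted.;\n"
    "hjgruikkltopxj.dll.vir;C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32;"
    "BackDoor.Tdss.265;Deleted.;\n"
    "A0025606.dll;C:\\System Volume Information\\_restore"
    "{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP240;BackDoor.Tdss.265;Deleted.;\n"
    "A0025743.reg;C:\\System Volume Information\\_restore"
    "{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP240;Trojan.StartPage.1505;Deleted.;\n"
    "pfppagnpqr.exe;C:\\_OTM\\MovedFiles\\07072009_141038\\WINDOWS\\temp;"
    "BackDoor.Agent.17;Deleted.;\n"
    "sample.dll;C:\\WINDOWS\\system32;Hypothetical.Sample;Moved.;\n"
)


@dataclass(frozen=True)
class Detection:
    name: str
    directory: str
    threat: str
    action: str

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name


# Folders that hold copies already taken off the running system. These are
# assumed from the paths seen in the thread; matching is case-insensitive on
# a backslash-normalised directory string with a trailing separator.
_CONTAINERS = (
    ("\\qoobox\\quarantine\\", "combofix-quarantine"),
    ("\\_otm\\movedfiles\\", "otm-quarantine"),
    ("\\system volume information\\_restore", "restore-point"),
    ("spybot - search & destroy\\snapshots", "spybot-snapshot"),
)


def classify(directory: str) -> str:
    """Return the container label for a directory, or "live" if none match."""
    d = directory.replace("/", "\\").lower().rstrip("\\") + "\\"
    for needle, label in _CONTAINERS:
        if needle in d:
            return label
    return "live"


def parse_report(text: str) -> list:
    """Parse 'name;directory;detection;action;' records into Detection objects."""
    out = []
    for row in csv.reader(StringIO(text.lstrip("\ufeff")), delimiter=";"):
        # The trailing ';' shows up as an empty last field. Blank lines and
        # any summary text with fewer than four populated fields are skipped.
        fields = [f.strip() for f in row]
        if len(fields) < 4 or not all(fields[:4]):
            continue
        out.append(Detection(*fields[:4]))
    return out


def triage(text: str) -> dict:
    """Group detections by container label."""
    buckets: dict = {}
    for det in parse_report(text):
        buckets.setdefault(classify(det.directory), []).append(det)
    return buckets


def live_hits(text: str) -> list:
    """Detections found outside any quarantine, restore point or snapshot."""
    return triage(text).get("live", [])


def summarize(text: str) -> list:
    """One aligned line per detection: container, threat, action, full path."""
    return [
        f"{classify(d.directory):20} {d.threat:22} {d.action:9} {d.path}"
        for d in parse_report(text)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_REPORT):
        print(line)
    print(f"live hits: {[d.name for d in live_hits(SAMPLE_REPORT)]}")
```

Run it against a real DrWeb.csv and anything that lands in the "live" bucket is what still needs attention; hits in the other buckets are copies that an earlier tool already moved, or restore-point copies that go away when System Restore is cleared.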
