
Search Engine Links Redirected to Spam pages when clicked


  • This topic is locked
55 replies to this topic

#1 freedom lover


  • Members
  • 53 posts

Posted 10 July 2009 - 12:21 AM

Hi there,

Last night I was browsing the internet when I clicked on a link from a post in a forum I was viewing. The link opened up and instantly my Adobe Acrobat Reader popped open and started loading, which I knew was a bad sign. Well, a few minutes later my computer was hijacked by a fake security program telling me that my computer was infected, which it was (with that phony antispyware program). So I used Malwarebytes in safe mode and got rid of it, but part of it still lingers: I cannot use search engines because I keep getting redirected to crap sites when clicking through the links on Google, Yahoo, etc.

I know you guys can help, so thank you kindly in advance!!


Here is my DDS log:


---


DDS (Ver_09-06-26.01) - NTFSx86
Run by Forrest Verde at 22:02:04.68 on Thu 07/09/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.442 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\wuauclt.exe
L:\backup\D\Desktop 2\PROGRAMS\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Forrest Verde\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.staticfiends.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1/hidden
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\oembios.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.23.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\privoxy.lnk - c:\program files\vidalia bundle\privoxy\privoxy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\remoco~1.lnk - c:\program files\sony\usbsircs\usbsircs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timerr~1.lnk - c:\program files\sony\giga pocket\ReserveModule.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Google Search
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.23.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\forres~1\applic~1\mozilla\firefox\profiles\4axr0vr4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\extensions\npmozax@real.com\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

pref(dom.disable_open_during_load, false);
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-6-30 11608]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-6-30 68865]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-3-1 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-3-1 234888]
R3 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-6-30 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-6-30 52056]
RUnknown omxikfm;omxikfm; [x]
S2 gupdate1c9baffdea06450;Google Update Service (gupdate1c9baffdea06450);c:\program files\google\update\GoogleUpdate.exe [2009-4-11 133104]

=============== Created Last 30 ================

2009-07-09 21:48 <DIR> --dsh--- c:\windows\system32\sysproc64
2009-07-09 21:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-09 21:31 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-09 04:59 <DIR> --d----- c:\docume~1\forres~1\applic~1\Messenger
2009-07-08 02:41 118 a------- c:\windows\system32\MRT.INI
2009-07-06 17:22 1,193,414 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-07-06 17:22 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-06-30 17:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-06-29 19:06 <DIR> --ds---- c:\documents and settings\forrest verde\UserData
2009-06-10 16:48 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-10 16:48 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-10 16:48 <DIR> --d----- c:\program files\iPod
2009-06-10 16:48 <DIR> --d----- c:\program files\iTunes
2009-06-10 16:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-10 16:47 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-05 20:13 157,159 a------- c:\windows\system32\kungsfvlypbqoe.dat
2009-05-07 08:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-28 21:52 659,456 a------- c:\windows\system32\wininet.dll
2009-04-28 21:52 81,920 -------- c:\windows\system32\ieencode.dll
2009-04-17 09:27 145,504 a------- c:\windows\system32\bgsvcgen.exe
2009-04-17 09:27 59,488 a------- c:\windows\system32\GenSvcInst.exe
2009-04-17 02:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 08:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-04-11 16:48 499,712 a------- c:\windows\system32\msvcp71.dll
2009-04-11 16:48 348,160 a------- c:\windows\system32\msvcr71.dll

============= FINISH: 22:04:00.20 ===============

#2 freedom lover

  • Topic Starter

  • Members
  • 53 posts

Posted 11 July 2009 - 03:02 PM

This problem seems pretty common, so I followed some instructions from another topic that showed similar symptoms. I ran OTM, so here are my logs (OTM and DDS):


++++++++++++++++++

All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== SERVICES/DRIVERS ==========
Service\Driver uflej not found.
Service\Driver uflej not found.
========== FILES ==========
File/Folder c:\windows\system32\drivers\bxcdkegzyj.sys not found.
File/Folder c:\windows\system32\asfadf32.dll not found.
File/Folder c:\windows\system32\cwcz not found.
File/Folder c:\windows\system32\lsp.dll not found.
File/Folder c:\windows\system32\12520437n.dll not found.
File/Folder c:\program files\sfx not found.
File/Folder c:\windows\system32\3712545721.dat not found.
File/Folder c:\windows\system32\acelpdeci.exe not found.
========== REGISTRY ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 49286 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49152 bytes

User: Forrest Verde
->Temp folder emptied: 543059063 bytes
File delete failed. C:\Documents and Settings\Forrest Verde\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 154237553 bytes
->Java cache emptied: 34108435 bytes
->FireFox cache emptied: 75460373 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 22918665 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 118400035 bytes

User: Simon Lennon
->Temp folder emptied: 22834492 bytes
->Temporary Internet Files folder emptied: 104693450 bytes
->Java cache emptied: 22995970 bytes
->FireFox cache emptied: 54532863 bytes
->Google Chrome cache emptied: 6378812 bytes

User: You
->Temp folder emptied: 12237880 bytes
->Temporary Internet Files folder emptied: 158800901 bytes
->Java cache emptied: 13007530 bytes
->FireFox cache emptied: 42952162 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19528 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 4739069 bytes
RecycleBin emptied: 6120505 bytes

Total Files Cleaned = 1332.87 mb


OTM by OldTimer - Version 3.0.0.4 log created on 07112009_134250

Files moved on Reboot...

Registry entries deleted on Reboot...

++++++++++++++++++++++




dds
=======================


DDS (Ver_09-06-26.01) - NTFSx86
Run by Forrest Verde at 13:57:20.18 on Sat 07/11/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.520 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\notepad.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Forrest Verde\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.staticfiends.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1/hidden
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\oembios.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.23.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\privoxy.lnk - c:\program files\vidalia bundle\privoxy\privoxy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\remoco~1.lnk - c:\program files\sony\usbsircs\usbsircs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timerr~1.lnk - c:\program files\sony\giga pocket\ReserveModule.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Google Search
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.23.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\forres~1\applic~1\mozilla\firefox\profiles\4axr0vr4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\extensions\npmozax@real.com\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

pref(dom.disable_open_during_load, false);
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-6-30 11608]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-6-30 68865]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-3-1 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-3-1 234888]
S2 gupdate1c9baffdea06450;Google Update Service (gupdate1c9baffdea06450);c:\program files\google\update\GoogleUpdate.exe [2009-4-11 133104]
S3 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-6-30 151297]
S3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-6-30 52056]

=============== Created Last 30 ================

2009-07-11 13:42 <DIR> --d----- C:\_OTM
2009-07-09 21:48 <DIR> --dsh--- c:\windows\system32\sysproc64
2009-07-09 21:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-09 21:31 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-09 04:59 <DIR> --d----- c:\docume~1\forres~1\applic~1\Messenger
2009-07-08 02:41 118 a------- c:\windows\system32\MRT.INI
2009-07-06 17:22 1,193,414 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-07-06 17:22 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-06-30 17:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-06-29 19:06 <DIR> --ds---- c:\documents and settings\forrest verde\UserData

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-05 20:13 157,159 a------- c:\windows\system32\kungsfvlypbqoe.dat
2009-05-07 08:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-28 21:52 659,456 a------- c:\windows\system32\wininet.dll
2009-04-28 21:52 81,920 -------- c:\windows\system32\ieencode.dll
2009-04-17 09:27 145,504 a------- c:\windows\system32\bgsvcgen.exe
2009-04-17 09:27 59,488 a------- c:\windows\system32\GenSvcInst.exe
2009-04-17 02:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 08:11 584,192 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 13:59:20.42 ===============

Edited by freedom lover, 11 July 2009 - 04:12 PM.
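The two DDS logs posted above are long, and most of what is in them is normal. The short Python script below is an added illustration for this thread (it is not part of DDS, OTM or any BleepingComputer tooling) of how a responder would triage them: it splits a DDS log into its sections, flags the entries worth a second look, and diffs the persistence sections of two runs so you can see what changed between the first log and the one taken after OTM. The checks are review prompts, not verdicts: a Userinit value with an entry beyond userinit.exe, the DisableTaskMgr policy being set, a service whose file is missing (DDS prints RUnknown / [x]), a hidden+system directory created under system32, and a system32 file name with an implausibly long run of consonants. The consonant-run cutoff of 7 is my assumption, picked so that real names in these logs (bgsvcgen peaks at 6) stay quiet; treat it as crude. The sample data is trimmed from the two logs above.

```python
# DDS log triage helper.  Added example for this thread; not part of DDS or OTM.
import re

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "===== Pseudo HJT Report ====="
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"  # the only entry XP ships with
PERSISTENCE = ("Pseudo HJT Report", "SERVICES / DRIVERS")


def parse_dds(text):
    """Split a DDS log into {section name: [non-empty lines]}; the preamble is 'HEADER'."""
    sections, current = {"HEADER": []}, "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def longest_consonant_run(name):
    """Crude 'does this look machine-generated' score (y counts as a consonant)."""
    return max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", name.lower())), default=0)


def flag_indicators(sections, run_cutoff=7):
    """Return (kind, detail) pairs for entries a responder should review first.
    run_cutoff=7 is an assumption: legitimate system32 names in these logs peak at 6."""
    flags = []
    for line in sections.get("Pseudo HJT Report", []):
        low = line.lower()
        if low.startswith("mwinlogon: userinit="):
            extra = [e for e in low.split("=", 1)[1].split(",") if e and e != DEFAULT_USERINIT]
            if extra:
                flags.append(("userinit-extra", ", ".join(extra)))
        elif low.startswith("dpolicies-system: disabletaskmgr = 1"):
            flags.append(("taskmgr-disabled", line))
    for line in sections.get("SERVICES / DRIVERS", []):
        if line.startswith("RUnknown") or line.endswith("[x]"):   # [x] = no file on disk
            flags.append(("service-no-file", line))
    for sec in ("Created Last 30", "Find3M"):
        for line in sections.get(sec, []):
            parts = line.split()                      # date time size attrs path...
            if len(parts) < 5:
                continue
            size, attrs, path = parts[2], parts[3], " ".join(parts[4:])
            in_sys32 = "\\system32\\" in path.lower()
            if size == "<DIR>" and "s" in attrs and "h" in attrs and in_sys32:
                flags.append(("hidden-system-dir", path))
            elif size != "<DIR>" and in_sys32:
                stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                if longest_consonant_run(stem) >= run_cutoff:
                    flags.append(("random-name", path))
    return flags


def diff_persistence(before, after):
    """(gone, new): persistence lines that disappeared / appeared between two DDS runs."""
    b = {l for s in PERSISTENCE for l in before.get(s, [])}
    a = {l for s in PERSISTENCE for l in after.get(s, [])}
    return sorted(b - a), sorted(a - b)


# Trimmed from the first DDS log in this thread (constructed sample, not a full log).
SAMPLE_BEFORE = r"""
DDS (Ver_09-06-26.01) - NTFSx86
============== Pseudo HJT Report ===============
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\oembios.exe,
dPolicies-system: DisableTaskMgr = 1 (0x1)
============= SERVICES / DRIVERS ===============
R3 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-6-30 151297]
RUnknown omxikfm;omxikfm; [x]
=============== Created Last 30 ================
2009-07-09 21:48 <DIR> --dsh--- c:\windows\system32\sysproc64
2009-07-08 02:41 118 a------- c:\windows\system32\MRT.INI
==================== Find3M ====================
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-05 20:13 157,159 a------- c:\windows\system32\kungsfvlypbqoe.dat
2009-04-17 09:27 145,504 a------- c:\windows\system32\bgsvcgen.exe
============= FINISH: 22:04:00.20 ===============
"""

# Second run (the log posted after OTM): the unknown service is gone, the Avira
# guard is listed as S3 (stopped), and OTM's working folder appears.
SAMPLE_AFTER = (SAMPLE_BEFORE
                .replace("RUnknown omxikfm;omxikfm; [x]\n", "")
                .replace("R3 AntiVirService;", "S3 AntiVirService;")
                .replace("=============== Created Last 30 ================\n",
                         "=============== Created Last 30 ================\n"
                         "2009-07-11 13:42 <DIR> --d----- C:\\_OTM\n"))

if __name__ == "__main__":
    before, after = parse_dds(SAMPLE_BEFORE), parse_dds(SAMPLE_AFTER)
    for kind, detail in flag_indicators(before):
        print(f"[{kind}] {detail}")
    gone, new = diff_persistence(before, after)
    print("gone since first run:", *gone, sep="\n  ")
    print("new since first run:", *new, sep="\n  ")
```

Run it against the full logs by reading them into parse_dds() instead of the samples. On the thread's logs it reports the extra Userinit entry (oembios.exe), the DisableTaskMgr policy, the omxikfm service with no file, the hidden system directory sysproc64 and the oddly named kungsfvlypbqoe.dat, and the diff shows only the omxikfm service and the Avira guard's R3/S3 state changing between the two runs; whether each flagged item is actually malicious is the responder's call, not the script's.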


#3 sempai

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 18 July 2009 - 06:46 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#4 freedom lover

  • Topic Starter

  • Members
  • 53 posts

Posted 18 July 2009 - 08:55 PM

The problem is the same as in the original post. Nothing has changed, except that the computer is running a bit slower.

Here are the new logs that you requested:

-----------------------------------------------

DDS (Ver_09-06-26.01) - NTFSx86
Run by Forrest Verde at 18:46:42.82 on Sat 07/18/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.506 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Forrest Verde\Desktop\dds(2).scr
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.staticfiends.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1/hidden
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\oembios.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\privoxy.lnk - c:\program files\vidalia bundle\privoxy\privoxy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\remoco~1.lnk - c:\program files\sony\usbsircs\usbsircs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timerr~1.lnk - c:\program files\sony\giga pocket\ReserveModule.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Google Search
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\forres~1\applic~1\mozilla\firefox\profiles\4axr0vr4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\program files\google\google gears\firefox\lib\ff30\gears.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\extensions\npmozax@real.com\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

pref(dom.disable_open_during_load, false);
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-6-30 11608]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-6-30 68865]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-3-1 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-3-1 234888]
R3 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-6-30 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-6-30 52056]
S2 gupdate1c9baffdea06450;Google Update Service (gupdate1c9baffdea06450);c:\program files\google\update\GoogleUpdate.exe [2009-4-11 133104]

=============== Created Last 30 ================

2009-07-15 02:54 <DIR> --d----- c:\program files\IDM Computer Solutions
2009-07-14 22:51 <DIR> --d----- c:\program files\ABC Amber XML Converter
2009-07-14 21:35 <DIR> --d----- c:\program files\RustemSoft
2009-07-12 20:30 <DIR> --d----- c:\documents and settings\forrest verde\.p4qt
2009-07-12 19:39 <DIR> --d----- c:\program files\Perforce
2009-07-11 13:42 <DIR> --d----- C:\_OTM
2009-07-09 21:48 <DIR> --dsh--- c:\windows\system32\sysproc64
2009-07-09 21:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-09 21:31 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-09 04:59 <DIR> --d----- c:\docume~1\forres~1\applic~1\Messenger
2009-07-08 02:41 118 a------- c:\windows\system32\MRT.INI
2009-07-06 17:22 1,193,414 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-07-06 17:22 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-06-30 17:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-06-29 19:06 <DIR> --ds---- c:\documents and settings\forrest verde\UserData

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-05 20:13 157,159 a------- c:\windows\system32\kungsfvlypbqoe.dat
2009-05-07 08:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-28 21:52 659,456 a------- c:\windows\system32\wininet.dll
2009-04-28 21:52 81,920 -------- c:\windows\system32\ieencode.dll

============= FINISH: 18:48:54.39 ===============




#5 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:22 AM

Posted 20 July 2009 - 12:16 PM

Hello freedom lover :thumbup2: Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please perform the following:



Do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.




Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries





When completed please post both logs, from GMER as well as the one from Kaspersky.

Please do not post any logs as an attachment unless asked to do so.


Note: There are times when Kaspersky will take many hours to run. If you experience this, cancel the scan and post the GMER log.


Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#6 freedom lover

freedom lover
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:08:22 AM

Posted 21 July 2009 - 04:21 PM

thank you... :thumbup2:


Kaspersky was taking forever so I canceled it as suggested...here is the gmer log:





---



GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-21 14:16:55
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code \WINDOWS\System32\Drivers\kdrc.dll ZwCreateFile [0xF74C3404]
Code \WINDOWS\System32\Drivers\kdrc.dll ZwOpenFile [0xF74C373E]
Code \WINDOWS\System32\Drivers\kdrc.dll ZwOpenProcess [0xF74C2FB6]
Code \WINDOWS\System32\Drivers\kdrc.dll ZwOpenThread [0xF74C32BE]
Code \WINDOWS\System32\Drivers\kdrc.dll ZwQueryDirectoryFile [0xF74C3C1A]
Code \WINDOWS\System32\Drivers\kdrc.dll ZwWriteFile [0xF74C3A6A]
Code \WINDOWS\System32\Drivers\kdrc.dll NtCreateFile
Code \WINDOWS\System32\Drivers\kdrc.dll NtOpenFile
Code \WINDOWS\System32\Drivers\kdrc.dll NtOpenProcess
Code \WINDOWS\System32\Drivers\kdrc.dll NtOpenThread
Code \WINDOWS\System32\Drivers\kdrc.dll NtQueryDirectoryFile
Code \WINDOWS\System32\Drivers\kdrc.dll NtWriteFile
Code \WINDOWS\System32\Drivers\kdrc.dll PsRemoveLoadImageNotifyRoutine
Code \WINDOWS\System32\Drivers\kdrc.dll PsSetCreateProcessNotifyRoutine
Code \WINDOWS\System32\Drivers\kdrc.dll PsSetCreateThreadNotifyRoutine
Code \WINDOWS\System32\Drivers\kdrc.dll PsSetLoadImageNotifyRoutine

---- Kernel code sections - GMER 1.0.15 ----

.rdata C:\WINDOWS\system32\drivers\KSecDD.sys unknown last section [0xF74E6780, 0x80, 0xC0000040]
? C:\WINDOWS\system32\drivers\KSecDD.sys Access is denied.
? C:\WINDOWS\System32\Drivers\kdrc.dll Access is denied.
.rdata C:\WINDOWS\System32\DRIVERS\USBPORT.SYS unknown last section [0xF66E3E80, 0x80, 0xC0000040]
? C:\WINDOWS\System32\DRIVERS\USBPORT.SYS Access is denied.
.rdata C:\WINDOWS\System32\DRIVERS\kbdclass.sys unknown last section [0xF786D000, 0x80, 0xC0000040]
? C:\WINDOWS\System32\DRIVERS\kbdclass.sys Access is denied.

---- User code sections - GMER 1.0.15 ----

.rdata C:\WINDOWS\Explorer.EXE[2212] C:\WINDOWS\Explorer.EXE unknown last section [0x010FF000, 0x1000, 0xC0000040]
---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\comctl32.dll:_rc_db_sec_obj (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [2212] 0x01470000
Library C:\WINDOWS\system32\comctl32.dll:_rc_db_5.1.2600 (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2500] 0x00E60000
Library C:\WINDOWS\system32\comctl32.dll:_rc_db_5.1.2600 (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [2720] 0x09900000
Library C:\WINDOWS\system32\comctl32.dll:_rc_db_5.1.2600 (*** hidden *** ) @ C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2736] 0x00FC0000
Library C:\WINDOWS\system32\comctl32.dll:_rc_db_5.1.2600 (*** hidden *** ) @ C:\WINDOWS\system32\wuauclt.exe [3240] 0x10000000
Library C:\WINDOWS\system32\comctl32.dll:_rc_db_5.1.2600 (*** hidden *** ) @ C:\Program Files\Sony\Giga Pocket\gps.exe [3432] 0x03270000
Library C:\WINDOWS\system32\comctl32.dll:_rc_db_5.1.2600 (*** hidden *** ) @ C:\WINDOWS\system32\rundll32.exe [3804] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\hjgruixqfoguva.sys (*** hidden *** ) [SYSTEM] hjgruigcnxsmte <-- ROOTKIT !!!
Service system32\drivers\kungsftltkkwbi.sys (*** hidden *** ) [SYSTEM] kungsfbwuxjrir <-- ROOTKIT !!!
Service system32\drivers\SKYNETpuxpbdmc.sys (*** hidden *** ) [SYSTEM] SKYNETimqdmdwq <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte@imagepath \systemroot\system32\drivers\hjgruixqfoguva.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruixqfoguva.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\modules@hjgruicmd.dll \systemroot\system32\hjgruieagjjmqn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\modules@hjgruilog.dat \systemroot\system32\hjgruihglhvxfj.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\modules@hjgruiwsp.dll \systemroot\system32\hjgruisuafldim.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\modules@hjgrui.dat \systemroot\system32\hjgruidnldwfgy.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir@imagepath \systemroot\system32\drivers\kungsftltkkwbi.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir\main@cmddelay 7200
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir\main\injector@* kungsfwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir\modules@kungsfrk.sys \systemroot\system32\drivers\kungsftltkkwbi.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir\modules@kungsfcmd.dll \systemroot\system32\kungsftexmhlvn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir\modules@kungsflog.dat \systemroot\system32\kungsfvlypbqoe.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir\modules@kungsfwsp.dll \systemroot\system32\kungsfwjllwbwr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir\modules@kungsf.dat \systemroot\system32\kungsfceaxkcet.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETimqdmdwq@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETimqdmdwq@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETimqdmdwq@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETimqdmdwq@imagepath \systemroot\system32\drivers\SKYNETpuxpbdmc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETimqdmdwq\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETimqdmdwq\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETimqdmdwq\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETimqdmdwq\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpuxpbdmc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETimqdmdwq\modules@SKYNETcmd.dll \systemroot\system32\SKYNETxgeixfjt.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte@imagepath \systemroot\system32\drivers\hjgruixqfoguva.sys
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte\main
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte\main@aid 10002
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte\main\delete
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte\main\injector
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte\main\tasks
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte\modules
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruixqfoguva.sys
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte\modules@hjgruicmd.dll \systemroot\system32\hjgruieagjjmqn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte\modules@hjgruilog.dat \systemroot\system32\hjgruihglhvxfj.dat
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte\modules@hjgruiwsp.dll \systemroot\system32\hjgruisuafldim.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruigcnxsmte\modules@hjgrui.dat \systemroot\system32\hjgruidnldwfgy.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir@imagepath \systemroot\system32\drivers\kungsftltkkwbi.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\main
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\main@aid 10002
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\main\delete
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\main\injector
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\main\injector@* kungsfwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\main\tasks
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\modules
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\modules@kungsfrk.sys \systemroot\system32\drivers\kungsftltkkwbi.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\modules@kungsfcmd.dll \systemroot\system32\kungsftexmhlvn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\modules@kungsflog.dat \systemroot\system32\kungsfvlypbqoe.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\modules@kungsfwsp.dll \systemroot\system32\kungsfwjllwbwr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\modules@kungsf.dat \systemroot\system32\kungsfceaxkcet.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq@imagepath \systemroot\system32\drivers\SKYNETpuxpbdmc.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq\main
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq\main\injector
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq\modules
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpuxpbdmc.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq\modules@SKYNETcmd.dll \systemroot\system32\SKYNETxgeixfjt.dll

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP214\A0037131.dll:_rc_db_5.1.2600 62464 bytes executable
ADS C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP214\A0037131.dll:_rc_db_sec_obj 203264 bytes executable
ADS C:\WINDOWS\system32\comctl32.dll:_rc_db_5.1.2600 62464 bytes executable
ADS C:\WINDOWS\system32\comctl32.dll:_rc_db_sec_obj 203264 bytes executable

---- EOF - GMER 1.0.15 ----
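As an added triage aid for reading a log like the one above (this is example code written for this page, not code from the thread, from GMER or from BleepingComputer): a small Python parser that reads GMER's Services and Registry sections, groups every hidden service with the registry values GMER recovered under the same service name (ImagePath, the `modules` list, the `injector` DLL), and checks that the registry ImagePath names the same driver file the hidden-service line reported. The sample text is a constructed excerpt of the log posted above; the function and field names are my own. It only summarises the log and changes nothing on the machine, which matches the helper's instruction not to act on ROOTKIT entries on your own.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the GMER 1.0.15 log posted above, kept in
# the exact line shapes GMER writes (Services section, then Registry section).
SAMPLE_GMER_LOG = r"""
---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\hjgruixqfoguva.sys (*** hidden *** ) [SYSTEM] hjgruigcnxsmte <-- ROOTKIT !!!
Service system32\drivers\kungsftltkkwbi.sys (*** hidden *** ) [SYSTEM] kungsfbwuxjrir <-- ROOTKIT !!!
Service system32\drivers\SKYNETpuxpbdmc.sys (*** hidden *** ) [SYSTEM] SKYNETimqdmdwq <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte@imagepath \systemroot\system32\drivers\hjgruixqfoguva.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruixqfoguva.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruigcnxsmte\modules@hjgruicmd.dll \systemroot\system32\hjgruieagjjmqn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir@imagepath \systemroot\system32\drivers\kungsftltkkwbi.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfbwuxjrir\modules@kungsflog.dat \systemroot\system32\kungsfvlypbqoe.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir@imagepath \systemroot\system32\drivers\kungsftltkkwbi.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETimqdmdwq@imagepath \systemroot\system32\drivers\SKYNETpuxpbdmc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETimqdmdwq\modules@SKYNETcmd.dll \systemroot\system32\SKYNETxgeixfjt.dll
"""

# Service <driver> (*** hidden *** ) [<account>] <service name> [<-- ROOTKIT !!!]
SERVICE_RE = re.compile(
    r"^Service\s+(?P<driver>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<account>[^\]]+)\]"
    r"\s+(?P<name>\S+)(?P<flag>\s+<-- ROOTKIT !!!)?\s*$"
)
# Reg HKLM\SYSTEM\<control set>\Services\<service>[\<subkeys>][@<value> <data>]
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?P<subkey>(?:\\[^\\@\s]+)*)(?:@(?P<value>\S+)(?:\s+(?P<data>.*))?)?\s*$"
)


def triage_gmer(log_text):
    """Group each hidden service GMER reported with the registry entries it
    recovered for the same service name. Read-only: this only summarises the log."""
    services = {}
    reg = defaultdict(lambda: {"control_sets": set(), "image_paths": set(),
                               "modules": {}, "injector": []})
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            services[m["name"]] = {"driver": m["driver"], "account": m["account"],
                                   "flagged": m["flag"] is not None}
            continue
        m = REG_RE.match(line)
        if not m:
            continue
        entry = reg[m["svc"]]
        entry["control_sets"].add(m["cs"])
        subkey, value, data = m["subkey"].lower(), m["value"], m["data"]
        if subkey == "" and value == "imagepath" and data:
            entry["image_paths"].add(data)
        elif subkey == r"\modules" and value and data:
            entry["modules"][value] = data          # module nickname -> on-disk path
        elif subkey.endswith(r"\injector") and data:
            entry["injector"].append(data)          # DLL the service injects
    report = {}
    for name, svc in services.items():
        r = reg.get(name)  # .get() does not create a default entry
        driver_base = svc["driver"].rsplit("\\", 1)[-1].lower()
        report[name] = {
            **svc,
            "control_sets": sorted(r["control_sets"]) if r else [],
            "image_paths": sorted(r["image_paths"]) if r else [],
            "modules": dict(r["modules"]) if r else {},
            "injector": list(r["injector"]) if r else [],
            # The registry ImagePath and the hidden-service line should name the same
            # file; the log mixes path styles, so compare basenames only.
            "imagepath_matches_driver": bool(r) and any(
                p.rsplit("\\", 1)[-1].lower() == driver_base for p in r["image_paths"]),
        }
    return report


def format_report(report):
    """Plain-text summary, one block per hidden service."""
    lines = []
    for name, info in report.items():
        status = "flagged by GMER" if info["flagged"] else "hidden, not flagged"
        lines.append(f"{name}: {status}; driver {info['driver']}; present in "
                     f"{', '.join(info['control_sets']) or 'no registry entries'}")
        for nick, path in info["modules"].items():
            lines.append(f"    module {nick} -> {path}")
        for dll in info["injector"]:
            lines.append(f"    injects {dll}")
        if not info["imagepath_matches_driver"]:
            lines.append("    ImagePath does not match the hidden-service driver: check manually")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(triage_gmer(SAMPLE_GMER_LOG))))
```

Run it against a saved Gmer.txt by reading the file into `triage_gmer` instead of the sample. The grouping matters because GMER prints the hidden service, its driver, its helper DLLs and its log files as dozens of separate lines; seeing them per service, with both `CurrentControlSet` and `ControlSet003` listed, shows at a glance which files a helper will need to account for and that the entries persist across the control sets the machine boots from.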
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\main\injector@* kungsfwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\main\tasks
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\modules
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\modules@kungsfrk.sys \systemroot\system32\drivers\kungsftltkkwbi.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\modules@kungsfcmd.dll \systemroot\system32\kungsftexmhlvn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\modules@kungsflog.dat \systemroot\system32\kungsfvlypbqoe.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\modules@kungsfwsp.dll \systemroot\system32\kungsfwjllwbwr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfbwuxjrir\modules@kungsf.dat \systemroot\system32\kungsfceaxkcet.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq@imagepath \systemroot\system32\drivers\SKYNETpuxpbdmc.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq\main
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq\main\injector
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq\modules
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpuxpbdmc.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETimqdmdwq\modules@SKYNETcmd.dll \systemroot\system32\SKYNETxgeixfjt.dll

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP214\A0037131.dll:_rc_db_5.1.2600 62464 bytes executable
ADS C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP214\A0037131.dll:_rc_db_sec_obj 203264 bytes executable
ADS C:\WINDOWS\system32\comctl32.dll:_rc_db_5.1.2600 62464 bytes executable
ADS C:\WINDOWS\system32\comctl32.dll:_rc_db_sec_obj 203264 bytes executable

---- EOF - GMER 1.0.15 ----

#7 thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:11:22 AM

Posted 21 July 2009 - 07:14 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#8 freedom lover

  • Topic Starter
  • Members
  • 53 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 21 July 2009 - 11:20 PM

ComboFix 09-07-21.03 - Forrest Verde 07/21/2009 20:38.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.176 [GMT -7:00]
Running from: c:\documents and settings\Forrest Verde\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\99729056.ini
c:\documents and settings\LocalService\Application Data\sysproc64
c:\documents and settings\LocalService\Application Data\sysproc64\sysproc32.sys
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\recycler\S-1-5-21-1004574870-2323233685-3874368327-1003
c:\recycler\S-1-5-21-1153268050-1745101451-2860577156-1003
c:\recycler\S-1-5-21-2390782801-2610304041-153104931-1003
c:\recycler\S-1-5-21-2610108528-1692246880-3841467644-1003
c:\recycler\S-1-5-21-2641702931-1635820559-1401996470-1003
c:\recycler\S-1-5-21-3175570731-937336541-441031306-1003
c:\recycler\S-1-5-21-3639935143-843763449-1625352185-1003
c:\recycler\S-1-5-21-3930981269-3810791699-899491540-1003
c:\recycler\S-1-5-21-4069970522-2291726883-3272541339-1003
c:\recycler\S-1-5-21-776561741-1757981266-725345543-1003
c:\windows\Installer\95be8.msi
c:\windows\Installer\bc9d5.msi
c:\windows\system32\drivers\hjgruixqfoguva.sys
c:\windows\system32\hjgruidnldwfgy.dat
c:\windows\system32\hjgruieagjjmqn.dll
c:\windows\system32\hjgruihglhvxfj.dat
c:\windows\system32\hjgruisuafldim.dll
c:\windows\system32\kungsfvlypbqoe.dat
c:\windows\system32\oembios.exe
c:\windows\system32\sysproc64
c:\windows\system32\sysproc64\sysproc32.sys
c:\windows\system32\sysproc64\sysproc86.sys
L:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HJGRUIGCNXSMTE
-------\Service_hjgruigcnxsmte
-------\Service_kungsfbwuxjrir
-------\Service_SKYNETimqdmdwq


((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.

2009-07-21 16:54 . 2009-07-21 16:54 70656 -c--a-w- c:\windows\system32\dllcache\d1.dat
2009-07-21 16:54 . 2009-07-21 16:54 62464 -c--a-w- c:\windows\system32\dllcache\p1.dat
2009-07-21 16:54 . 2009-07-21 16:54 1032704 -c--a-w- c:\windows\system32\dllcache\e1.dat
2009-07-21 16:54 . 2009-07-22 03:53 -------- dc----w- c:\windows\system32\dllcache\1152115159
2009-07-15 23:38 . 2009-07-18 02:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-07-15 09:54 . 2009-07-15 09:57 -------- d-----w- c:\program files\IDM Computer Solutions
2009-07-15 09:54 . 2009-07-15 09:54 -------- d-----w- c:\documents and settings\Forrest Verde\Application Data\IDMComp
2009-07-15 05:51 . 2009-07-15 06:17 -------- d-----w- c:\program files\ABC Amber XML Converter
2009-07-15 04:38 . 2009-07-15 04:38 -------- d-----w- c:\documents and settings\Forrest Verde\Local Settings\Application Data\RustemSoft
2009-07-15 04:35 . 2009-07-15 04:48 -------- d-----w- c:\program files\RustemSoft
2009-07-15 01:14 . 2009-07-15 01:14 -------- d-----w- c:\documents and settings\Forrest Verde\Application Data\Alien Skin
2009-07-13 03:30 . 2009-07-15 08:45 -------- d-----w- c:\documents and settings\Forrest Verde\.p4qt
2009-07-13 02:39 . 2009-07-13 02:39 -------- d-----w- c:\program files\Perforce
2009-07-13 02:34 . 2009-07-13 02:34 -------- d-----w- c:\documents and settings\Forrest Verde\Local Settings\Application Data\{20A6A10B-B868-4F43-9043-F0A30C6B38BD}
2009-07-13 02:32 . 2009-07-13 02:32 -------- d-----w- c:\documents and settings\Forrest Verde\Local Settings\Application Data\{3F72850E-E5C7-4AE1-9D26-4C455F499021}
2009-07-11 20:42 . 2009-07-11 20:42 -------- d-----w- C:\_OTM
2009-07-10 04:31 . 2009-07-10 04:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-10 04:31 . 2009-07-10 04:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-09 12:45 . 2009-07-09 12:45 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-09 11:59 . 2009-07-09 12:33 -------- d-----w- c:\documents and settings\Forrest Verde\Application Data\Messenger
2009-07-07 00:28 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-07 00:28 . 2009-02-09 10:20 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-07 00:28 . 2009-02-09 10:20 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-07 00:28 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-07 00:28 . 2009-02-06 16:54 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-07-07 00:28 . 2009-02-06 16:39 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-07 00:28 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2009-07-07 00:28 . 2009-02-09 10:20 723456 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-07 00:28 . 2009-02-09 10:20 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-07 00:28 . 2009-02-09 10:20 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-07 00:28 . 2009-02-09 10:20 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-07 00:22 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-02 03:53 . 2009-07-02 03:53 -------- d-----w- c:\documents and settings\You\Local Settings\Application Data\Identities
2009-07-01 00:39 . 2008-05-09 19:15 45376 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-01 00:39 . 2008-01-22 00:11 22336 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-01 00:39 . 2009-07-02 00:44 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-01 00:39 . 2009-07-01 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-30 02:06 . 2009-06-30 02:06 -------- d-s---w- c:\documents and settings\Forrest Verde\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-22 03:56 . 2009-04-22 15:11 -------- d-----w- c:\documents and settings\Forrest Verde\Application Data\tor
2009-07-21 16:56 . 2009-04-22 15:10 -------- d-----w- c:\documents and settings\Forrest Verde\Application Data\Vidalia
2009-07-18 02:39 . 2009-03-01 06:30 -------- d-----w- c:\program files\Google
2009-07-09 12:47 . 2009-06-04 05:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 23:45 . 2009-03-10 16:40 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-17 18:27 . 2009-06-04 05:32 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2009-06-04 05:32 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-13 01:17 . 2009-03-09 18:04 350616 ----a-w- c:\documents and settings\You\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-10 23:49 . 2009-03-08 19:56 -------- d-----w- c:\documents and settings\Forrest Verde\Application Data\Apple Computer
2009-06-10 23:48 . 2009-06-10 23:48 -------- d-----w- c:\program files\iTunes
2009-06-10 23:48 . 2009-06-10 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-10 23:48 . 2009-06-10 23:48 -------- d-----w- c:\program files\iPod
2009-06-10 23:48 . 2009-06-10 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-10 23:47 . 2009-06-10 23:47 -------- d-----w- c:\program files\Bonjour
2009-06-10 23:47 . 2009-06-10 23:47 -------- d-----w- c:\program files\Common Files\Apple
2009-06-10 23:43 . 2009-06-10 23:43 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-10 23:37 . 2003-12-02 20:37 -------- d-----w- c:\program files\QuickTime
2009-06-04 12:40 . 2009-06-04 12:40 -------- d-----w- c:\program files\CoffeeCup Software
2009-06-04 05:32 . 2009-06-04 05:32 -------- d-----w- c:\documents and settings\Forrest Verde\Application Data\Malwarebytes
2009-06-04 05:32 . 2009-06-04 05:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-02 18:34 . 2009-06-02 18:34 -------- d-----w- c:\program files\Photo Story 3 for Windows
2009-06-01 13:11 . 2009-06-01 13:11 -------- d-----w- c:\program files\Mapedit
2009-05-31 00:45 . 2009-04-12 15:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-30 01:09 . 2009-04-12 15:57 -------- d-----w- c:\program files\Norton Security Scan
2009-05-22 22:43 . 2009-03-01 08:11 350616 ----a-w- c:\documents and settings\Forrest Verde\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-20 10:40 . 2009-05-20 10:40 576184 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-07 15:44 . 2003-12-02 00:28 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2006-06-23 19:33 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-13 04:59 . 2009-03-01 06:48 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

------- Sigcheck -------

[-] 2004-08-04 05:59 1032704 8B8FF3B86D4ABDBD01AE7F4AD9A729E8 c:\windows\explorer.exe
[7] 2003-08-15 00:12 1005056 24A1AEB6D564CB06904499DC90A9F937 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[-] 2004-08-04 05:59 1032704 8B8FF3B86D4ABDBD01AE7F4AD9A729E8 c:\windows\system32\dllcache\explorer.exe


[-] 2003-03-31 12:00 23424 1E7F78C2FC393356CD884C6FDE7966F9 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[7] 2004-08-04 05:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\ServicePackFiles\i386\kbdclass.sys
[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\kbdclass.sys
[-] 2004-08-04 05:59 24704 8DA2123636964A352630C1A7518F3D6A c:\windows\system32\dllcache\kbdclass.sys
[-] 2004-08-04 05:59 24704 8DA2123636964A352630C1A7518F3D6A c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-12-10 02:40 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-10 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-10 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPCheckoutOverlay]
@="{80E008A4-EAE7-4867-AEB0-1A245F070F25}"
[HKEY_CLASSES_ROOT\CLSID\{80E008A4-EAE7-4867-AEB0-1A245F070F25}]
2009-06-29 18:38 827392 ----a-w- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPSyncdOverlay]
@="{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}"
[HKEY_CLASSES_ROOT\CLSID\{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}]
2009-06-29 18:38 827392 ----a-w- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPUpdateOverlay]
@="{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}"
[HKEY_CLASSES_ROOT\CLSID\{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}]
2009-06-29 18:38 827392 ----a-w- c:\program files\Perforce\p4exp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2009-01-21 4033618]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 335872]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-24 1409024]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-19 4841472]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-10 169328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-23 88363]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-16 1818624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-10-2 57344]
Remocon Driver.lnk - c:\program files\sony\usbsircs\usbsircs.exe [2009-2-28 229376]
Timer Recording Manager.lnk - c:\program files\Sony\Giga Pocket\ReserveModule.exe [2009-2-28 262144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-1-14 525664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Giga Pocket\\gps.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\Explorer.EXE"=

R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [3/1/2009 1:10 AM 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [3/1/2009 1:11 AM 234888]
S2 gupdate1c9baffdea06450;Google Update Service (gupdate1c9baffdea06450);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2009 4:47 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-11 23:47]

2009-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-11 23:47]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CmPCIaudio - CMICNFG3.cpl


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.staticfiends.com/
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1/hidden
uInternet Settings,ProxyOverride = *.local
IE: &Google Search
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Forrest Verde\Application Data\Mozilla\Firefox\Profiles\4axr0vr4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\extensions\npmozax@real.com\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

pref(dom.disable_open_during_load, false);.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-21 20:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\comctl32.dll:_rc_db_5.1.2600 62464 bytes executable
c:\windows\system32\comctl32.dll:_rc_db_sec_obj 203264 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3340)
c:\program files\Perforce\p4exp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Sony\Giga Pocket\shwserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Sony\Giga Pocket\RM_SV.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Sony\Giga Pocket\gps.exe
c:\program files\Vidalia Bundle\Tor\tor.exe
.
**************************************************************************
.
Completion time: 2009-07-22 20:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-22 03:59

Pre-Run: 22,478,352,384 bytes free
Post-Run: 22,550,491,136 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

285

#9 thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:11:22 AM

Posted 22 July 2009 - 05:37 PM

I need for you to check some files:

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
c:\windows\system32\dllcache\d1.dat
Click Submit.
Do the same for c:\windows\system32\dllcache\p1.dat

Please post the results of this scan to this thread.


Alternate site if Jotti's doesn't work or is too busy

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
c:\windows\system32\dllcache\d1.dat
Click Send.
Do the same for c:\windows\system32\dllcache\p1.dat


Please post the results of this scan to this thread.

#10 freedom lover

  • Topic Starter
  • Members
  • 53 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 22 July 2009 - 08:57 PM

c:\windows\system32\dllcache\d1.dat

Jotti's malware scan
Filename: d1.dat
Status:
Scan finished. 8 out of 21 scanners reported malware.


Additional info
File size: 70656 bytes
Filetype: Unknown
MD5: d2d6d756e59439102b53827d17903f60
SHA1: 7b9701dff41bab5d7415f6e1aa86634098f2cd3a
Packer (Drweb): XOREXE
Packer (Kaspersky): PE-Crypt.XorPE


Scanners
[ArcaVir]
2009-07-22 Found nothing
[G DATA]
2009-07-23 Trojan.Generic.787288
[A-Squared]
2009-07-23 Found nothing
[Ikarus]
2009-07-23 Found nothing
[Avast! antivirus]
2009-07-22 Found nothing
[Kaspersky Anti-Virus]
2009-07-23 Rootkit.Win32.Agent.mau
[Grisoft AVG Anti-Virus]
2009-07-22 Found nothing
[ESET NOD32]
2009-07-22 Found nothing
[Avira AntiVir]
2009-07-22 Found nothing
[Norman Virus Control]
2009-07-22 Found nothing
[Softwin BitDefender]
2009-07-23 Trojan.Generic.787288
[Panda Antivirus]
2009-07-22 Found nothing
[ClamAV]
2009-07-22 Found nothing
[Quick Heal]
2009-07-22 Found nothing
[CPsecure]
2009-07-23 Rootkit.W32.Agent.mau
[Sophos]
2009-07-23 Sus/Behav-1021
[Dr.Web]
2009-07-23 Trojan.Proxy.3908
[VirusBlokAda VBA32]
2009-07-22 Win32.TrojanProxy.Agent.NFB
[Frisk F-Prot Antivirus]
2009-07-22 Found nothing
[VirusBuster]
2009-07-22 Found nothing
[F-Secure Anti-Virus]
2009-07-23 Rootkit.Win32.Agent.mau

-------

c:\windows\system32\dllcache\p1.dat

Jotti's malware scan
Filename: p1.dat
Status:
Scan finished. 8 out of 21 scanners reported malware.

Additional info
File size: 62464 bytes
Filetype: Unknown
MD5: 2b18d007d2ccd7c1e2428c5cfca2e8f4
SHA1: 69d39dc47d4aa137052587f94458f95dff5ae31a
Packer (Drweb): XOREXE, UPX
Packer (Kaspersky): PE-Crypt.XorPE, PE_Patch.UPX, UPX


Scanners
[ArcaVir]
2009-07-22 Found nothing
[G DATA]
2009-07-23 Gen:Trojan.Heur.300C6DECEC
[A-Squared]
2009-07-23 Found nothing
[Ikarus]
2009-07-23 Found nothing
[Avast! antivirus]
2009-07-22 Found nothing
[Kaspersky Anti-Virus]
2009-07-23 Found nothing
[Grisoft AVG Anti-Virus]
2009-07-22 Found nothing
[ESET NOD32]
2009-07-22 Found nothing
[Avira AntiVir]
2009-07-22 TR/Spy.Gen
[Norman Virus Control]
2009-07-22 Found nothing
[Softwin BitDefender]
2009-07-23 Gen:Trojan.Heur.300C6DECEC
[Panda Antivirus]
2009-07-22 W32/Xor-encoded.A
[ClamAV]
2009-07-22 Found nothing
[Quick Heal]
2009-07-22 Found nothing
[CPsecure]
2009-07-23 Found nothing
[Sophos]
2009-07-23 Mal/Behav-181
[Dr.Web]
2009-07-23 Trojan.Siggen.2999
[VirusBlokAda VBA32]
2009-07-22 Backdoor.Win32.Agent.aggu
[Frisk F-Prot Antivirus]
2009-07-22 W32/Backdoor2.ETQG
[VirusBuster]
2009-07-22 Found nothing
[F-Secure Anti-Virus]
2009-07-23 Found nothing

#11 thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:11:22 AM

Posted 22 July 2009 - 09:33 PM

Here's the next thing:


Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\dllcache\d1.dat
c:\windows\system32\dllcache\p1.dat
c:\windows\system32\dllcache\e1.dat
c:\windows\system32\dllcache\1152115159
FCopy::
c:\windows\$NtServicePackUninstall$\explorer.exe | c:\windows\explorer.exe
c:\windows\$NtServicePackUninstall$\explorer.exe | c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
c:\windows\$NtServicePackUninstall$\explorer.exe | c:\windows\system32\dllcache\explorer.exe
c:\windows\ServicePackFiles\i386\kbdclass.sys | c:\windows\$NtServicePackUninstall$\kbdclass.sys
c:\windows\ServicePackFiles\i386\kbdclass.sys | c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\kbdclass.sys
c:\windows\ServicePackFiles\i386\kbdclass.sys | c:\windows\system32\dllcache\kbdclass.sys
c:\windows\ServicePackFiles\i386\kbdclass.sys | c:\windows\system32\drivers\kbdclass.sys
FixCSet::


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#12 freedom lover

  • Topic Starter
  • Members
  • 53 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 22 July 2009 - 11:43 PM

:)

I did exactly as requested...and when ComboFix restarted my computer it starts, but when Windows loads, all it loads is the wallpaper/background...that's it...every time it loads, it freezes at the wallpaper image...even in safe mode!!!

#13 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:22 AM

Posted 23 July 2009 - 04:28 PM

I am checking on this. Will be back just as quick as I can.

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:22 AM

Posted 23 July 2009 - 05:34 PM

We are going to try going back to the Last Known Good Configuration. These are the instructions from Microsoft.


You'll want to do this like you do when you are going into Safe Mode.

To start your computer by using the Last Known Good Configuration feature, follow these steps:

1. Start your computer.
2. When you see the "Please select the operating system to start" message, press the F8 key.
3. When the Windows Advanced Options menu appears, use the ARROW keys to select Last Known Good Configuration (your most recent settings that worked), and then press ENTER.
4. If you are running other operating systems on your computer, use the ARROW keys to select Microsoft Windows XP, and then press ENTER.


Link

If this works depending on where it boots to you could start experiencing problems like you had before we ran CF. If it does we'll deal with that.

#15 freedom lover

freedom lover
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:08:22 AM

Posted 23 July 2009 - 10:49 PM

We are going to try going back to the Last Known Good Configuration.



the same problem is taking place...just the wallpaper comes up...

:thumbup2:



