Redirecting browser or searches hijacked


This topic is locked
16 replies to this topic

#1 eddsup

  • Members

Posted 18 July 2009 - 09:07 AM

Hi, I'm really hoping you can help me please.

The other day I first had the Windows Security Centre virus, which I've removed with Malwarebytes', and this has worked.

I don't know if it's connected, but now when using any internet search engine (Google, Ask, etc.), clicking on one of the displayed results redirects me to a completely different website every time, mostly trying to sell or list the best Malware programs.

I have looked through other topics, but I get the impression it's best to start your own because your circumstances may be unique. I hope this is the right thing to do. In advance, THANK YOU for your help.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Liam Parker at 14:55:55.01 on 18/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.488 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\3 Mobile Broadband\3Connect\AutoUpdateSrv.exe
C:\Program Files\3 Mobile Broadband\3Connect\WilogApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Liam Parker\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247231159468
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1247231135406
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {E6EB2724-330B-463F-BCCA-EF99C0A7683D} = 141.1.1.1 195.27.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-9 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-9 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-9 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-9 298776]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [2009-7-11 10240]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2008-6-24 11264]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-5-17 36864]
RUnknown mxjsbacp;mxjsbacp; [x]
S3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [2008-5-21 25088]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-8-22 7680]

=============== Created Last 30 ================

2009-07-17 18:08 <DIR> --d----- c:\docume~1\liampa~1\applic~1\Malwarebytes
2009-07-17 18:08 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-17 18:08 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-17 18:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-17 18:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-17 16:34 <DIR> --d----- c:\program files\uTorrent
2009-07-17 16:34 <DIR> --d----- c:\docume~1\liampa~1\applic~1\uTorrent
2009-07-15 10:37 244 a---h--- C:\sqmnoopt19.sqm
2009-07-15 10:37 232 a---h--- C:\sqmdata19.sqm
2009-07-14 20:27 244 a---h--- C:\sqmnoopt18.sqm
2009-07-14 20:27 232 a---h--- C:\sqmdata18.sqm
2009-07-14 06:45 244 a---h--- C:\sqmnoopt17.sqm
2009-07-14 06:45 232 a---h--- C:\sqmdata17.sqm
2009-07-14 06:21 244 a---h--- C:\sqmnoopt16.sqm
2009-07-14 06:21 232 a---h--- C:\sqmdata16.sqm
2009-07-14 06:16 244 a---h--- C:\sqmnoopt15.sqm
2009-07-14 06:16 232 a---h--- C:\sqmdata15.sqm
2009-07-14 06:09 244 a---h--- C:\sqmnoopt14.sqm
2009-07-14 06:09 232 a---h--- C:\sqmdata14.sqm
2009-07-13 13:48 244 a---h--- C:\sqmnoopt13.sqm
2009-07-13 13:48 232 a---h--- C:\sqmdata13.sqm
2009-07-11 16:22 244 a---h--- C:\sqmnoopt12.sqm
2009-07-11 16:22 232 a---h--- C:\sqmdata12.sqm
2009-07-11 15:59 244 a---h--- C:\sqmnoopt11.sqm
2009-07-11 15:59 232 a---h--- C:\sqmdata11.sqm
2009-07-11 13:07 244 a---h--- C:\sqmnoopt10.sqm
2009-07-11 13:07 232 a---h--- C:\sqmdata10.sqm
2009-07-11 12:52 244 a---h--- C:\sqmnoopt09.sqm
2009-07-11 12:52 232 a---h--- C:\sqmdata09.sqm
2009-07-11 12:50 244 a---h--- C:\sqmnoopt08.sqm
2009-07-11 12:50 232 a---h--- C:\sqmdata08.sqm
2009-07-11 12:49 244 a---h--- C:\sqmnoopt07.sqm
2009-07-11 12:49 232 a---h--- C:\sqmdata07.sqm
2009-07-11 12:38 <DIR> --d----- c:\docume~1\liampa~1\applic~1\Birdstep Technology
2009-07-11 12:37 621,056 a------- c:\windows\system32\drivers\mod7700.sys
2009-07-11 12:37 113,664 a------- c:\windows\system32\drivers\ewusbnet.sys
2009-07-11 12:37 102,656 a------- c:\windows\system32\drivers\ewusbfake.sys
2009-07-11 12:37 102,400 a------- c:\windows\system32\drivers\ewusbmdm.sys
2009-07-11 12:37 24,448 a------- c:\windows\system32\drivers\ewdcsc.sys
2009-07-11 12:37 70,671 a------- c:\windows\Huawei ModemsUninstall.exe
2009-07-11 12:37 <DIR> --d----- c:\program files\Huawei Modems
2009-07-11 12:37 10,240 -------- c:\windows\system32\drivers\mdvrmng.sys
2009-07-11 12:36 <DIR> --d----- c:\program files\3 Mobile Broadband
2009-07-11 12:17 <DIR> --d----- c:\windows\ie8updates
2009-07-10 23:01 244 a---h--- C:\sqmnoopt06.sqm
2009-07-10 23:01 232 a---h--- C:\sqmdata06.sqm
2009-07-10 22:54 244 a---h--- C:\sqmnoopt05.sqm
2009-07-10 22:54 232 a---h--- C:\sqmdata05.sqm
2009-07-10 22:21 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-10 22:21 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-10 22:21 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-07-10 22:21 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-07-10 21:08 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-10 21:03 <DIR> --d----- c:\program files\MSXML 4.0
2009-07-10 19:07 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2009-07-10 18:25 268,648 a------- c:\windows\system32\mucltui.dll
2009-07-10 18:25 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-07-10 16:55 244 a---h--- C:\sqmnoopt04.sqm
2009-07-10 16:55 232 a---h--- C:\sqmdata04.sqm
2009-07-10 15:58 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-07-10 15:35 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-10 15:35 2,189,056 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-10 15:35 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-10 15:27 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-07-10 15:09 <DIR> --dsh--- c:\documents and settings\liam parker\IECompatCache
2009-07-10 15:09 <DIR> --dsh--- c:\documents and settings\liam parker\PrivacIE
2009-07-10 15:04 <DIR> --dsh--- c:\documents and settings\liam parker\IETldCache
2009-07-10 15:01 <DIR> -cd-h--- c:\windows\ie8
2009-07-10 14:37 <DIR> --d----- c:\windows\system32\PreInstall
2009-07-10 14:37 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-07-10 14:07 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-07-10 13:21 32,768 -------- c:\windows\system32\IJRMF.exe
2009-07-10 13:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Birdstep Technology
2009-07-10 12:59 <DIR> --d----- c:\program files\ZTE_MF6X6_USB_MODEM_1.2050.0.6
2009-07-10 12:59 <DIR> --d----- c:\program files\3
2009-07-02 23:02 <DIR> --d----- C:\ConvertTemp
2009-06-18 15:00 244 a---h--- C:\sqmnoopt03.sqm
2009-06-18 15:00 232 a---h--- C:\sqmdata03.sqm

==================== Find3M ====================

2009-07-14 10:42 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-14 10:41 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-17 22:58 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-20 18:40 628 a------- c:\docume~1\liampa~1\applic~1\wklnhst.dat
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-03 14:52 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-27 19:49 98,304 a------- c:\windows\system32\CmdLineExt.dll
2008-05-07 09:34 15,523,560 a------- c:\program files\U1 Setup.exe

============= FINISH: 14:59:25.87 ===============



Edited by eddsup, 18 July 2009 - 01:45 PM.




#2 thcbytes

  • Malware Response Team

Posted 28 July 2009 - 08:41 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 eddsup

  • Topic Starter
  • Members

Posted 28 July 2009 - 08:57 AM

Hiya, thank you so much for replying; no apology needed for the delay, I understand.

Thank you in advance for your help.

I originally had the Windows Security Centre virus, which I removed with Malwarebytes with the help of your Spyware Removal section.

I'm not sure if it's connected, but soon after that nearly 80% of searches performed using any search engine are redirected to something completely different.

Sometimes my Windows Firewall will turn itself off and Windows Defrag will not work.

Thank you again for your help.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Liam Parker at 14:46:12.54 on 28/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.430 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\TEMP\gnftcvskik.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\3 Mobile Broadband\3Connect\AutoUpdateSrv.exe
C:\Program Files\3 Mobile Broadband\3Connect\WilogApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\TEMP\gnftcvskik.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Liam Parker\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247231159468
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1247231135406
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {E6EB2724-330B-463F-BCCA-EF99C0A7683D} = 141.1.1.1 195.27.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R?2 AlerterALG;Alerter AlerterALG;c:\windows\temp\gnftcvskik.exe service --> c:\windows\temp\gnftcvskik.exe service [?]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-9 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-9 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-9 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-9 298776]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [2009-7-11 10240]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2008-6-24 11264]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-5-17 36864]
S2 NlaERSvc;Network Location Awareness (NLA) NlaERSvc;c:\windows\temp\gbwkdevwgd.exe srv --> c:\windows\temp\gbwkdevwgd.exe srv [?]
S3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [2008-5-21 25088]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-8-22 7680]

=============== Created Last 30 ================

2009-07-21 00:36 32 a--s---- c:\windows\system32\970969472.dat
2009-07-21 00:36 59,904 ---shr-- c:\windows\system32\acleditz.exe
2009-07-17 18:08 <DIR> --d----- c:\docume~1\liampa~1\applic~1\Malwarebytes
2009-07-17 18:08 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-17 18:08 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-17 18:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-17 18:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-15 10:37 244 a---h--- C:\sqmnoopt19.sqm
2009-07-15 10:37 232 a---h--- C:\sqmdata19.sqm
2009-07-14 20:27 244 a---h--- C:\sqmnoopt18.sqm
2009-07-14 20:27 232 a---h--- C:\sqmdata18.sqm
2009-07-14 06:45 244 a---h--- C:\sqmnoopt17.sqm
2009-07-14 06:45 232 a---h--- C:\sqmdata17.sqm
2009-07-14 06:21 244 a---h--- C:\sqmnoopt16.sqm
2009-07-14 06:21 232 a---h--- C:\sqmdata16.sqm
2009-07-14 06:16 244 a---h--- C:\sqmnoopt15.sqm
2009-07-14 06:16 232 a---h--- C:\sqmdata15.sqm
2009-07-14 06:09 244 a---h--- C:\sqmnoopt14.sqm
2009-07-14 06:09 232 a---h--- C:\sqmdata14.sqm
2009-07-13 13:48 244 a---h--- C:\sqmnoopt13.sqm
2009-07-13 13:48 232 a---h--- C:\sqmdata13.sqm
2009-07-11 16:22 244 a---h--- C:\sqmnoopt12.sqm
2009-07-11 16:22 232 a---h--- C:\sqmdata12.sqm
2009-07-11 15:59 244 a---h--- C:\sqmnoopt11.sqm
2009-07-11 15:59 232 a---h--- C:\sqmdata11.sqm
2009-07-11 13:07 244 a---h--- C:\sqmnoopt10.sqm
2009-07-11 13:07 232 a---h--- C:\sqmdata10.sqm
2009-07-11 12:52 244 a---h--- C:\sqmnoopt09.sqm
2009-07-11 12:52 232 a---h--- C:\sqmdata09.sqm
2009-07-11 12:50 244 a---h--- C:\sqmnoopt08.sqm
2009-07-11 12:50 232 a---h--- C:\sqmdata08.sqm
2009-07-11 12:49 244 a---h--- C:\sqmnoopt07.sqm
2009-07-11 12:49 232 a---h--- C:\sqmdata07.sqm
2009-07-11 12:38 <DIR> --d----- c:\docume~1\liampa~1\applic~1\Birdstep Technology
2009-07-11 12:37 621,056 a------- c:\windows\system32\drivers\mod7700.sys
2009-07-11 12:37 113,664 a------- c:\windows\system32\drivers\ewusbnet.sys
2009-07-11 12:37 102,656 a------- c:\windows\system32\drivers\ewusbfake.sys
2009-07-11 12:37 102,400 a------- c:\windows\system32\drivers\ewusbmdm.sys
2009-07-11 12:37 24,448 a------- c:\windows\system32\drivers\ewdcsc.sys
2009-07-11 12:37 70,671 a------- c:\windows\Huawei ModemsUninstall.exe
2009-07-11 12:37 <DIR> --d----- c:\program files\Huawei Modems
2009-07-11 12:37 10,240 -------- c:\windows\system32\drivers\mdvrmng.sys
2009-07-11 12:36 <DIR> --d----- c:\program files\3 Mobile Broadband
2009-07-11 12:17 <DIR> --d----- c:\windows\ie8updates
2009-07-10 23:01 244 a---h--- C:\sqmnoopt06.sqm
2009-07-10 23:01 232 a---h--- C:\sqmdata06.sqm
2009-07-10 22:54 244 a---h--- C:\sqmnoopt05.sqm
2009-07-10 22:54 232 a---h--- C:\sqmdata05.sqm
2009-07-10 22:21 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-10 22:21 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-10 22:21 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-07-10 22:21 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-07-10 21:08 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-10 21:03 <DIR> --d----- c:\program files\MSXML 4.0
2009-07-10 19:07 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2009-07-10 18:25 268,648 a------- c:\windows\system32\mucltui.dll
2009-07-10 18:25 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-07-10 16:55 244 a---h--- C:\sqmnoopt04.sqm
2009-07-10 16:55 232 a---h--- C:\sqmdata04.sqm
2009-07-10 15:58 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-07-10 15:35 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-10 15:35 2,189,056 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-10 15:35 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-10 15:27 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-07-10 15:09 <DIR> --dsh--- c:\documents and settings\liam parker\IECompatCache
2009-07-10 15:09 <DIR> --dsh--- c:\documents and settings\liam parker\PrivacIE
2009-07-10 15:04 <DIR> --dsh--- c:\documents and settings\liam parker\IETldCache
2009-07-10 15:01 <DIR> -cd-h--- c:\windows\ie8
2009-07-10 14:37 <DIR> --d----- c:\windows\system32\PreInstall
2009-07-10 14:37 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-07-10 14:07 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-07-10 13:21 32,768 -------- c:\windows\system32\IJRMF.exe
2009-07-10 13:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Birdstep Technology
2009-07-10 12:59 <DIR> --d----- c:\program files\ZTE_MF6X6_USB_MODEM_1.2050.0.6
2009-07-10 12:59 <DIR> --d----- c:\program files\3
2009-07-02 23:02 <DIR> --d----- C:\ConvertTemp

==================== Find3M ====================

2009-07-14 10:42 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-14 10:41 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-17 22:58 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-20 18:40 628 a------- c:\docume~1\liampa~1\applic~1\wklnhst.dat
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-03 14:52 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-05-07 09:34 15,523,560 a------- c:\program files\U1 Setup.exe

============= FINISH: 14:52:21.50 ===============
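Compared with the first log, this second DDS run shows a second Userinit entry (sdra64.exe) and two services whose images sit in c:\windows\temp, which is what the responder means by "uninvited guests". The Python below is an added triage helper for exactly those DDS sections; it is not part of this thread, of DDS or of any BleepingComputer tool, its input is a constructed excerpt of the log above, and the heuristics and severity labels are my own.

```python
"""Triage helper for a DDS log (an added example for this thread, not part
of DDS or any BleepingComputer tool).  It flags what the responders react
to in the log above: extra Userinit entries, binaries running or registered
as services from the Windows TEMP folder, unresolved service images ('[?]'
or '[x]') and orphaned BHOs ('No File').  Heuristics and severities are my own."""
import re
from dataclasses import dataclass

STOCK_USERINIT = r"c:\windows\system32\userinit.exe"
TEMP_DIR_RE = re.compile(r"\\windows\\temp\\", re.I)
# "R?2 Name;Description;image path [date size]" or "RUnknown Name;Name; [x]"
SERVICE_RE = re.compile(r"^(R\??\d|S\d|RUnknown)\s+([^;]+);([^;]*);(.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    kind: str
    detail: str


def split_sections(text):
    """Map each '=== Title ===' header of a DDS log to its non-blank lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        header = re.match(r"^=+\s*(.+?)\s*=+$", raw)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None and raw.strip():
            sections[current].append(raw.strip())
    return sections


def check_process(line):
    """A process image under the Windows TEMP folder is worth a close look."""
    return [Finding("high", "temp-process", line)] if TEMP_DIR_RE.search(line) else []


def check_userinit(line):
    """Every Userinit entry besides the stock one is launched at each logon."""
    value = line.split("Userinit=", 1)[1]
    extras = [p for p in value.split(",") if p and p.lower() != STOCK_USERINIT]
    return [Finding("high", "userinit", p) for p in extras]


def check_bho(line):
    """A BHO whose DLL is gone is usually a leftover, so only low severity."""
    if line.startswith("BHO:") and line.endswith("No File"):
        return [Finding("low", "orphan-bho", line)]
    return []


def check_service(line):
    """Services pointing into TEMP rank above ones DDS merely could not resolve."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    name, path = m.group(2), m.group(4).strip()
    if TEMP_DIR_RE.search(path):
        return [Finding("high", "temp-service", f"{name}: {path}")]
    if path.endswith(("[?]", "[x]")):
        return [Finding("medium", "unresolved-service", f"{name}: {path}")]
    return []


def triage(text):
    """Return all findings for one DDS log, highest severity first."""
    sections = split_sections(text)
    findings = []
    for line in sections.get("Running Processes", []):
        findings += check_process(line)
    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith("mWinlogon: Userinit="):
            findings += check_userinit(line)
        findings += check_bho(line)
    for line in sections.get("SERVICES / DRIVERS", []):
        findings += check_service(line)
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f.severity])


# Constructed excerpt: lines taken from the second DDS log in this thread plus
# the RUnknown line from the first; it is not a complete log.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\TEMP\gnftcvskik.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
============== Pseudo HJT Report ===============
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
============= SERVICES / DRIVERS ===============
R?2 AlerterALG;Alerter AlerterALG;c:\windows\temp\gnftcvskik.exe service --> c:\windows\temp\gnftcvskik.exe service [?]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-9 327688]
RUnknown mxjsbacp;mxjsbacp; [x]
S2 NlaERSvc;Network Location Awareness (NLA) NlaERSvc;c:\windows\temp\gbwkdevwgd.exe srv --> c:\windows\temp\gbwkdevwgd.exe srv [?]
============= FINISH: 14:52:21.50 ===============
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:18} {f.detail}")
```

Run against the full text of a DDS log, the script reports the four high-severity entries a responder would act on first and leaves the ordinary AVG, ASUS and Java entries alone.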




#4 m0le

  • Malware Response Team

Posted 30 July 2009 - 07:13 PM

Hi eddsup,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

I will be back soon with the first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 July 2009 - 07:22 PM

Let's try and remove the redirects for you.

There are a few uninvited guests on the logs.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Then

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks :thumbup2:

#6 eddsup

eddsup
  • Topic Starter

  • Members
  • 10 posts

Posted 02 August 2009 - 06:11 AM

Hiya,

I would still like your help please. Thank you. I'm away from my PC at the moment on holiday and I should be back on Tuesday to go through what you have said. Thank you.

#7 eddsup

eddsup
  • Topic Starter

  • Members
  • 10 posts

Posted 03 August 2009 - 11:59 AM

While running Combo Fix it came up with this window and said to mention it.

'Combo Fix has detected the presence of rootkit activity and needs to reboot the machine'

C:\WINDOWS\system32\sdra64.exe

COMBO FIX LOG

ComboFix 09-08-02.04 - Liam Parker 03/08/2009 16:59.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.689 [GMT 1:00]
Running from: c:\documents and settings\Liam Parker\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1702280784-662691950-4043198955-1003
c:\recycler\S-1-5-21-2684140027-3040661829-210546423-1003
c:\recycler\S-1-5-21-3816753149-1207111628-141548857-1003
c:\recycler\S-1-5-21-57989841-2000478354-1547161642-1003
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
.

2009-07-29 12:45 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 12:45 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-25 11:40 . 2009-07-25 11:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Birdstep Technology
2009-07-25 11:40 . 2009-07-25 11:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-07-20 23:36 . 2009-07-20 23:36 32 --s-a-w- c:\windows\system32\970969472.dat
2009-07-20 23:36 . 2009-07-20 23:36 59904 --sh--r- c:\windows\system32\acleditz.exe
2009-07-19 21:14 . 2009-07-19 21:14 -------- d-----w- c:\program files\QuickTime
2009-07-19 21:13 . 2009-07-19 21:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple Computer
2009-07-19 21:13 . 2009-07-19 21:13 -------- d-----w- c:\documents and settings\Liam Parker\Local Settings\Application Data\Apple
2009-07-19 21:13 . 2009-07-19 21:13 -------- d-----w- c:\program files\Apple Software Update
2009-07-19 21:13 . 2009-07-19 21:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple
2009-07-19 21:12 . 2009-07-19 21:12 -------- d-----w- c:\documents and settings\Liam Parker\Local Settings\Application Data\Apple Computer
2009-07-17 18:27 . 2009-07-17 18:27 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-17 17:08 . 2009-07-17 17:08 -------- d-----w- c:\documents and settings\Liam Parker\Application Data\Malwarebytes
2009-07-17 17:08 . 2009-07-13 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-17 17:08 . 2009-07-17 17:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-17 17:08 . 2009-07-17 17:08 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-17 17:08 . 2009-07-13 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 16:30 . 2009-07-17 16:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-11 11:38 . 2009-07-11 11:38 -------- d-----w- c:\documents and settings\Liam Parker\Application Data\Birdstep Technology
2009-07-11 11:37 . 2009-02-13 07:19 621056 ----a-w- c:\windows\system32\drivers\mod7700.sys
2009-07-11 11:37 . 2009-02-13 07:19 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2009-07-11 11:37 . 2009-02-13 07:19 113664 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2009-07-11 11:37 . 2009-02-13 07:19 102656 ----a-w- c:\windows\system32\drivers\ewusbfake.sys
2009-07-11 11:37 . 2009-02-13 07:19 102400 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2009-07-11 11:37 . 2009-07-11 11:37 -------- d-----w- c:\program files\Huawei Modems
2009-07-11 11:37 . 2009-07-11 11:37 70671 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2009-07-11 11:37 . 2007-05-28 16:00 10240 ------w- c:\windows\system32\drivers\mdvrmng.sys
2009-07-11 11:36 . 2009-07-11 11:36 -------- d-----w- c:\program files\3 Mobile Broadband
2009-07-11 11:17 . 2009-07-11 11:17 -------- d-----w- c:\windows\ie8updates
2009-07-11 00:04 . 2009-07-11 00:04 -------- d-----w- c:\windows\Sun
2009-07-10 21:21 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-10 21:21 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-10 21:21 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-07-10 21:21 . 2009-07-19 17:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-07-10 21:19 . 2009-07-10 21:19 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-10 20:08 . 2009-07-10 20:08 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-10 20:03 . 2009-07-10 20:03 -------- d-----w- c:\program files\MSXML 4.0
2009-07-10 18:07 . 2009-07-28 17:25 -------- d-----w- c:\documents and settings\Liam Parker\Application Data\skypePM
2009-07-10 17:25 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-10 14:58 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-10 14:35 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-10 14:35 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-10 14:35 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-10 14:27 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-10 14:09 . 2009-07-10 14:09 -------- d-sh--w- c:\documents and settings\Liam Parker\IECompatCache
2009-07-10 14:09 . 2009-07-10 14:09 -------- d-sh--w- c:\documents and settings\Liam Parker\PrivacIE
2009-07-10 14:04 . 2009-07-10 14:04 -------- d-sh--w- c:\documents and settings\Liam Parker\IETldCache
2009-07-10 14:01 . 2009-07-10 14:02 -------- dc-h--w- c:\windows\ie8
2009-07-10 13:37 . 2009-01-07 17:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-07-10 12:21 . 2006-03-29 14:05 32768 ------w- c:\windows\system32\IJRMF.exe
2009-07-10 12:00 . 2009-07-11 11:32 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Birdstep Technology
2009-07-10 11:59 . 2009-07-10 12:00 -------- d-----w- c:\program files\ZTE_MF6X6_USB_MODEM_1.2050.0.6
2009-07-10 11:59 . 2009-07-10 11:59 -------- d-----w- c:\program files\3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-29 22:11 . 2009-04-27 23:35 -------- d-----w- c:\documents and settings\Liam Parker\Application Data\Skype
2009-07-20 18:29 . 2008-06-24 13:07 -------- d-----w- c:\program files\Windows Live Toolbar
2009-07-14 09:42 . 2009-04-09 18:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-14 09:41 . 2009-04-09 18:24 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-14 09:41 . 2009-04-09 18:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-11 11:36 . 2008-06-24 12:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-11 11:23 . 2009-05-03 13:49 -------- d-----w- c:\documents and settings\Liam Parker\Application Data\Samsung
2009-07-10 20:06 . 2008-06-24 13:05 -------- d-----w- c:\program files\Windows Live
2009-07-10 18:07 . 2009-07-10 18:07 32 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\ezsid.dat
2009-07-10 12:22 . 2009-06-13 21:24 -------- d-----w- c:\program files\Canon
2009-07-03 17:09 . 2008-04-25 05:06 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-17 21:58 . 2009-04-09 18:24 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-16 14:36 . 2008-04-25 05:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-04-25 05:04 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-13 22:35 . 2009-06-13 22:35 -------- d-----w- c:\documents and settings\Liam Parker\Application Data\Media Player Classic
2009-06-13 22:34 . 2009-06-13 22:34 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-06-13 22:20 . 2009-06-13 22:20 -------- d-----w- c:\program files\DivX
2009-06-13 21:45 . 2009-04-16 16:57 39944 ----a-w- c:\documents and settings\Liam Parker\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 21:28 . 2009-06-13 21:28 -------- d--h--w- c:\docume~1\ALLUSE~1\APPLIC~1\CanonBJ
2009-06-13 21:28 . 2009-06-13 21:28 -------- d--h--w- c:\program files\CanonBJ
2009-06-13 20:53 . 2009-06-13 20:53 -------- d-----w- c:\program files\Ahead
2009-06-13 20:53 . 2009-06-13 20:53 -------- d-----w- c:\program files\Common Files\Ahead
2009-06-13 20:41 . 2008-06-24 13:04 -------- d-----w- c:\program files\Microsoft Works
2009-06-13 20:28 . 2009-06-13 20:28 -------- d-----w- c:\documents and settings\Liam Parker\Application Data\Microsoft Web Folders
2009-06-03 19:09 . 2008-04-25 05:05 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-20 17:40 . 2009-04-16 16:56 628 ----a-w- c:\documents and settings\Liam Parker\Application Data\wklnhst.dat
2009-05-07 15:32 . 2008-04-25 05:04 345600 ----a-w- c:\windows\system32\localspl.dll
2008-05-07 08:34 . 2008-06-24 13:21 15523560 ----a-w- c:\program files\U1 Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 104984]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 121368]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 100888]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-06-03 98304]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-06-03 479232]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-20 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-09 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-14 1948440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-06-13 16871936]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2006-07-21 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\alcwzrd.exe [2006-05-04 2808832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-6-24 294912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-14 09:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/04/2009 19:24 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/04/2009 19:24 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [09/04/2009 19:24 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [09/04/2009 19:24 298776]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [11/07/2009 12:37 10240]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [24/06/2008 13:56 11264]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [17/05/2008 11:19 36864]
S2 AlerterALG;Alerter AlerterALG;c:\windows\TEMP\gnftcvskik.exe service --> c:\windows\TEMP\gnftcvskik.exe service [?]
S2 NlaERSvc;Network Location Awareness (NLA) NlaERSvc;c:\windows\TEMP\gbwkdevwgd.exe srv --> c:\windows\TEMP\gbwkdevwgd.exe srv [?]
S3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [21/05/2008 06:20 25088]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [22/08/2008 19:56 7680]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-03 17:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
geyekrbevpejwc.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrbevpejwc.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(808)
geyekrbevpejwc.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrbevpejwc.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1640)
c:\windows\system32\WININET.dll
geyekrbevpejwc.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrbevpejwc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
.
**************************************************************************
.
Completion time: 2009-08-03 17:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-03 16:25

Pre-Run: 31,471,423,488 bytes free
Post-Run: 31,619,506,176 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

216 --- E O F --- 2009-07-30 13:24


MALWAREBYTES LOG

Malwarebytes' Anti-Malware 1.39
Database version: 2451
Windows 5.1.2600 Service Pack 3

03/08/2009 17:49:58
mbam-log-2009-08-03 (17-49-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 111989
Time elapsed: 13 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AlerterALG (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 August 2009 - 04:21 PM

Hi eddsup,

We need to shift a couple of bad drivers.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
AlerterALG
NlaERSvc

File::
c:\windows\TEMP\gnftcvskik.exe
c:\windows\TEMP\gbwkdevwgd.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
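The two entries this CFScript targets are the services ComboFix listed earlier as S2 AlerterALG and S2 NlaERSvc (image paths under c:\windows\TEMP, ending in the [?] marker ComboFix prints when it cannot stat the file), and the geyekr* DLL shown loaded into winlogon.exe and lsass.exe from a \\?\globalroot path instead of a normal drive path. As an added example, not part of this thread and not ComboFix's own code, the following Python script parses those two sections of a ComboFix log and flags entries with exactly those properties, so a log reviewer can triage them quickly. The sample lines are copied from the log posted above and trimmed; the three heuristics (TEMP-directory image path, [?] marker, globalroot module path) are this example's own assumptions about what merits a second look, not a ComboFix rule.

```python
import re

# Sample input: service lines and the "DLLs Loaded Under Running Processes"
# section, copied from the ComboFix output posted earlier in this thread and
# trimmed to a few entries so the example runs offline.
SAMPLE_SERVICES = r"""R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/04/2009 19:24 327688]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [11/07/2009 12:37 10240]
S2 AlerterALG;Alerter AlerterALG;c:\windows\TEMP\gnftcvskik.exe service --> c:\windows\TEMP\gnftcvskik.exe service [?]
S2 NlaERSvc;Network Location Awareness (NLA) NlaERSvc;c:\windows\TEMP\gbwkdevwgd.exe srv --> c:\windows\TEMP\gbwkdevwgd.exe srv [?]
S3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [21/05/2008 06:20 25088]"""

SAMPLE_DLLS = r"""- - - - - - - > 'winlogon.exe'(748)
geyekrbevpejwc.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrbevpejwc.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(808)
geyekrbevpejwc.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrbevpejwc.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1640)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll"""

# "R2 name;display name;image path [date time size]" or "... [?]"
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s*(\[[^\]]*\])\s*$")
# "- - - - - - - > 'process.exe'(pid)" header inside the DLL section
PROCESS_HEADER_RE = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)")
# module path reported via the object-manager namespace rather than a drive letter
GLOBALROOT_RE = re.compile(r"\\\\\?\\globalroot\S+", re.IGNORECASE)

REASON_TEMP = "image path under a TEMP directory"
REASON_UNKNOWN = "ComboFix could not stat the image file ([?])"


def parse_services(text):
    """Parse ComboFix R<n>/S<n> service lines into dicts (heuristic parser,
    an assumption of this example rather than a documented ComboFix format)."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start_type, name, display, image, info = m.groups()
        services.append({
            "running": state == "R",      # R = running, S = stopped
            "start_type": int(start_type),
            "name": name,
            "display": display,
            "image": image,               # path plus any arguments / "-->" rewrite
            "info": info,                 # "[date time size]" or "[?]"
        })
    return services


def flag_services(text):
    """Return the services whose image path or file status merits review."""
    flagged = []
    for svc in parse_services(text):
        reasons = []
        if "\\temp\\" in svc["image"].lower():
            reasons.append(REASON_TEMP)
        if svc["info"] == "[?]":
            reasons.append(REASON_UNKNOWN)
        if reasons:
            flagged.append({"name": svc["name"], "image": svc["image"], "reasons": reasons})
    return flagged


def flag_loaded_dlls(text):
    """Return (process, path) pairs for modules reported under a \\?\globalroot path."""
    findings = []
    process = None
    for line in text.splitlines():
        header = PROCESS_HEADER_RE.match(line)
        if header:
            process = header.group(1)
            continue
        m = GLOBALROOT_RE.search(line)
        if m and process:
            findings.append((process, m.group(0)))
    return findings


if __name__ == "__main__":
    for svc in flag_services(SAMPLE_SERVICES):
        print(f"service {svc['name']}: {svc['image']}")
        for reason in svc["reasons"]:
            print(f"    - {reason}")
    for process, path in flag_loaded_dlls(SAMPLE_DLLS):
        print(f"module in {process}: {path}")
```

Run against the sample above it reports AlerterALG and NlaERSvc with both reasons, and the geyekrbevpejwc.dll module in winlogon.exe and lsass.exe; the legitimate AVG, ZTE and Asus drivers are not flagged. The display names of the two bad services borrow the names of real Windows services (Alerter, Network Location Awareness), which is why matching on the image path rather than the display name is the more reliable check.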

#9 eddsup

eddsup
  • Topic Starter

  • Members
  • 10 posts

Posted 03 August 2009 - 05:26 PM

Hi, more rootkits:

C:\WINDOWS\system32\drivers\geyekrlnosruwb.sys
C:\WINDOWS\system32\geyekriqxhswfl.dll
C:\WINDOWS\system32\geyekrnridqxrk.dat
C:\WINDOWS\system32\geyekrpayvbade.dat
C:\WINDOWS\system32\geyekrbevpejwc.dll

COMBOFIX LOG

ComboFix 09-08-03.04 - Liam Parker 03/08/2009 23:10.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.691 [GMT 1:00]
Running from: c:\documents and settings\Liam Parker\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Liam Parker\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\TEMP\gbwkdevwgd.exe"
"c:\windows\TEMP\gnftcvskik.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\geyekrlnosruwb.sys
c:\windows\system32\geyekrbevpejwc.dll
c:\windows\system32\geyekriqxhswfl.dll
c:\windows\system32\geyekrnridqxrk.dat
c:\windows\system32\geyekrpayvbade.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_geyekrymrsvpta
-------\Legacy_ALERTERALG
-------\Legacy_NLAERSVC
-------\Service_NlaERSvc


((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
.

2009-07-29 12:45 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 12:45 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-25 11:40 . 2009-07-25 11:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Birdstep Technology
2009-07-25 11:40 . 2009-07-25 11:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-07-20 23:36 . 2009-07-20 23:36 32 --s-a-w- c:\windows\system32\970969472.dat
2009-07-20 23:36 . 2009-07-20 23:36 59904 --sh--r- c:\windows\system32\acleditz.exe
2009-07-19 21:14 . 2009-07-19 21:14 -------- d-----w- c:\program files\QuickTime
2009-07-19 21:13 . 2009-07-19 21:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple Computer
2009-07-19 21:13 . 2009-07-19 21:13 -------- d-----w- c:\documents and settings\Liam Parker\Local Settings\Application Data\Apple
2009-07-19 21:13 . 2009-07-19 21:13 -------- d-----w- c:\program files\Apple Software Update
2009-07-19 21:13 . 2009-07-19 21:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple
2009-07-19 21:12 . 2009-07-19 21:12 -------- d-----w- c:\documents and settings\Liam Parker\Local Settings\Application Data\Apple Computer
2009-07-17 18:27 . 2009-07-17 18:27 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-17 17:08 . 2009-07-17 17:08 -------- d-----w- c:\documents and settings\Liam Parker\Application Data\Malwarebytes
2009-07-17 17:08 . 2009-07-13 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-17 17:08 . 2009-07-17 17:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-17 17:08 . 2009-07-17 17:08 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-17 17:08 . 2009-07-13 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 16:30 . 2009-07-17 16:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-11 11:38 . 2009-07-11 11:38 -------- d-----w- c:\documents and settings\Liam Parker\Application Data\Birdstep Technology
2009-07-11 11:37 . 2009-02-13 07:19 621056 ----a-w- c:\windows\system32\drivers\mod7700.sys
2009-07-11 11:37 . 2009-02-13 07:19 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2009-07-11 11:37 . 2009-02-13 07:19 113664 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2009-07-11 11:37 . 2009-02-13 07:19 102656 ----a-w- c:\windows\system32\drivers\ewusbfake.sys
2009-07-11 11:37 . 2009-02-13 07:19 102400 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2009-07-11 11:37 . 2009-07-11 11:37 -------- d-----w- c:\program files\Huawei Modems
2009-07-11 11:37 . 2009-07-11 11:37 70671 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2009-07-11 11:37 . 2007-05-28 16:00 10240 ------w- c:\windows\system32\drivers\mdvrmng.sys
2009-07-11 11:36 . 2009-07-11 11:36 -------- d-----w- c:\program files\3 Mobile Broadband
2009-07-11 11:17 . 2009-07-11 11:17 -------- d-----w- c:\windows\ie8updates
2009-07-11 00:04 . 2009-07-11 00:04 -------- d-----w- c:\windows\Sun
2009-07-10 21:21 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-10 21:21 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-10 21:21 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-07-10 21:21 . 2009-07-19 17:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-07-10 21:19 . 2009-07-10 21:19 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-10 20:08 . 2009-07-10 20:08 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-10 20:03 . 2009-07-10 20:03 -------- d-----w- c:\program files\MSXML 4.0
2009-07-10 18:07 . 2009-07-28 17:25 -------- d-----w- c:\documents and settings\Liam Parker\Application Data\skypePM
2009-07-10 17:25 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-10 14:58 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-10 14:35 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-10 14:35 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-10 14:35 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-10 14:27 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-10 14:09 . 2009-07-10 14:09 -------- d-sh--w- c:\documents and settings\Liam Parker\IECompatCache
2009-07-10 14:09 . 2009-07-10 14:09 -------- d-sh--w- c:\documents and settings\Liam Parker\PrivacIE
2009-07-10 14:04 . 2009-07-10 14:04 -------- d-sh--w- c:\documents and settings\Liam Parker\IETldCache
2009-07-10 14:01 . 2009-07-10 14:02 -------- dc-h--w- c:\windows\ie8
2009-07-10 13:37 . 2009-01-07 17:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-07-10 12:21 . 2006-03-29 14:05 32768 ------w- c:\windows\system32\IJRMF.exe
2009-07-10 12:00 . 2009-07-11 11:32 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Birdstep Technology
2009-07-10 11:59 . 2009-07-10 12:00 -------- d-----w- c:\program files\ZTE_MF6X6_USB_MODEM_1.2050.0.6
2009-07-10 11:59 . 2009-07-10 11:59 -------- d-----w- c:\program files\3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-29 22:11 . 2009-04-27 23:35 -------- d-----w- c:\documents and settings\Liam Parker\Application Data\Skype
2009-07-20 18:29 . 2008-06-24 13:07 -------- d-----w- c:\program files\Windows Live Toolbar
2009-07-14 09:42 . 2009-04-09 18:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-14 09:41 . 2009-04-09 18:24 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-14 09:41 . 2009-04-09 18:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-11 11:36 . 2008-06-24 12:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-11 11:23 . 2009-05-03 13:49 -------- d-----w- c:\documents and settings\Liam Parker\Application Data\Samsung
2009-07-10 20:06 . 2008-06-24 13:05 -------- d-----w- c:\program files\Windows Live
2009-07-10 18:07 . 2009-07-10 18:07 32 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\ezsid.dat
2009-07-10 12:22 . 2009-06-13 21:24 -------- d-----w- c:\program files\Canon
2009-07-03 17:09 . 2008-04-25 05:06 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-17 21:58 . 2009-04-09 18:24 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-16 14:36 . 2008-04-25 05:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-04-25 05:04 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-13 22:35 . 2009-06-13 22:35 -------- d-----w- c:\documents and settings\Liam Parker\Application Data\Media Player Classic
2009-06-13 22:34 . 2009-06-13 22:34 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-06-13 22:20 . 2009-06-13 22:20 -------- d-----w- c:\program files\DivX
2009-06-13 21:45 . 2009-04-16 16:57 39944 ----a-w- c:\documents and settings\Liam Parker\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 21:28 . 2009-06-13 21:28 -------- d--h--w- c:\docume~1\ALLUSE~1\APPLIC~1\CanonBJ
2009-06-13 21:28 . 2009-06-13 21:28 -------- d--h--w- c:\program files\CanonBJ
2009-06-13 20:53 . 2009-06-13 20:53 -------- d-----w- c:\program files\Ahead
2009-06-13 20:53 . 2009-06-13 20:53 -------- d-----w- c:\program files\Common Files\Ahead
2009-06-13 20:41 . 2008-06-24 13:04 -------- d-----w- c:\program files\Microsoft Works
2009-06-13 20:28 . 2009-06-13 20:28 -------- d-----w- c:\documents and settings\Liam Parker\Application Data\Microsoft Web Folders
2009-06-03 19:09 . 2008-04-25 05:05 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-20 17:40 . 2009-04-16 16:56 628 ----a-w- c:\documents and settings\Liam Parker\Application Data\wklnhst.dat
2009-05-07 15:32 . 2008-04-25 05:04 345600 ----a-w- c:\windows\system32\localspl.dll
2008-05-07 08:34 . 2008-06-24 13:21 15523560 ----a-w- c:\program files\U1 Setup.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-08-03_16.17.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-03 22:16 . 2009-08-03 22:16 16384 c:\windows\Temp\Perflib_Perfdata_708.dat
+ 2008-06-24 15:35 . 2009-08-03 16:51 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-24 15:35 . 2009-08-03 15:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-24 15:35 . 2009-08-03 15:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-24 15:35 . 2009-08-03 16:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-24 15:35 . 2009-08-03 16:51 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-06-24 15:35 . 2009-08-03 15:56 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-17 16:30 . 2009-08-03 16:51 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-07-17 16:30 . 2009-08-03 11:57 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 104984]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 121368]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 100888]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-06-03 98304]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-06-03 479232]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-20 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-09 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-14 1948440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-06-13 16871936]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2006-07-21 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\alcwzrd.exe [2006-05-04 2808832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-6-24 294912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-14 09:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/04/2009 19:24 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/04/2009 19:24 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [09/04/2009 19:24 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [09/04/2009 19:24 298776]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [11/07/2009 12:37 10240]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [24/06/2008 13:56 11264]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [17/05/2008 11:19 36864]
S3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [21/05/2008 06:20 25088]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [22/08/2008 19:56 7680]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-03 23:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3040)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-03 23:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-03 22:19
ComboFix2.txt 2009-08-03 16:26

Pre-Run: 31,579,078,656 bytes free
Post-Run: 31,505,141,760 bytes free

218 --- E O F --- 2009-07-30 13:24

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:45 PM

Posted 04 August 2009 - 03:23 PM

Yes, more rootkit files but Combofix has now removed them all.

We need to follow up and see what else came in with them. :)

Please run MBAM again on Quick Scan.

Then run this online scanner

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on "Click here to export the scan results".
  • Save the report to your desktop so you can post it in your next reply.
Thanks :thumbup2:
m0le is a proud member of UNITE

#11 eddsup

eddsup
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:45 PM

Posted 04 August 2009 - 07:14 PM

Hi,

I've been getting new windows popping up every now and then called Resident Shield Alert saying multiple threat detection.

Is this normal?

Here are the logs you requested. Thanks

Malwarebytes' Anti-Malware 1.39
Database version: 2451
Windows 5.1.2600 Service Pack 3

04/08/2009 23:37:29
mbam-log-2009-08-04 (23-37-29).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 117668
Time elapsed: 48 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

BitDefender Online Scanner

Scan report generated at: Wed, Aug 05, 2009 - 01:08:59

Scan path: C:\;D:\;E:\;F:\;

Statistics
Time: 01:02:56
Files: 111578
Folders: 2876
Boot Sectors: 0
Archives: 980
Packed Files: 3503

Results
Identified Viruses: 2
Infected Files: 3
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 3

Engines Info
Virus Definitions: 3833652
Engine build: AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
Scan plugins: 17
Archive plugins: 45
Unpack plugins: 7
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_geyekrlnosruwb_.sys.zip=>geyekrlnosruwb.sys
Infected with: Trojan.Generic.2171188

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_geyekrlnosruwb_.sys.zip=>geyekrlnosruwb.sys
Deleted

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_geyekrlnosruwb_.sys.zip
Updated

C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekrbevpejwc.dll.vir
Infected with: Trojan.CryptRedol.Gen.2

C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekrbevpejwc.dll.vir
Disinfection failed

C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekrbevpejwc.dll.vir
Deleted

C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekriqxhswfl.dll.vir
Infected with: Trojan.CryptRedol.Gen.2

C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekriqxhswfl.dll.vir
Disinfection failed

C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekriqxhswfl.dll.vir
Deleted

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:45 PM

Posted 05 August 2009 - 12:16 PM

The BitDefender log is showing clean - it just deleted the files in Combofix's quarantine folder.

I've been getting new windows popping up every now and then called Resident Shield Alert saying multiple threat detection.


Yes, if it's AVG Resident Shield, that is your real-time antivirus protection doing its job. Try and get a screenshot of the window next time it happens so we can check.

Your log looks clean to me but we'll monitor the Resident Shield thing for a couple of days.


Let's do a little bit of clean-up in the meantime.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main, "Select Files to Delete", choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.


Then get Java updated; it's a doorway for malware.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Let me know when you've done these steps :thumbup2:
m0le is a proud member of UNITE
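The distinction drawn in the post above, detections inside ComboFix's quarantine folder versus detections anywhere else, is the first thing to check when reading a scanner report after a cleanup. The following is an added example, not code from the thread, from BitDefender or from ComboFix: it parses the "Scanned File" / "Status" pairs in the report format posted above and separates verdicts whose path sits under C:\Qoobox\Quarantine (already neutralised) from verdicts elsewhere (which would mean the infection is still live). The sample report reuses three paths from the thread and adds one constructed live path so the classifier has something to flag.

```python
"""Triage a BitDefender Online Scanner report: quarantine hits vs. live hits.

Added example, not part of the original thread and not BitDefender's or
ComboFix's code. It reads the "Scanned File" / "Status" pairs in the report
format pasted in the thread and tells apart detections inside ComboFix's
quarantine (C:\\Qoobox\\Quarantine, already neutralised) from detections
anywhere else. SAMPLE_REPORT reuses paths from the thread and adds one
CONSTRUCTED live path so there is something to flag.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Folders whose contents are inert copies kept by cleanup tools. ComboFix uses
# C:\Qoobox\Quarantine; add other tools' quarantine roots here as needed.
QUARANTINE_ROOTS = (PureWindowsPath(r"C:\Qoobox\Quarantine"),)

# A report line that is a Windows path, e.g. "C:\WINDOWS\system32\x.dll"
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class Detection:
    path: str          # the scanned file as reported (archive member after "=>")
    signature: str     # e.g. "Trojan.Generic.2171188"
    quarantined: bool  # True when the file sits under a known quarantine root


def container_path(reported: str) -> str:
    """Reduce 'outer.zip=>inner.sys' to the on-disk file 'outer.zip'."""
    return reported.split("=>", 1)[0]


def is_quarantined(reported: str) -> bool:
    """True if the reported file is inside a quarantine folder (case-insensitive)."""
    path = PureWindowsPath(container_path(reported))
    return any(path == root or root in path.parents for root in QUARANTINE_ROOTS)


def parse_report(text: str) -> list[Detection]:
    """Collect every 'Infected with:' verdict with the path on the line before it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    found = []
    for path, status in zip(lines, lines[1:]):
        if PATH_RE.match(path) and status.startswith("Infected with:"):
            signature = status.split(":", 1)[1].strip()
            found.append(Detection(path, signature, is_quarantined(path)))
    return found


def triage(text: str) -> dict[str, list[Detection]]:
    """Split detections into those already in quarantine and those still live."""
    buckets: dict[str, list[Detection]] = {"quarantined": [], "live": []}
    for det in parse_report(text):
        buckets["quarantined" if det.quarantined else "live"].append(det)
    return buckets


# Entries copied from the report in the thread plus one CONSTRUCTED live-path
# entry; the "Deleted"/"Updated" follow-up lines are kept to show that only
# the "Infected with:" verdicts are counted.
SAMPLE_REPORT = r"""
Scanned File
Status

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_geyekrlnosruwb_.sys.zip=>geyekrlnosruwb.sys
Infected with: Trojan.Generic.2171188

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_geyekrlnosruwb_.sys.zip=>geyekrlnosruwb.sys
Deleted

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_geyekrlnosruwb_.sys.zip
Updated

C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekrbevpejwc.dll.vir
Infected with: Trojan.CryptRedol.Gen.2

C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekrbevpejwc.dll.vir
Deleted

C:\WINDOWS\system32\drivers\CONSTRUCTED_live_sample.sys
Infected with: CONSTRUCTED.Sample.Signature
"""

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(hits)}")
        for det in hits:
            print(f"  {det.signature:<32} {det.path}")
```

Running it on the sample gives two quarantined detections and one live one; on the real report from the thread every verdict lands in the quarantined bucket, which is exactly why the log reads as clean. The path comparison is done with PureWindowsPath so it is case-insensitive, as Windows paths are.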

#13 eddsup

eddsup
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:45 PM

Posted 05 August 2009 - 01:14 PM

Hi, I've completed all the steps. It had Java Update 15 on there and not 14, so I did that one. Hope that was OK.

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:45 PM

Posted 05 August 2009 - 01:31 PM

Okay, we're there now.

Your log is clean. Good stuff! :thumbup2:

Let's do some housekeeping

Delete ComboFix and Clean Up
Click Start > Run, type combofix /u and click OK (note the space between combofix and /u).
Please advise if this step is missed for any reason as it performs some important actions.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

I recommend that you download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the downloaded installer and install the tool to a location of your choice.
  • Via the Start menu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu.
    • Click "Manage Updates" in the submenu.
    • Out of the three, select at least one (I have MVPS Hosts as my main one).
    • Click "Add Update." After that you will only need to click the update button to retrieve updates.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Here's some advice on how you can keep your PC clean

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15-day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it eddsup, I will keep the topic open for five days. If you can post a screenshot showing the window then please do. It's likely that it is only AVG's shield though.

Cheers,


m0le
m0le is a proud member of UNITE
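The HostsMan recommendation above rests on a simple mechanism: any hostname listed in the Hosts file against 127.0.0.1 or 0.0.0.0 resolves to the local machine instead of the real site, so the browser never contacts it. The following is an added example, not HostsMan's code and not from the thread: it parses hosts-file lines in the style the MVPS list uses, answers whether a given hostname would be blackholed, and merges a user's own entries with a freshly downloaded list so they survive an update, which is the manual step the last bullet above warns about. All hostnames are constructed placeholders under .example and .invalid, and the blocklist text is a constructed stand-in, not a real list.

```python
"""Hosts-file blocking, as a worked example added to this thread.

Not HostsMan's code. Shows what a managed Hosts file does: a hostname pinned
to 0.0.0.0 or 127.0.0.1 never reaches the real site. Domains below are
CONSTRUCTED placeholders (*.example, *.invalid), not real blocklist entries.
"""
from __future__ import annotations

import ipaddress

# Addresses a blocklist uses to "blackhole" a name (MVPS uses 0.0.0.0).
BLACKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname (lower-cased) to the address its hosts entry gives.

    Comments (#) and blank lines are skipped; one line may list several
    hostnames for one address. The first entry for a name wins, which is
    how the resolver treats duplicates.
    """
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_blocked(hosts: dict[str, str], hostname: str) -> bool:
    """True when the Hosts file pins the name to a blackhole address.

    This is the limit of the technique: matching is on the exact name, so an
    entry for 'bad.example' does nothing for 'cdn.bad.example'.
    """
    return hosts.get(hostname.lower().rstrip(".")) in BLACKHOLE_ADDRS


def merge_hosts(downloaded: str, custom: str) -> str:
    """Rebuild a Hosts file from a fresh blocklist plus the user's own entries.

    Custom entries go first so they take precedence, and any downloaded line
    that only names hosts the user already defines is dropped. Without this
    step an update would silently overwrite the user's entries.
    """
    custom_map = parse_hosts(custom)
    out = ["# --- custom entries (kept across blocklist updates) ---"]
    out += [ln.rstrip() for ln in custom.splitlines() if ln.strip()]
    out.append("# --- downloaded blocklist ---")
    for raw in downloaded.splitlines():
        names = [n.lower() for n in raw.split("#", 1)[0].split()[1:]]
        if names and all(n in custom_map for n in names):
            continue  # the user already has an entry for this name; keep theirs
        out.append(raw.rstrip())
    return "\n".join(out) + "\n"


# CONSTRUCTED stand-in for a downloaded MVPS-style list.
DOWNLOADED_BLOCKLIST = """\
# constructed blocklist sample
0.0.0.0 ads.tracker.example
0.0.0.0 malware-dl.example www.malware-dl.example
0.0.0.0 intranet.invalid  # would wrongly block a site the user needs
"""

# CONSTRUCTED user entries that must survive a blocklist update.
CUSTOM_HOSTS = """\
127.0.0.1 localhost
192.168.1.10 intranet.invalid   # user's own entry
"""


def demo() -> dict[str, bool]:
    """Merge the two files and report what the result blocks."""
    merged = parse_hosts(merge_hosts(DOWNLOADED_BLOCKLIST, CUSTOM_HOSTS))
    return {
        "malware-dl.example": is_blocked(merged, "MALWARE-DL.example"),
        "www.malware-dl.example": is_blocked(merged, "www.malware-dl.example"),
        "cdn.malware-dl.example": is_blocked(merged, "cdn.malware-dl.example"),
        "intranet.invalid": is_blocked(merged, "intranet.invalid"),
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name:<28} {'BLOCKED' if blocked else 'allowed'}")
```

Two things the demo makes visible: case does not matter (the resolver lower-cases names), and the user's own intranet.invalid entry wins over the downloaded line for the same name, so the blocklist cannot break a host the user deliberately mapped. A Hosts file is a coarse, exact-match control, a useful extra layer rather than a replacement for the antivirus and firewall advice above.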

#15 eddsup

eddsup
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:45 PM

Posted 05 August 2009 - 01:55 PM

Mole, thank you so much for your help, and to everyone at Bleeping Computer. You're doing a fantastic job, and it was worth the wait.

If you get a chance can you explain the purpose of the HostsMan program? Thank you.

I'll be sure to post screenshots if I get any. I haven't had them today.

I have made a donation and Thank You again for your help.



