Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

MIVA DLL Malware


  • This topic is locked This topic is locked
20 replies to this topic

#1 blazerx

blazerx

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:43 PM

Posted 20 July 2009 - 10:25 AM

first, i have AVG free and they detected and infection when it occured but it couldnt stop it and cant find it now. i have tried to install mbam and rootrepeal and it all ended up as a failure, from the malware blocking them. as stated this malware hijacks my internet searches and tries to get me to download or open internet files that i have not clicked.

i have read another post and have made a DDS text file and the "attach" file.

here is the DDS,


DDS (Ver_09-06-26.01) - NTFSx86
Run by HP_Administrator at 10:04:44.35 on Mon 07/20/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1370 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [StartupDelayer] "c:\program files\r2 studios\startup delayer\Startup Launcher.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "realsched.exe" -osboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: trymedia.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {FE6D9876-FA93-4FC2-ABEE-1FF366F0E06F} = 209.44.180.58,209.44.180.53
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\0h2va357.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\dyyno\dyyno player\npvlc.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-9 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-9 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-9 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-9 298776]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-16 192112]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-9-16 202352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-16 169584]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-19 1119888]
S3 lredbooo;lredbooo;\??\c:\docume~1\hp_adm~1\locals~1\temp\lredbooo.sys --> c:\docume~1\hp_adm~1\locals~1\temp\lredbooo.sys [?]

=============== Created Last 30 ================

2009-07-19 23:47 2,126 a------- c:\windows\system32\wpa.dbl
2009-07-19 23:15 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 23:15 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 23:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-19 12:12 <DIR> -cd-h--- C:\$AVG8.VAULT$
2009-07-19 09:29 0 a------- c:\windows\win.ini
2009-07-19 09:29 0 a------- c:\windows\system.ini
2009-07-14 22:39 226,418,688 a------- c:\windows\MEMORY.DMP
2009-07-14 19:43 0 a------- c:\documents and settings\hp_administrator\settings.dat
2009-07-02 13:55 41,808 a------- c:\windows\system32\xfcodec.dll
2009-06-26 13:11 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Xilisoft Corporation
2009-06-23 13:21 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\IObit
2009-06-20 16:02 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{5794CDCB-FAB7-4C15-9069-4D8AC02592DE}
2009-06-20 14:37 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}
2009-06-20 14:17 <DIR> -cd----- C:\ProgramData
2009-06-20 14:12 8,524 a------- c:\windows\system32\ealregsnapshot1.reg

==================== Find3M ====================

2009-07-19 19:13 139,584 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-19 19:13 189,104 a------- c:\windows\system32\PnkBstrB.exe
2009-07-09 18:06 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 13:11 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-20 20:49 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-06-20 14:39 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-06-20 14:37 22,328 ac------ c:\docume~1\hp_adm~1\applic~1\PnkBstrK.sys
2009-06-20 14:37 669,184 a------- c:\windows\system32\pbsvc.exe
2009-06-16 09:36 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 09:36 119,808 -------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 -------- c:\windows\system32\fontsub.dll
2009-06-16 09:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-04 06:27 22,366 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 14:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-28 23:56 827,392 -------- c:\windows\system32\wininet.dll
2009-04-28 23:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll
2009-04-28 23:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-28 23:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-28 23:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-28 23:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll
2009-04-28 23:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-28 23:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-28 23:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 23:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll
2009-04-28 23:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-28 04:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 04:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 00:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 00:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-10-15 17:19 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101520081016\index.dat

============= FINISH: 10:05:56.18 ===============

and the "attach" file is here also

thank you for your time and assistance.

Attached Files



BC AdBot (Login to Remove)

 


#2 blazerx

blazerx
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:43 PM

Posted 25 July 2009 - 08:25 AM

ok now the malware got worse. it is now freezing my computer. unable to unfreeze (besides shutdown).

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:43 AM

Posted 30 July 2009 - 11:36 PM

Hello blazerx and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#4 blazerx

blazerx
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:43 PM

Posted 31 July 2009 - 04:16 PM

hello, thank you for your response but im sorry to say that i have seemed to have solved the problem. i will still post a copy of the DDS so you can make sure my system is ok. if it's alright with you guys..
if it helps in any way, what i did to solve the problem was messing with the registry. UAC i think is the beginning of this virus' name within the system. if u clean ur registry a little bit it seems that you can then get spybot S&D or mbam to work. IDK if you guys already have a solution to the malware but i hope i help you guys out with this information. please look over the DDS report to see him my computer is clean and fully functioning, thank you for your assistance.

DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Administrator at 16:14:53.92 on Fri 07/31/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1224 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "realsched.exe" -osboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: trymedia.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {FE6D9876-FA93-4FC2-ABEE-1FF366F0E06F} = 209.44.180.58,209.44.180.53
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\0h2va357.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\dyyno\dyyno player\npvlc.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-9 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-9 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-9 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-9 298776]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-16 192112]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-9-16 202352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-16 169584]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-19 1119888]
S3 lredbooo;lredbooo; [x]
S3 MEMSWEEP2;MEMSWEEP2; [x]

=============== Created Last 30 ================

2009-07-30 19:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-07-30 19:50 <DIR> --d----- c:\program files\common files\EasyInfo
2009-07-29 12:20 <DIR> --d-h--- c:\windows\$hf_mig$
2009-07-28 19:21 <DIR> --d----- c:\program files\Microsoft Games
2009-07-28 11:19 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Reg Tool
2009-07-28 11:19 <DIR> --d----- c:\program files\Reg Tool
2009-07-26 09:39 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-26 09:39 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-26 09:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-25 22:10 61,440 a------- c:\windows\system32\drivers\gmzkos.sys
2009-07-25 21:53 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-07-25 20:30 <DIR> --d----- c:\program files\Sophos
2009-07-25 18:19 <DIR> --d----- c:\program files\EMCO
2009-07-25 16:51 120 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-07-25 16:51 2,336 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-07-25 16:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-07-25 16:50 <DIR> --d----- c:\program files\common files\iS3
2009-07-25 16:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-07-25 13:08 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-25 13:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-23 20:57 41,872 a------- c:\windows\system32\xfcodec.dll
2009-07-19 23:47 2,206 a------- c:\windows\system32\wpa.dbl
2009-07-19 23:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-19 12:12 <DIR> -cd-h--- C:\$AVG8.VAULT$
2009-07-19 09:29 0 a------- c:\windows\win.ini
2009-07-19 09:29 0 a------- c:\windows\system.ini
2009-07-14 19:43 0 a------- c:\documents and settings\hp_administrator\settings.dat

==================== Find3M ====================

2009-07-30 21:34 189,104 a------- c:\windows\system32\PnkBstrB.exe
2009-07-30 20:51 139,584 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-29 22:19 22,668 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2009-07-19 08:33 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 08:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-09 18:06 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 06:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 06:07 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 03:35 634,632 -------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 03:33 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 03:33 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-06-26 13:11 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-20 20:49 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-06-20 14:39 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-06-20 14:37 22,328 ac------ c:\docume~1\hp_adm~1\applic~1\PnkBstrK.sys
2009-06-20 14:37 669,184 a------- c:\windows\system32\pbsvc.exe
2009-06-20 14:12 8,524 a------- c:\windows\system32\ealregsnapshot1.reg
2009-06-16 09:36 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 09:36 119,808 -------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 -------- c:\windows\system32\fontsub.dll
2009-06-16 09:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 14:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2008-10-15 17:19 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101520081016\index.dat

============= FINISH: 16:15:27.06 ===============

Attached Files


Edited by PropagandaPanda, 01 August 2009 - 09:29 PM.


#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:43 PM

Posted 01 August 2009 - 09:32 PM

Hello.

If you were infected with UAC, then some more indepth scans will be needed.

Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop.
  • Double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

With Regards,
The Panda

#6 blazerx

blazerx
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:43 PM

Posted 02 August 2009 - 04:06 PM

ok here is the OTS and GMER scan reports.

Attached Files

  • Attached File  OTS.Txt   164.18KB   1 downloads
  • Attached File  GMER.log   20.82KB   2 downloads


#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:43 PM

Posted 03 August 2009 - 08:40 AM

Hello.

You are definately infected with UAC.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

With Regards,
The Panda

#8 blazerx

blazerx
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:43 PM

Posted 03 August 2009 - 10:30 PM

ok i did the combo fix and here is the log. thank you very much, i hope it did the trick.

ComboFix 09-08-03.04 - HP_Administrator 08/03/2009 22:11.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1464 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-527237240-179605362-725345543-500
c:\windows\Installer\a26ab75.msi
c:\windows\Installer\a9c57f.msi
c:\windows\Installer\e0f3050.msi
c:\windows\jestertb.dll
c:\windows\kb913800.exe
c:\windows\system32\Drivers\gmzkos.sys
c:\windows\system32\drivers\RKHit.sys
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHIT
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
.

2009-08-01 17:50 . 2009-08-01 20:38 -------- d-----w- c:\program files\iTunes
2009-08-01 17:35 . 2009-08-01 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-31 00:54 . 2009-07-31 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-31 00:54 . 2009-07-31 16:02 -------- d-----w- c:\program files\NOS
2009-07-31 00:52 . 2009-07-31 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-07-31 00:50 . 2009-07-31 00:50 -------- d-----w- c:\program files\Common Files\EasyInfo
2009-07-29 17:20 . 2009-07-29 17:20 -------- d--h--w- c:\windows\$hf_mig$
2009-07-29 00:21 . 2009-07-29 00:21 -------- d-----w- c:\program files\Microsoft Games
2009-07-28 16:19 . 2009-07-28 16:21 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Reg Tool
2009-07-28 16:19 . 2009-07-28 16:22 -------- d-----w- c:\program files\Reg Tool
2009-07-26 14:39 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-26 14:39 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-26 14:39 . 2009-07-26 14:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-26 02:53 . 2009-07-26 02:53 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-07-26 01:30 . 2009-07-26 01:30 -------- d-----w- c:\program files\Sophos
2009-07-25 23:23 . 2009-07-28 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-25 23:19 . 2009-07-25 23:19 -------- d-----w- c:\program files\EMCO
2009-07-25 21:50 . 2009-07-25 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-07-25 21:50 . 2009-07-25 21:50 -------- d-----w- c:\program files\Common Files\iS3
2009-07-25 21:50 . 2009-07-26 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-07-25 18:21 . 2009-07-26 03:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-25 18:08 . 2009-07-26 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-25 18:08 . 2009-07-25 18:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-25 17:53 . 2009-07-25 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-25 17:53 . 2009-07-25 17:53 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-24 01:57 . 2009-07-24 01:57 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-07-20 04:32 . 2009-07-20 04:32 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\File Renamer Basic
2009-07-20 04:15 . 2009-07-20 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-19 17:12 . 2009-07-26 15:31 -------- dc-h--w- C:\$AVG8.VAULT$
2009-07-15 00:43 . 2009-07-15 00:43 0 ----a-w- c:\documents and settings\HP_Administrator\settings.dat
2009-07-13 19:22 . 2009-07-13 19:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-09 23:07 . 2009-07-09 23:06 3403032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-03 00:51 . 2007-12-27 21:03 138736 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-03 00:51 . 2007-12-27 21:03 188968 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-03 00:38 . 2009-04-24 19:20 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Xfire
2009-08-01 20:41 . 2006-12-13 21:50 22668 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-08-01 20:38 . 2007-02-26 22:30 -------- d-----w- c:\program files\iPod
2009-08-01 20:38 . 2008-10-05 03:37 -------- d-----w- c:\program files\Common Files\Apple
2009-07-31 00:52 . 2006-12-20 18:02 -------- d-----w- c:\program files\Electronic Arts
2009-07-31 00:36 . 2006-08-19 22:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-30 15:13 . 2009-04-24 19:20 -------- d-----w- c:\program files\Xfire
2009-07-28 17:56 . 2009-06-15 20:11 -------- d-----w- c:\program files\IObit
2009-07-25 21:56 . 2009-07-25 21:51 2336 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-07-25 21:51 . 2009-07-25 21:51 120 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-07-25 18:18 . 2006-08-19 22:05 -------- d-----w- c:\program files\Java
2009-07-20 16:54 . 2007-02-18 02:48 -------- d-----w- c:\program files\Warcraft III
2009-07-19 17:16 . 2009-05-17 01:51 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Ventrilo
2009-07-19 16:56 . 2006-12-17 15:55 -------- d-----w- c:\program files\LucasArts
2009-07-19 16:52 . 2007-04-08 15:10 -------- d-----w- c:\program files\THQ
2009-07-19 16:52 . 2006-12-18 16:29 -------- d-----w- c:\program files\Sierra
2009-07-19 16:50 . 2007-07-15 23:31 -------- d-----w- c:\program files\Activision
2009-07-09 23:06 . 2009-01-09 20:17 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 16:12 . 2004-08-09 21:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-09 21:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-09 21:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 18:11 . 2009-01-09 20:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 18:11 . 2009-01-09 20:17 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-26 18:11 . 2009-06-26 18:11 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Xilisoft Corporation
2009-06-23 21:57 . 2009-06-19 19:31 706192 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-23 19:03 . 2009-06-23 18:21 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\IObit
2009-06-23 18:36 . 2009-01-04 21:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\GameTracker
2009-06-23 18:36 . 2006-12-03 18:08 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-06-23 18:36 . 2008-08-20 19:04 -------- d-----w- c:\program files\Tune Tools
2009-06-23 18:36 . 2006-08-19 22:37 -------- d-----w- c:\program files\MSN Encarta Standard
2009-06-23 18:36 . 2006-08-19 22:29 -------- d-----w- c:\program files\Rhapsody
2009-06-21 01:49 . 2007-12-27 21:03 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-06-20 19:39 . 2007-06-28 01:21 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-20 19:37 . 2007-12-27 21:03 22328 -c--a-w- c:\documents and settings\HP_Administrator\Application Data\PnkBstrK.sys
2009-06-20 19:37 . 2007-12-27 21:03 22328 -c--a-w- c:\documents and settings\HP_Administrator\Application Data\PnkBstrK.sys
2009-06-20 19:37 . 2007-12-27 21:03 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-06-20 19:12 . 2009-06-20 19:12 8524 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-06-20 13:19 . 2006-08-19 22:34 147648 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-17 18:39 . 2008-11-11 16:17 -------- d-----w- c:\program files\Memorex exPressit Label Design Studio
2009-06-17 18:39 . 2006-08-19 22:30 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-06-16 14:36 . 2004-08-09 21:00 81920 ------w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-09 21:00 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-15 20:26 . 2008-10-09 22:03 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-15 20:11 . 2009-06-15 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-06-09 21:12 . 2009-06-09 21:12 -------- d-----w- c:\program files\SmartSound Software Inc
2009-06-03 19:09 . 2004-08-09 21:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-29 18:36 . 2009-03-16 13:02 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-29 18:36 . 2008-10-05 03:38 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-21 16:33 . 2008-11-13 01:11 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-07 15:32 . 2004-08-09 21:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-15 20:30 . 2009-07-18 22:22 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 52848]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-10-25 16855552]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-19 27136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 18:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCLEPCI

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GS In-Game Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds Saga\\Game\\battlegrounds_x1.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Warcraft III\\World Editor.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25777:UDP"= 25777:UDP:Xfire

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/9/2009 3:17 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/9/2009 3:17 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/9/2009 3:17 PM 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/9/2009 3:17 PM 298776]
S3 lredbooo;lredbooo; [x]
S3 MEMSWEEP2;MEMSWEEP2; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-01 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-09 00:12]

2009-08-03 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-06-23 14:22]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-TkBellExe - realsched.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
Trusted Zone: trymedia.com
TCP: {FE6D9876-FA93-4FC2-ABEE-1FF366F0E06F} = 209.44.180.58,209.44.180.53
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0h2va357.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-03 22:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-530873147-734200102-2274013695-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{447BA9E6-9BA9-55FA-10F5-7FE1C7CF5388}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abfoccalpinfbjbnfgphbifodhichelaol"=hex:61,61,00,00
"bbfoccalpinfbjbnfgaiifhdpcpdkhhablma"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-530873147-734200102-2274013695-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:6d,83,32,eb,32,5c,e6,02,98,19,99,e0,c1,08,c5,56,11,eb,e8,65,88,c5,23,
83,01,6b,36,3f,b7,f3,6e,cd,1c,6d,c5,f5,8b,35,0e,4e,6e,91,a1,7f,4b,a1,d1,3b,\
"??"=hex:18,65,31,66,ed,16,d0,b6,b9,be,f2,3f,8b,43,b7,37

[HKEY_USERS\S-1-5-21-530873147-734200102-2274013695-1007\Software\SecuROM\License information*]
"datasecu"=hex:41,0c,fd,26,60,e8,77,57,13,ec,f0,c9,64,dc,4e,28,31,aa,05,ad,2f,
d1,fe,dc,d2,c6,83,10,a9,a8,54,90,d9,ff,c7,7f,d0,c5,0e,64,73,86,f9,4f,4f,3d,\
"rkeysecu"=hex:56,c6,0d,e0,20,27,f2,5f,5e,7a,0c,15,6c,01,a7,f3

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,f5,4e,70,ea,7a,
64,40,38,2e,e8,e1,00,eb,16,2b,de,b0,0f,a1,ae,b0,8b,7f,d1,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,bc,13,0b,3a,1b,
c4,34,1c,46,47,15,b0,92,4b,c7,ef,3c,92,52,4d,76,43,17,8d,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,17,84,90,99,84,
57,f7,0a,7a,45,05,fd,91,e8,6f,31,f5,d8,23,6c,9b,bc,13,12,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,03,d9,dc,bb,cc,
e3,1c,ea,6b,65,49,6a,7e,99,74,f7,be,62,fa,fd,67,11,b1,23,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,7d,15,c7,27,1b,
07,d5,f9,e9,02,6c,fa,fb,1d,47,57,03,13,99,24,53,2f,50,d2,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,6e,32,e5,48,f7,
4a,aa,e5,50,93,e5,ab,ec,6a,4e,ab,3f,b3,69,18,06,a0,80,79,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,6b,94,0a,ff,82,
4f,a5,50,97,20,4e,9a,c7,f1,35,ee,08,72,71,1b,cf,4e,0b,d9,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,ef,fd,4c,a1,8d,
73,f5,4e,aa,52,c6,00,84,3c,26,64,a9,92,76,da,53,9e,bd,e8,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,3b,89,91,63,b3,
e2,6d,f1,b2,46,9a,e2,1b,fe,1b,94,a2,98,f5,c5,c4,d1,4c,d5,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,61,f0,d2,6a,f8,
32,d2,c4,37,a4,aa,c3,a6,15,56,0a,16,24,af,cf,f1,8c,79,8a,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,78,c6,7c,2c,d7,
22,98,65,f8,31,0f,a9,5f,a0,ec,fb,87,94,34,a7,b6,47,a4,f1,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,eb,d9,6f,33,cf,
82,68,fb,05,73,21,dd,54,d8,4a,c5,b9,cf,1e,71,57,10,cc,eb,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2000)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\LxrJD31s.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\UAService7.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-04 22:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-04 03:25

Pre-Run: 222,201,364,480 bytes free
Post-Run: 222,244,229,120 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=,1,2,3,4
410 --- E O F --- 2009-07-29 18:19

Attached Files


Edited by PropagandaPanda, 04 August 2009 - 08:04 AM.


#9 blazerx

blazerx
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:43 PM

Posted 03 August 2009 - 10:34 PM

also please notify me of any damage done, corrupted or damaged files from this virus and or any other mishaps, settings incorrectly changed, etc. just an overall - your system is A-OK. thank you very much

#10 blazerx

blazerx
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:43 PM

Posted 04 August 2009 - 12:53 AM

ok here is the OTS, Attatch, DDS and GMER reports. i dont really know what u need to see if the computer is "A-OK" but here are the 3 scan program reports u gave me earlier. (I still see UAC files "saved" or something on the GMER report. possibly in the registry?)

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:43 PM

Posted 04 August 2009 - 08:11 AM

Hello.

There is no need to post reports unless I ask for them.

The leftover UAC entries in the registry are harmless.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are recieving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Download and Run OTMoveIT
  • Please download OTM by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :services
    lredbooo
    MEMSWEEP2
    [emptytemp]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows expect OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Please take a new DDS.txt log after.

Any problems at the moment?

With Regards,
The Panda

#12 blazerx

blazerx
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:43 PM

Posted 04 August 2009 - 04:18 PM

sorry for those reports then,
here is the move it! log


All processes killed
========== SERVICES/DRIVERS ==========

Service\Driver lredbooo deleted successfully.

Service\Driver MEMSWEEP2 deleted successfully.
Service\Driver [emptytemp] not found.
Service\Driver [emptytemp] not found.

OTM by OldTimer - Version 3.0.0.5 log created on 08042009_094658

Files moved on Reboot...

Registry entries deleted on Reboot...

ummm, the kapersky scan didnt find anything, but when i tried to load up the scan results my computer froze and i had to exit out of firefox. it completely stopped responding.

heres DDS and attach logs.

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:43 PM

Posted 04 August 2009 - 04:21 PM

Hello.

heres DDS and attach logs.

Where is here :thumbup2:

The Panda

#14 blazerx

blazerx
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:43 PM

Posted 04 August 2009 - 05:29 PM

:thumbup2: oh great, they didnt show up..... and i deleted them....have GMER for u in about an hour or more. long scan.

DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Administrator at 17:27:29.29 on Tue 08/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1220 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "realsched.exe" -osboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: trymedia.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {FE6D9876-FA93-4FC2-ABEE-1FF366F0E06F} = 209.44.180.58,209.44.180.53
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\0h2va357.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\dyyno\dyyno player\npvlc.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-9 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-9 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-9 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-9 298776]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2009-08-04 09:46 <DIR> -cd----- C:\_OTM
2009-08-03 22:24 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-08-03 22:09 219,648 a------- c:\windows\PEV.exe
2009-08-03 22:09 161,792 a------- c:\windows\SWREG.exe
2009-08-03 22:09 98,816 a------- c:\windows\sed.exe
2009-08-01 12:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-30 19:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-07-30 19:50 <DIR> --d----- c:\program files\common files\EasyInfo
2009-07-29 12:20 <DIR> --d-h--- c:\windows\$hf_mig$
2009-07-28 19:21 <DIR> --d----- c:\program files\Microsoft Games
2009-07-28 11:19 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Reg Tool
2009-07-28 11:19 <DIR> --d----- c:\program files\Reg Tool
2009-07-26 09:39 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-26 09:39 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-26 09:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-25 21:53 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-07-25 20:30 <DIR> --d----- c:\program files\Sophos
2009-07-25 18:19 <DIR> --d----- c:\program files\EMCO
2009-07-25 16:51 120 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-07-25 16:51 2,336 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-07-25 16:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-07-25 16:50 <DIR> --d----- c:\program files\common files\iS3
2009-07-25 16:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-07-25 13:08 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-25 13:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-23 20:57 41,872 a------- c:\windows\system32\xfcodec.dll
2009-07-19 23:47 2,206 a------- c:\windows\system32\wpa.dbl
2009-07-19 23:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-19 12:12 <DIR> -cd-h--- C:\$AVG8.VAULT$
2009-07-19 09:29 0 ac------ c:\windows\system.ini
2009-07-19 09:29 0 a------- c:\windows\win.ini
2009-07-14 19:43 0 a------- c:\documents and settings\hp_administrator\settings.dat

==================== Find3M ====================

2009-08-02 19:51 138,736 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-02 19:51 188,968 a------- c:\windows\system32\PnkBstrB.exe
2009-08-01 15:41 22,668 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2009-07-19 08:33 3,597,824 a------- c:\windows\system32\dllcache\cache\mshtml.dll
2009-07-19 08:33 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 08:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-09 18:06 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 06:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 06:07 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 03:35 634,632 -------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 03:33 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 03:33 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-06-26 13:11 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-20 20:49 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-06-20 14:39 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-06-20 14:37 22,328 ac------ c:\docume~1\hp_adm~1\applic~1\PnkBstrK.sys
2009-06-20 14:37 669,184 a------- c:\windows\system32\pbsvc.exe
2009-06-20 14:12 8,524 a------- c:\windows\system32\ealregsnapshot1.reg
2009-06-16 09:36 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 09:36 119,808 -------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 -------- c:\windows\system32\fontsub.dll
2009-06-16 09:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 14:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2008-10-15 17:19 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101520081016\index.dat

============= FINISH: 17:27:46.10 ===============

Attached Files


Edited by PropagandaPanda, 04 August 2009 - 05:40 PM.


#15 blazerx

blazerx
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:43 PM

Posted 04 August 2009 - 05:36 PM

:) ummm. heres the GMER report and this is wierd.... its totally different than the last time i scanned it. the text xfire stuff is new... :thumbup2: i cut the scan short because it shows stuff from the first few minutes, but then it just scans...on...and...on..and on. if i need to do it again for like 1-2 hours let me know (its still scanning in the background). its just REALLY annoying.
also can u tell if something screwy is going on with my itunes? cuz its going really crazy! (unistalled it and didnt fix it - corrupted or something?)

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users